Experian Marketing Solutions, Inc. v. Lehman et al

Filing 42

OPINION; signed by Judge Robert Holmes Bell (Judge Robert Holmes Bell, kcb)

UNITED STATES DISTRICT COURT
FOR THE WESTERN DISTRICT OF MICHIGAN
SOUTHERN DIVISION

EXPERIAN MARKETING SOLUTIONS, INC., Plaintiff,

v.

JEREMY LEHMAN, THORIUM DATA SCIENCE, LLC, Defendants.

File No. 1:15-CV-476
HON. ROBERT HOLMES BELL

OPINION

This is an action for (1) violation of the Computer Fraud and Abuse Act (“CFAA”), 18 U.S.C. § 1030 et seq.; (2) misappropriation of trade secrets under the Michigan Uniform Trade Secrets Act (“MUTSA”), Mich. Comp. Laws § 445.1901; (3) breach of contract; (4) breach of fiduciary duty; and (5) tortious interference with contract. Plaintiff Experian Marketing Solutions, Inc. (“Experian”) is a marketing-services company based in Illinois. Defendant Jeremy Lehman is a former employee of Experian residing in Grand Rapids, Michigan. Defendant Thorium Data Science, LLC (“Thorium”) is an entity allegedly created by Lehman while he was employed by Experian.

On June 18, 2015, the Court entered an opinion and order granting, in part, Experian’s motion for a preliminary injunction, after determining that Experian had established a substantial likelihood of success on its claims for misappropriation of trade secrets and breach of contract. The facts alleged in the complaint are summarized in that opinion (ECF No. 27).

Before the Court is Defendants’ motion to dismiss the complaint for failure to state a claim (ECF No. 19). Defendants’ motion will be granted in part and denied in part.

I.

In reviewing a Rule 12(b)(6) motion to dismiss, the Court must “‘construe the complaint in the light most favorable to the plaintiff, accept its allegations as true, and draw all reasonable inferences in favor of the plaintiff,’” but it “‘need not accept as true legal conclusions or unwarranted factual inferences.’” Hunter v. Sec’y of U.S. Army, 565 F.3d 986, 992 (6th Cir. 2009) (quoting Jones v. City of Cincinnati, 521 F.3d 555, 559 (6th Cir. 2008)).
A complaint must contain “a short and plain statement of the claim showing how the pleader is entitled to relief.” Fed. R. Civ. P. 8(a)(2). The purpose of this statement is to “give the defendant fair notice of what the claim is and the grounds upon which it rests.” Bell Atl. Corp. v. Twombly, 550 U.S. 544, 555 (2007). The complaint need not contain detailed factual allegations, but it must include more than labels, conclusions, and formulaic recitations of the elements of a cause of action. Id. “Threadbare recitals of the elements of a cause of action, supported by mere conclusory statements, do not suffice.” Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009) (citing Twombly, 550 U.S. at 555). To survive a motion to dismiss under Rule 12(b)(6), a complaint must allege facts that “state a claim to relief that is plausible on its face,” and that, if accepted as true, are sufficient to “raise a right to relief above the speculative level.” Twombly, 550 U.S. at 555, 570. “The plausibility standard is not akin to a ‘probability requirement,’ but it asks for more than a sheer possibility that a defendant has acted unlawfully.” Iqbal, 556 U.S. 678. “A claim is plausible on its face if the ‘plaintiff pleads factual content that allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged.’” Ctr. for Bio-Ethical Reform, Inc. v. Napolitano, 648 F.3d 365, 369 (6th Cir. 2011) (quoting Iqbal, 556 U.S. at 677). Where a complaint pleads facts that are merely consistent with a defendant’s liability, it “stops short of the line between possibility and plausibility of ‘entitlement to relief.’” Iqbal, 556 U.S. at 678 (quoting Twombly, 550 U.S. at 557).

II.

A. General Objection

Defendants assert that the entire complaint should be dismissed because it is an improper “shotgun” pleading containing thirty-seven pages of allegations, thirteen counts, and seventy-one exhibits.
Shotgun pleadings include those in which “it is virtually impossible to know which allegations of fact are intended to support which claim(s) for relief.” Anderson v. Dist. Bd. of Trustees of Cent. Fl. Cmty. Coll., 77 F.3d 364, 366 (11th Cir. 1996). They make it difficult for the defendant “to discern what the plaintiff is claiming and to frame a responsive pleading.” Id. Defendants assert that Experian’s complaint puts Defendants and the Court in the difficult position of sifting through numerous allegations and claims and determining which have factual support.

The Court does not find Plaintiff’s complaint to be improper as a whole. Although it is lengthy, it is not unmanageable. In most cases, it is not difficult for the Court to discern what is being claimed or what allegations are relevant to each claim. Moreover, although many counts are asserted, there are only five types of claims, which are recited at the beginning of this Opinion. The large number of counts is due, in part, to Plaintiff’s decision to separate its breach-of-contract claim into separate counts corresponding to different contract provisions. In this way, Plaintiff has made it easier for Defendants and the Court to ascertain what is being claimed. In any event, if Defendants are uncertain about a particular claim, the Federal Rules provide a remedy; Defendants can move for a more definite statement pursuant to Rule 12(e). See Anderson, 77 F.3d at 366. Thus, the Court is not persuaded that the complaint should be dismissed in its entirety on account of its length and complexity.

B. Count I: CFAA

Count I of the complaint asserts that Defendants violated the CFAA.
Specifically, Experian alleges that: (1) while Lehman was employed by Experian, he accessed Experian’s confidential information for a competitive purpose (i.e., to further the work of Thorium), in violation of his employee agreements and Experian’s code of conduct; (2) after he left Experian, Lehman retained his company-issued computer and hard drive and accessed them in violation of his employee and separation agreements and Experian’s code of conduct; (3) Lehman deleted the data on his company-issued hard drive before returning it to Experian, rendering the data unavailable; (4) Lehman, acting on behalf of Thorium, instructed Experian employees Trevor Watkins and Amir Behrozi to access Experian’s computers in order to retrieve its confidential documents and computer source code; (5) Watkins copied Experian source code onto Thorium’s Google drive account; and (6) Behrozi and Experian employee Sergey Vladimirov stored Experian source code and confidential information on their computers for the benefit of Lehman and Thorium.

Experian claims that the foregoing conduct violated the following sections of the CFAA: 18 U.S.C. §§ 1030(a)(2)(C), 1030(a)(4), and 1030(a)(5)(A). Section 1030(a)(2)(C) prohibits “intentionally access[ing] a computer without authorization or exceed[ing] authorized access, and thereby obtain[ing] . . . information from a protected computer.” Id. Section 1030(a)(4) prohibits “knowingly and with intent to defraud, access[ing] a protected computer without authorization, or exceed[ing] authorized access, and by means of such conduct further[ing] the intended fraud and obtain[ing] anything of value . . . .” Id. Finally, § 1030(a)(5)(A) prohibits “knowingly caus[ing] the transmission of a program, information, code, or command, and as a result of such conduct, intentionally caus[ing] damage without authorization, to a protected computer.” Id.

The foregoing sections of the CFAA describe two types of claims: “access” claims and “transmission” claims.
Generally, an access claim involves accessing a computer without authorization, or exceeding authorized access, see 18 U.S.C. §§ 1030(a)(2)(C), 1030(a)(4), whereas a transmission claim involves the transmission of a program or command that intentionally causes “damage,” see id. at § 1030(a)(5)(A). Most of Experian’s claims are access claims; one is a transmission claim.

1. Loss

First, Defendants argue that Experian does not state any type of CFAA claim, either an access claim or a transmission claim, because it has not alleged a loss. Although the CFAA is primarily a criminal statute, it provides a civil remedy for anyone who “suffers damage or loss by reason of a violation[.]” 18 U.S.C. § 1030(g). A civil action may only be brought if the conduct involves one of “the factors set forth in subclauses (I), (II), (III), (IV), or (V) of subsection (c)(4)(A)(i).” Id. The only factor that applies here is subclause (I), which involves “loss to 1 or more persons during any 1-year period . . . aggregating at least $5,000 in value.” Id. § 1030(c)(4)(A)(i)(I). Thus, in order to state a claim, Experian must allege a “loss.” The term “loss” is defined in the statute as:

. . . any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service[.]

18 U.S.C. § 1030(e)(11). Citing this definition, Defendants note that Experian has not alleged an interruption of service. Such an allegation is not necessary, however.
The Sixth Circuit has concluded that the definition of loss in § 1030(e)(11) is “disjunctive”; in other words, a loss can consist of (1) “any reasonable cost” to the victim, including “responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense,” or (2) the lost revenue and other damages resulting from an “interruption of service.” Yoder & Frey Auctioneers, Inc. v. EquipmentFacts, LLC, 774 F.3d 1065, 1073-74 (6th Cir. 2014). The losses alleged by Experian fall into the first category, which does not require an interruption of service. In paragraphs 68-69, 180-181, and 236-241 of the complaint, Experian alleges that it conducted a damage assessment of Lehman’s hard drive and other devices to attempt to recover data deleted from that drive and to discover the extent of the information that was accessed by Lehman or individuals working with Thorium. Experian also hired a third party to assist with this assessment. These allegations are sufficient to state a loss.

2. Access claims

(a) Lehman’s access during his employment

In one of its access claims, Experian alleges that, while he was still employed by Experian, Lehman accessed Experian’s information to further the work of Thorium, which was “unauthorized” in the sense that it was prohibited by Lehman’s employee agreements and Experian’s internal policies. Experian notes that Lehman was bound by an Experian Information Security User Acknowledgment and Agreement (“Security Agreement”), which provides that “use of all Experian computers, software, and devices shall be restricted to the conducting of Experian business.” (Security Agreement, Ex. 3 to Compl.) The Security Agreement also provides that Experian employees may only “[a]ccess information within the parameters provided.” (Id.)
The CFAA does not define the phrase “without authorization,” but the Sixth Circuit has interpreted it to mean “without sanction or permission.” Pulte Homes, Inc. v. Laborers’ Int’l Union of N. Am., 648 F.3d 295, 304 (6th Cir. 2011). In other words, “a person who uses a computer ‘without authorization’ has no rights, limited or otherwise, to access the computer in question.” Id. (quoting LVRC Holdings LLC v. Brekka, 581 F.3d 1127, 1133 (9th Cir. 2009)) (emphasis added). Thus, “when an employer authorizes an employee to use a company computer subject to certain limitations, the employee remains authorized to use the computer even if the employee violates those limitations.” LVRC Holdings, 581 F.3d at 1133.

Some courts have interpreted the phrase “without authorization” more broadly and hold that an employee’s access is unauthorized when the employee acts out of an interest that is adverse to the employer and thereby breaches a duty of loyalty to the employer. See, e.g., Int’l Airport Ctrs., LLC v. Citrin, 440 F.3d 418, 420-21 (7th Cir. 2006). Those courts reason that an employee who breaches a duty of loyalty is not authorized because he is no longer an agent of the employer. See id. Under this view, the employee’s motive or purpose for accessing a computer is relevant to determine whether the access was authorized.

In at least one other case, this Court has adopted the narrower interpretation. See Dana Ltd. v. Am. Axle & Mfg. Holdings, Inc., No. 1:10-CV-450, 2012 WL 2524008, at *3 (W.D. Mich. June 29, 2012). Under this interpretation, the employee’s motive and purpose for accessing the employer’s computer are not relevant, because the CFAA prohibits “improper ‘access’ [to] computer information, rather than misuse or misappropriation of such information.” Id. (citing LVRC Holdings, 581 F.3d at 1127). As the Court explained:
As the Court explained: The plain language of the CFAA concerns access to a computer rather than the motive for accessing the computer or the use of the information obtained. See [Black & Decker (US), Inc. v. Smith, 568 F. Supp. 2d 929, 934–35 (W.D. Tenn. 2008)]; see also LVRC Holdings, 581 F.3d at 1135 (“The plain language of the statute therefore indicates that ‘authorization’ depends on actions taken by the employer. Nothing in the CFAA suggests that a defendant’s liability for accessing a computer without authorization turns on whether the defendant breached a state law duty of loyalty to an employer.”). Moreover, because the CFAA is primarily a criminal statute, the rule of lenity requires any ambiguity to be resolved in favor of the party accused of violating the law. Black & Decker, 568 F. Supp. 2d at 935. Federal criminal liability should not be based on every violation of a private computer use policy. See [United States v. Nosal, 676 F.3d 854, 859 (9th Cir. 2012)] (noting that criminalizing any unauthorized use of information obtained from a computer would make criminals of large groups of people who would have little reason to suspect they are committing a federal crime). Finally, the legislative history “supports the conclusion that Congress did not intend the CFAA to extend to situations where the access was technically authorized but the particular use of the information was not.” [ReMedPar, Inc. v. AllParts Medical, LLC, 683 F. Supp. 2d 605, 613 (M.D. Tenn. 2010)] (citing Black & Decker, 568 F. Supp. 2d at 935–36). See also, Nosal, 676 F.3d at 858 n.5 (“[T]he legislative history of the CFAA discusses this anti-hacking purpose, and says nothing about exceeding authorized use of information . . . .”). 
These courts also noted that the broad interpretation “would require an analysis of an individual’s subjective intent in accessing a computer system, whereas the text of the CFAA calls for only an objective analysis of whether an individual had sufficient ‘authorization.’” [Ajuba Int’l, LLC v. Saharia, 871 F. Supp. 2d 671, 687 (E.D. Mich. 2012)] (quoting United States v. Aleynikov, 737 F. Supp. 2d 173, 193 (S.D.N.Y. 2010)). In addition, “an interpretation of the CFAA based upon agency principles would greatly expand the reach of the CFAA to any employee who accesses a company’s computer system in a manner that is adverse to her employer’s interests” and “would convert an ordinary violation of the duty of loyalty or of a confidentiality agreement into a federal offense.” Id. (quoting Aleynikov, 737 F. Supp. 2d at 193).

Dana, 2012 WL 2524008, at *4.

The Court affirms and follows the foregoing analysis in Dana for purposes of this case. Because Lehman was unquestionably authorized to access his work-issued computer while he was employed by Experian, it does not matter whether he used it for an improper purpose; he did not access it without authorization. This holds true even if Lehman’s employee agreement prohibited him from using the computer for non-business purposes.

That leaves the question of whether Experian has adequately alleged that Lehman “exceed[ed] authorized access” to his computer during his employment. See 18 U.S.C. § 1030(a)(2)(C). The CFAA defines “exceeds authorized access” as “access [to] a computer with authorization and . . . us[ing] such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” 18 U.S.C. § 1030(e)(6). Experian contends that Lehman’s access to Experian data for Thorium-related matters exceeded authorized access because it violated the Security Agreement.
As with the phrase “without authorization,” there is a split between courts which have adopted a “narrow” interpretation of “exceeds authorized access” (where the employee’s purpose for accessing the employer’s information is never relevant), and those which have adopted a broader interpretation (where the employee’s purpose for accessing information is relevant, especially where the employer’s policies prohibit access for certain purposes). The Fourth and Ninth Circuits have adopted the “narrow” approach. See WEC Carolina Energy Solutions LLC v. Miller, 687 F.3d 199, 206 (4th Cir. 2012); United States v. Nosal, 676 F.3d 854, 863 (9th Cir. 2012) (en banc). The First, Fifth, and Eleventh Circuits have adopted the “broad” approach. See EF Cultural Travel BV v. Explorica, Inc., 274 F.3d 577, 583 (1st Cir. 2001) (compiling information available on a public website and providing it to a competitor exceeds authorized access); United States v. John, 597 F.3d 263 (5th Cir. 2010) (accessing information on the employer’s computer for criminal purposes exceeds authorized access); United States v. Rodriguez, 628 F.3d 1258, 1260 (11th Cir. 2010) (accessing information for non-business reasons exceeds authorized access). The Sixth Circuit has not taken a position on this issue.

This Court finds the narrow approach to be more persuasive. Many of the same reasons that support a narrow reading of “without authorization” also support a narrow reading of “exceeds authorized access.” For instance, the plain language of the statute focuses solely on the individual’s authorization to obtain or alter information; liability does not hinge on the individual’s purpose for obtaining access or use for the information obtained. The statute does not prohibit conduct that “exceeds the purposes” for which access is granted. See Aleynikov, 737 F. Supp. 2d at 193.
Moreover, the individual’s use of the information after it is obtained “is utterly distinct from whether the access was authorized in the first place.” Id. at 192.

The definition of exceeds authorized access uses different language for authorization than the phrase “without authorization,” but the difference is not significant; the terms are synonymous. Nosal, 676 F.3d at 857. To say that a person is “not entitled” to obtain something is equivalent to saying that he lacks authorization to do so. The relevant distinction between the two types of unauthorized access is that one refers to unauthorized access to a computer, whereas the other refers to unauthorized access to particular files or information on a computer when access to the computer itself is permitted. See id. at 858.

The narrow interpretation is also supported by the purposes of the statute and the rule of lenity. See Nosal, 676 F.3d at 858 (noting that Congress enacted the CFAA to prevent hackers from “intentionally trespassing onto someone else’s computer files”) (quoting S. Rep. No. 99–432, at 9 (1986) (Conf. Rep.)); see also WEC Carolina Energy Solutions, 687 F.3d at 205-06 (applying the rule of lenity); Shamrock Foods Co. v. Gast, 535 F. Supp. 2d 962, 965-67 (D. Ariz. 2008) (same).

The Court’s interpretation is fatal to Experian’s claim regarding Lehman’s access during his employment. To determine whether a person has exceeded authorized access, the Court examines whether that person had “any right” to obtain or alter the particular files or information at issue. Experian’s assertion that Lehman was not authorized to obtain information on his computer for conducting non-Experian business implies that he was authorized to obtain it for Experian-related purposes. If so, then he did not exceed authorized access under the CFAA.
Experian cites a recent case from the Eastern District of Michigan in which the court held that the employer’s policies were relevant to determining whether an employee had exceeded authorized access to company files. Am. Furukawa, Inc. v. Hossain, __ F. Supp. 3d __, No. 14–cv–13633, 2015 WL 2124794, at *15 (E.D. Mich. May 6, 2015). That case is distinguishable from this one, however. The defendant in that case allegedly violated his employer’s policies by downloading files to an external hard drive without permission, even though he was authorized to access those files. Id. at *10. The court concluded that these facts stated a CFAA claim because “someone exceeds authorized access by obtaining information in a prohibited manner, even if the accesser might be entitled to obtain the same information under other circumstances.” Id. at *14. Unlike that case, Experian has not alleged that Lehman obtained information in a prohibited manner. Instead, it alleges that he accessed and obtained information for an improper purpose, i.e., to benefit Thorium. The Court agrees with the courts of appeal in the Fourth and Ninth Circuits that accessing information for an improper purpose is not a violation of the CFAA.

Moreover, the analysis in American Furukawa is not persuasive as applied to this case. To reach its conclusion, the court noted the Sixth Circuit’s statement in Pulte Homes that, “Under [the] definition [in § 1030(e)(6)], ‘an individual who is authorized to use a computer for certain purposes but goes beyond those limitations . . . has “exceed[ed] authorized access.”’” Pulte Homes, 648 F.3d at 304 (quoting LVRC Holdings, 581 F.3d at 1133). This statement certainly suggests that using a computer for an improper purpose would exceed authorized access, but it is dictum.
The Sixth Circuit did not rely on this interpretation of “exceeds authorized access” to resolve that case; instead, it dismissed the CFAA claim because the plaintiff failed to allege access “without authorization.” Id. Indeed, the court’s entire discussion of “exceeds authorized access” consists of only this one statement, which was offered solely for the purpose of contrasting the court’s definition of access without authorization. See id.

Reliance on this statement in Pulte Homes is also problematic because it lacks context. The statement originates from the Ninth Circuit’s opinion in LVRC Holdings, which provides a more developed interpretation of exceeds authorized access later in that opinion. According to the Ninth Circuit, “a person who exceeds authorized access . . . has permission to access the computer, but accesses information on the computer that the person is not entitled to access.” LVRC Holdings, 581 F.3d at 1133 (citation and quotation marks omitted). This is consistent with what the Court stated above. Thus, the Court does not read the Sixth Circuit’s statement in Pulte Homes as providing a binding or definitive interpretation of “exceeds authorized access.”

Next, the court in American Furukawa observed that, in Pulte Homes, “[t]he Sixth Circuit never indicated that limitations on employee access and use of employer computers were foreclosed by the CFAA.” 2015 WL 2124794, at *3. This is true, but it does not resolve the question of how to interpret and apply the statute. The court then characterized Dana, Nosal, and like-minded cases as holding “that there can be no liability for an individual who violates a computer use policy.” Id. This is an overstatement. Dana and Nosal hold that access for an improper purpose or use is not a violation of the CFAA, even if such purposes or uses are prohibited by a computer use policy (assuming that access for other purposes or uses is permitted).
They do not foreclose the possibility that other kinds of restrictions in a computer use policy might be relevant. For instance, a policy might identify specific information or files that an employee is never authorized to access. Or, a policy could state that all authorization to access the company’s computers ceases in certain circumstances, such as a leave of absence or the termination of employment. A violation of either of these policies would arguably be a violation of the CFAA. Such policies are not at issue in this case, however.

In short, the Court is not persuaded by the analysis in American Furukawa. Lehman’s access to his work-issued computer during his employment does not state a claim.

(b) Lehman’s access to his devices post-employment.

Experian also claims that Lehman is liable under the CFAA for accessing his work-issued computer and hard drive after his employment ended. Lehman’s employee agreement required him to return his laptop upon termination of his employment, but he did not do so. This claim fails because, as Defendants indicate, Experian does not allege that Lehman “obtained” any information or anything of value. See 18 U.S.C. §§ 1030(a)(2)(C), 1030(a)(4).

Experian contends that it is reasonable to infer that Lehman accessed his hard drive because he deleted the data on his hard drive before sending it to Experian. Under the CFAA, however, unauthorized access to a computer is not sufficient to state a claim. Experian must also allege that Lehman obtained information or something of value. See id. The closest that Experian comes to making any allegation that Lehman obtained information on his computer is its assertion that, “[o]n information and belief,” “Lehman copied the contents of the hard drive to another device before wiping the hard drive and returning it to Experian.” (Compl. ¶ 179, ECF No. 1.) There are no allegations to support this assertion.
Indeed, Experian concedes that it “does not know what Lehman did with information stored or contained on [his] computer” during the period of time that he retained it following his termination from the company. (Pl.’s Resp. to Mot. to Dismiss 8, ECF No. 23.) “The mere fact that [a party] believes something to be true does not create a plausible inference that it is true.” In re Darvocet, Darvon, & Propoxyphene Prods. Liability Litig., 756 F.3d 917, 931 (6th Cir. 2014); see also 16630 Southfield Ltd. Partnership v. Flagstar Bank, FSB, 727 F.3d 502, 506 (6th Cir. 2013) (rejecting allegations based solely on “information and belief”). Therefore, insofar as Experian’s CFAA claim rests on Lehman’s access to his computer after his employment ended, its allegations are not sufficient to state a plausible claim.

(c) Instructing Experian employees to obtain information

Experian also contends that Defendants violated the CFAA when Lehman, acting on behalf of Thorium, instructed Experian employees Watkins and Behrozi to access Experian’s confidential information on Experian’s computers. Experian contends that these circumstances are “analogous to a traditional ‘hacker’ CFAA case,” because Lehman was using Experian employees “as his tool, like a hacker or trespasser, to breach into [Experian’s] networks to gain unauthorized access[.]” (Pl.’s Resp. to Mot. to Dismiss 9, ECF No. 23.)

The CFAA permits a civil action against “the violator.” 18 U.S.C. § 1030(g). One of the necessary elements of an “access” violation is access to a computer. When instructing Experian’s employees to obtain information, Defendants did not access Experian’s computers; rather, Experian’s own employees accessed the computers (presumably, with authorization from Experian). Experian offers no legal authority for the proposition that an entity or individual can violate the CFAA by obtaining information from a person who has authorization to access a protected computer. See Dresser-Rand Co. v. Jones, 957 F. Supp. 2d 610, 615 (M.D. Pa. 2013) (finding “no legal basis in the CFAA or otherwise to justify imputing liability from the individuals who access a computer without authorization to others who may eventually benefit from their actions”); accord Koninklijke Philips NV v. Elec-Tech Int’l Co., No. 14-cv-02737-BLF, 2015 WL 1289984, at *4 (N.D. Cal. Mar. 20, 2015) (holding that “CFAA violations require a person to engage in the hacking, not merely benefit from its results”). Experian cites American Family Mutual Insurance Co. v. Rickman, 554 F. Supp. 2d 766 (N.D. Ohio 2008), but that case provides no support for its position. See id. at 772-73 (dismissing the CFAA claim for failure to allege a loss covered by the statute).

(d) Copying/retention of information by Watkins, Behrozi & Vladimirov

Experian also contends that Defendants are liable because Watkins copied Experian’s source code to Thorium’s Google drive, and Behrozi and Vladimirov stored source code and confidential information on their computers for the benefit of Defendants. This claim fails for similar reasons as the claim above. Defendants are not liable merely because they benefitted from the actions of others. Absent allegations that Defendants accessed Experian’s computers without authorization, or exceeded their authorized access, Plaintiff does not state an access claim against them under the CFAA.

For the foregoing reasons, therefore, Plaintiff’s complaint fails to state an “access” claim under the CFAA.

2. Transmission claim

Experian also claims that Lehman violated 18 U.S.C. § 1030(a)(5)(A) when he deleted all the information on his company-issued hard drive after he left the company. To state a transmission claim, Experian must allege that Defendant “knowingly cause[d] the transmission of a program, information, code, or command, and as a result of such conduct, intentionally cause[d] damage without authorization, to a protected computer.” Id.
Defendants contend that Plaintiff has not sufficiently alleged damage. Under the CFAA, “any impairment to the integrity or availability of data, a program, a system, or information” qualifies as “damage.” Id. § 1030(e)(8). Defendants assert that Experian has not alleged that Lehman’s conduct deprived it of the use of any of its information. To the contrary, the complaint specifically alleges that Lehman “permanently deleted” files and other data on his hard drive, and when Experian’s consultant attempted to recover data from those files, it discovered that Lehman had caused “impairment to the integrity or availability of data in the files.” (Compl. ¶¶ 236, 240.)

Defendants assert that Experian cannot claim damages because the files on Lehman’s computer were available to it through other means. Some courts, including this one, have held that “deletion of files alone does not constitute damage if the deleted data is still available to the plaintiff through other means.” Dana, 2012 WL 2524008, at *5 (citing Cheney v. IPD Analytics, LLC, No. 08–23188–CIV, 2009 WL 3806171, at *6 (S.D. Fla. Aug. 20, 2009)). In support of its assertion, Defendants cite several paragraphs of the complaint that are irrelevant because they do not necessarily refer to the data on Lehman’s hard drive. (See Compl. ¶¶ 129, 232.) Defendants also cite an exhibit to the complaint, in which Lehman asserts in an email to Experian’s counsel that Experian did not lose any data because Experian created a “clone” of his laptop before he left the company. (See Ex. 54 to Compl.) Although the Court is permitted to consider exhibits attached to the complaint in a motion to dismiss, see Bassett v. Nat’l Collegiate Athletic Assoc., 528 F.3d 426, 430 (6th Cir. 2008), Lehman’s self-serving statement in an email to Plaintiff does not establish that the information on his hard drive was otherwise available to Experian.
Consequently, at this stage of the proceedings, the Court finds that Experian’s allegations suffice to state a transmission claim.

C. Count II: Misappropriation of Trade Secrets

Defendants contend that Experian fails to state a misappropriation claim. The Court addressed the substance of Defendants’ objections in its June 18, 2015 opinion regarding the preliminary injunction. In short, Experian’s allegations suffice to state a claim.

D. Counts III-XI: Breach of Contract

In connection with his employment, Lehman entered into an Employee Agreement Regarding Confidential Information, Intellectual Property, Non-Competition and Non-Solicitation (“Employee Agreement”) (Ex. 1 to Compl.). In April 2014, after Experian notified Lehman that he would be terminated, they entered into a Settlement and General Release (“Settlement Agreement”) (Ex. 4 to Compl.). In Counts III-VI of the complaint, Experian alleges that Lehman breached the confidentiality, non-solicitation, non-competition, and return-of-property provisions of the Employee Agreement both during and following his employment with Experian. In Counts VII-X of the complaint, Experian alleges that Lehman breached the confidentiality, non-solicitation, non-competition, and return-of-property provisions of the Settlement Agreement. In Count XI, Experian alleges that Lehman breached a provision in the Settlement Agreement requiring him not to act in a manner detrimental to the business or reputation of Experian.

Defendants assert that the breach-of-contract claims should be dismissed for several reasons: (1) Experian has not alleged damages; (2) the restrictive covenants are not enforceable; and (3) all claims arising under the Employee Agreement should be dismissed because that agreement was superseded by the Settlement Agreement. The first two reasons were rejected by the Court in its June 18, 2015 opinion regarding the preliminary injunction.
As for the third reason, Defendants note that the Employee Agreement has been merged into, and superseded by, the Settlement Agreement, which contains the following provision:

This Agreement constitutes a single, integrated, written contract expressing the entire understanding between the parties with respect to the subject matter hereto. No covenants, agreements, representations or warranties of any kind whatsoever, whether oral, written or implied, have been made by any party hereto, except as specifically set forth in this Agreement or as expressly incorporated into this Agreement. All prior discussions, agreements, understandings and negotiations have been and are merged and integrated into, and are superseded by, this Agreement.

(Settlement Agreement ¶ 20.) Read in isolation, this provision would appear to render the Employee Agreement obsolete. But the Settlement Agreement also states the following:

Lehman acknowledges and fully understands that he is obligated to comply with the terms of the restrictive covenants in the Employee Agreement Regarding Confidential Information, Intellectual Property, Non-Competition and Non-Solicitation, which he signed on July 11, 2011, at the commencement of his employment with Experian. A copy of the Employee Agreement is attached hereto and is incorporated into this Settlement Agreement and General Release as if specifically set forth herein.

(Settlement Agreement ¶ 3 (emphasis added).) According to this provision, the Employee Agreement did not disappear entirely. Rather, its terms were incorporated into the Settlement Agreement. Experian asserts that the Settlement Agreement “reaffirms” the Employee Agreement, but that is not quite accurate. Read together with the merger clause, paragraph 3 of the Settlement Agreement means that there is one “single, integrated, written contract” between the parties which contains the terms of the Settlement Agreement as well as the terms in the Employee Agreement.
Thus, the Employee Agreement ceased to exist as a standalone agreement, but its terms have continued on as part of the Settlement Agreement.

Defendants assert that Plaintiff’s contractual claims, if any, are now limited to claims under the Settlement Agreement. That may be true, but it does not mean that the claims arising under the Employee Agreement (Counts III-VI) should be dismissed for failure to state a claim. The covenants on which those counts are based remain in force as part of the Settlement Agreement. Thus, the Court rejects Defendants’ argument that they should be dismissed due to the merger clause.

Defendants’ argument implies that the claims arising under the Employee Agreement (Counts III-VI) should be dismissed because they are duplicative of similar claims arising under the Settlement Agreement (Counts VII-X). Indeed, there is a significant overlap between these two groups of claims. For instance, Count IV asserts that Lehman breached the non-solicitation clause in the Employee Agreement. Similarly, Count VIII asserts that Lehman breached the non-solicitation covenant in the Settlement Agreement, as incorporated from the Employee Agreement. Thus, Count VIII arguably covers any claim that could be asserted under Count IV. On the other hand, it may be the case that Count IV applies to conduct occurring before the effective date of the Settlement Agreement. The parties do not expressly address this issue in their briefs, however. Thus, the Court will not address it in this Opinion.

In short, at this stage of the proceedings, the Court finds that the breach-of-contract claims are not subject to dismissal for failure to state a claim.

E. Count XII: Breach of Fiduciary Duty

Count XII of the complaint asserts that Lehman breached his fiduciary duties toward Experian during his employment. See In re Hanson, 225 B.R. 366, 375 (Bankr. W.D. Mich.
1998) (applying Michigan law and holding that “[t]he common law imposes a duty of loyalty on employees, forbidding them from taking action contrary to the interests of their employers”); Restatement (Second) of Agency § 387 (1958) (stating that “[u]nless otherwise agreed, an agent is subject to a duty to his principal to act solely for the benefit of the principal in all matters connected with his agency”).

Defendants assert that this claim is preempted by MUTSA to the extent that it relies upon Lehman’s alleged misappropriation of trade secrets. See Mich. Comp. Laws § 445.1908(1) (“[T]his act displaces conflicting tort, restitutionary, and other law of this state providing civil remedies for misappropriation of a trade secret.”). Nevertheless, Experian contends that Lehman breached a duty of loyalty when he engaged in other conduct that is not related to Experian’s confidential information or trade secrets. According to Experian, Lehman competed with Experian and/or acted contrary to Experian’s interests during his employment by: incorporating Thorium; creating a website for Thorium; holding meetings with other Experian employees about work for Thorium; soliciting Experian employees to work for Thorium; attending a conference in Las Vegas for the sole purpose of promoting Thorium; and advising Experian employees to submit expense reports to Experian for attending the conference. Claims based on these activities are not preempted by MUTSA.

Defendants also contend that Plaintiff has not properly alleged damages to state a claim for breach of a fiduciary duty. Experian does not allege that it lost any revenue, customers, or employees as a direct result of Lehman’s conduct.
However, Experian asserts that, at a minimum, its damages include the loss of time that Lehman and other Experian employees spent working for the benefit of Thorium, including attending Thorium meetings and the conference in Las Vegas during work hours, as well as the travel and lodging expenses that Experian paid to its employees to attend the conference. Although the Court questions whether Lehman can be liable for breach of a fiduciary duty based on the conduct of other Experian employees, the Court is satisfied that the allegations concerning Lehman’s own conduct suffice to state a claim. Thus, Plaintiff’s motion to dismiss Count XII will be denied.

F. Count XIII: Tortious Interference with Contract

In Count XIII, Experian contends that Defendants tortiously interfered with its employee contracts. The elements of such a claim are: “(1) the existence of a contract, (2) a breach of the contract, and (3) an unjustified instigation of the breach by the defendant.” Health Call of Detroit v. Atrium Home & Health Care Servs., Inc., 706 N.W.2d 843, 849 (Mich. Ct. App. 2005). Experian alleges that it had “business relationships with its employees” and an “expectation” that these relationships would continue and would not be “unjustifiably” disrupted. (Compl. ¶ 341, ECF No. 1.) Experian employees Ghahary, Vladimirov and Frisch allegedly signed agreements with Experian “to protect and to maintain as confidential [Experian’s] confidential and proprietary information and trade secrets.” (Compl. ¶ 342.) Experian contends that Lehman was aware of these contracts and business relationships and that Defendants “interfered” with them. (Id. at ¶ 344.) Experian also alleges that it has been “injured” by Defendants’ actions. (Id. at ¶ 346.)

Defendants assert that the foregoing allegations do not state a claim because they do not identify a breach of a contract, let alone a breach caused by Defendants.
In response, Experian contends that Defendants interfered with a “business relationship or expectancy,” which is a claim distinct from tortious interference with contract. Health Call of Detroit, 706 N.W.2d at 848. The elements of tortious interference with a business relationship or expectancy are (1) the existence of a valid business relationship or expectancy that is not necessarily predicated on an enforceable contract, (2) knowledge of the relationship or expectancy on the part of the defendant interferer, (3) an intentional interference by the defendant inducing or causing a breach or termination of the relationship or expectancy, and (4) resulting damage to the party whose relationship or expectancy was disrupted. Id. at 849.

Here, as in Health Call of Detroit, Plaintiff’s claim is titled a claim for interference with contract, but its allegations blend this type of claim with a claim for interference with a business relationship. See id. Indeed, in one instance, Experian mixes both theories in the same sentence, alleging that Defendants interfered with Experian’s “employee agreements,” even though it was aware of Experian’s “relationships and expectancies” with respect to Experian’s employees. (Compl. ¶ 344.)

Blending two different theories is not cause for dismissal in itself, but it points to a larger problem with the allegations in Count XIII, which is that the factual basis for this claim is entirely unclear. Is it based on Experian’s employee contracts, its employee relationships, or both? Which contracts or relationships are at issue? Moreover, in what manner did Defendants interfere with these contracts or relationships and what injury did Plaintiff suffer? The Court cannot readily answer these questions by reading the complaint. Experian apparently expects Defendants to root through the lengthy allegations of the complaint and try to guess the basis for each element of its claim.
Experian’s contention that its employees signed agreements to maintain the confidentiality of its information arguably suggests that its claim is based on the fact that Experian employees disclosed confidential information. As the Court indicated in its June 18, 2015 opinion, however, it is not clear how Defendants instigated such conduct. Moreover, Defendants contend that such a claim would be preempted by MUTSA. Experian completely ignores this argument in its response to the motion to dismiss.

Instead, Experian contends that its claim is premised upon something else: competitive activity by Experian employees who performed work for Thorium. Experian asserts that Thorium was competitive with Experian, and that by working for Thorium, Experian employees like Ghahary were violating a clause in their employee agreements which required them not to “engage in, solicit or perform any work competitive with any Experian line of business . . . .” (Pl.’s Resp. in Opp’n to Mot. to Dismiss 19, ECF No. 23 (quoting Employee Agreement ¶ 11(c), Ex. 6 to Compl., ECF No. 1-6).)

The foregoing argument does not save Plaintiff’s claim, however. Section 11(c) of the employee agreement prohibits Experian employees from performing competitive work. It does not prohibit them from working for an entity that might be engaged in competitive activity. Moreover, Experian does not indicate what work by Ghahary is alleged to be competitive, or how this conduct caused injury. Corresponding with other employees and attending meetings related to Thorium is not work that is competitive with an Experian line of business.

Thus, the Court agrees with Defendants that the vague and skeletal allegations in Count XIII asserting “interference” with Experian’s employee contracts or relationships and “injury” fail to satisfy the basic pleading standards for stating a tortious-interference claim.
The Court cannot discern which of Plaintiff’s many allegations its claim is based upon and, thus, the complaint does not provide “fair notice” to Defendant. See Twombly, 550 U.S. at 555. Consequently, Count XIII will be dismissed without prejudice to the filing of an amended complaint.

III.

In summary, Defendants’ motion to dismiss will be granted in part and denied in part. Count I of the complaint will be dismissed for failure to state a claim to the extent that it is based upon improper access to Experian’s computers, or exceeding authorized access to those computers. In addition, Count XIII will be dismissed for failure to state a claim. In all other respects, the motion will be denied. Plaintiff may file an amended complaint within 30 days of this Opinion to address the deficiencies in its allegations.

An order will be entered that is consistent with this Opinion.

Dated: September 29, 2015

/s/ Robert Holmes Bell
ROBERT HOLMES BELL
UNITED STATES DISTRICT JUDGE
