TACTICAL PERSONNEL LEASING, INC. v. HAJDUK
Filing
33
MEMORANDUM ORDER. Defendant's Motion to Dismiss (Doc. 19 ) is GRANTED. Plaintiff's Motion to Strike (Doc. 28 ) is DENIED as moot. Count I of the Amended Complaint, asserting a federal cause of action under the Computer Fraud and Abuse Act is hereby DISMISSED with prejudice. Counts II through V of the Amended Complaint, asserting state law causes of action, are hereby DISMISSED without prejudice to Plaintiff reasserting these claims in state court. Judgment Order to follow. See contents of this filing. Signed by Judge Cathy Bissoon on 10/2/18. (rdl)
IN THE UNITED STATES DISTRICT COURT
FOR THE WESTERN DISTRICT OF PENNSYLVANIA
TACTICAL PERSONNEL LEASING,
INC., a Pennsylvania corporation, d/b/a
CADUCEUS-LEX MEDICAL
AUDITING, INC.,
Plaintiff,
v.
MARY L. HAJDUK,
Defendant.
)
)
)
)
)
)
)
)
)
)
)
)
Civil Action No. 18-203
Judge Cathy Bissoon
MEMORANDUM ORDER
Pending before the Court are two motions: Defendant’s Motion to Dismiss (Doc. 19)
Plaintiff’s Amended Complaint in its entirety (Doc. 14), and Plaintiff’s Motion to Strike (Doc.
28) Exhibit 1 to Defendant’s Memorandum (Doc. 26-1). For the reasons that follow,
Defendant’s Motion to Dismiss will be GRANTED and Plaintiff’s Motion to Strike will be
DENIED AS MOOT.
BACKGROUND
Plaintiff Tactical Personnel Leasing, Inc., a Pennsylvania corporation transacting
business as Caduceus-Lex Medical Auditing, Inc., (“TPL”) brings this suit alleging that
Defendant Mary Hajduk (“Mrs. Hajduk”) violated the Computer Fraud and Abuse Act
(“CFAA”) and state common law when she embezzled money from TPL, her husband’s
corporation. (Am. Compl. ¶¶ 1, 9, 20, Doc. 14.)
According to the Amended Complaint, J. Lawrence Hajduk (“Mr. Hajduk”) is the
president and sole shareholder of TPL. (Id. at ¶ 8.) In 2000, Mr. Hajduk suffered a heart attack
and stroke, which prevented him from continuing his involvement in the management and
oversight of TPL. (Id. at ¶¶ 12, 14.) As a consequence of Mr. Hajduk’s disability, Mrs. Hajduk
began operating TPL “as its agent and legal counsel.” (Id. at ¶ 15.) Mrs. Hajduk also agreed to
perform legal services in exchange for hourly compensation. (Id. at ¶ 16.)
Mrs. Hajduk, aware of her husband’s inability to manage TPL, allegedly embezzled
funds from TPL. (Id. at ¶ 20.) Specifically, Mrs. Hajduk caused checks to be issued by TPL
directly to her—depositing such checks into a checking account solely within her control—or to
a corporation owned solely by her, caused payments to be made by TPL to her personal credit
card accounts, and directed checks issued by the Pennsylvania Bureau of Worker’s
Compensation to TPL to be mailed directly to Mrs. Hajduk’s law offices instead of TPL’s
offices. (Id. at ¶¶ 17, 21, 22, 24.) TPL maintained a checking account at several banks, but Mrs.
Hajduk never had signature authority on any TPL account. (Id. at ¶¶ 17–19.) These various
activities occurred between January 2008 and February 23, 2016. (Id. at ¶¶ 16, 21, 23.)
TPL first learned about the improper use of its funds in the months following February
18, 2016. (Id. at ¶ 48.) TPL filed its initial Complaint on February 14, 2018 (Doc. 1), and its
Amended Complaint on April 18, 2018. (Doc. 14.)
Count I of the Amended Complaint alleges a violation of the CFAA, 18 U.S.C.
§ 1030(a)(4), giving rise to a private right of action under 18 U.S.C. § 1030(g). TPL pleads
“[t]hat upon assuming responsibility for the operation of [TPL’s] business, [Mrs. Hajduk] owned
and employed computers to transact business on [TPL’s] behalf.” (Id. at ¶ 39.) Mrs. Hajduk
used installed software applications on computers owned by either herself or TPL to “access the
Internet in furtherance of [TPL’s] business,” including e-mail applications and applications that
enabled Mrs. Hajduk to access TPL’s checking accounts and cause payments to be made to her
2
own personal accounts. (Id. at ¶¶ 39–40.) Mrs. Hajduk also used computers “to access [TPL’s]
checking account on computers owned and operated by the First National Bank of
Pennsylvania.” (Id. at ¶ 41.) “[S]aid transactions were made without Plaintiff’s authorization.”
(Id. at ¶ 43.) As a result of these activities, TPL conducted investigations and assessments to
determine the extent of Mrs. Hajduk’s misappropriations, causing a loss in excess of $5,000 a
year to TPL. (Id. at ¶ 46.) TPL also discovered that Mrs. Hajduk opened a Chase Ink credit card
in TPL’s name, the establishment and use of which involved access to a protected computer
without authorization, and incurred charges unrelated to TPL’s operation in excess of $10,000.
(Id. at ¶ 49.) The remaining claims in the Amended Complaint arise under state law: fraud
(Count II), conversion (Count III), breach of fiduciary duty (Count IV), and breach of contract
(Count V).
Mrs. Hajduk filed the pending Motion to Dismiss (Doc. 19) and a memorandum in
support thereof (Doc. 20). TPL filed a Motion to Strike Exhibit 1 to Mrs. Hajduk’s
memorandum in support of her Motion to Dismiss (Doc. 28) and a memorandum in opposition to
the Motion to Dismiss (Doc. 30). TPL filed a response in opposition to the Motion to Strike
(Doc. 32).
3
ANALYSIS 1
Mrs. Hajduk’s Motion to Dismiss asserts that the Amended Complaint fails to state a
CFAA claim under Federal Rule of Civil Procedure 12(b)(6) because Mrs. Hajduk was
authorized to access the computers that she allegedly accessed, and, regardless, the claim is
barred by a two-year statute of limitations. (Mot. to Dismiss, at 2.) This Court’s subject-matter
jurisdiction arises by virtue of the federal question in the Amended Complaint pursuant to 28
U.S.C. § 1331, so if the CFAA claim (the only claim arising under federal law) fails, this Court
may decline to exercise supplemental subject-matter jurisdiction over the remaining state law
claims. In addition, Plaintiff filed a Motion to Strike the exhibit attached to Defendant’s brief
supporting its Motion to Dismiss on the basis that the exhibit is neither referenced in the
Amended Complaint nor essential to the claims asserted by TPL. (Mot. to Strike, at 1–2.)
I.
Defendant’s Motion to Dismiss
A. Failure to State a Plausible Claim under the CFAA
Section (a)(4) of the CFAA creates a private cause of action against one who “knowingly
and with intent to defraud, accesses a protected computer without authorization, or exceeds
authorized access, and by means of such conduct furthers the intended fraud and obtains
anything of value . . . .” 18 U.S.C. § 1030(a)(4), (g). The first issue presented here is whether
1
In deciding whether to grant a motion to dismiss under Federal Rule of Civil Procedure
12(b)(6), the court must take as true all of the well-pleaded facts in the complaint, Fowler v.
UPMC Shadyside, 578 F.3d 201, 211 (3d Cir. 2009), and determine whether these facts raise a
reasonable expectation that discovery will reveal the evidence necessary to prove each element
of plaintiff’s claims, Thompson v. Real Estate Mortgage Network, 748 F.3d 142, 147 (3d Cir.
2014). Although the Amended Complaint alleges fraud, including computer fraud under the
CFAA, the parties do not address the applicability of Federal Rule of Civil Procedure 9(b). As
the Court ultimately concludes that the Amended Complaint fails under the general, and more
lenient, pleading standards of Federal Rule of Civil Procedure 8(a)(2), the Court need not address
the applicability of Rule 9(b).
4
the Amended Complaint plausibly alleges that Mrs. Hajduk accessed a computer without
authorization or exceeded her authorized computer access. “An employee accesses a computer
‘without authorization’ when he [or she] ‘has no rights, limited or otherwise, to access the
computer in question.’” Synthes, Inc. v. Emerge Med., Inc., No. 11-cv-1566, 2012 U.S. Dist.
LEXIS 134886, at *52 (E.D. Pa. Sep. 19, 2012) (quoting Grant Mfg. & Alloying, Inc. v.
McIlvain, No. 10-cv-1029, 2011 WL 4467767, at *7 (E.D. Pa. Sept. 23, 2011)). Whether a
defendant “exceed[s] authorized access depends on the computer access restrictions imposed by
his employer.” Grant Mfg., 2011 WL 4467767, at *7.
As this Court explained in USG Insurance Services, Inc. v. Bacon, courts within this
circuit unremittingly adhere to the principle that “liability under Section (a)(4) of the CFAA does
not lie where” someone within a company had permission to view certain information in the
company’s computer system even if she used that information against the interests of the
company. No. 16-cv-1024, 2016 WL 6901332, at * 4 & *4 n.2 (W.D. Pa. Nov. 22, 2016)
(collecting cases). In other words, what one intends to do with information taken from a
computer is irrelevant if the individual was given computer access to that information. See
QVC, Inc. v. Resultly, LLC, 159 F. Supp. 3d 576, 595 (E.D. Pa. 2016) (“[T]hose who have
permission to access a computer for any purpose, such as employees, cannot act ‘without
authorization’ unless and until their authorization to access the computer is specifically rescinded
or revoked.”); Advanced Fluid Sys. v. Huber, 28 F. Supp. 3d 306, 329 (M.D. Pa. 2014) (“To the
extent that Huber misappropriated information from AFS’s servers and computer system while
he was employed and had access thereto, AFS’s CFAA claim against Huber must be
dismissed.”); Dresser-Rand Co. v. Jones, 957 F. Supp. 2d 610, 619 (E.D. Pa. 2013) (discussing
5
circuit split between meaning of “without authorization” and concluding that the CFAA
“narrowly governs access, not use”).
In order to survive under Rule 12(b)(6), TPL must plausibly show that Mrs. Hajduk
accessed or altered information on TPL’s computers which she was not allowed to access or alter
at the time. Bacon, 2016 WL 6901332, at *5.
It is clear that the Amended Complaint takes issue with Mrs. Hajduk’s “use” of TPL’s
checking account and the nature of the financial transactions that she initiated. However, TPL
simply fails to allege that Mrs. Hajduk did not have authorized computer access to TPL’s
banking or financial records or that she was not authorized or had exceeded the scope of her
authorized access to conduct these financial transactions on computers. There are no pleaded
allegations that show that Mrs. Hajduk lacked authorized computer access or that delineate Mrs.
Hajduk’s authorized computer access. In fact, in the “General Averments” section of the
Amended Complaint, of all the pleaded activities, only one activity is alleged to even involve
“the use of computers,” and this statement fails to include any factual allegations indicating
whether that use was without or exceeded authorization. (Am. Compl. ¶ 21.)
Contrary to TPL’s argument, the fact that Mrs. Hajduk did not have “signature authority”
on TPL’s financial accounts cannot overcome the lack of factual allegations addressing the scope
of Mrs. Hajduk’s authorized computer access. (See Pl.’s Br. in Opp’n, at 6.) This is because the
other pleaded allegations in the Amended Complaint, that she acted as TPL’s agent and was
responsible for TPL’s business operations, contradict any implication that Mrs. Hajduk had no
computer access or limited authorized access. Without more, the Court is left with internally
inconsistent statements that fail to provide any insight into the nature of Mrs. Hajduk’s computer
access at TPL.
6
Although the Amended Complaint pleads that Mrs. Hajduk did not have “authorization”
for “said transactions”—referring to payments from TPL accounts to her credit card—(Am.
Compl. ¶ 43), TPL fails to specify whether the reference to authorization goes to her ability to
access such information on protected computers or to her ability to transfer funds to herself (as
opposed to other recipients). The Court reads this statement as averring only that TPL did not
authorize Mrs. Hajduk to move money from TPL to her private accounts. Such a claim goes to
the “use” of computer information and not her “access” to computer information. In re: Maxim
Integrated Prod., Inc., No. 12-244, 2013 WL 12141373, at *9 (W.D. Pa. Mar. 19, 2013); see
Eagle v. Morgan, No. 11-cv-4303, 2011 U.S. Dist. LEXIS 147247, at *22 (E.D. Pa. Dec. 22,
2011) (“The allegation that she used the information in an improper way or otherwise caused
damage or loss does not make her ‘access’ improper.”). It is simply not clear from the face of
the Amended Complaint if TPL is challenging her fiduciary duties to TPL or her computer
access.
Count I of the Amended Complaint repeats the only pleaded computer-related incident—
payments to Mrs. Hajduk’s personal credit card from TPL’s checking accounts from January
2008 to January 2009, (id. at ¶ 40)—but also adds allegations that the Chase Ink credit card was
established and used via access to “a protected computer or computers without authorization,
and/or exceeded the scope of such authorized access,” (id. at ¶ 49–50). This is a classic “legal
conclusion couched as a factual allegation” as it merely regurgitates the statutory language in
Section 1030(a)(4). Morrow v. Balaski, 719 F.3d 160, 165 (3d Cir. 2013) (quoting Baraka v.
McGreevey, 481 F.3d 187, 195 (3d Cir. 2007)). See also Eagle v. Morgan, 2011 U.S. Dist.
LEXIS 147247, at *21–22 (“Complaint fails to establish a factual basis for finding that her
access to the AT&T accounts was ‘without authorization.’. . . At most, the allegations set forth in
7
support of the CFAA claim establish nothing more than a state law cause of action for
misappropriation.”).
The Amended Complaint fails to allege facts regarding Mrs. Hajduk’s authorized (or
unauthorized) computer access, instead relying on broad statements related to her general
involvement in the company. The focus of a CFAA claim is on what the defendant was
authorized to access on a protected computer. TPL fails to allege that Mrs. Hajduk did not have
authorization to access TPL’s banking operations on a protected computer, and it fails to address
any boundaries of Mrs. Hajduk’s computer access from which the Court could infer the extent of
her authorized computer access. In the absence of factual allegations that Mrs. Hajduk somehow
violated access restrictions to achieve her alleged scheme, TPL has failed to plead a plausible
claim under § 1030(a)(4) of the CFAA. In re Maxim Integrated Prods., 2013 WL 12141373, at
*9. Cf. QVC, Inc., 159 F. Supp. 3d at 596 (E.D. Pa. 2016) (website’s terms of service prohibited
“web-crawling” so web-crawling exceeded authorized access); Fontina v. Corry, No. 10-cv1685, 2011 WL 4473285, at *5 (W.D. Pa. Aug. 30, 2011) (complaint alleged that defendant “did
not have authority to access” specific data yet accessed such data).
Because the Court concludes that TPL fails to sufficiently plead that Mrs. Hajduk
accessed a computer without authorization, or exceeded any authorized access, a necessary
element to a claim pursuant to § 1030(a)(4), the CFAA claim must be dismissed pursuant to
Ruler 12(b)(6).
B. CFAA Statute of Limitations
Mrs. Hajduk argues, in the alternative, that the CFAA claim is barred by the statute of
limitations. Whether the CFAA claim is so barred directs whether this claim will be dismissed
8
with or without prejudice. 2 Both parties point to Section 1030(g) as the applicable language for
the Court’s CFAA statute of limitation analysis. (Br. in Supp., at 8; Br. in Opp’n, at 9.) The
statute states: “No action may be brought under this subsection unless such action is begun
within 2 years of the date of the act complained of or the date of the discovery of the damage.”
18 U.S.C. § 1030(g). TPL does not dispute that the pleaded acts related to the CFAA claim
occurred more than two years ago. Instead, TPL argues that the traditional discovery rule or the
fraudulent concealment doctrine saves its claim. (Br. in Opp’n, at 10–14.)
The traditional “discovery rule” tolls “the start of the limitations period until ‘the date the
aggrieved party knew or should have known of the injury.’” Rotkiske v. Klemm, 890 F.3d 422,
425 (3d Cir. 2018) (quoting G.L. v. Ligonier Valley Sch. Dist. Auth., 802 F.3d 601, 613 (3d Cir.
2015) (emphasis added). But the CFAA provides a discovery rule that allows claims to accrue
on “the date of the discovery of the damage.” 18 U.S.C. § 1030(g) (emphasis added). The Court
agrees with the Northern District of Illinois that “the language of 18 U.S.C. § 1030 favors a strict
reading of the injury-discovery limitation that applies only to discovery of damage.” Kluber
Skahan & Assocs., Inc. v. Cordogen, Clark & Assoc., No. 08-cv-1529, 2009 WL 466812, at *7
(N.D. Ill. Feb. 25, 2009). The Court, therefore, rejects TPL’s argument that the traditional
discovery rule applies because, as TPL itself pointed out, the discovery rule applies to federal
statutes unless there is a contrary directive from Congress. (Br. in Opp’n, at 11 (quoting Stevens
v. Clash, 796 F.3d 281, 286–87 (3d Cir. 2015).)
The Court must now analyze whether the Amended Complaint sufficiently pleads timely
discovery of “damages.” “Damage” is defined under the statute as “any impairment to the
2
If the claim is clearly barred by the statute of limitations, any leave to amend the CFAA claim
to cure the deficiencies in the pleading is futile. If the claim is not barred, TPL will be granted
leave to amend.
9
integrity or availability of data, a program, a system, or information.” 18 U.S.C. § 1030(e)(8).
The Amended Complaint fails to plead any damages as defined by § 1030(d)(8) whatsoever.
Furthermore, TPL made no attempt in its Brief in Opposition to argue that it sufficiently pleaded
or could plead qualifying damages. (Doc. 30.)
To the extent that the Amended Complaint pleads losses (Am. Compl. ¶¶ 46, 47, 50),
“[t]he plain text of § 1030(g) reflects both that Congress understood ‘damage’ and ‘loss’ as
distinct harms and that it intended to apply the injury-discovery limitation to the former only.”
Kluber Skahan & Assocs., 2009 WL 466812, at *8. Compare 18 U.S.C. § 1030(e)(8) (defining
damage), with 18 U.S.C. § 1030(e)(11) (defining loss). 3
Given the absence of any pleaded damages, TPL cannot rely upon the CFAA’s discovery
rule. The CFAA claim is barred by the two-year statute of limitations. See Motorola, Inc. v.
Lemko Corp., No. 08-cv- 5427, 2010 U.S. Dist. LEXIS 35602, at *9 (N.D. Ill. Apr. 12, 2010)
(That “plaintiff can commence suit within two years after discovering ‘damage’ does not extend
to cases in which the plaintiff alleges only ‘loss’ within the meaning of the CFAA, not
‘damage.’”); State Analysis, Inc. v. Am. Fin. Servs. Assoc., 621 F. Supp. 2d 309, 316 (E.D. Va.
2009) (same).
TPL argues its CFAA claim is saved by the fraudulent concealment doctrine because the
Amended Complaint plausibly shows that Mrs. Hajduk took actions to conceal her misconduct
3
A “loss” is defined as “any reasonable cost to any victim, including the cost of responding to an
offense, conducting a damage assessment, and restoring the data, program, system, or
information to its condition prior to the offense, and any revenue lost, cost incurred, or other
consequential damages incurred because of interruption of service.” 18 U.S.C. § 1030(e)(11).
As one district court explained, “Beyond the difference in definition, the terms “damage” and
“loss” are conceptually distinct: whereas ‘damage’ contemplates harms to data and information,
‘loss’ refers to monetary harms.” Kluber Skahan & Assocs., Inc. v. Cordogen, Clark & Assoc.,
No. 08-cv-1529, 2009 WL 466812, at *7 (N.D. Ill. Feb. 25, 2009).
10
from TPL. (Br. in Opp’n, at 12–13.) “Fraudulent concealment is an ‘equitable doctrine [that] is
read into every federal statute of limitations.’” Davis v. Grusemeyer, 996 F.2d 617, 624 (3d Cir.
1993) (quoting Holmberg v. Armbrecht, 327 U.S. 392, 397 (1946)).
But, to benefit from the equitable tolling doctrine, plaintiffs have the burden of
proving three necessary elements: (1) that the defendant actively misled the
plaintiff; (2) which prevented the plaintiff from recognizing the validity of her
claim within the limitations period; and (3) where the plaintiff’s ignorance is not
attributable to her lack of reasonable due diligence in attempting to uncover the
relevant facts.
Cetel v. Kirwan Fin. Grp., Inc., 460 F.3d 494, 509 (3d Cir. 2006). TPL fails to address the
second and third element in either its Brief in Opposition or, more importantly, its Amended
Complaint. As a result, the fraudulent concealment doctrine, insufficiently pleaded in the
Amended Complaint, cannot save the CFAA claim from dismissal.
The CFAA claim will be dismissed with prejudice. TPL has already amended its
pleading once. (Docs. 1, 14.) TPL did not argue that it could amend its pleading to conform
with the plain reading of the CFAA with respect to “damages” or with respect to authorized
computer access. See United States ex rel. Wilkins v. United Health Grp., Inc., 659 F.3d 295,
314–15 (3d Cir. 2011), abrogated on other grounds by United States ex rel. Freedom Unlimited,
Inc. v. City of Pittsburgh, 728 F. App’x 101, 106 (3d Cir. 2018). Instead, TPL rested on an inapt
reading of the statute. In addition, despite invoking an equitable doctrine in a responsive brief,
TPL did not seek to amend its pleading to include the necessary elements of that doctrine. In
light of these critical omissions, the Court will deny leave to amend.
11
C. Supplemental Jurisdiction over Remaining State Law Claims
Because the federal claim on which federal jurisdiction rests, the claim brought under the
CFAA, will be dismissed, this Court declines to exercise supplemental jurisdiction pursuant to
28 U.S.C. § 1367(c)(3) over TPL’s remaining state law claims in Counts II through V. See
United Mine Workers of Am. v. Gibbs, 383 U.S. 715 (1966) (“Certainly, if the federal claims are
dismissed before trial, even though not insubstantial in a jurisdictional sense, the state claims
should be dismissed as well.”), superseded by statute, 28 U.S.C. § 1367(c)(3); see also Angeloni
v. Diocese of Scranton, 135 F. App’x 510, 514 (3d Cir. 2005). At the motion to dismiss phase,
this case is procedurally in the early stages. Here, “with the federal claim being dismissed,
considerations of judicial economy, convenience, fairness and comity, do not weigh in favor of
supplemental jurisdiction regarding the state law claims . . . .” McMahon v. Refresh Dental
Mgmt., LLC, No. 16-cv-170, 2016 U.S. Dist. LEXIS 171875, at *29 (W.D. Pa. Dec. 13, 2016)
(citing Silverstein v. Percudani, 207 F. App’x 238, 240 (3d Cir. 2006)). Thus, supplemental
jurisdiction over the remaining state law claims should be declined and the state law claims will
be dismissed without prejudice to their reassertion in state court. Id.
II.
Plaintiff’s Motion to Strike
In her Brief in Support of Defendant’s Motion to Dismiss the Amended Complaint (Doc.
26), Mrs. Hajduk attached an exhibit titled, “General Power of Attorney and Medical Power of
Attorney.” (Doc. 26-1.) Plaintiff filed the pending Motion to Strike (Doc. 28) requesting that
the Court strike the exhibit. In light of the Court granting Defendant’s Motion to Dismiss on
grounds completely unrelated to any matters surrounding power of attorney or the disputed
exhibit, the Court will deny Plaintiff’s Motion to Strike (Doc. 28) as moot.
* * *
12
For the reasons set forth above, Defendant’s Motion to Dismiss (Doc. 19) is GRANTED.
Plaintiff’s Motion to Strike (Doc. 28) is DENIED as moot.
Count I of the Amended Complaint, asserting a federal cause of action under the
Computer Fraud and Abuse Act is hereby DISMISSED with prejudice. Counts II through V of
the Amended Complaint, asserting state law causes of action, are hereby DISMISSED without
prejudice to Plaintiff reasserting these claims in state court.
IT IS SO ORDERED.
October 2, 2018
s\Cathy Bissoon
s
Cathy Bissoon
United States District Judge
cc (via ECF email notification):
All Counsel of Record
13
Disclaimer: Justia Dockets & Filings provides public litigation records from the federal appellate and district courts. These filings and docket sheets should not be considered findings of fact or liability, nor do they necessarily reflect the view of Justia.
Why Is My Information Online?