Beins, Axelrod, P.C. v. Analytics, LLC ( 2020 )


Menu:
  •                             UNITED STATES DISTRICT COURT
    FOR THE DISTRICT OF COLUMBIA
    BEINS, AXELROD, PC,
    Plaintiff,
    v.                                        Civil Action No. 19-3794 (JEB)
    ANALYTICS, LLC, et al.,
    Defendants.
    MEMORANDUM OPINION
    This case concerns an old-fashioned heist achieved via 21st-century means. Plaintiff
    Beins, Axelrod, PC claims that someone hacked into its managing partner’s email account and
    thereby redirected a $60,000 payment intended for Plaintiff’s legal services into the thief’s
    account maintained at Citibank, NA. Beins, Axelrod has been unable to recover the funds and
    thus brings various causes of action against all the involved parties, including a claim under the
    Computer Fraud and Abuse Act against Defendant Citigroup Inc., the parent company of
    Citibank. Citigroup now moves to dismiss. The Court is sympathetic to the firm’s plight, but
    because Plaintiff improperly named Citigroup as a Defendant and, in any event, has failed to
    state a claim under the CFAA, it will grant the Motion.
    I.     Background
    Plaintiff is a District of Columbia–based corporate entity engaged in the practice of law.
    See ECF No. 7 (Amended Complaint), ¶ 1. Years ago, it provided legal services in tandem with
    two other law firms –– Ciresi Conlin, LLP and Defendant McTigue Law, LLP –– for a class-
    action lawsuit brought in the Southern District of New York.
    Id., ¶¶ 15–19;
    see also Carver v.
    1
    Bank of New York Mellon, No. 15-10180 (S.D.N.Y. Mar. 31, 2017). In December 2018, the suit
    settled, and the settlement agreement provided, among other things, for $5,966,250 to be
    allocated among the various law firms.
    Id., ¶ 20.
    The firms hired Defendant Analytics LLC
    –– which specializes in class-action-settlement implementation –– to distribute these hefty sums.
    Id., ¶ 21.
    Plaintiff’s share of the fee award came to an undisputed $60,354.67, but McTigue and
    Ciresi Conlin fought for months over their respective pieces of the remainder.
    Id., ¶¶ 22–27.
    On the evening of July 16, 2019, J. Brian McTigue, a partner at McTigue LLP, sent Jon
    Axelrod, Plaintiff’s managing partner, an email stating, “Jon I know you changed addresses.
    Give me your wire transfer information to which to wire funds.”
    Id., ¶ 30;
    see also
    id., Exh. 1
    (July 16, 2019, Email from Brian McTigue to Jon Axelrod). Axelrod responded with his account
    information at Eagle Bank, the only bank at which Beins, Axelrod maintained accounts.
    Id., ¶¶ 31,
    38; see also
    id., Exh. 2
    (July 17, 2019, Email from Axelrod to McTigue).
    Enter thief, stage left. Later that afternoon, McTigue received an e-mail that appeared to
    be from Axelrod stating, “So sorry about the mix up. Use the account below instead of the one
    sent earlier.”
    Id., ¶ 39;
    see also
    id., Exh. 4
    (July 17, 2019, Email from Axelrod to McTigue). The
    message then provided wiring instructions for a Citibank account.
    Id. McTigue forwarded
    that
    information to Analytics, which sent the $60,354.67 payment to the Citibank account.
    Id., ¶¶ 42–44.
    The following day, Axelrod followed up with McTigue, inquiring as to when the
    promised funds would arrive.
    Id., ¶¶ 45–46;
    see also
    id., Exh. 6
    (July 18, 2019, Email from
    Axelrod to McTigue). McTigue responded that the funds had already been wired.
    Id., ¶ 49;
    see
    also
    id., Exh. 7
    (July 18, 2019, Email from McTigue to Axelrod). He also promised to wire
    Axelrod an additional $8,000 for a separate matter.
    Id. The following
    morning, Axelrod called
    McTigue to inquire again about the status of these two payments, and McTigue responded that he
    2
    had wired them both to the “Citibank Account.”
    Id., ¶ 50.
    (It appears that McTigue was later
    able to claw back the $8,000 wire.
    Id., ¶ 52.)
    A bewildered Axelrod, who did not know of the existence of a Citibank account, soon
    realized that his email had been hacked.
    Id., ¶ 59.
    Plaintiff alleges that the hacker managed to
    gain access to Axelrod’s email, re-direct McTigue’s emails to a separate account, and then
    supply the Citibank account information as if it had come from Axelrod himself.
    Id. Axelrod journeyed
    to the nearest Citibank branch with the hacker’s wiring instructions in hand.
    Id., ¶ 56.
    A bank teller confirmed the account’s existence, explained that there was no money remaining in
    it, and refused to divulge any further information.
    Id., ¶ 57.
    Plaintiff has pursued a variety of avenues of relief. It immediately filed a criminal
    complaint –– which thus far has not led to any law-enforcement action –– and a month later,
    filed an insurance claim, which was denied.
    Id., ¶¶ 61–63.
    On December 20, 2019, it filed the
    present action. See ECF No. 1 (Complaint). The Amended Complaint asserts common-law
    negligence, fraud, and breach-of-contract claims against various involved parties. See Am.
    Compl., ¶¶ 72–107. As relevant here, Plaintiff also brings one claim under the CFAA, see 18
    U.S.C. § 1030, against Defendant Citigroup Inc. See Am. Compl., ¶¶ 64–71. Citigroup has now
    filed a Motion to Dismiss, which Plaintiff has opposed.
    II.     Legal Standard
    Federal Rule of Civil Procedure 12(b)(6) provides for the dismissal of an action where a
    complaint fails “to state a claim upon which relief can be granted.” Although “detailed factual
    allegations” are not necessary to withstand a Rule 12(b)(6) motion, “a complaint must contain
    sufficient factual matter, accepted as true, to ‘state a claim to relief that is plausible on its
    face.’” Ashcroft v. Iqbal, 
    556 U.S. 662
    , 678 (2009) (quoting Bell Atl. Corp. v. Twombly, 550
    
    3 U.S. 544
    , 570 (2007)). For a plaintiff to survive a 12(b)(6) motion, the facts alleged in the
    complaint “must be enough to raise a right to relief above the speculative level.” 
    Twombly, 550 U.S. at 555
    .
    In evaluating Defendant’s Motion to Dismiss, the Court must “treat the complaint’s
    factual allegations as true, and must grant plaintiff ‘the benefit of all inferences that can be
    derived from the facts alleged.’” Sparrow v. United Air Lines, Inc., 
    216 F.3d 1111
    , 1113 (D.C.
    Cir. 2000) (citation omitted) (citing Leatherman v. Tarrant Cty. Narcotics Intelligence and
    Coordination Unit, 
    507 U.S. 163
    , 164 (1993) (quoting Schuler v. United States, 
    617 F.2d 605
    ,
    608 (D.C. Cir. 1979)). The Court need not accept as true, however, “a legal conclusion couched
    as a factual allegation,” nor an inference unsupported by the facts set forth in the Complaint.
    Trudeau v. FTC, 
    456 F.3d 178
    , 193 (D.C. Cir. 2006) (quoting Papasan v. Allain, 
    478 U.S. 265
    ,
    286 (1986)). Finally, even at the Rule 12(b)(6) stage, a court can review “documents attached as
    exhibits or incorporated by reference in the complaint” or “documents upon which the plaintiff’s
    complaint necessarily relies.” Ward v. D.C. Dep’t of Youth Rehab. Servs., 
    768 F. Supp. 2d 117
    ,
    119 (D.D.C. 2011) (internal quotation marks and citations omitted).
    III.   Analysis
    In moving to dismiss, Citigroup argues that Plaintiff named the wrong entity as a
    Defendant in this action and that, alternatively, the Amended Complaint fails to state a claim
    under the CFAA. The Court agrees on both counts.
    First, Defendant erred in naming Citigroup instead of its subsidiary, Citibank, as a
    Defendant in the Amended Complaint. As explained above, the Complaint only contains
    allegations regarding Citibank, which Plaintiff does not dispute is a separate legal entity from
    Citigroup. See ECF No. 10 (Def. MTD) at 5–6. Generally, a corporation, even if a subsidiary,
    4
    “is treated as a separate and distinct juridical entity, independent of its owner.” Alkanani v.
    Aegis Def. Servs., LLC, 
    976 F. Supp. 2d 1
    , 8 (D.D.C. 2013). Only in unique circumstances may
    a parent company be held liable for the actions of its subsidiary, such as where the parent
    “dominate[s]” the subsidiary and the “affairs of the group [are] so intermingled that no distinct
    corporate lines are maintained.” Transamerica Leasing, Inc. v. La Republica de Venezuela, 
    200 F.3d 843
    , 849 (D.C. Cir. 2000) (quoting NLRB v. Deena Artware, Inc., 
    361 U.S. 398
    , 403
    (1960)). Plaintiff has not attempted to provide factual support for a theory of relief predicated on
    the interconnectedness of Citigroup and Citibank, and it has, in fact, conceded that it likely
    named the incorrect party. See ECF No. 11 (Pl. Opp.) at 1.
    In any event, the Amended Complaint fails to state a claim under the CFAA against
    either Citigroup or its subsidiary, Citibank. “The CFAA was enacted in 1984 to enhance the
    government’s ability to prosecute computer crimes.” LVRC Holdings LLC v. Brekka, 
    581 F.3d 1127
    , 1130 (9th Cir. 2009). While the Act is a criminal statute, subsection (g) “provides a civil
    cause of action to ‘any person who suffers damage or loss by reason of a violation’ of the
    CFAA,” if the purported violation satisfies certain enumerated factors. Lewis-Burke Assocs.,
    LLC v. Widder, 
    725 F. Supp. 2d 187
    , 191 (D.D.C. 2010) (quoting 18 U.S.C. § 1030(g)).
    Plaintiff first points to the CFAA provision that criminalizes “knowingly and with intent
    to defraud, access[ing] a computer without authorization, or exceed[ing] authorized access, and
    by means of such conduct further[ing] the intended fraud and obtains anything of value, unless
    the object of the fraud and the thing obtained . . . is not more than $5,000 in any 1-year period.”
    18 U.S.C. § 1030(a)(4). According to the Amended Complaint, Citibank “aided and abetted” the
    hacker in violating this CFAA provision and thereby “conspir[ed]” with the hacker to commit a
    5
    crime established by the CFAA. See Am. Compl., ¶ 71; see also 18 U.S.C. § 1030(b)
    (criminalizing conspiracy and attempt to commit CFAA offenses).
    In support of this claim, Plaintiff argues that “the bank’s maintenance of an account that
    was used (possibly solely) for criminal purposes puts it at liability under the CFAA.” Pl. Opp. at
    2. This is so because “[t]he funds did not end up in the Citibank account against Citibank’s will.
    Citibank must have taken some overt steps to allow [John] Doe to have an account and to use it
    [to] deposit criminally obtained funds.”
    Id. In other
    words, the bank provided “assistance” to
    the hacker by maintaining the account and “transfer[ring] the stolen funds out of it.”
    Id. Plaintiff provides
    the following colorful analogy:
    [T]he bank was the farmer who provided a temporary safe harbor
    for the robber’s loot. Maybe the farmer didn’t know exactly where
    the money came from, but if unfamiliar people wearing ski masks
    keep knocking on his door asking to hide bags of cash in its barn for
    a few days in exchange for a few of the twenties in the bag, the law
    might have reason to hold the farmer accountable
    Id. As a
    threshold matter, the bank cannot be held liable under the theory that it conspired
    with the hacker given the absence of an allegation of an agreement (or course of conduct
    indicating one) between Citibank and the hacker to violate the CFAA. See United States v.
    Mellen, 
    393 F.3d 175
    , 184 (D.C. Cir. 2004). Plaintiff instead appears to be pursuing an
    accomplice theory of liability. As the Supreme Court has explained, accomplice liability
    “reflects a centuries-old view of culpability: that a person may be responsible for a crime he has
    not personally carried out if he helps another to complete its commission.” Rosemond v. United
    States, 
    572 U.S. 65
    , 71 (2014).
    A key element of establishing aiding-and-abetting (or conspiracy) liability, however, is
    demonstrating the requisite mens rea (state of mind) of the perpetrator.
    Id. at 77.
    Courts have
    6
    instructed juries that a person may be criminally liable as an accomplice under CFAA if he
    “knowingly and intentionally aided, counseled, commanded, induced or procured [a] person to
    commit each element of the crime . . . with the knowledge and intention of helping that person
    commit the crime.” United States v. Nosal, 
    844 F.3d 1024
    , 1039 (9th Cir. 2016). To be sure, “a
    statutory requirement that a criminal defendant acted ‘knowingly’ is not limited to positive
    knowledge, but includes the state of mind of one who does not possess positive knowledge only
    because he consciously avoided it.”
    Id. Under this
    standard, “[t]he finder of fact may infer that
    a defendant acted knowingly if he deliberately closed his eyes to what otherwise would have
    been obvious to him and did not act through ignorance, mistake, or accident,” a state of mind
    often referred to as willful blindness. See Cooper v. Nat’l Transp. Safety Bd., 
    660 F.3d 476
    , 483
    (D.C. Cir. 2011).
    Plaintiff here, however, has failed to plead Defendant’s knowing involvement in the
    scheme, even under a willful-blindness theory. Willful blindness is distinct from mere
    recklessness or negligence: “(1) The defendant must subjectively believe that there is a high
    probability that a fact exists and (2) the defendant must take deliberate actions to avoid learning
    of that fact.” Glob.-Tech Appliances, Inc. v. SEB S.A., 
    563 U.S. 754
    , 769 (2011). Plaintiff
    does not provide any facts that indicate that the bank “closed its eyes” to the hacker’s obvious
    crime.
    Id. at 767
    n.7. For example, it does not allege any unusual activity that might have
    raised the bank’s suspicion or any vetting irregularities, let alone the existence of “critical facts”
    that the Defendant “deliberately shield[ed]” itself from. See Rundquist v. Vapiano SE, No. 09-
    2207 
    2013 WL 12320782
    , at *4 (D.D.C. Mar. 19, 2013) (alteration in original).
    Returning to Plaintiff’s analogy, a bank that allows a private party to open an account to
    which funds are improperly transferred is not akin to a farmer who, in exchange for a bribe,
    7
    provides refuge to a group of strangers wearing ski masks and carrying bags of cash. Were it
    otherwise, whenever a thief used an unwitting bank in connection with his criminal scheme, the
    bank would be both criminally and civilly liable for the offense, regardless of the surrounding
    circumstances. Plaintiff’s claim against Citigroup must therefore be dismissed at this stage.
    IV.    Conclusion
    For the forgoing reasons, the Court will grant Defendant’s Motion to Dismiss without
    prejudice. A separate Order so stating will issue this day.
    /s/ James E. Boasberg
    JAMES E. BOASBERG
    United States District Judge
    Date: April 23, 2020
    8