- IN THE UNITED STATES DISTRICT COURT FOR THE DISTRICT OF MARYLAND Modern Remodeling, Inc., * * v. * Civil Action No. 19-1397 * Tripod Holdings, LLC, et al. * MEMORANDUM Now pending is Tripod Holdings, LLC, High Mark Construction, LLC, Strong Wall Construction, LLC, MGB Investments, LLC, Patrick Boyle, Robert Michael Kimball, and David Drab’s (collectively, the “defendants”) motion for partial summary judgment as to Modern Remodeling Inc’s (“MRI”) Computer Fraud and Abuse Act (“CFAA”) claim1 and demand for attorney’s fees. (ECF 100). For the reasons stated below, the court will grant the motion as to the CFAA claim against Drab, and otherwise deny it. FACTS AND PROCEDURAL HISTORY Mike Kimball, Patrick Boyle, and David Drab are former employers of MRI who started their own competing business venture consisting of businesses Tripod Holdings, LLC, High Mark Construction, LLC, and Strong Wall Construction, LLC. (See ECF 107-2, Patrick Boyle Depo., at 98–103).2 MRI alleges ten counts in its amended complaint. (ECF 64, Amended Complaint). In Count 3 of the amended complaint, MRI alleges that the individual defendants gained unauthorized access to MRI’s computers in violation of the CFAA, 18 U.S.C. § 1030.3 1 The CFAA claim is not brought against the business defendants. 2 According to MRI in its amended complaint, Boyle was a managing member at MRI (ECF 64 Am. Compl. ¶ 16), Drab was senior director of one of MRI’s divisions (id. ¶ 21), and Kimball was sales manager for one of MRI’s divisions (id. ¶ 22). 3 MRI also alleges that other individual defendants violated the CFAA, but those individuals have not moved for summary judgment. The rest of the counts assert Maryland common law claims. For each count, MRI’s requested relief includes attorney’s fees. (See ECF 64, Amended Complaint). I. Patrick Boyle Patrick Boyle resigned on April 23, 2019, by a phone call to MRI partner Steve Trancucci, and his resignation became effective immediately. (ECF 107-1, Steve Trancucci Aff. ¶ 6). After Boyle resigned, Trancucci told him to return his laptop without modifying it in any manner. (Id.). But computer forensic analysis shows that, approximately four hours after Boyle resigned, he reinstalled his computer’s operating system, which deleted all user file data on the laptop. (ECF 107-9, Steven Hillary Aff., ¶ 13). According to Boyle, he deleted the contents of his laptop before returning it because it contained his personal information such as tax returns and photos.4 (ECF 107-2, Boyle Depo. at 123:1–9). MRI also alleges that Boyle deleted the non-compete agreement of another employee, Randy Moran. The evidence for this is that the document was kept in a computer folder which only Boyle and MRI Chief Information Officer Mark McLean had access to, the document was missing from the folder, and McLean states that he did not delete it. (ECF 107-5, Mark McLean Aff. ¶¶ 12–13).5 II. Mike Kimball On January 4, 2019, Mike Kimball reinstalled his computer’s operating system, which erased his user profile on his laptop. (ECF 107-9, Hillary Aff. ¶ 8). Kimball left MRI on January 8, 2019. (ECF 107-3, Kimball Depo. at 78:10–11). Kimball testified that he deleted the contents of his work laptop because it contained his personal information, and he did not want to 4 It appears that MRI employees were permitted to use their work laptops for personal use also. 5 The agreement was also missing from the paper file in McLean’s locked office. McLean states that both he and Boyle maintained keys to his office and the filing cabinet. (ECF 107-5, McLean Aff. ¶ 14). It is not clear if others also had keys to the office and to the cabinet. sort through the information on the laptop to determine what to delete. (Id. at 184:1–9, 185:16– 22). MRI Chief Information Officer Mark McLean states that “[n]o one at MRI is authorized to delete all of their files or remove their user profile from their laptop or desktop computer.” (ECF 107-5, McLean Aff. ¶ 17). It appears that sometime in late July 2018,6 Kimball and Boyle met with Baltimore Consulting to design or implement a customer relationship management (“CRM”) system for their new business. (ECF 107-7, Ryan Brooks Depo. at 53–55, 61–62).7 During the meeting, Kimball and Boyle accessed MRI’s CRM system to show Ryan Brooks from Baltimore Consulting, (id. at 53–55), and Kimball gave Brooks his login information so Brooks could log into MRI’s CRM system to take screenshots, (id. at 59–60). Brooks testified that Kimball and Boyle showed him the MRI CRM system to point out what about it they did not want in their CRM system. (Id. at 52–54). Email activity also shows that Kimball accessed his email after January 8 when he left MRI. (See ECF 107-8, various emails). III. David Drab David Drab resigned around the first week of January, and his last day at MRI was January 25, 2019. (ECF 107-4, David Drab Depo. at 42:23–43:1). A forensic analysis of Drab’s computer suggests that Drab connected two USB devices to his work computer on December 18, 2018. (ECF 107-9, Hillary Aff. ¶ 10). According to MRI, this indicates that Drab may have downloaded MRI files onto these flash drives. According to McLean, MRI employees are not authorized to copy internal MRI information onto external devices outside of the MRI computer 6 Modern Remodeling in its opposition states that the defendants engaged Baltimore Consulting in July 2019. (ECF 107, Opp’n at 6). It appears this should read “July 2018,” as Brooks’s deposition indicates that one of the meetings between him and the defendants was in July 2018. (ECF 107-7, Brooks Depo. at 61–62). 7 The rough draft version of the deposition transcript of Ryan Brooks, the corporate designee for Baltimore Consulting, was attached to MRI’s opposition. system. (ECF 107-5, McLean Aff. ¶ 6). Additionally, computer analysis shows an additional flash drive was connected to Drab’s laptop on February 7, 2019, (ECF 107-9, Hillary Aff. ¶ 10), which would have been after Drab returned his laptop to MRI. Trancucci and McLean both state they did not insert the USB drive, (ECF 107-1, Trancucci Aff. ¶ 10; ECF 107-5, McLean Aff. ¶ 18), and MRI alleges that because Boyle was still working at MRI and was in constant communication with Drab, Boyle may have worked with Drab to access his laptop.8 IV. Investigation After realizing that several employees had started a rival venture and that Boyle had access to MRI internal information, and because Kimball had deleted information from his laptop when he resigned, an investigation commenced. (ECF 107-1, Trancucci Aff. ¶¶ 8, 9). MRI’s attorneys oversaw the investigation into what information had been accessed and destroyed. (Id. ¶ 9). This included hiring a computer forensics firm, Maragell, that investigated the laptops in question (of Boyle, Kimball, and Drab, as well as additional individual defendants not involved in this motion) and attempted to remediate or restore deleted data. (Id.). Specifically in regard to Boyle, Kimball, and Drab, MRI spent $2,250 to investigate Boyle’s computer; $2,750 to investigate Kimball’s computer; and $4,500 to investigate Drab’s computer. (ECF 107-11 at 2, 4, Maragell Invoice). STANDARD OF REVIEW Federal Rule of Civil Procedure 56(a) provides that summary judgment should be granted “if the movant shows that there is no genuine dispute as to any material fact and the movant is entitled to judgment as a matter of law.” Fed. R. Civ. P. 56(a) (emphases added). “A dispute is 8 MRI cites to 121:22–122:18 of Boyle’s deposition which does not appear to relate to Boyle’s communications with Drab. It appears there are text messages between Boyle, Drab, and Kimball that were not attached to the motion due to confidentiality issues. (ECF 107, Opp’n at 7 n.5). The nature of these communications is not clear. genuine if ‘a reasonable jury could return a verdict for the nonmoving party.’” Libertarian Party of Va. v. Judd, 718 F.3d 308, 313 (4th Cir. 2013) (quoting Dulaney v. Packaging Corp. of Am., 673 F.3d 323, 330 (4th Cir. 2012)). “A fact is material if it ‘might affect the outcome of the suit under the governing law.’” Id. (quoting Anderson v. Liberty Lobby, Inc., 477 U.S. 242, 248 (1986)). Accordingly, “the mere existence of some alleged factual dispute between the parties will not defeat an otherwise properly supported motion for summary judgment[.]” Anderson, 477 U.S. at 247–48. The court must view the evidence in the light most favorable to the nonmoving party, Tolan v. Cotton, 134 S. Ct. 1861, 1866 (2014) (per curiam) (citation and quotation omitted), and draw all reasonable inferences in that party’s favor, Scott v. Harris, 550 U.S. 372, 378 (2007) (citations omitted); see also Jacobs v. N.C. Admin. Office of the Courts, 780 F.3d 562, 568–69 (4th Cir. 2015). At the same time, the court must “prevent factually unsupported claims and defenses from proceeding to trial.” Bouchat v. Balt. Ravens Football Club, Inc., 346 F.3d 514, 526 (4th Cir. 2003) (quoting Drewitt v. Pratt, 999 F.2d 774, 778–79 (4th Cir. 1993)). DISCUSSION I. CFAA The CFAA is primarily a criminal statute, but provides that “[a]ny person who suffers damage or loss by reason of a violation of this section may maintain a civil action against the violator to obtain compensatory damages and injunctive relief or other equitable relief” as long as the conduct involves “1 of the factors set forth in subclauses (I), (II), (III), (IV), or (V) of subsection (c)(4)(A)(i).” 18 U.S.C. § 1030(g). Here, MRI claims “loss to 1 or more persons during any 1-year period . . . aggregating at least $5,000 in value,” under § 1030(c)(4)(A)(i)(I). An individual violates the statute if he or she, inter alia, “intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains . . . information from any protected computer,” id. § 1030(a)(2)(C); “knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value,” id. § 1030(a)(4); and “intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage and loss,” id. § 1030(a)(5)(C). “[T]he term ‘exceeds authorized access’ means to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” Id. § 1030(e)(6). “Authorization” is not defined in the CFAA. WEC Carolina Energy Sols. LLC v. Miller, 687 F.3d 199, 204 (4th Cir. 2012). II. Unauthorized Access/Exceeding Authorized Access The parties disagree as to whether there is a genuine dispute of material fact that Boyle, Kimball, and Drab accessed MRI’s computers without authorization or exceeded their authorized access in violation of the CFAA. The Fourth Circuit has taken “a narrow reading of the terms ‘without authorization’ and ‘exceeds authorized access’” as used in the CFAA. WEC Carolina, 687 F.3d at 206. In WEC Carolina, the employee Miller had access to confidential information of his employer; in contravention of company policies, he downloaded this information to his personal computer and, when he moved to a rival company, used that information. Id. at 202. The Fourth Circuit held that the CFAA prohibits unauthorized access, but does not govern the use of information or documents. So, “Congress has not clearly criminalized obtaining or altering information ‘in a manner’ that is not authorized. Rather, it has simply criminalized obtaining or altering information that an individual lacked authorization to obtain or alter.” Id. at 206. Therefore, “the terms ‘without authorization’ and ‘exceeds authorized access’ . . . apply only when an individual accesses a computer without permission or obtains or alters information on a computer beyond that which he is authorized to access.” Id. As Miller was authorized to access the confidential documents, he did not violate the CFAA, even though he was not allowed to download them to his personal computer. Id. at 206–07.9 A. Patrick Boyle Boyle is alleged to have 1) accessed his computer after he resigned to remove all data and 2) deleted the Randy Moran agreement. There are genuine disputes of material fact as to whether this is unauthorized access or exceeding unauthorized access under the CFAA. There is a genuine issue of material fact as to whether Boyle was authorized to access his computer after he resigned and/or delete the contents of his computer, and whether he altered the Moran agreement without authorization. In WEC Carolina, the Fourth Circuit stated that the CFAA has “criminalized[10] obtaining or altering information that an individual lacked authorization to obtain or alter.” WEC Carolina, 687 F.3d at 206 (emphasis added). Here, the parties dispute whether Boyle was allowed to access his computer after he resigned, whether he was allowed to delete the contents of his computer, whether Boyle deleted the Moran agreement, and, if he did, whether he was allowed to do so. See Richards v. Octane Envtl., LLC, No. 1:18- CV-157, 2019 WL 6720444, at *4 (N.D.W. Va. Dec. 10, 2019)11 (“deletion of information from a work computer. . . could each be considered an ‘alter[ation] [of] information on a computer beyond that which he is authorized to access.’” (quoting WEC Carolina, 687 F.3d at 206)).12 9 WEC Carolina makes clear that an employee does not violate the CFAA merely by violating his employer’s computer use policy. WEC Carolina, 687 F.3d 199, 207 (4th Cir. 2012) (“But we are unwilling to contravene Congress's intent by transforming a statute meant to target hackers into a vehicle for imputing liability to workers who access computers or information in bad faith, or who disregard a use policy.”) 10 As noted above, the CFAA also allows for civil actions, which is at issue here. 11 Unreported cases are cited for the soundness of their reasoning, not for any precedential value. 12 The defendants stated in their motion that MRI only alleged that the individual defendants accessed MRI’s computers “without authorization,” but not that they “exceeded authorized access.” (ECF 100-1, Mot. at 3 & n.2). In its opposition, though, MRI argues that the defendants violated the CFAA by accessing MRI’s computers either B. David Drab Drab is alleged to have copied MRI files onto flash drives and to have arranged to have someone use a USB to copy information from his work computer after he resigned. As to Drab’s copying of files while he was working for MRI, this does not constitute a violation of the CFAA. This is the same situation as in WEC Carolina, where the employee improperly downloaded work documents to his personal computer. 687 F.3d at 202. Similarly, Drab may have copied MRI files to flash drives in contravention of MRI’s policy. But as in WEC Carolina, there is no dispute that Drab was authorized to access those files. Following the Fourth Circuit’s holding in WEC Carolina, then, Drab’s copying of documents to a USB, even if in violation of MRI policy, does not constitute unauthorized access or exceeding unauthorized access under the CFAA. Therefore, Drab is entitled to summary judgment as to the alleged copying of files to flash drives while he was working at MRI. MRI also has not presented sufficient evidence to create a genuine dispute of material fact as to whether Drab connected or helped to connect a USB drive to his former work computer on February 7, 2019. The evidence is that a USB drive was inserted into Drab’s computer after he had resigned and returned the laptop to MRI, and Drab was communicating via text message with Boyle, who still worked at MRI, at the time.13 MRI theorizes that “Boyle was still working for MRI at the time and had the keys to McLean’s office where the old computers were kept, and he could have accessed Drab’s computer or brought the computer to Drab to access after he no without authorization or in a manner that exceeded authorized access. (ECF 11–12, Opp’n at 11–12). As there has been no further discussion, the court will consider the CFAA claims as alleging that the defendants accessed computers without authorization and/or exceeded authorized access. 13 MRI does not provide evidence that these text messages relate to or discuss connecting a USB drive to Drab’s former work computer. longer worked at MRI.” (ECF 107, Opp’n at 17). As to the first possibility, that Boyle accessed Drab’s computer, it is not clear how this would involve a CFAA violation by Drab. As to the second possibility, MRI presents no evidence that would indicate that Boyle brought the computer to Drab or that Drab was involved in connecting the USB drive.14 As such, there is not sufficient evidence for a reasonable jury to find that Drab was involved in inserting the USB drive into his former work laptop on February 7, 2019. Accordingly, the court will grant summary judgment to Drab on Count 3, the CFAA claim. C. Mike Kimball Kimball is alleged to have deleted the contents of his work computer without authorization, accessed his email after he resigned, and facilitated Baltimore Consulting’s ability to view MRI’s CRM system. Although Kimball had authorization to access the contents of his work computer before he resigned, there is a genuine dispute of material fact as to whether he had authorization to delete the contents. Unlike the situation in WEC Carolina, Kimball is alleged to have altered (i.e. deleted) information, rather than just use it improperly. In WEC Carolina, the Fourth Circuit stated that the CFAA prohibits “obtaining or altering information that an individual lacked authorization to obtain or alter.” WEC Carolina, 687 F.3d at 206 (emphasis added). Here, the dispute concerns whether Kimball had authorization to alter the information on his computer by deleting the computer’s contents. MRI has presented sufficient evidence in the form of McLean’s declaration, stating that employees were not authorized to delete all their files 14 McLean and Trancucci both deny inserting the USB drive into Drab’s former computer on February 7, 2019. (ECF 107-1, Trancucci Aff. ¶ 10; ECF 107-5, McLean Aff. ¶ 18). It is not clear how many people had access to Drab’s former computer after he returned it to MRI. or remove their user profile, to withstand summary judgment. Cf. Dresser-Rand Co. v. Jones, 957 F. Supp. 2d 610, 621 (E.D. Pa. 2013) (“Dresser–Rand does not point to any restrictions on King's access that, for instance, would allow him to view files on his laptop but forbid him from deleting them.”). There is evidence Kimball continued to access his email account after his last day at MRI and that he provided his login credentials to MRI’s CRM system to Baltimore Consulting. According to McLean, after employees leave MRI, they are no longer authorized to use any MRI computer systems. (ECF 107-5, McLean Aff. ¶ 15). But it appears that some employees continued to perform services and finish up certain jobs even after they left MRI. (ECF 114-2, Luke Russo Depo. at 117–18). It is not clear whether Kimball continued to perform such services which may require access to email, or whether he was otherwise allowed to access his email after he resigned. Accordingly, there is a genuine dispute of material fact as to whether Kimball accessed his email after he left without authorization. Also, according to McLean, employees are not allowed to share their login information with outside organizations. (ECF 107-5, McLean Aff. ¶ 9). Here, there is a genuine dispute of material fact as to whether Kimball helped Baltimore Consulting access the CRM system without authorization. III. Loss MRI claims “loss to 1 or more persons during any 1-year period . . . aggregating at least $5,000 in value.” 18 U.S.C. § 1030(4)(A)(i)(I). “Loss” means “any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service[.]” Id.(e)(11). “Loss” includes “costs incurred as part of the response to a CFAA violation, including the investigation of an offense.” A.V. ex rel. Vanderhye v. iParadigms, LLC, 562 F.3d 630, 646 (4th Cir. 2009). Once a qualified CFAA loss is shown, the plaintiff must also show that the costs were reasonable and “directly causally linked” to the CFAA violation. Glob. Policy Partners, LLC v. Yessin, 686 F. Supp. 2d 642, 646 (E.D. Va. 2010). As explained above, there are genuine disputes of material fact as to the following alleged CFAA violations: Boyle and Kimball deleting the contents of their work computers; the deletion of the Moran agreement; Kimball accessing his email after he resigned; and Kimball facilitating Baltimore Consulting’s access of MRI’s CRM system. MRI argues that it has qualified CFAA losses, pointing to the cost of a digital forensics analysis by Maragell Corporate Investigations and Steven Hillary of Boyle and Kimball’s computers. (ECF 107-9, Hillary Aff. ¶¶ 2, 8, 13; ECF 107-11, Invoice).15 MRI provides invoices from Maragell. Relating to the alleged CFAA violations by Boyle and Kimball, the invoice (ECF 107-11) provides charges of: $2,250 for “[c]reated forensic [i]mage of HP laptop used by Patrick Boyle. Data- carved for deleted files; analysis of file deletions/reinstallation of O/S/. . .” (ECF 107-11 at 2); $2,750 for “[c]reated backup copy of Kimball . . . [i]mages. Recovered deleted files. Created the Link File, User-generated file listing, Internet History, USB history, and Shellbags History re: user activity. Parsed Recycle Bin files. Parsed ntuser.dat files re: user activity. Parsed forensic image w/ Axiom re: timeline activity. Analyzed reports re: data-exfiltration. (flat fee -- Kimball $2,750 (missing user profile limited our standard research reporting) . . . ” (ECF 107-11 at 4). 15 Hillary also investigated Drab’s computer, but as noted above, the court will grant summary judgment to Drab on the CFAA claim. The defendants argue that MRI engaged Maragell in preparation for litigation, not to investigate the alleged CFAA violations and repair and remediate damage, and that engaging a forensics analysis in preparation for litigation is not a qualified CFAA loss. In Vanderhye, a student was able to register and submit papers to Turnitin (a website that checks if papers are plagiarized) as a student of a university he was not enrolled at and had not attended. 562 F.3d at 645. Although the student had actually just found a password on the internet, iParadigms, the owner and operator of Turnitin, feared a glitch in the system and spent numerous hours investigating. Id. The Fourth Circuit found that the cost of this investigation was a “loss” within the meaning of the CFAA, and remanded the case, although expressing no opinion as to “whether the alleged consequential damages were reasonable, sufficiently proven, or directly causally linked to A.V.'s alleged CF[A]A violation.” Id. at 646. Similarly, a district court in this circuit has found that the cost of analyzing a laptop when a company “suspect[ed] that its confidential information had been accessed without authorization by former employees” was a qualifying CFAA loss, noting that there was a genuine issue of material fact as to whether the investigation was reasonable. Animators at Law, Inc. v. Capital Legal Sols., LLC, 786 F. Supp. 2d 1114, 1121 (E.D. Va. 2011) (“Furthermore, perpetrators of unauthorized access should foresee that their actions may result in significant investigations and costs far exceeding the actual damage to the system”, id. at 1121–22). Here, MRI analyzed the laptops after suspecting that Boyle and Kimball had accessed and deleted information without authorization. The defendants argue that Maragell was retained by MRI to provide services contemporaneously with the filing of the lawsuit; Maragell provided services for eight months, beyond what could be reasonably characterized as an investigation; and Maragell’s invoices include entries for litigation-driven work, such as drafting expert reports. But MRI does not claim that the costs of the litigation-related work are CFAA losses, and although Maragell and Hillary may have provided litigation services to MRI, this does not mean that they did not also provide services to respond to the alleged CFAA violations. Here, there is a genuine issue of material fact as whether the costs spent analyzing the laptops at issue were reasonable and directly causally linked to the CFAA violation. Accordingly, there are genuine issues of fact as to at least $5,000 dollars of potential CFAA losses, precluding summary judgment on the CFAA claims.16 IV. Attorney’s Fees The defendants request summary judgment that MRI is not entitled to attorney’s fees under the CFAA or for their other Maryland common law claims.17 MRI argues that it is entitled to attorney’s fees to the extent those fees constitute CFAA losses, such as if attorneys were paid to oversee investigations into the alleged CFAA offenses. In Animators at Law, the court indicated that hiring an attorney to oversee an investigation into a CFAA violation could be a qualifying CFAA loss. 786 F. Supp. 2d at 1122 (“a jury may conclude that hiring an attorney to investigate the intrusion and oversee the investigation was reasonably foreseeable and reasonably necessary under the circumstances.”). The defendants do not appear to dispute the distinction between litigation and investigation. (ECF 114, Reply at 2). Because it appears there is a genuine dispute about the purpose of at least some of the fees, summary judgment will be denied. 16 Without Drab, the alleged CFAA losses for Boyle and Kimball total $5,000, which just meets the statutory loss requirement. The court notes that neither party addresses whether there must be $5,000 in qualified CFAA loss as to each individual defendant. Whether the $5,000 may be aggregated across multiple defendants appears to be an open question. See In re Dealer Mgmt. Sys. Antitrust Litig., No. 18-CV-864, 2019 WL 4166864, at *11–12 (N.D. Ill. Sept. 3, 2019) (suggesting losses may be aggregated only among defendants working together). Because the parties do not brief the issue, the court will not address it. 17 The briefing focuses on whether attorney’s fees are available under the CFAA, and the court therefore will not address the common law claims. CONCLUSION For the reasons stated above, the court will grant the motion for partial summary judgment as to Drab, and otherwise deny it. A separate order follows. 8/10/20 IS/ Date Catherine C. Blake United States District Judge 14
Document Info
Docket Number: 1:19-cv-01397
Filed Date: 8/10/2020
Precedential Status: Precedential
Modified Date: 6/22/2024