- UNITED STATES DISTRICT COURT EASTERN DISTRICT OF MICHIGAN SOUTHERN DIVISION CONLAN ABU and RYAN MOORE, Plaintiffs, Civil Case No. 20-10747 Honorable Linda V. Parker v. STANLEY B. DICKSON and DICKSON & ASSOCIATES, PC, Defendants. ______________________________/ OPINION AND ORDER DENYING PLAINTIFFS’ MOTION FOR SUMMARY JUDGMENT (ECF NO. 48) AND GRANTING DEFENDANTS’ MOTION FOR SUMMARY JUDGMENT (ECF NO. 55) This case arises from the retrieval of Plaintiff Ryan Moore’s email communications by non-party John Massey at the direction of Defendant Stanley B. Dickson. The retrieval occurred during state court litigation concerning an agreement by which Plaintiff Conlan Abu purchased certain restaurant assets from The Epicurean Group. Plaintiff Ryan Moore is a 50% owner of Conlan Abu. Dickson owned The Epicurean Group, and he is majority owner of Defendant Dickson & Associates, P.C. After discovering that the emails had been accessed by Defendants, Plaintiffs initiated this action alleging violations of federal law. Following previous dispositive motion rulings, what remains are Plaintiffs’ claims alleging violations of the Computer Fraud and Abuse Act (“CFAA”), 18 U.S.C. § 1030, and the Stored Communications Act (“SCA”), 18 U.S.C. §§ 2701-2713. The matter is presently before the Court on the parties’ cross-motions for summary judgment, filed pursuant to Federal Rule of Civil Procedure 56. (ECF Nos. 48, 55.) The motions have been fully briefed. Finding the facts and legal arguments adequately presented in the parties’ briefs, the Court is dispensing with oral argument pursuant to Eastern District of Michigan Local Rule 7.1(f). I. Summary Judgment Standard Summary judgment pursuant to Rule 56 is appropriate “if the movant shows that there is no genuine dispute as to any material fact and the movant is entitled to judgment as a matter of law.” Fed. R. Civ. P. 56(a). The central inquiry is “whether the evidence presents a sufficient disagreement to require submission to a jury or whether it is so one-sided that one party must prevail as a matter of law.” Anderson v. Liberty Lobby, Inc., 477 U.S. 242, 251-52 (1986). After adequate time for discovery and upon motion, Rule 56 mandates summary judgment against a party who fails to establish the existence of an element essential to that party’s case and on which that party bears the burden of proof at trial. Celotex Corp. v. Catrett, 477 U.S. 317, 322 (1986). The movant has the initial burden of showing “the absence of a genuine issue of material fact.” Id. at 323. Once the movant meets this burden, the “nonmoving party must come forward with specific facts showing that there is a genuine issue for trial.” Matsushita Elec. Indus. Co. v. Zenith Radio Corp., 475 U.S. 574, 587 (1986) (internal quotation marks and citation omitted). To demonstrate a genuine issue, the nonmoving party must present sufficient evidence upon which a jury could reasonably find for that party; a “scintilla of evidence” is insufficient. See Liberty Lobby, 477 U.S. at 252. The court must accept as true the non-movant’s evidence and draw “all justifiable inferences” in the non-movant’s favor. See Liberty Lobby, 477 U.S. at 255. II. Factual Background On January 1, 2019, Conlan Abu and The Epicurean Group closed on an Asset Purchase Agreement (“APA”) pursuant to which The Epicurean Group sold certain restaurant assets to Conlan Abu. (See ECF No. 48-2.) According to the APA, on the closing date, The Epicurean Group was to inter alia “sell, assign, convey, transfer, set over, and deliver (by appropriate instrument of transfer)” to Conlan Abu “all of the assets, rights, and interests of every conceivable kind or character whatsoever, whether tangible or intangible, that . . . are owned by Seller or in which Seller has an interest of any kind in relation to the business.” (Id. at Pg ID 1481, ¶ 1.1.) The assets included “computer programs, software programs, software and technical libraries . . . license agreements, and all other intellectual and/or proprietary information and property and applications for or licenses of used in connection with the Business, including Internet address(es) for the Business . . ..” (Id. ¶ 1.1(B).) Also included were “[a]ll contracts and service agreements.” (Id. ¶ 1.1(F).) The APA defines the “Business” as “certain restaurant businesses and the assets used in connection with such businesses under various entities and names as listed in Exhibit A . . ..” (Id. at Pg ID 1873.) “The Epicurean Group” is included. (Id. at Pg ID 1893, Ex. A.) After the closing date, The Epicurean Group breached the APA and Conlan Abu, Moore, and Moore’s father sued Dickson, The Epicurean Group, and related entities in the Circuit Court for Oakland County, Michigan (“state court litigation”).1 (See ECF Nos. 55-2, 48-8.) Sometime after the closing date but before the state court litigation, Plaintiffs began operating The Epicurean Group and utilized e-mail accounts with the “theepicureangroup.com” domain (hereafter “the Domain”), such as Moore’s address: rmoore@theepicureangroup.com. The accounts were hosted by Microsoft 365. Dickson & Associates first purchased the Domain through GoDaddy.com on March 27, 2017. (ECF No. 55-3.) Dickson & Associates paid the two-year 1 In the state court litigation, a jury found in favor of the plaintiffs (Conlan Abu, Moore, and Moore’s father) on their breach of contract claim against Dickson, and awarded damages of $1,100,600.00. (See ECF No. 48-8.) renewal fees for the Domain, including in March 2018 and 2020. (ECF No. 55-5.) After obtaining the Domain, Dickson & Associates, through its affiliated internet technology (“IT”) company Propel Technologies (“Propel”), purchased Microsoft Office 365 licenses for business products (e.g., Outlook, Word, Excel) to be used by its employees. (ECF No. 55-6.) Massey, the IT administrator for the entities owned by Dickson, administered the Microsoft Office 365 accounts through Propel’s “tenant account,” which is the master account of an organization that houses the users in a company and the information about them (e.g., passwords, user profile data, and permissions). (ECF No. 9-4 at Pg ID 193, ¶¶ 1, 3.) Defendants registered the tenant account under the name “Trowbridge House” (hereafter “Trowbridge Tenant”). (See ECF No. 55-8.) After the APA’s closing date, former employees of The Epicurean Group continued to use their @theepicureangroup.com Microsoft Office 365 accounts. Moore requested that Dickson & Associates create accounts for himself and employees brought in following the purchase. (ECF Nos. 55-9, 55-10, 55-11.) Dickson & Associates—more specifically its IT Administrator Massey—continued to act as the administrator for the accounts throughout Plaintiffs’ operation of The Epicurean Group, until Massey deactivated the accounts belonging to members of The Epicurean Group on September 1, 2019. (ECF No. 9-4 at Pg ID 193, ¶ 6; ECF no. 55-12 at Pg ID 2669; ECF No. 55-16.) Massey assisted Moore on multiple occasions with the accounts, including cancelling accounts for terminated employees, creating accounts for new hires, and resetting passwords. (ECF No. 9- 4 at Pg ID 193, ¶ 7.) In late August 2019, during the state court litigation, Dickson instructed Massey to retrieve emails between Moore’s @theepicureangroup.com address and various other individuals. (ECF No. 9-4 at Pg ID 194, ¶ 9.) Massey’s search also collected emails from Moore’s personal email addresses. (ECF No. 48-3 at Pg ID 1526-29; ECF No. 48-12; ECF No. 48-13.) Massey accessed the emails through the Trowbridge Tenant, using his credentials as the administrator for the accounts. (See ECF No. 9-4 at Pg ID 194, ¶¶ 10-13; ECF No. 55-7 at Pg 2620-22; ECF No. 48-3 at Pg ID 1517-24.) The defendants in the state court action produced some of these emails in response to the plaintiffs’ discovery requests. On March 6, 2022, the plaintiffs deposed Massey in the state court litigation to uncover details concerning his access to the emails. (See ECF No. 27-5.) Plaintiffs claim that they incurred $8,855.50 in “investigation costs” related to this “intrusion.” (ECF No. 48-15.) The costs reflect time spent by the attorneys representing the plaintiffs in the state court litigation (i.e., the same attorneys representing Plaintiffs here) from February 7 to March 8, 2020—shortly before the present lawsuit was filed. (Id.) The description of this time includes: 2.3 hours “investigat[ing] hacking of email accounts”; multiple hours “investigat[ing] potential computer fraud” and “computer claims”; 3.5 hours “[prepar[ing] for Massey deposition re computer fraud investigation”; and another 3.5 hours to “travel and attend Massey deposition[.]” (Id.) III. Applicable Law & Analysis A. CFAA Congress enacted the CFAA to deter computer crimes. A.V. ex rel Vanderhye v. iParadigms, LLC, 562 F.3d 630, 645 (4th Cir. 2009) (explaining that the statute is “primarily a criminal statute designed to combat hacking”); Estes v. Forwarding Worldwide LLC v. Cuellar, 239 F. Supp. 3d 918, 922 (E.D. Va. 2019). However, the statute also provides a civil right of action for “[a]ny person who suffers damage or loss by reason of a violation of [the statute]” provided “the conduct involves 1 of the factors set forth in [18 U.S.C. § 1030(c)(4)(A)(i)(I), (II), (III), (IV), or (V)].” 18 U.S.C. § 1030(g). The CFAA prohibits seven types of conduct with respect to unauthorized access of computers. Id. § 1030(a)(1)-(7). Plaintiffs allege that Defendants violated the statute by “intentionally access[ing] a computer without authorization or exceed[ing] authorized access . . . thereby obtain[ing] . . . information from any protected computer.” Id. § 1030(a)(2)(C). To prevail on this claim, Plaintiffs must show that Defendants “accessed a ‘protected computer’ either ‘without authorization’ or in a manner that ‘exceeds authorized access.’” Am. Furukawa, Inc. v. Hossain, 103 F. Supp. 3d 864, 870 (E.D. Mich. 2015) (quoting 18 U.S.C. § 1030) (internal footnotes omitted). Plaintiffs also must show that they suffered “damage” or “loss” as a result of the violation. Id. The parties address the various elements in their summary judgment filings, disputing whether the facts support or do not support them. The Court finds it necessary to address only the damage or loss element. 1. Loss2 As indicated, a civil action for a violation of the CFAA may be brought only if the conduct involves at least one of several factors. 18 U.S.C. § 1030(g). The only factor possible here is a violation causing “loss to 1 or more persons during any 1-year period . . . aggregating at least $5,000 in value[.]3 Id. § 1030(c)(4)(A)(i)(I). 2 The CFAA allows for a civil action by a person who “suffers damage or loss by reason of a violation[.]” 18 U.S.C. § 1030(g). “Damages” is defined as “any impairment to the integrity or availability of data, a program, a system, or information.” 18 U.S.C. § 1030(e)(8). The facts here do not show any damage incurred by Plaintiffs. 3 The remaining factors are violations that cause: (II) the modification or impairment, or potential modification or impairment, of the medical examination, diagnosis, treatment, or care of 1 or more individuals; (III) physical injury to any person; (IV) a threat to public health or safety; The CFAA defines “loss” as “any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service[.]” Id. § 1030(e)(11). The definition is read in the disjunctive such that the costs in the first clause do not need to be related to the “interruption of service” referred to in the second clause. Yoder & Frey Auctioneers, Inc. v. EquipmentFacts, LLC, 774 F.3d 1065, 1073-74 (6th Cir. 2014) (citing Nexans Wires S.A. v. Sark-USA, Inc., 166 F. App’x 559, 563 (2d Cir. 2006)). Lost revenue and other consequential damages, however, cannot be claimed without an interruption in service. Id. (citing Nexans Wires, 166 F. App’x at 563). Nevertheless, not every expense is considered a “reasonable cost to the victim” for purposes of the first clause. See Bd. of Trs. of Pierce Twp., Ohio v. Hartman, No. 1:08-cv-037, 2009 WL 10679053, at *2 (S.D. Ohio Mar. 17, 2009) (quoting Resdev, LLC v. Lot Builders Ass’n, No. 6:04-cv-1374, 2005 WL 1924743, at *4 (M.D. Fla. Aug. 10, 2005)) (“[T]he CFAA plainly enumerates a narrow (V) damage affecting a computer used by or for an entity of the United States Government in furtherance of the administration of justice, national defense, or national security[.] 18 U.S.C. § 1030(c)(4)(A)(i). grouping of ‘loss’ distinct from—and thus excluding—the far greater range of losses that could flow from a violation of the CFAA.”). Instead, courts hold that the first clause covers “only . . . the remedial expenses borne by victims.” Id. (citing Am. Family Mut. Ins. Co. v. Rickman, 554 F. Supp. 2d 766, 722 (N.D. Ohio 2008) (citing In re DoubleClick Inc. Privacy Litig., 154 F. Supp. 2d 497, 521 (S.D.N.Y. 2001))). The expenses must be related to investigating or remedying damage to a computer or computer system. ReMedPar, Inc. v AllParts Med., LLC, 683 F. Supp. 2d 605, 614-15 (M.D. Tenn. 2010) (citing cases); Am. Family Mut. Ins., 554 F. Supp. 2d at 772 (quoting L-3 Commc’ns Westwood Corp. v. Robicharux, No. 06-0279, 2007 WL 756528, at *3 (E.D. La. Mar. 8, 2007)) (explaining that “[l]osses are ‘compensable when they result from damage to a computer system or the inoperability of the accessed system’”). Stated differently, the costs must be “related to analyzing or restoring the system to its previous condition.” ReMedPar, 683 F. Supp. 2d at 614 (holding that loss under the CFAA does not include the damage to the plaintiff’s business due to trade-secret information being accessed or the costs to investigate the defendants’ conduct, seeking redress for those acts, or locating and retaining replacement employees). This means that they are “necessary to assess the damage caused [to a computer] and to restore the plaintiff’s computer system.” Hartman, 2009 WL 10679053, at *2 (citing Tyco Int’l (US) Inc. v. Does, No. 01 CIV 3856, 2003 WL 23374767, at *3 (S.D.N.Y. Aug. 29, 2003)); Tyco Int’l, 2003 WL 23374767, at *3 (holding that investigator’s fees are not compensable under the CFAA when they were not “necessary to assess the damage caused to the plaintiff’s computer system or to rescue the system in the wake of a spamming attack”). Expenses incurred investigating the identity of a computer hacker therefore are not losses recoverable under the CFAA when used to determine from whom relief should be sought, as compared to remedying or discovering the extent of the harm to the computer or computer system. Compare Tyco, 2003 WL 23374767, at *1, 3 (holding that the costs of investigation to identify the spammer in order to sue that individual are not losses recoverable under the statute) with SuccessFactors, Inc. v. Softscape, Inc., 544 F. Supp. 2d 975, 980-81 (N.D. Cal. 2008) (expenses incurred to discover who obtained protected information and what information was obtained found recoverable as they were “essential to remedying or discovering the extent of the harm”); see also Turner W. Branch, P.A. v. Osborn, No. 13-00110, 2014 WL 12593991, at *17-18 (D.N.M. Mar. 26, 2014) (concluding that the plaintiff’s alleged expenses did not qualify as a “loss” under the CFAA because they arose “from attorneys investigating Plaintiff’s CFAA claims and prosecuting th[e] case and not from damage to the computer, remedying damage to the computer, incurring other remedial costs of investigating the computer for damage, or incurring lost revenue because the computer cannot function while or until repairs are made”); Millennium TGA, Inc. v. Leon, No. 12-cv-01360, 2013 WL 5719079, at *18 (E.D.N.Y. Oct. 18, 2013) (expenses paid to investigator to locate and collect information about the hacker as opposed to discovering and repairing any damage are not recoverable under the CFAA). Litigation costs are generally not compensable “because they are not related to investigating or remedying damage to the computer.” Brooks v. AM Resorts, LLC, 954 F. Supp. 2d 331, 338 (E.D. Pa. 2013) (citing Healthcare Advocs., Inc. v. Harding, Earley, Follmer & Frailey, 497 F. Supp. 2d 627, 647-48 (E.D. Pa. 2007); Wilson v. Moreau, 440 F. Supp. 2d 81, 110 (D.R.I. 2006)); see also Hartman, 2009 WL 10679053, at *2; cf. Integrity Applied Science, Inc. v. Clearpoint Chems. LLC, No. 1:18-cv-02235, 2020 WL 12584444, at *2 (D. Colo. Apr. 20, 2022) (finding the cost of securing an injunction recoverable because the injunction was necessary to stop the offender from accessing the plaintiff’s computer systems). Thus in Brooks, the court held that “costs associated with hiring courts reporters and videographers and obtaining deposition transcripts” and the “fees paid to an expert to assist in litigation do not fall with the CFAA’s definition of ‘loss.’” 954 F. Supp. 2d at 338 (citations omitted). Expenses to secure expert testimony or discovery in anticipation of a CFAA lawsuit also are not recoverable. Calendar Rsch. LLC v. StubHub, Inc., No. 2:17-cv-04062, 2020 WL 4390391, at *26 (C.D. Cal. May 13, 2020) (citations omitted). In Wilson, the district court found that the costs of litigation could not be counted towards the $5,000 statutory threshold where the plaintiffs had “suffered no economic harm,” “their ability to conduct their business was not . . . impaired,” and “[n]o remedial measures were required to repair their computer capabilities.” 440 F. Supp. 2d at 110; see also Above & Beyond – Bus. Tools & Servs. for Entrepreneurs, Inc. v. Wilson, No. 21-7339, 2022 WL 1774276, at *7 (D.N.J. Sept. 1, 2022) (finding attorney’s fees and costs of damage assessment through a consultant insufficient to meet $5,000 threshold where the plaintiff alleged no impairment or damage to its computer or computer system to which those expenses were related). The expenses Plaintiffs claim here (see ECF No. 48-15 at Pg ID 1747) do not count towards the CFAA’s loss threshold. Plaintiffs do not identify costs associated with assessing or remedying damage to a computer or computer system arising from Defendants’ acquisition of the subject emails. Nor do Plaintiffs allege an impairment to their business or computer capabilities as a result of the alleged CFAA violation. They fail to show that the identified “investigation costs” were expended to assess and remedy any damage as opposed to litigating their claims against Defendants. For these reasons, this case is distinguishable from the two Plaintiffs rely upon to support their claimed loss: Facebook, Inc. v. Power Ventures, Inc., 252 F. Supp. 3d 765 (N.D. Cal. 2017); NCMIC Finance Corporation v. Artino, 638 F. Supp. 2d 1042 (S.D. Iowa 2009). In Facebook, expenses were incurred “for technical measures to block [the defendant] from accessing Facebook servers and expenses for negotiating with [the defendant] to voluntarily stop its activities and destroy the data.” 252 F. Supp. 3d at 778. The case is therefore similar to SuccessFactors and Integrity Applied Science cited earlier, where costs were expended to stop the offender’s continued violations. None of the expenses claimed by Plaintiffs here were incurred for such a purpose. Massey’s search which accessed Plaintiffs’ emails was complete by the time Plaintiffs’ “investigation costs” were expended. In NCMIC Finance, the defendant obtained the plaintiff’s customer spreadsheet which included social security numbers and credit information. 638 F. Supp. 2d at 1064. The plaintiff incurred investigative costs to assess the extent to which the defendant disclosed the social security numbers and credit information to third parties. Id. The plaintiff also incurred expenses for legal research and assistance to determine whether it had an obligation under federal or state law to report the disclosure of this information or notify the victims. Id. at 1065. Finally, the plaintiff had to purchase identify-theft-prevention services for those individuals whose social security information the defendant obtained. Id. at 1064. These costs, unlike any claimed here, were vital to assessing the extent of the harm caused by the defendant’s conduct and remedying that harm. Plaintiffs do not allege any harm arising from Defendants’ asserted violation of the CFAA other than the violation itself. They did not incur expenses to respond directly to Defendants’ conduct (e.g., to assess and remedy any damage incurred). Instead, they incurred fees “toward building a civil case against [Defendants.]” See United States v. Nosal, No. CR-08-0237, 2014 WL 121519, at 6 (N.D. Cal. Jan. 13, 2014) (finding that costs incurred “[d]etermining who breached the system security and the manner and extent of the intrusion” are remedial steps considered “loss” for purposes of the CFAA but “[c]osts incurred for the purpose of building or supporting the victim’s civil case” are not). As Plaintiffs fail to satisfy the CFAA’s $5,000 threshold requirement where they have the burden of doing so, Defendants are entitled to summary judgment in their favor with respect to this claim. B. SCA Like the CFAA, the SCA is a federal criminal statute, 18 U.S.C. § 2701(a), which also provides a private right of action to any “person aggrieved by any violation of the Act . . . in which the conduct constituting the violation is engaged in with a knowing or intentional state of mind[,]” id. § 2707(a). The SCA imposes liability upon a person who: (1) intentionally accesses without authorization a facility through which an electronic communication service is provided; or (2) intentionally exceeds an authorization to access that facility; and thereby obtains, alters, or prevents authorized access to a wire or electronic communication while it is in electronic storage[.] Id. This provision does not apply to inter alia “the person or entity providing a wire or electronic communications service[.]” Id. § 2701(c). In a civil action, the SCA allows for the following relief: (1) such preliminary and other equitable or declaratory relief as may be appropriate; (2) damages under subsection (c); and (3) a reasonable attorney’s fee and other litigation costs reasonably incurred. Id. § 2707(b). With respect to “damages,” the statute provides, in relevant part: “The court may assess as damages in a civil action under this section the sum of the actual damages suffered by the plaintiff and any profits made by the violator as a result of the violation, but in no case shall a person entitled to recover receive less than the sum of $1,000.” Id. § 2707(c). As with the CFAA, the parties assert several arguments in their papers for why they are entitled to summary judgment with respect to Plaintiffs’ claim under the SCA. The Court begins again with damages. However, unlike Plaintiffs’ CFAA claim, the lack of damages does not doom this claim. 1. Damages “Damages,” for purposes of the SCA, do not include “attorney’s fee[s] and other litigation costs” as Congress put these forms of relief in separate categories. Puerto Rico Tel. Co. v. Ayala Rivera, No. 15-1837, 2018 WL 1705301, at *2 (D.P.R. Mar. 29, 2018) (holding that the plaintiff’s attorneys’ fees and litigation costs are separate from actual damages for purposes of the SCA); see also City of Sandusky, Ohio v. Coregis Ins. Co., 192 F. App’x 355, 359 (6th Cir. 2006) (quoting Sullivan Cnty., Tenn. v. Home Indem. Co., 925 F.2d 152, 153 (6th Cir. 1991)) (finding that attorney’s fees and costs awarded pursuant to the federal civil rights statute, 42 U.S.C. § 1988, are not damages, explaining that “Congress is free to put attorney fees in either category [costs versus damages] . . . but when an act of Congress unambiguously assigns such fees to one category, the courts are not free to pretend that Congress has assigned them to the other”). As discussed above, the investigation costs itemized by Plaintiffs constitute attorney’s fees and litigation costs, only. Plaintiffs nevertheless argue that “the SCA does not require actual damages as it provides for statutory damages of no ‘less than the sum of $1,000.’” (ECF No. 59 at Pg ID 3184 (quoting 18 U.S.C. § 2707(c)).) The Circuit Courts of Appeals that have addressed whether statutory damages are recoverable under the SCA absent proof of actual damages have held that they are not. Domain Prot., LLC v. Sea Wasp, LLC, 23 F.4th 529, 537-38 (5th Cir. 2022); Seal v. Peacock, 32 F.4th 1011, 1021-27 (10th Cir. 2022); Vista Mktg., LLC v. Burkett, 812 F.3d 954, 965-75 (11th Cir. 2016); Van Alstyne v. Elec. Scriptorium Ltd., 560 F.3d 199, 205 (4th Cir. 2009); Hovanec v. Miller, 831 F. App’x 683, 685 (5th Cir. 2020). Those courts relied on the Supreme Court’s decision in Doe v. Chao, 540 U.S. 614 (2004), where the Court analyzed the “substantively identical” damages provision in the Privacy Act of 1974, 5 U.S.C. § 552a(g)(4), and held that plaintiffs must show they sustained actual damages before they can recover the statutorily guaranteed minimum of $1,000. Chao, 540 U.S. at 620. A number of district courts also have applied the Supreme Court’s analysis in Chao to the SCA or otherwise found that the $1,000 in the SCA’s relief provision is not a separate statutory damage but a floor for an award of actual damages. See, e.g., Seale, 32 F.4th at 1023 n. 8 (collecting cases); Boane v. Boane, No. 11-cv-2565, 2022 WL 331015, at *3 (W.D. Tenn. Feb. 3, 2022). On the other hand, a number of district courts disagree, reasoning that they are “different statutes, with different purposes, and they penalize different behavior.” See Seale, 32 F.4th at 1024 n. 9 (collecting cases). The Sixth Circuit has not addressed the issue. The only district court within the Circuit that has indicated that statutory damages are available even in the absence of actual damages said so in dicta. Cardinal Health 414, Inc. v. Adams, 582 F. Supp. 2d 967, 975-76 (M.D. Tenn. 2008). This Court is persuaded by the decisions of the Circuit Courts that have resolved the issue and adopts the reasoning from those decisions here. Unlike the CFAA, however, Plaintiffs’ lack of actual damages does not doom their SCA claim. Plaintiffs neglect to point this out. But courts uniformly hold that, even absent actual damages, a prevailing plaintiff may recover punitive damages and/or attorney’s fees. See, e.g., Seale, 32 F.4th at 1028-29 (“Unlike statutory damages, the text of the SCA does not connect an award of punitive damages with a showing of actual damages”); Van Alstyne, 560 F.3d at 209 (same); Vista Mrktg., 812 F.3d at 978 (explaining that “liability under the SCA is a concept distinct from whether a person is ‘entitled to recover’ actual damages or a violator’s profits” and thus a plaintiff may still recover punitive damages and/or attorney’s fees and costs). Thus, the Court turns to the other elements of the claim. 2. Elements A person violates the SCA by: (i) “intentionally access[ing] without authorization” or “intentionally exceed[ing] an authorization to access” (ii) “a facility through which an electronic communication service is provided” and (iii) “obtain[ing], alter[ing], or prevent[ing] authorized access to a wire or electronic communication while it is in electronic storage in such system[.]” 18 U.S.C. § 2701(a) (emphasis added). As the italicization above reflects, for purposes of the SCA, the access at issue is to “a facility.” Thus, the relevant question is, did the defendant have authority to access the facility in question or exceed the authorization the defendant possessed. The SCA does not define “facility,” although it does define “electronic communication service” as “any service which provides to users thereof the ability to send or receive wire or electronic communications.” 18 U.S.C. § 2510(15). It is clear from the language of the statute, see 18 U.S.C. § 27027(a), that a facility is distinct from the electronic communication service and the wire or electronic communications sent or received through that service. “[T]elephone companies, [i]nternet or e-mail service providers, and bulletin board services” are commonly recognized facilities within the statute. In re Google Inc. Cookie Placement Consumer Privacy Litig., 806 F.3d 125, 146 (3d Cir. 2015) (first brackets added) (citing cases). Most courts hold that personal devices, such as computers, are not.4 See, e.g., In re iPhone Application Litig., 844 F. Supp. 2d 1040, 1058 (N.D. Cal. 2012); see also Morgan v. Preston, No. 3:13-00403, 2013 WL 5963563, at *5 & n. 3 (M.D. Tenn. Nov. 7, 2013) (holding that the plaintiff’s personal computer was not covered by the SCA and collecting cases reflecting “the overwhelming body of law” supporting that conclusion). 4 Therefore, to the extent Plaintiffs assert that Defendants’ accessed Plaintiffs’ computers, without authorization, this would not support their SCA claim. Plaintiffs maintain that Defendants lacked authorization or exceeded their authorization to access Plaintiffs’ email accounts because, pursuant to the APA, Defendants were obligated to transfer “all of the rights” to the Microsoft Office 365 accounts and the Domain to Conlan Abu. (See ECF No. 48 at Pg ID 1473.) However, the question is not necessarily who owns the Microsoft Office 365 accounts or the Domain because someone other than, or in addition to, the owner may have been authorized to access the accounts. Plaintiffs also seem to confuse what the person had to lack the authority to access for purposes of the SCA because, as emphasized above, it is the authorization to access the facility (i.e., the Microsoft Office 365 accounts or its products) that is relevant, not the emails associated with those accounts. See Cornerstone Consultants, Inc. v. Prod. Input Sols., LLC, 789 F. Supp. 2d 1029, 1052 (N.D. Iowa 2011) (quoting 18 U.S.C. § 2701(a)(1)) (rejecting the plaintiff’s argument that “access to more emails . . . exceeded expected norms of intended use . . . because the question is not whether access to particular e-mails was authorized or in excess of authorization, but whether access to ‘a facility through which an electronic communication service is provided’ was unauthorized or was in excess of authorization”). There is no dispute that Massey was the administrator of the Microsoft Office 365 accounts which housed the @theepicureangroup.com emails accessed during the state court litigation. Whether or not the rights or licenses to the accounts, including the administrative rights, should have been transferred to Conlan Abu pursuant to the APA is a red herring. The record evidence reflects that they were not. 5 What is relevant is that Massey undisputedly still held the administrative rights to the accounts. Massey has indicated that he was never asked to give up his administrative privileges. (ECF No. 9-4 at Pg ID 1934, ¶ 8.) There also is no dispute that Massey served as the administrator with Plaintiffs’ knowledge and apparent consent. In fact, Moore and his employees asked Massey, in his role as the account administrator, to activate and terminate accounts, reset passwords, and set up email forwarding and sharing. 6 It is Plaintiffs’ burden to prove the elements of their SCA claim, including that Defendants acted without or exceeded their authorization. See Cornerstone Consultants, 789 F. Supp. 2d at 1047-08 (citations omitted) (finding that the 5 Until the Microsoft Office 365 licenses were transferred to Conlan Abu, Defendants retained ownership of the related accounts. The failure to execute the transfer might state a breach of the APA but that was the subject of the state court litigation. In any event, as discussed above, who owned the licenses does not necessarily determine who was authorized to administer the related accounts. 6 Quoting Massey’s declaration, Plaintiffs assert that he “admittedly, was only authorized to help with the ‘the termination of employees, new hires, creation of new accounts, and resetting passwords.’” (ECF No. 59 at Pg ID 3172 (quoting ECF No. 9-4 at Pg ID 193, ¶ 7).) However, the word “only” does not appear in Massey’s statement and his declaration in no way suggests that these were the only functions he was authorized to perform. Instead, Massey simply was providing examples of the assistance he provided to Plaintiffs in connection with the Microsoft Office 365 accounts. without or exceeds authorization in § 2701(a) and the with authorization in the exception in § 2701(c) are “an integral part of the definition of the claim or offense”); In re DoubleClick Inc. Privacy Litig., 154 F. Supp. 2d at 507-508 (same); CreditMax Holdings, LLC v. Kass, No. 11-81056-CIV, 2013 WL 12080227, at *2 (S.D. Fla. Jan. 25, 2013) (collecting cases holding that authorization is an element of an SCA claim, rather than an affirmative defense, and thus the plaintiff bears the burden of proof on this issue); Shefts v. Petrakis, No. 10-cv-1104, 2011 WL 5930469, at *7 n. 10 (C.D. Ill. Nov. 29, 2011) (citing In re DoubleClick Inc. Privacy Litig., 154 F. Supp. 2d at 507) (explaining that it is the “[p]laintiff’s burden to prove that the access was unauthorized, as the ‘without authorization’ and ‘exceeds an authorization’ terms are part of the definition of the wrongdoing itself, and authorized conduct is specifically listed as an exception”). However, Plaintiffs offer no evidence suggesting that the administrator of the Microsoft Office 365 accounts lacked the authority to access user data within those accounts, including emails. Plaintiffs only assert that Defendants were never given authorization to access any emails. (See, e.g., ECF No. 59 at Pg ID 3183.) However, first, as indicated above, it is the authority to access the facility that is relevant not specifically the emails. Second, if an administrator is automatically authorized to access every aspect of the account, including email data, no separate or specific authorization as to that information needs to be evidenced. Defendants’ evidence reflects that administrators are authorized to access users’ email and other data. Microsoft’s Privacy Statement in fact provides the following notice to end users: If you use a Microsoft product or use an email address to access Microsoft products and that product or email address was provided by an organization you are affiliated with, such as an employer or school, that organization can: Control and administer your Microsoft product and product account, including controlling privacy-related settings of the product or product account. Access and process your data, including the interaction data, diagnostic data, and the contents of your communications and files associated with your Microsoft product and product accounts. (ECF No. 55-26 at Pg ID 2801-02 (emphasis added).) Massey also testified that, as administrator, he was able to access the @theepicureangroup.com emails. (See ECF No. 48-3 at Pg ID 1517-23.) Plaintiffs argue that “ability” cannot be confused with “authorization” (see, e.g., ECF No. 48 at Pg ID 1473); however, the Court is not convinced that there is a distinction, at least when referring to computer-related access. As anyone who uses a computer knows—particularly a computer connected to the server of a business or organization or issued by a business or organization—a user’s “permissions” dictate what the user can and cannot do. The courts define “authorization” to mean “‘permission or power granted by an authority.’” LVRC Holding LLC v. Brekka, 581 F.3d 1127, 1133 (9th Cir. 2009) (quoting Random House Unabridged Dictionary 139 (2001)) (defining term for purposes of the CFAA); Central Bank & Trust v. Smith, 215 F. Supp. 3d 1226, 1236 (D. Wy. 2016) (finding that the definition in the SCA compares to that in the CFAA); Sartori v. Schrodt, No. 19-15114, 2021 WL 6060975, at *3 (11th Cir. Dec. 20, 2021) (citation and internal quotation marks omitted) (defining “authorization” for purposes of the CFAA and SCA as “the state of being authorized” and “authorize to mean to endorse, empower, justify, or permit by or as if by some recognized or proper authority”). Massey’s testimony reflects that an administrator of a Microsoft Office 365 account has the “permissions” to access the emails within the account. (See, e.g., ECF No. 48-3 at Pg ID 1515 (referring to Dickson’s “permissions” with respect to the account when asked about Dickson’s “authorization” to view emails connected to the account).) Massey also accessed emails from Moore’s non-@theepicurean.com accounts. However, the evidence reflects that he did so by searching the Trowbridge Tenant.7 (ECF No. 55-7 at Pg ID 2621-22; ECF No. 9-4 at Pg ID 194 ¶¶ 10-12.) Again, the focus of an SCA claim is the facility, not the communications, accessed. Defendants have shown that the emails from Moore’s non-@theepicureangroup.com addresses were attached to calendar items 7 Plaintiffs appear to concede this, as they describe that Massey’s searches of the account “also pulled independent emails” from other accounts. (See ECF No. 59 at Pg ID 3174.) associated with the Microsoft Office 365 products housed within the Trowbridge Tenant. (See ECF No. 55-19 at Pg ID 2697-02.) Plaintiffs fail to provide contrary evidence. In short, it is Plaintiffs’ burden to present evidence showing that Massey lacked the authority or exceeded his authority to access the Microsoft Office 365 accounts housing the @theepicureangroup.com emails. Plaintiffs fail to meet that burden. But even if Plaintiffs succeeded in showing that Massey lacked authorization or exceeded his authorization, they do not show that he did so “intentionally.” To prove their SCA claim, Plaintiffs must show that Defendants had “a highly culpable state of mind[.]” Cardinal Health 414, 582 F. Supp. 2d at 976 (internal citation omitted). The defendant must have had knowledge that his or her conduct was unlawful. Pure Power Boot Camp, Inc. v. Warrior Fitness Boot Camp, LLC, 813 F. Supp. 2d 489, 556 (S.D.N.Y. 2011). Courts have found the intent element satisfied where the defendant “repeatedly, intentionally, and knowingly logged onto the e-mail account of [another individual] using [that individual]’s user name and password.” Id. at 977. Similarly, in Miller v. Meyers, 766 F. Supp. 2d 919 (W.D. Ark. 2011), the plaintiff’s ex-husband was found to have acted with the requisite state of mind when he used a keylogger program to obtain the plaintiff’s passwords and then used those passwords to access her email. Id. at 923. Plaintiffs assert that, like the defendant in Cardinal Health, “Defendants logged onto Moore’s email account without permission and reviewed his emails[.]” (ECF No. 59 at Pg ID 3187.) But there is no evidence that this is how the emails were accessed. Defendants did not log directly into Moore’s email account. Instead, as previously discussed, Massey accessed the emails through the tools available to the administrator of the Trowbridge Tenant, where the Microsoft Office 365 accounts resided, and the record evidence reflects only that he believed he had the permission to do so as administrator of the account. (ECF No. 55-7 at Pg ID 2623-24.) For these reasons, the Court concludes that Defendants are entitled to summary judgment as to the SCA claim, as well. IV. Conclusion Proof of actual damages is necessary to prevail on a claim under the CFAA. Plaintiffs show only litigation fees and costs resulting from Defendants’ alleged violation of the statute, which do not qualify as damages. Defendants, therefore, are entitled to summary judgment with respect to this claim. The $1,000 referred to in the relief provision of the SCA is not a statutory damage available in the absence of actual damages. In other words, Plaintiffs’ failure to show actual damages means they also are not entitled to statutory damages of $1,000. Plaintiffs still could recover punitive damages, reasonable attorney’s fees, and other litigation costs reasonably incurred if they establish the elements of their SCA claim, including that the violation is willful or intentional. For the reasons discussed above, however, Plaintiffs fail to present facts to support all of those elements. Accordingly, IT IS ORDERED that Plaintiffs’ motion for summary judgment (ECF No. 48) is DENIED. IT IS FURTHER ORDERED that Defendants’ second motion for summary judgment (ECF No. 55) is GRANTED. s/ Linda V. Parker LINDA V. PARKER U.S. DISTRICT JUDGE Dated: May 25, 2023
Document Info
Docket Number: 2:20-cv-10747
Filed Date: 5/25/2023
Precedential Status: Precedential
Modified Date: 6/23/2024