IN THE UNITED STATES DISTRICT COURT FOR THE EASTERN DISTRICT OF PENNSYLVANIA
October 22, 2010
CLINTON PLUMBING AND HEATING OF TRENTON, INC., ET AL., PLAINTIFFS,
STEPHEN ANTHONY CIACCIO, NICOLE MARIE CIACCO, AND CAPITOL ONE BANK (USA), N.A., DEFENDANTS.
The opinion of the court was delivered by: Rufe, J.
MEMORANDUM OPINION AND ORDER
In this case, Plaintiffs Clinton Plumbing and Heating of Trenton, Inc. ("CPH") and Peter and Nancy Pelicano ("Pelicanos"), bring multiple claims against Defendants, all relating to Stephen Anthony Ciacco's alleged fraudulent scheme to make unauthorized transfers from Plaintiffs bank accounts to Ciacco's outstanding credit balance held by Defendant Capital One Bank ("Capital One"). Presently before the Court is Defendant Capital One's Motion to Dismiss Counts II, VII, and XI of the First Amended Complaint.*fn1 For the reasons that follow, Capital One's Motion will be GRANTED.
I. FACTUAL AND PROCEDURAL BACKGROUND
A. Procedural Background
Plaintiff Peter Pelicano is the president and sole shareholder of Plaintiff CPH, a corporation that provides plumbing and heating services in New Jersey and Pennsylvania.*fn2
Defendants are Stephen Ciacco ("Ciacco"), his wife, Nicole Marie Ciacco, and Capital One, the national bank that allegedly held Ciacco's outstanding credit balance and initiated the unauthorized debits from CPH's accounts.
Plaintiffs filed an Amended Complaint in this matter on August 24, 2009.*fn3 The amended complaint describes a scheme by Ciacco to defraud CPH and the Pelicanos by misrepresenting himself as authorized to initiate transfers from CPH's bank account to his outstanding balance at Capital One. Capital One is alleged to have participated, albeit unwittingly, in Ciacco's scheme by carrying out the unauthorized transactions. Against all Defendants, Plaintiffs bring claims for computer fraud in violation of the Computer Fraud and Abuse Act ("CFAA"), conversion, and identity theft in violation of the New Jersey Identity Theft Statute. Plaintiffs bring claims of fraud and fraudulent transfer against Ciaccio and claims for negligence and breach of warranty against Capital One.
Defendant Capital One has moved to dismiss Plaintiffs' claims against it for computer fraud, identity theft, and breach of warranty. The Court has considered the Motion, Response in Opposition, Reply and Sur-reply, and this matter is now ready for disposition.
B. Factual Background
Stephen Ciaccio is the sole proprietor of Krash Enterprises ("Krash"), a computer repair and management company.*fn4 On November 21, 2007, Ciacco, acting through Krash, entered into a service agreement with CPH.*fn5 Pursuant to that contract, Ciaccio was responsible for installing and managing CPH's network servers and office management software-which included the software for managing payables and receivables.*fn6
Allegedly, Ciacco soon sought greater responsibility for managing the accounts receivable software from CPH.*fn7 Plaintiffs claim they promoted Ciacco to comptroller of CPH because he told them he required greater access to their bank accounts in order to manage the complexity of the software and difficulties arising from its installation.*fn8 As comptroller, Ciacco was responsible for managing CPH's payables and receivables and was given access to CPH's bank accounts.*fn9 Ciacco also set up CPH's computer system so that he could remotely access CPH's account information from his home and personal computer.*fn10 However, Plaintiffs allege that Ciacco's authorized access was limited to monitoring the daily status of those accounts.*fn11 Plaintiffs also claim the Pelicanos had sole authority to authorize payments from the CPH accounts and to authorize automatic clearing house ("ACH") debit transfers on behalf of CPH.*fn12
In March of 2008, Ciacco allegedly began making unauthorized transfers from CPH's bank accounts to his personal Capital One credit card account.*fn13 Plaintiffs claim that Ciacco initiated the ACH debit transfers using Capital One's online credit card payment site.*fn14 Upon receiving Ciacco's transfer request, Capital One debited the funds from CPH's bank accounts and applied them to Ciaccio's outstanding credit balance.*fn15 Although the Pelicanos terminated Ciacco from his position as Comptroller in August 2008, he allegedly continued to remotely access the CPH servers and accounts until November 2008.*fn16
In November 2008, the Pelicanos discovered the electronic withdrawals by Capital One.*fn17
They immediately cut off Mr. Ciaccio's access to their bank accounts, suspended all remote access to CPH's computers, changed the passwords for their bank accounts, and informed Capital One of the improper withdrawals.*fn18 Capital One responded by advising the Pelicanos that it would investigate the allegations.*fn19 Although Capital One has since provided Plaintiff with statements regarding the Capital One account, it refuses to reimburse CPH for the amounts withdrawn from their accounts.*fn20
II. STANDARD OF REVIEW
A complaint can be dismissed for failure to state a claim upon which relief can be granted pursuant to Federal Rule of Civil Procedure 12(b)(6) if the plaintiff has not presented "'enough facts to raise a reasonable expectation that discovery will reveal evidence' of [a] necessary element."*fn21 A court must "accept all factual allegations as true, construe the complaint in the light most favorable to the plaintiff, and determine, whether under any reasonable reading of the complaint, the plaintiff may be entitled to relief."*fn22 However, Plaintiffs' "bald assertions" or "legal conclusions" need not be accepted as true by the court.*fn23 At this stage, the court does not determine whether the non-moving party will prevail, but whether it will be permitted to offer evidence in support of the claims in the complaint.*fn24
This particular pleading standard, described in Federal Rule of Civil Procedure 8(a)(2) as "a short and plain statement of the claim showing that the pleader is entitled to relief"*fn25 has been addressed twice by the Supreme Court of the United States in recent years, first in Bell Atlantic Corp. v. Twombly*fn26 and then in Ashcroft v. Iqbal.*fn27 The Court in Twombly articulated a "plausibility" standard that a plaintiff must meet by its factual allegations to survive a motion to dismiss.*fn28 The Court described it as a level higher than suspicion or speculation.*fn29 The Iqbal Court clarified that "where the well-pleaded facts do not permit the court to infer more than the mere possibility of misconduct, the complaint has alleged - but it has not 'show[n]' - 'that the pleader is entitled to relief.'"*fn30
A. Count II: Computer fraud claim under 18 U.S.C. § 1030
1. Governing Law
Capital One moves to dismiss Count II of Plaintiffs Amended Complaint, wherein Plaintiffs allege that Capital One violated the Computer Fraud and Abuse Act ("CFAA").*fn31 In particular, Plaintiffs claim a violation of 18 U.S.C. § 1030(a)(5)(A)(iii).*fn32 As a preliminary matter, the Court notes that this provision of the CFAA no longer exists-the statute was amended in September 2008. The parties do not address this problem, and the First Amended Complaint and Capital One's Motion to Dismiss both apply the pre-amendment law.*fn33
A comparison of the pre- and post-amendment statutes reveals that the changes did not substantively change 18 U.S.C. § 1030(a)(5)(A)(iii); instead, they mainly reorganized the pertinent parts of the statute. Each version of the statute requires Plaintiffs to allege the same five elements, explained infra, to sufficiently state a claim.*fn34 In addition, the majority of the alleged debit transfers at issue in this case took place prior to the amendments.*fn35 Therefore, because the substance of the law did not significantly change post-amendment, and because the bulk of the alleged conduct occurred prior to the amendments, the Court will analyze Plaintiffs' claim under the pre-amendment law.
2. Analysis under the CFAA
Although the CFAA is primarily a criminal statute, it provides a private cause of action in particularized circumstances. Under § 1030(g), "[a]ny person who suffers damage or loss by reason of a violation of this section may maintain a civil action... if the conduct involves [one] of the factors set forth in clause (i), (ii), (iii), (iv), or (v) of subsection (a)(5)(B)."*fn36 The five factors listed under subsection (a)(5)(B) specify the forms of damage or loss that are possible harmful results of violations of other parts of the statute.*fn37
Here, 1030(g) does not impose any extra burden on Plaintiff because §1030(a)(5)(A)(iii) contains a parallel requirement to show one of the special forms of loss or damage listed under (a)(5)(B). Accordingly, the Court need look no further then §1030(a)(5)(A)(iii) to determine if Plaintiffs have sufficiently alleged their claim. It is a violation of §1030(a)(5)(A)(iii) to: (iii) intentionally access a protected computer*fn38 without authorization, and as a result of such conduct, cause damage; and (B) by conduct described in clause (I), (ii), or (iii) of subparagraph (A), cause... [one of the special forms of loss or damage set forth in subsections (i)--(v)].*fn39
In short, §1030(a)(5)(A)(iii) requires Plaintiff to allege 1) intentional access; 2) of a protected computer; 3) without authorization; 4) that causes damage; and 5) loss.
Plaintiffs argue that Capital One violated §1030(a)(5)(A)(iii) by intentionally accessing Plaintiffs' bank accounts through the banks' protected computers. They claim that Capital One's access was unauthorized and caused damage to CPH in the form of money withdrawn from the bank accounts, overdraft fees, returned checks, late fees, reputational damages arising from a damaged credit score, and the termination of contracts due to insufficient funds for payments.*fn40
Capital One argues that Count II should be dismissed for failure to state a claim under the CFAA. The thrust of Capital One's argument is that the kind of loss and damage alleged-"wrongfully debiting... bank accounts at the direction of Plaintiffs' alleged dishonest employee"-does not violate the CFAA.*fn41 Additionally, they argue §1030(a)(5)(A)(iii) requires Plaintiff to allege an "intent to harm." Finally, they contend that Plaintiffs did not sufficiently allege Capital One acted "without authorization." The Court will address each of these arguments in turn.
a. Intent and Authorization
Capital One argues that Plaintiffs must allege an intent to harm under §1030 (a)(5)(A)(iii). The Court disagrees. By the principle of expressio unius est exclusio alterius,*fn42 subsection (a)(5)(A)(iii) unambiguously excludes an intent to harm requirement. There are three subsections listed under (a)(5)(A), each of which specifies-or, in the case of (a)(5)(A)(iii), fails to specify-a different mental state associated with "damage." Subsection (i) punishes "intentional... damage," subsection (ii) punishes "reckless... damage," but subsection (iii) punishes "damage" alone. Congress's failure to define a mental state under subsection (iii) indicates that Congress did not establish an intent requirement for damage under 5(A)(iii).*fn43 Further, the cases cited by Defendant in support of its argument analyze the intent requirements for different subsections of 5(A).*fn44 Therefore, Plaintiffs are correct: They do not need to allege an intent to harm in order to state a claim under 1030(a)(5)(A); instead they need only allege that Capital One intentionally accessed the protected computers without authorization. Here, Plaintiffs allege that "Capital One intentionally accessed computers owned by Roma Bank, Sun National Bank, and/or others, which were used to store information regarding CPH's accounts with Sun National Bank and/or Roma Bank."*fn45 They also allege that Capital One repeatedly accessed the accounts and initiated transfers from CPH's bank accounts.*fn46 Therefore, the key inquiry is whether that access was "without authorization."
Capital One argues that because it was authorized to access the relevant computers when it initiated the debits from Plaintiffs' account, it is not liable under the CFAA. To state a claim under §1030(a)(5)(A)(iii), Plaintiffs must allege that the use of the computer was either without, or exceeded, Capital One's authorization. Capital One claims that it did not access the banks' protected computers without authorization because it initiated the online transfers upon the request of a customer who was apparently authorized to access those accounts.*fn47 In response, Plaintiffs argue that because Plaintiffs were the only persons allowed to authorize ACH transfers on behalf of CPH, Ciaccio was incapable of granting permission for Capital One to access the accounts.
Although the CFAA specifically defines "exceeds authorized access," it does not specifically define the phrase "without authorization" or "authorization."*fn48 Consequently, the contours of those terms have been developed primarily in the context of employer-employee disputes over whether authorization, once given, can be lost based on subsequent bad conduct.*fn49 Unlike in those cases, Plaintiffs do not allege that Capital One lost or exceeded a previously granted authorization. Instead, they argue that because Ciacco lacked the authority to grant access the accounts, Capital One's belief that its access was authorized is irrelevant.
Although the precise question presented in this case has not previously been addressed within this Circuit or elsewhere, the existing case law offers some guidance. Courts that have construed "without authorization" have reached conflicting interpretations: Some courts have adopted a broad, agency-based interpretation of "authorization" which examines the subjective intent of the accesser.*fn50
Others-including this court-have adopted "the narrower view that the terms [of the CFAA] describe action that is 'tantamount to trespass in a computer.'"*fn51 Because this Court has adopted the narrower view, Plaintiffs need only contend that Capital One actually lacked authorization, regardless of its belief-reasonable or not-that it was authorized to access the system.
Here, Plaintiffs allege that Ciacco was not permitted to authorize ACH payments from its bank accounts. Assuming this is true-as the Court must in the current procedural posture-if Ciacco did not have the authority to access the accounts, he was therefore incapable of granting Capital One permission to do so. Although the parties dispute whether Mr. Ciacco was an "apparent customer" with the authority to approve a transaction, resolution of that dispute is inappropriate at this stage in the litigation. Therefore, Plaintiffs have sufficiently alleged that Capital One debited the bank accounts "without authorization."
b. Damage and loss
Although the CFAA defines "damage" as "any impairment to the integrity or availability of data, a system, or information,"*fn52 the scope of the term is unsettled.*fn53 Some courts construe the term narrowly, and construe "damage" as only those circumstances resulting in "some diminution in the completeness or usability of data or information on a computer system."*fn54 Courts advocating a broader interpretation have held that the mere copying or sending of confidential information constitutes damage because it causes irreparable harm to the integrity of the computer system or database.*fn55
The debate over the scope of the term "damage" has mainly arisen in employer-employee claims for theft of trade secrets or use of confidential information to gain an unfair competitive edge. For instance, in Shurgard Storage, the Plaintiff collected and disseminated confidential information from his former employer.*fn56 There, although no data was physically changed or erased, an impairment of integrity occurred because of the "subsequent corrective measures the rightful computer owner [had to] take to prevent the infiltration and gathering of confidential information."*fn57 In Bro-Tech Corporation v. Thermax,*fn58 this Court recognized the "increasingly expansive scope of the CFAA" and also allowed an employee-employer information misappropriation claim to proceed under the CFAA.*fn59
Plaintiffs do not allege that Capital One collected, copied, or disseminated any of the confidential information. Instead, they argue that the debit transfers impaired the integrity of the bank's information by changing the balance reflected in Plaintiffs' account. Before the transfers began, the computer data reflected a balance of almost $150,000; by the time they stopped, the balance was $0. Although this argument is creative, it goes too far. In Shurgard Storage, the court construed "integrity," in the context of the statute as "necessarily contemplat[ing] maintaining the data in a protected state." There, integrity referred to confidential information-namely trade secrets-that were gathered and disseminated.*fn60 Here, Plaintiffs do not allege that the integrity of data was impaired; instead, they allege the integrity of their bank funds was impaired. This claim does not allege damage for the purposes of the CFAA.
Similarly, Capital One argues that Plaintiffs' allegations do not meet the statutory definition of loss. "Loss" is treated separately from "damage" in the CFAA, and is specifically defined as:
Any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service.*fn61
Various courts have interpreted "loss" to mean the remedial costs of investigating a computer for damage, remedying damage done, and costs incurred while the computer is inoperable.*fn62 In Crown Coal & Coke Co. v. Compass Point Resources, LLC, the court explained that: "According to the CFAA, lost "revenue" constitutes "loss" if it is incurred "because of interruption of service." Therefore, if defendants had lost revenue because their computers were inoperable, that would be the type of lost revenue contemplated by the statute."*fn63 This interpretation of "loss" has been adopted by other courts. For instance, in B&B Microscopes v. Armogida, Plaintiffs suffered a loss after they lost access to data and were unable to reproduce their operational system.*fn64 Conversely, in Advantage Ambulance Group, Inc. v. Lugo,*fn65 Plaintiffs' claim for future lost revenue because of the dissemination of its trade secrets was not "loss" under the CFAA.*fn66
Here, Plaintiffs allege "loss of assets, overdraft fees, returned check fees, late fees, reputational damages arising from a damaged credit score, and termination of certain contracts due to insufficient funds for payment."*fn67 Like the claim in Advantage Ambulance, none of these claims allege loss related to computer impairment or interruption of service. These losses did not arise from investigating computer damage, remedying or responding to damage done, or costs incurred while the computer was impaired. Instead, they were the consequential damages of an overdrawn bank account. This is not the type of loss envisioned by the drafters of the CFAA. Because Plaintiffs do not set forth plausible fact allegations regarding the damage and loss elements of a CFAA claim, this claim against Capital One will be dismissed.
B. Count VII: Identity Theft under New Jersey Statute 2C: 21-17
A civil cause of action for a person harmed by a violation of the New Jersey Identity Theft Statute ("Identity Theft Statute") 2C:21-17 is found in 21-17.4, as Plaintiffs suggest*fn68 and as Capital One concedes.*fn69 First, Capital One claims the statute applies only to natural persons and not corporations. This is incorrect. "Person" is defined in two places in the Identity Theft Statute, and both definitions are inclusive of Capital One. Under New Jersey Statute 2C:20-1(m), which applies to the Identity Theft Statute, "person" is defined to "include any individual or entity or enterprise;" and under New Jersey Statute 2C 21-24, which also applies to the Identity Theft Statute, "person" is defined as "any corporation, unincorporated association or any other entity or enterprise."
However, Capital One properly challenges the substance of Plaintiffs' allegations under the New Jersey Identity theft statute. In their Response to Defendant's Motion to Dismiss, Plaintiffs claim that their allegations "fit the statutory language" of two subsections of the Identity Theft Statute:
A person is guilty of an offense if the person...
(2) Pretends to be a representative of some person or organization and does an act in such pretended capacity for the purpose of obtaining a benefit for himself or another or to injure or defraud another; [or]
(4) Obtains any personal identifying information pertaining to another person and uses that information, or assists another person in using the information, in order to assume the identity of or represent himself as another person, without that person's authorization and with the purpose to fraudulently obtain or attempt to obtain a benefit[.]
It is apparent from the plain text of the statute that Plaintiffs have alleged neither the actus reus nor the mens rea required to state a claim under either subsection. The Identity Theft Statute is meant to punish individuals who "impersonate another or assume [a] person's identity for the purpose of obtaining a benefit for himself or for the purpose of defrauding another."*fn70 In an effort to fit its claim to the statute, Plaintiff alleges that Capital One, "'purport[ed]' to act on behalf of CPH." But the act of pretending requires an individual to intentionally adopt a false pretense. And here, Plaintiffs do not assert any facts consistent with the claim that Capital One ever pretended to be someone it is not.
Moreover, subsection four is clearly aimed at combating identity theft. The actus reus of the crime is to "'obtain personal information'... in order to assume the identity of or represent himself as another person." Plaintiffs do not allege that Capital One obtained information; rather, they allege that Capital One received information. Further, even if the allegations do properly state that Capital One "obtained" information, there is no allegation that they did so for the purpose of "assum[ing] the identity or represent[ing] [its]elf as another person."
Finally, imposing liability on Capital One for Mr. Ciacco's alleged misrepresentations would misconstrue the intent of the New Jersey legislature. As noted in Piscitelli v. Classic Residence by Hyatt,*fn71 the civil remedy provided under the Identity Theft Statute is "directed against the thief."*fn72 It is not intended to punish third parties who are unwittingly are involved in a fraudster's scheme. It is unclear how, as Plaintiffs claim, their allegations fit the statute "like a glove." This claim is dismissed.
C. Count XI: Breach of Warranty
Plaintiffs allege that under the National Automated Clearing House Association ("NACHA") rules,*fn73 Capital One warranted to CPH that it would not debit accounts without authorization.*fn74 Therefore, when Capital One carried out the unauthorized debit transfers (Automatic Clearing House ("ACH" transactions), it breached its warranty.*fn75 In response, Capital One argues that Plaintiffs do not have standing to assert a breach of warranty claim because the warranty provisions of the NACHA Rules apply only to the obligations between banks.
The NACHA Rules establish the contractual obligations between the parties to ACH transactions.*fn76 The ACH is a national network of banks and financial institutions which transfers funds electronically to and from bank customers' accounts.*fn77 In a typical transaction, the Originator is any individual that initiates entries into the ACH network.*fn78 Here, the originator was Ciaccio, who fraudulently initiated the ACH transfer from CPH's bank account. Ciaccio sent his request to Capital One, the Originating Depository Financial Institution ("ODFI").*fn79 A financial institution is an ODFI if it agrees to originate ACH entries at the request of its customers. After receiving Ciaccio's (the originator's) response, Capital One (the ODFI) sent a request for a debit transfer to the ACH,*fn80 who processed the request and forwarded it to CPH's bank, the Receiving Depository Financial Institution ("RDFI").*fn81 Because CPH had entered into ACH agreements authorizing its Bank (the RDFI) to honor ACH requests to debit its account, it was categorized as a Receiver.*fn82 A Receiver is the consumer whose account is accessed. Therefore, the bank (the RDFI) approved Capital One's (the ODFI) debit requests and debited CPH's (the receiver's) account.
Here, an important precondition to any ACH transfer-authorization-was missing. But Capital One relied on the Ciacco's (the originator's) representation that the transfer was authorized and carried out the transaction. When this type of unauthorized ACH transfer occurs, the NACHA Rules protect certain parties by requiring: "[e]ach ODFI sending an entry [to] warrant the following to each RDFI, ACH Operator, and Associations*fn83 §22.214.171.124.... each entry transmitted by the ODFI to an ACH Operator is in accordance with proper authorization provided by the Originator and that is in accordance with proper authorization provided by the Originator and the Receiver; [and] §2.2.3 Each ODFI breaching any of the preceding warranties [here, §126.96.36.199] shall indemnify each RDFI, ACH Operator, and Association from and against any and all claim, demand, loss, liability, or expense, including attorney's fees and costs, that result directly or indirectly from the breach of warranty or the debiting or crediting of the entry to the receivers account.*fn84
Plaintiffs do not have standing to raise a breach of warranty claim pursuant to the NACHA Rules. Neither section creates an authorization warranty that runs to any party outside the RDFI, ACH Operator, and Associations.*fn85 Plaintiffs direct the Court to consider Security First Network Bank v. C.A.P.S., Inc,*fn86 where an Illinois federal district court considered a breach of warranty claim directly analogous to the one raised by Plaintiffs. In that case, Joseph Sykes, using the name Marvin Goldman, opened a deposit account at Security First Bank in Chicago.*fn87 Security First was unaware of Sykes' true identity at the time.*fn88 Using the Goldman alias, Sykes was able to fraudulently debit accounts held by two companies at other banks in the Chicago area and transfer the funds into his Goldman account at Security First.*fn89 One of the accounts debited was Consolidated Artists Payroll Service, Inc. ("CAPS"), an Illinois firm that used electronic fund transfers to provide payroll services to its customers.*fn90 The other account that Sykes defrauded was a Saks Fifth Avenue ("Saks") payroll account held at LaSalle Bank.*fn91
Both Saks and CAPS alleged that they entered into agreements with their banks for ACH services, and that the agreements incorporated the NACHA Rules.*fn92 Security First argued that neither company could enforce the NACHA warranty provisions because they run only to RDFIs and ACH operators, and not to receivers. The court began by drawing a distinction between §§2.2.3 and 188.8.131.52. Although it agreed that Saks could not enforce the warranty provisions under §2.2.3 because "it [was] an agreement to indemnify an RDFI, ACH Operator or Association for the breach of the warranty in §184.108.40.206,"*fn93 it interpreted §220.127.116.11 to create a direct warranty between Saks (the receiver) and Security First (the OFDI). Accordingly, the court allowed the breach of warranty claim to survive the Motion to Dismiss.*fn94
The Court does not find the reasoning of Security First persuasive. First, the Security First court apparently ignored the clear text of the warranty provision, which limits its reach to RDFIs, ACH Operators, and Associations. Sections 18.104.22.168 and 2.2.3 fall under that limitation, so it is unclear how the Security First court interpreted §22.214.171.124 to have a broader reach then §2.2.3. Second, NACHA clarified its own rules in a 2008 Amendment entitled "Beneficiaries of the Rules," which states that:
§1.9 Nothing in these rules is intended to, and nothing in these rules shall be implied to, give any legal or equitable right, remedy, or claim to other entity, including to any Originator, Receiver, Third-Party Service Provider, or Third-Party Sender.*fn95
Notably, the Security First decision predates the rule clarification offered in §1.9. In this case, Capital One was an ODFI, Plaintiffs' banks were RDFIs, and CPH was a receiver. Since CPH has receiver status, it does not have standing to bring a breach of warranty claim under NACHA.
Based on the foregoing discussion, the Court finds that Plaintiff has failed to sufficiently allege that Defendant Capital One violated the CFAA, New Jersey Identity Theft Statute, or the terms of a warranty owed to Plaintiffs. Accordingly, Capital One's Motion to Dismiss is GRANTED in full.
An appropriate Order follows.