United States District Court, W.D. Pennsylvania
CYNTHIA REED EDDY, Magistrate Judge.
Presently before the Court for disposition is defendants' motion to dismiss [ECF No. 7] plaintiff's complaint. For the following reasons, defendants' motion to dismiss is granted.
Plaintiff, Carnegie Strategic Design Engineers, LLC, ("plaintiff") is a "full-service, professional engineering firm having expertise in several major engineering disciplines" and employed the defendants at its Pittsburgh, Pennsylvania office for a time up to approximately fall of 2012. See Compl. [ECF No. 1] at ¶¶ 1-7, 9. Defendants Burger and Piontek were employed by plaintiff as Senior Process Control Systems Engineers until they voluntarily terminated their employment on or about August 13, 2012. Id. at ¶¶ 3-4. Defendant Shaner was employed by plaintiff as a Process Control/Electrical Technical Specialist until he voluntarily quit on approximately September 12, 2012. Id. at ¶ 5. Defendant Moyer was employed by plaintiff as an Electrical Engineer until she voluntarily quit on or about August 13, 2012. Id. at ¶ 6. Defendant Moyer is also a licensed Professional Engineer. Id. Each defendant unilaterally left plaintiff's employment to work for plaintiff's competitor. Id. at ¶ 13.
Plaintiff owns and maintains a password-protected computer system with a file and email server for use in operating its business, storing confidential company and client information and performing work on client projects. Id. at ¶ 11. Each defendant had access to this system and plaintiff limited their access for purposes related to client work on plaintiff's behalf. Id. at ¶ 15. Upon leaving plaintiff's employ, each defendant copied and stole "valuable data from [p]laintiff's password protected computer system and took that data for use unrelated to his or her subsequent employment [with] [p]laintiff's competitor." Pl.'s Op. Br. [ECF No. 12] at 3. Plaintiff claims that defendants had "no authority to access [p]laintiff's password-protected computer system or the data therein for any other purpose, and any such access for purposes other than serving [p]laintiff was... without authorization." Compl. [ECF No. 1] at ¶ 15. All told, defendants took more than 285 Gigabytes of data from plaintiff's system, including confidential company and customer data. Id. at ¶¶ 22-26; see Pl.'s Op. Br. [ECF No. 12] at 1. Specifically, the data taken by defendants included "detailed company and client information including client project data, engineering drawings, cost estimating data, customer contact information, vendor contact information and other non-public proprietary, business and trade secret information." Compl. [ECF No. 1] at ¶ 31. In some instances, defendants took data unrelated to any client work or other matters in which that particular defendant was involved, and for which plaintiff claims that defendant could not have any possible legitimate business purpose or use. Id. at ¶ 33. Plaintiff claims that the commercial value of the non-public business information taken is worth approximately $10,000,000. Id. at ¶ 27.
Plaintiff has suffered losses of out-of-pocket expenses in excess of $5,000 related to computer forensic investigation, analysis, review and mitigation of the data breach and theft and also loss of productivity incurred as plaintiff's senior-level management and in-house staff investigated the data breach and theft. Id. at ¶ 34.
Plaintiff asserts that defendants' retrieval and copying of its data was in direct violation of its employee policies. During their employment, each defendant was given and required to comply with plaintiff's employee handbook, which set forth employee policies regarding confidentiality of client and customer matters, Internet usage, laptop security, work created by employees, protecting company information, conflicts of interest and code of ethics, outside employment and resignation. Id. at ¶ 14.
Plaintiff filed the instant complaint alleging defendants violated the Computer Fraud and Abuse Act, 18 U.S.C. § 1030 ("CFAA"). Plaintiff therefore argues that, counter to defendants' obligation and agreement to return all property owned by plaintiff, the defendants accessed, copied, removed and stole valuable data from plaintiff's password-protected computer system and took that data for use unrelated to their employment with plaintiff and for use in connection with their employment by plaintiff's competitor. Plaintiff argues that defendants "lost all authority to access [p]laintiff's password-protected computer system the instant they undertook to do so for their own benefit or the benefit of any third person." Compl. [ECF No. 1] at ¶ 20. Moreover, under 18 U.S.C. § 1030(e)(6), "[t]o the extent [d]efendants might otherwise have had any authority to access the data on [p]laintiff's password-protected computer system, they exceeded their authority by accessing such data for anything other than legitimate business purposes relating to [p]laintiff's business operations." Id. at ¶ 21.
In response to plaintiff's claims, defendants filed a motion to dismiss setting forth two discrete arguments: (1) plaintiff has not properly asserted damage or loss under the CFAA; and (2) plaintiff has failed to plead that defendants' access to its computer system was "unauthorized" under the CFAA. See Br. in Supp. of Mot. to Dismiss [ECF No. 8] at 2. The Court will address each argument in turn.
This Court has original jurisdiction over this matter pursuant to 28 U.S.C. § 1331 as the action raises questions of federal law under the Computer Fraud and Abuse Act, 18 U.S.C. § 1030 ("CFAA").
IV. STANDARD OF REVIEW
Generally, a motion to dismiss under Federal Rule of Civil Procedure 12(b)(6) tests the legal sufficiency of a complaint. For a complaint to survive a Rule 12(b)(6) challenge, it must include factual allegations that "state a claim to relief that is plausible on its face." Ashcroft v. Iqbal, 556 U.S. 662, 697 (2009). A court in determining whether a complaint meets this standard must read the complaint in the light most favorable to the plaintiff and all well-pleaded facts must be taken as true. Id. at 677. "A claim has facial plausibility when the plaintiff pleads factual content that allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged." Id. (citing Bell Atlantic Corp. v. Twombly, 550 U.S. 544, 556 (U.S. 2007)). That a court must accept all factual allegations in a complaint does not apply to legal conclusions of the complaint. Iqbal, 556 U.S. at 678. Additionally, "[t]hreadbare recitals of the elements of a cause of action supported by mere conclusory statements, do not suffice." Id. (citing Twombly, 550 U.S. at 555) (the court is not "bound to accept as true a legal conclusion couched as a factual allegation"). Accordingly, "a complaint must do more than allege the plaintiff's entitlement to relief. A complaint has to 'show' such an entitlement with its facts." Fowler v. UPMC Shadyside, 578 F.3d 203, 210-11 (3d Cir. 2009). Doing so "does not impose a probability requirement at the pleading stage, but instead simply calls for enough facts to raise a reasonable expectation that discovery will reveal evidence of the necessary element." Phillips v. County of Allegheny, 515 F.3d 224, 232 (3d Cir. 2008) (quoting Twombly, 550 U.S. at 556, n.3).
The CFAA is generally an anti-hacker statute that prohibits unauthorized access or the exceeding of authorized access of computers connected to interstate commerce and subjects such violators to criminal and/or civil liability. See Dresser-Rand Co. v. Jones, ___ F.Supp.2d ___, ___, 2013 WL 3810859, at *3 (E.D.Pa. July 23, 2013) ("Dresser-Rand"); Shamrock Foods Co. v. Gast, 535 F.Supp.2d 962, 965 (D.Ariz. 2008) ("[t]he general purpose of the CFAA was to create a cause of action against computer hackers (e.g., electronic trespassers)"). The scope of the CFAA has been expanded in recent years and "[e]mployers... are increasingly taking advantage of the CFAA's civil remedies to sue former employees and their new companies who seek a competitive edge through ...