IN THE UNITED STATES DISTRICT COURT DISTRICT OF HOSMER

CKM Employment Services, Inc., Plaintiff, v. Peter Henderson and Temporary Employees for Organizations, Inc., Defendants.

) ) ) ) ) ) ) )

Case No. 10-Civ-073 Judge Alexandra Marks

COMPLAINT FOR INJUNCTIVE RELIEF AND OTHER RELIEF

______________________________________/ Justin Grimske Attorney for the Plaintiff The ALTA Law Firm 1996 Main Street Hosmer City, Hosmer 55555 MEMORANDUM IN OPPOSITION TO DEFENDANTS MOTION TO DISMISS PURSUANT TO FED. R. CIV. P. 12(B)(6).

INTRODUCTION Plaintiff, CKM, by and through its attorneys, respectfully requests that this Court deny Defendants Peter Henderson and Temporary Employees for Organizations, Inc. (TEFO), Motion to Dismiss under Federal Rules of Civil Procedure 12(b)(6). The Computer Frauds and Abuse Act (CFAA), prohibits unauthorized access of a protected computer and the confidential information contained thereon, causing damage or loss exceeding $5,000. 18 U.S.C. 1030. This Court must deny Defendants Motion to Dismiss for two reasons. First, CKM has successfully alleged that Defendant acted without authorization when he accessed CKM computers. See International Airport Centers, L.L.C. v. Citrin, 440 F.3d 418 (7th Cir. 2006) (defendant acted without authorization when he acted contrary to the scope of his
1

employment). Second, CKM has successfully alleged that Defendants conduct caused damage or loss as defined by the CFAA. See A. V. v. iParadigms, LLC, 562 F.3d 630, 646 (4th Cir. 2009) (costs incurred as part of the response to a CFAA violation constitute loss). Furthermore, legislative history of the CFAA, canons of statutory construction, and the irrelevant applicability of the rule of lenity support CKMs position.

LEGAL STANDARD FOR REVIEW This court follows the Sixth Circuits standard of review for a 12(b)(6) motion based on standards set forth by Bell Atlantic Corp. v. Trombly, 550 U.S. 544 (2007) and Ashcroft v. Iqbal, 129 S. Ct. 1937 (2009). Rule 12(b)(6) permits dismissal of a lawsuit for failure to state a claim upon which relief can be granted. Fed.R.Civ.P 12(b)(6). This rule requires the court to accept all of the complaints factual allegations as true, and determine whether the plaintiff undoubtedly can prove a set of facts that would entitle relief. Ashcroft v. Iqbal, 129 S. Ct. 1937 (2009). Thus, the court is to construe the complaint in the light most favorable to the plaintiff. Grindstaff v. Green, 133 F.3d 416, 421 (6th Cir.1998). Furthermore, [t]o avoid dismissal under Rule 12(b)(6), a complaint need only state enough facts to state a claim that is plausible on its face. Bell Atlantic Corp. v. Twombly, 550 U.S. 544, 570, 127 S.Ct. (2007). CKM has more than satisfied its burden to state a claim on both counts. CKM also sets forth a short and plain statement of the claim showing that it is entitled to relief. Fed.R.Civ.P 8(a)(2).Therefore, this Court should deny Defendants Motion to Dismiss in its entirety.

STATEMENT OF FACTS CKM Employment Services, Inc., provides temporary workers to its clients in a variety of professional and technical fields. (Factual Background. 10.) Defendant, Peter Henderson

was formerly employed by CKM as Vice President and Director of Operations from January 2002, until he abruptly quit in December 2009. (Id. 15.) While employed by CKM, Defendant was in charge of developing a complex computer system that improved service to existing CKM clientele, identified potential clients and analyzed those clients needs. (Id. 16.) Defendant also oversaw CKMs computer programming that tracked the needs of its existing clientele. Id. Therefore, the scope of Defendants employment provided him with access to significant proprietary and confidential information. (Id. 17.)

Defendant also played a significant role in the strategic development of a computer database that sorted CKMs roster of temporary workers by education, skills, reviews, and availability. (Id. 18.) CKM expanded substantial time, labor, and money into developing these strategies in its efforts to expand its business and its workforce. Id. As a result, by the end of 2002, CKM was serving clients in several states, and by 2006, CKM had over 1,000 clients in ten states. (Id. 14.) Also, due to the popularity of this database by existing clients, CKM used it as a recruitment tool to differentiate its services from competitors and land new clients. (Id. 18.)

CKM provided its clients with a password that allowed them to search this database and request the assistance of particular employees. (Id. 18.) To protect the privacy of the employees, each employee is assigned a code name. Id. The President of CKM, Defendant, and the Director of Personnel were the only executives trusted to access the database that matched employee code names with their real identities. Id. Furthermore, only five individuals at CKM had the same access to the CKM networks and databases that Defendant had. (Id. 19.) CKMs Information Technology Department also expended significant time and effort to ensure that no unauthorized users were accessing the data. (Id. 19.)
3

On December 31, 2009, Defendant abruptly quit both of his executive positions at CKM. (Id. 21.) Defendant immediately founded TEFO on January 11, 2010 and was named President of the company. (Id. 22.) TEFO is a direct competitor to CKM, providing identical services. Id. On March 1, 2010, a former CKM client informed the President of CKM that Defendant contacted her and offered her a lower rate if she would terminate her CKM contract and utilize TEFOs services. (Id. 22.) Accordingly, between March 2, 2010, and May 3, 2010, numerous additional CKM clients terminated their contracts with CKM. Id. On May 4th, 2010, CKM hired a forensic expert to determine whether Defendant stole any information from CKMs databases, and if so, to identify the databases whose information was compromised. (Id. 27.) The forensic expert irrefutably determined that by December 29, 2009, two days before Defendant abruptly resigned, he had downloaded to a USB drive all of the information contained in CKMs databases. (Id. 27.) This information included detailed lists of existing CKM clients, confidential analyses of those clients needs, their contact information, and the terms of their contracts with CKM. (Id. 23.) The forensic expert also determined that Defendant downloaded all of the marketing plans and projections that CKM had developed for the fiscal years 2009, 2010, and 2011. Id.

The expert further concluded that Defendant used this information to identify those employees who were in high demand. (Id. 27.) Defendant also used this confidential information to identify those temporary workers who were in high demand and recruit them to TEFO. (Id. 27.) Finally, it was asserted that Defendant designed a program for TEFOs clients that was identical to the program that CKM used. (Id. 28.)

On June 1, 2010, CKM sent Defendant a letter directing him to immediately cease and desist his conduct and to return any and all client data, temporary worker data, and confidential and trade secret information within ten days. Id. Defendant did not respond to this letter. Id.

CKM has spent significant time and resources determining how to respond to Defendants conduct, including meetings among CKM executives and meetings between the forensic expert and the President of CKM. (Id. 28.) These efforts resulted in CKM executives and employees expending many hours of valuable time away from day-to-day responsibilities during the month of May 2010. Id. Therefore, Defendants conduct has caused and will continue to cause serious monetary loss, damage, and interference to CKM and harm to its position and business in the competitive marketplace, including, but not limited to, a loss in revenue of at least $50,000 to date. (Id. 31.).

ARGUMENT In 1984, Congress drafted the Computer Fraud and Abuse Act to protect government interest computers from malicious attacks by hackers. S. Rep. No. 101-544 (1990). However, as computer use has rapidly expanded over the past two decades, consistent amendments to the statute now address a much broader scope of computer related crimes. America Online Inc. v. National Health Care Discount, Inc., 174 F. Supp. 2d 890 (N.D. Iowa 2001). More specifically, the addition of a civil cause of action now allows [a]ny person who suffers damage or loss by reason of an employee misappropriating information may maintain a civil action under the CFAA. Thurmond v. Compaq Computer Corp., 171 F. Supp. 2d 667 (E.D. Tex. 2001). THIS COURT SHOULD DENY DEFENDANTS MOTION TO DISMISS BECAUSE CKM HAS SUFFICIENTLY ALLEGED DEFENDANT EXCEEDED AUTHORIZED ACCESS OR ACTED WITHOUT AUTHORIZATION AS DEFINED BY THE CFAA.
5

I.

The Computer Fraud Abuse Act, 18 U.S.C. 1030, prohibits accessing a computer to obtain information without authorization or by exceeding authorized access. Defendant violated 18 U.S.C. 1030 (a)(2)(C), which states: (a)whoever2(c) intentionally access a computer without authorization, or exceeds authorized access, and thereby obtains information from any protected computer shall be punished as provided in subsection (c) of this section. 18 U.S.C. 1030(a)(2)(C). Therefore, to successfully allege a violation of this section CKM must prove: (1) defendant intentionally accessed a protected computer; (2) without authorization or by exceeding authorized access; and (3) as a result obtained information. America Online, Inc. v. National Health Care Discount, Inc., 174 F.Supp.2d 890, 899 (N.D. Iowa 2001). Defendants motion presents the question of whether he accessed CKM confidential material without authorization. Therefore, for the purposes of this first allegation, the court is most concerned with element (2). Circuits have split on this issue. See Shurgard Storage Centers, Inc. v. Safeguard Self Storage Inc., 119 F. Supp. 2d 1121 (2000). A few courts have aligned with the Ninth Circuits narrow interpretation, such that the CFAA does not extend to an employees misappropriation of confidential information. LVRC Holdings LLC v. Brekka, 581 F.3d 1127 (9th Cir. 2009). However, numerous courts have found this interpretation unsound because legislative history of the CFAA, canons of statutory construction, and the irrelevant applicability of the rule of lenity support a contrary interpretation. Shurgard Storage Centers, Inc. v. Safeguard Self Storage Inc., 119 F. Supp. 2d 1121 (2000). Therefore, courts aligning with the First and Seventh Circuits broad interpretation hold that an employees authorization to access an employers computer terminates at the time he breaches his duty of loyalty to the employer. International Airport Centers, L.L.C. v. Citrin, 440 F.3d 418 (7th Cir. 2006); see also; EF Cultural Travel BV v.
6

Explorica, Inc., 274 F.3d 577, 582-84 (1st Cir.2001) (legislative history supports a broad CFAA interpretation); Shurgard Storage Centers, Inc. v. Safeguard Self Storage Inc., 119 F. Supp. 2d 1121 (2000) (subsequent amendments of the CFAA support a broad interpretation); NCMIC Finance Corporation v. Artine, 639 F. Supp. 2d 1042 (2009) (an employer does not give authorization to an employee for contrary interest of the company).

A.

Authorization should be interpreted consistently with general common law agency principles because the term was left undefined by Congress.

When construing undefined words in a statute, the courts objective is to ascertain and give effect to the legislative intent. United States v. Wells, 519 U.S. 482, 490-92 (1997). Therefore, the Supreme Court has established a legislative-interpretation framework for undefined terms that includes: reviewing the common-law meaning of the statutory terms and giving consideration to statutory and legislative history for guidance. Id. In addition, when statutes, such as the CFAA, use words which have definite and well-known meaning at common law, it will be presumed that those terms are used in the same sense in which they are understood at common law, and they will be so construed unless it clearly appears that it was not so intended. State ex rel. Quest Communications Corp. v. Baldridge, 913 S.W.2d 366 (Mo. Ct. App. S.D. 1996). The legal concept of authorization is extremely fluid because even when

authorization exists, it can be withdrawn or it can lapse. Shurgard Storage Centers, Inc. v. Safeguard Self Storage Inc., 119 F. Supp. 2d 1121 (2000). Consequently, courts left with the undertaking of determining whether an individual possessed or retained authorization will invoke common law agency law principles to effect a statute. Faragher v. City of Boca Raton, 524 U.S. 775, 803 n. 3, 118 S.Ct. 2275, 141 L.Ed.2d 662 (1998). Common law agency principles

impose a duty of loyalty on an employee to act solely for the benefit of his employer. International Airport Centers, L.L.C. v. Citrin, 440 F.3d 418 (7th Cir. 2006). Moreover, the employees authority terminates when he obtains interest adverse or nefarious to the employer; for example, if he decides to work for a competitor. Restatement (Second) of Agency 112. In Citrin, the Seventh Circuit Court of Appeals applied agency principles to conclude that defendant acted without authorization when he permanently deleted data on a company computer prior to forming his own, competing business. International Airport Centers, L.L.C. v. Citrin, 440 F.3d 418 (7th Cir. 2006). Judge Posner stated the difference between the CFAA terms exceeds authorized access and without authorization is paper thin. Id. Exceeds authorized access is statutorily defined as accessing a computer with authorization and to use such access to obtain or alter information that the accessor is not entitled so to obtain. 18 U.S.C. 1030(e)(6). Without authorization is not statutorily defined, however, Posner stated the term is to be defined pursuant to common law agency principles such that: When an employee has permission but accesses the material for improper use, the employer breaches his duty of loyalty and [acts] without authorization because the only basis of his authority had been that relationship. Id. Applying this definition, Citrin concluded that the only basis the employee was granted authorization rested in his agency relationship, and was terminated when he breached his duty of loyalty by acting contrary to the scope of his employment. Id. Similarly, in NCMIC Finance Corp., the court ruled an employee acted without authorization when he became an agent for a direct competitor. See NCMIC Finance Corporation v. Artine, 639 F. Supp. 2d 1042 (2009) (an employer does not give authorization to his employees to access proprietary information for contrary use and interest of that company). Equally, in Shurgard, the court ruled an employee acted without authorization when he emailed confidential information to a competitor despite

being authorized. Shurgard Storage Centers, Inc. v. Safeguard Self Storage Inc., 119 F. Supp. 2d 1121 (2000). Defendant was hired to CKM as Vice President and Director of Operations. These positions instilled enormous trust, confidence, and admiration into Defendant. Defendants employment scope provided him with access to significant proprietary and confidential information, requiring CKM to grant him a heavily controlled password. Defendant was aware of the magnitude of this password due to the limited number of employees who were granted them and the countless measures taken by CKM to ensure unauthorized users did not access the information. Accordingly, Defendants employment scope implied a duty of loyalty to act solely for the best interests of CKM. Defendant breached this duty when he chose to act contrary to the scope of his employment and use the information for reasons in which he knew his authorization was not granted by CKM. As a result of Defendant breaching his duty of loyalty, he voided his agency relationship and terminated his authorization to access confidential information via CKM computers. Therefore, this Court should deny Defendants 12(b)(6) Motion to Dismiss. The subsequent amendments to the CFAA demonstrate Congresss intent of authorization to be interpreted broadly.

B.

Given the CFAA is unambiguous, it is not necessary to rely on the legislative history. However, if legislative history were consulted, it supports Congress intent of a broad interpretation. Since the original enactment in 1984, subsequent amendments in 1988, 1989, 1990, 1994, 1996, 2001, 2002, and 2008 are described as Congresss reaction to keep pace with technological advances and computer crime sophistication. Shurgard Storage Centers, Inc. v. Safeguard Self Storage Inc., 119 F. Supp. 2d 1121 (2000). Most prominent among these are the 1994 and 1996 amendments. In 1994, Congress expanded the CFAA's scope to include civil

claims challenging the unauthorized removal of information or programs from a company's computer database. Pacific Aerospace & Electronics, Inc. v. Taylor, 295 F.Supp.2d 1188, 1196 (E.D. Wash. 2003). In 1996, Congress further expanded the CFAAs scope by replacing the phrase "federal interest computer" with "protected computer." Shurgard Storage Centers, Inc. v. Safeguard Self Storage Inc., 119 F. Supp. 2d 1121 (2000)(a protected computer includes any computer connected to the internet). The 1996 Senate Report described this amendment as a reaction to the concern about [the illegal conversion of trade secrets] becoming more pronounced as computers proliferate in businesses and homes across the nation. Id. (quoting S. Rep. No. 104-357, at 7-8 (1996). Most importantly, this Senate Report highlighted, while a violation of the CFAA may also violate various intellectual property statutes, the crux of an offense under the CFAA is the abuse of a computer to obtain information. S. Rep. No. 104-357, at 7-8 (1996). Therefore, a dishonest employee who wrongfully abuses a computer to download confidential information is in violation of the CFAA. Shurgard Storage Centers, Inc. v. Safeguard Self Storage Inc., 119 F. Supp. 2d 1121 (2000). In summary, the legislative history of the CFAA 18 U.S.C. 1030(a)(2)(c) irrefutably shows Congressional intentions of a broad scope. Therefore, restricting the statute otherwise would ignore Congresss clear intention of evolving the CFAA with technology. Consequently, the Defendants 12(b)(6) Motion to Dismiss should be denied.

C.

The rule of lenity is not applicable because the CFAA is not ambiguous. Given the CFAA has criminal applications, Defendant will argue the rule of lenity is

applicable to construct a narrow scope. LVRC Holdings LLC v. Brekka, 581 F.3d 1127 (9th Cir. 2009). However, the mere possibility that a narrower construction may be articulated does not itself make the rule of lenity applicable. State v. Davis, 255 Conn. 782, 772 A.2d 559 (2001);

10

Mann v. State, 273 Ga. 366, 541 S.E.2d 645 (2001).The rule of lenity only applies if, after considering text, structure, history, and purpose, there remains a grievous ambiguity or uncertainty in a statute imposing a criminal penalty, such that the court must simply guess as to what Congress intended. Barber v. Thomas, 130 S. Ct. 2499 (2010); People v. Robles, 23 Cal. 4th 1106, 99 Cal. Rptr. 2d 120, 5 P.3d 176 (2000); State v. Moler, 269 Kan. 362, 2 P.3d 773 (2000). Moreover, as articulated in McBoyle, the court stated the rule of lenity is not applicable because the plain meaning of the statutes text and legislative intent were clear. McBoyle v. United States, 562 F.3d 630, 646 (4th Cir. 2009). The court also stated today, the lenity doctrine often is not applied....As the [twentieth] century wore onthe lenity canon has lost considerable force. Id. The rule of lenity is also applied to avoid interpreting criminal statutes in surprising and novel ways that impose unexpected burdens on defendants. LVRC Holdings LLC v. Brekka, 581 F.3d 1127 (9th Cir. 2009). The court must also consider how its ruling might affect potential criminal defendants and other civil defendants. Id. Here, an unexpected burden cannot be imposed because Defendant had reason to know of the importance of the information by the trust and dependence conferred upon him and the control CKM placed on the authorization. Defendant ignored his notice by abusing his authorization to download confidential and proprietary information to an external USB drive for personal and commercial gain. Accordingly, the rule of lenity is not applicable to preclude this claim. Furthermore, construing the CFAA narrowly focuses solely on the criminal aspects of the statute, thus ignores the addendum of the civil component 1030(g). THIS COURT SHOULD DENY DEFENDANTS MOTION TO DISMISS BECAUSE CKM HAS SUFFICENTLY ASSERTED DEFENDANTS CONDUCT CAUSED LOSS AS DEFINED BY 1030(e)(11).

II.

11

The Computer Fraud Abuse Act, 18 U.S.C. 1030 provides a civil cause of action against dishonest employees who obtain information from protected computers without authorization. Specifically, 1030(g) states that, any person who suffers damage or loss by reason of a violation of this section may maintain a civil action against the violator to obtain compensatory damages. 18 U.S.C. 1030(g). The disjunctive damage or loss in this section, confirms that Congress anticipated recovery in cases involving other than purely physical damages. P.C. of Yonkers, Inc. v. Celebrations! The Party and Seasonal Superstore, L.L.C., 2007 WL 708978 (D.N.J. 2007). The CFAA defines damage as: [a]ny impairment to the integrity or availability of data, a program, a system. 18 U.S.C. 1030(e)(8). Under the CFAA, loss is treated differently than damage, and is defined as:

[a]ny reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service. 18 U.S.C. 1030(e)(11). Therefore, the term loss is to be interpreted broadly to encompass two types of harm: (1) costs to investigate and respond to a computer intrusion; and (2) costs incurred because of a service interruption. Nexus Wires S.A. v. Sark-USA, Inc., 319 F. Supp.2d 468, 472 (S.D.N.Y.2004). Accordingly, an individual must claim loss or damages in an amount aggregating at $5,000 in value during any 1-year period to one or more individuals. See 18 U.S.C. 1030(e)(8). Defendants violation of the CFAA has caused CKM to suffer two bases of damage and loss. First, its reasonable costs incurred from responding to Defendants actions including: time and resources spent by CKM employees away from their day-to-day responsibilities, and the cost of hiring a forensic expert to research and ascertain what information Defendant had downloaded

12

from CKM computers. Second, the economic value of its attention including loss in revenue in excess of $50,000 for the 2010 fiscal year. A. Statutory construction and legislative history support Congresss intention for loss to encompass reasonable costs of responding to a violation of the CFAA despite an interruption of service. The CFAA was intended to remedy instances where, as here, a computer breach results in the theft of commercially valuable information despite an interruption of service. Creative Computing v. Getloaded.com LLC, 386 F.3d 930, 935 (9th Cir. 2004). Canons of statutory construction support this broad interpretation. Specifically, the last antecedent rule of statutory construction provides that, the last qualifying word, phrase or clause only modifies the words immediately before them, without impairing the meaning of the entire sentence. In re Sehome Park Care Ctr., Inc., 127 Wash.2d 774, 781, 903 P.2d (1995). Therefore, the qualifying phrase because of an interruption of service in (e)(11) only modifies the term consequential damages and has no significance on the remaining statutory definition of loss. Furthermore, numerous courts have found legislative history of the CFAA clearly supports Congress intention for loss to support a broad interpretation. EF Cultural Travel BV v. Explorica, Inc., 274 F.3d 577 (1st Cir. 2001). Specifically, the 1996 Senate Report stated: [When] a hacker steals a password from a computer neither the computer nor its information is physically damaged. However, the system administrator [must] devote resources to re-secure the system therefore, although there is arguably no damage, the victim does in fact suffer loss. S.Rep. No. 104-357, at 11 (1996). Embarking on this Senate Report, the court in EF Cultural Travel BV stated to parse [the terms damage and loss] in any other way would not only impair Congresss intended scope of the Act, but would also serve to reward sophisticated intruders. If we were to restrict the statute as appellants urge, we would flout Congresss intent

13

by effectively permitting the CFAA to languish in the twentieth century, as violators of the Act move into the twenty-first century and beyond. Id. at 579. Relying on legislative history and canons of statutory construction, courts have consistently interpreted loss to encompass two types of harm: (1) any reasonable costs to any victim, including the cost of responding to an offense, conducting a damage assessmentand any revenue lost; and (2) costs incurred because of a service interruption. Nexus Wires S.A. v. Sark-USA, Inc., 319 F. Supp.2d 468, 472 (S.D.N.Y.2004).

Here, CKM adequately alleges loss well in excess of $5,000 comprised of its: (1) costs of investigating and responding to Defendants conduct, including hiring a forensic expert, expending significant time and resources determining how to respond to Defendants conduct, and; (2) loss in revenue attributable to time away from day-to-day responsibilities. These reasonable costs incurred are explicitly identified in the statutory scope of (e)(11). See Shamrock Foods Co. v. Gast, 535 F.Supp.2d 962, 963-964 (D. Ariz. 2008) (the cost of conducting a forensic analysis of the Defendant's computer was a loss under the CFAA); Lasco Foods, Inc. v. Hall and Shaw Sales, 600 F.Supp.2d 1045, 1052 (E.D. Mo. 2009)(forensic analysis is a loss under the CFAA); A. V. v. iParadigms, LLC, 562 F.3d 630, 646 (4th Cir. 2009) (costs incurred as part of the response to a CFAA violation, including the investigation of an offense constituted loss); Global Policy Partners, LLC v. Yessin, 686 F.Supp.2d 642 (E.D.Va.2010) (lost revenue damages may qualify as losses, when they result from time spend responding to an offense).

CKM has sufficiently alleged loss exceeding $5,000 in responding to Defendants actions and conducting a damage assessment. Supported by legislative history, canons of statutory construction, and irrelevant applicability of the rule of lenity, CKMs incurred costs are
14

explicitly identified within the CFAA's definition of loss. Therefore, Defendants Motion to Dismiss must be denied.

CONCLUSION For the reasons set forth above, CKM requests that this Court deny Defendants Motion to Dismiss under 12(b)(6) in its entirety and grant any other appropriate relief.

Dated:

__________________________________

Respectfully submitted,

Attorney for the Plaintiff The ALTA Law Firm 1996 Main Street Hosmer City, Hosmer 55555 Justin Grimske

15