A recent decision from the United States District Court for the District of Columbia highlights the importance of pleading specific facts in support of unfair business practices claims to survive a Motion to Dismiss. In Command Consulting Group, LLC v. Neuraliq, Inc., 2009 U.S. Dist. Lexis 48082 (D.D.C. June 9, 2009), the defendant counterclaimed for, among other things, interference with prospective business advantage and breach of fiduciary duty arising out of a government contracts consulting agreement.
Apparently, the plaintiff entered into a consulting agreement with the defendant pursuant to which he agreed to assist the defendant in developing business in the federal government defense community. When the plaintiff sued for unpaid fees, the defendant counterclaimed, alleging that the plaintiff used confidential information obtained from the defendant to interfere with the defendant's business. The plaintiff then moved to dismiss two of the claims.
The court first addressed the pleading requirements for the claim of interference with a prospective business advantage under D.C. law. That claim requires: "(1) the existence of a valid business relationship or expectancy, (2) knowledge of the relationship or expectancy on the part of the interferer, (3) intentional interference inducing or causing a breach or termination of the relationship or expectancy, and (4) resultant damages." Valid business expectancies that are "commercially reasonable" include "lost future contracts and lost opportunities to obtain customers." In addition, the plaintiff must make a strong showing of intent to "disrupt a business relationship or expectancy to establish a claim for interference." Intent can be shown if the conduct is egregious, such as libel, slander, physical coercion and fraud.
Here, the court found that the allegations were both unspecific and conclusory, thus failing to meet the standard required to allow the claim to proceed. Perhaps most notable is the requirement under D.C. law that the claimant must plead the particulars of the valid business expectancy, including the names of the third parties with which the claimant had the relationship or expectancy. Simply alleging categories of relationships that may have been affected is inadequate.
The court found similar flaws in the allegations supporting the claim for breach of fiduciary duty. Preliminarily, the court noted that, even though the relationship between the consultant and his client arose out of a written contract, "where circumstances show that the parties extended their relationship beyond the limits of the contractual obligations to a relationship founded upon trust and confidence" a fiduciary duty may exist. Here, the client alleged that the duty arose because "in its capacity as a consultant to the defendant, the plaintiff was privy to sensitive, confidential and proprietary information, including financial information."
Despite alleging that the plaintiff used that information "as part of a scheme to disrupt the operation and ownership of [the defendant], with the objective ... [of placing] financial pressure on [the defendant] that would force [the defendant] to enter business deals favorable" to individuals aligned with the plaintiff "and/or [to] gain control of [the defendant] for the benefit of [the plaintiff] and its co-conspirators" the court found those allegations deficient. It noted the defendant had failed to allege: (1) specific information regarding the confidential information wrongfully used, (2) that the defendant entered into any specific deals as a result of the pressure exerted by the plaintiff, and (3) that the defendant suffered any injury as a result of that pressure. Additionally, the defendant failed to allege that the efforts of the plaintiff to gain control of the defendant resulted in any injury. Accordingly, the court granted the Motion to Dismiss.
This case points out the importance of carefully crafted, fact-laden pleadings. Two recent Supreme Court decisions, Bell Atlantic Corp. v. Twombly, 550 U.S. 544 (2007) and Ashcroft v. Iqbal, 129 S.Ct. 1937 (2009), significantly tightened the pleading requirements in civil cases. Under the new standards, federal complaints must allege sufficient facts that, when accepted as true for purposes of a motion to dismiss, "state a claim to relief that is plausible on its face." Id. at 1949. "A claim has facial plausibility when the plaintiff pleads factual content that allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged." Id. In short, mere recitals of the elements of a cause of action, accompanied by conclusory statements, fail the test.
Thursday, June 18, 2009
Monday, June 8, 2009
Competitor Raids Company's Computer Data: Passwords Are Not Trade Secrets
Your company operates a website that provides data to paying subscribers who access your website through individual passwords. Your database is so successful that one of your former clients, which is also in a similar business, offers to buy it. But you decline. Around the same time, you fire your marketing director. But you think your company is protected from being injured by that employee because he is subject to a non-compete and non-disclosure agreement.
Readers of this blog, by now, know where this story is going.
You then discover that your former client--now competitor--hired your former marketing director to compete against your company, despite his non-compete agreement. Then one of your long-time clients informs you that it is switching to your competitor's services.
Suspicious, you begin to investigate and discover that for the last four years, your database had been accessed 735 times from an IP address traced to your competitor's home city. And your competitor seems to have accessed your database by using the passwords assigned to your long-time client that switched to your competitor.
What do you do?
In State Analysis, Inc. d/b/a Statescape v. American Financial Services, Assoc., et al., the plaintiff, StateScape, brought suit in the U.S. District Court for the Eastern District of Virginia, asserting claims arising out of facts like those described above. StateScape filed suit against: 1) its former client, which set up a competing business (the "Competitor"); 2) its former client that allegedly provided its password to the Competitor (the "Former Client"); and 3) its former employee.
The defendants moved to dismiss many of StateScape's claims. Several of the court's findings are noteworthy because they involve unfair business practices claims.
Computer Fraud and Abuse Act ("CFAA")
"18 U.S.C. Sec. 1030(a)(2) prohibits 'intentionally access[ing] a computer without authorization or exceed[ing] authorized access, and thereby obtain[ing] . . . information from any protected computer . . . .'
'Exceeds authorized access' is explicitly defined as 'to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.'"
Having recited the provisions, the court discussed the split between courts, some of which have limited the applicability of the CFAA to "computer hackers" who access computers without authorization. Those courts "reject[] attempts to apply the CFAA to cases where the defendants are not alleged to have 'broken into' the system but to have abused the privileges of a license." "Other courts have held that the CFAA does apply to authorized users who use programs in an unauthorized way, including employees who obtain and use proprietary information in violation of a duty of loyalty, and licensees who breach an agreement restricting their use of the software." (Internal citations omitted).
The court then found that the plaintiff stated a claim against its competitor for accessing "StateScape's website using usernames and passwords that did not belong to it. StateScape has pled that under the terms of their contract, only clients were authorized to use StateScape's subscription services, and that [the Competitor] was not so authorized. [The Competitor] therefore acted 'without authorization.'"
But the court found that StateScape did not state a claim against its Former Client because the Former Client "never went beyond the areas that StateScape authorized [it] to access." And the court did not have to resolve the case split because StateScape only reserved the right to terminate the Former Client's contract instead of having the contract automatically terminate if the Former Client breached the contract. Thus, the Former Client was never without authorization.
We have recently written about the applicability of the Computer Fraud and Abuse Act to departing employees who access their employer's computer data after they intend to join a competitor, which can be found here.
Electronic Communications Privacy Act ("ECPA")
The ECPA forbids "intentionally access[] without authorization a facility through which an electronic communication service is provided, or intentionally exceed[] an authorization to access that facility; and thereby obtain[], alter[], or prevent[] authorized access to a wire or electronic communication while it is in electronic storage."
The court found that "StateScape has stated a claim against [the Competitor] by alleging that [the Competitor], without any authorization from StateScape, accessed the password-protected areas of StateScape's site."
StateScape's claim against its Former Client, however, was dismissed under one of the ECPA's exceptions because the Former Client was "contractually entitled to see all of the information it is alleged to have accessed."
Virginia Computer Crimes Act
The court's opinion is also noteworthy because it held that StateScape's Virginia Computer Crimes Act claim was preempted by the federal Copyright Act. The claim was preempted since "software is within the subject matter of copyright" and, based on the alleged facts, the claims were not "'qualitatively' different from the Copyright Act claims."
Trespass
StateScape's claim for trespass to chattels is "based on the allegation that [the Former Client] accessed password-protected areas of StateScape's website without authorization. A trespass to chattels occurs 'when one party intentionally uses or intermeddles with personal property in rightful possession of another without authorization' and 'if the chattel is impaired as to its condition, quality, or value.'" (Internal citations omitted.)
The Former Client argued that no "impairment" was alleged. But the court found the impairment criterion was satisfied: "given that StateScape charges fees for its passwords, the value of StateScape's possessory interest in its computer network is diminished if unauthorized users access its password-protected areas."
Misappropriation of Trade Secrets
StateScape alleged that the Former Client's "sharing of its passwords for StateScape's database with [the Competitor]" violated the Virginia Uniform Trade Secrets Act ("VUTSA"). The defendants attacked the VUTSA claim, arguing that "passwords lack 'independent economic value,' but are instead a security mechanism designed to control access to information, and therefore are not trade secrets."
The court first reviewed the definition of a "trade secret" under the VUTSA: "'Trade secret' means information, including but not limited to, a formula, pattern, compilation, program, device, method, technique or process, that: 1. Derives independent economic value, actual or potential, from not being generally known to, and not being readily ascertainable by proper means by, other persons who can obtain economic value from its disclosure or use, and 2. Is the subject of efforts that are reasonable under the circumstances to maintain its secrecy."
"Although the passwords at issue clearly have economic value given that they are integral to accessing StateScape’s database, they have no independent economic value in the way a formula or a customer list might have. Where a plaintiff has not alleged that its passwords are the product of any special formula or algorithm that it developed, the passwords are not trade secrets."
Blog Conclusion
This case is another spin on the types of unfair business practices that can arise in today's electronic world. Many companies make their money by providing password-protected data on their websites. Protecting that data through security features and, if needed, litigation is critical. But, on a positive note, this case again demonstrates that unfair business practices can often be unmasked by tracing electronic footprints.