United States District Court, D. Arizona
June 15, 2015
Marc A. Wichansky, Plaintiff,
David T. Zowine, et al., Defendants.
DAVID G. CAMPBELL, District Judge.
Defendants have brought a motion for partial summary judgment. Doc. 106. The matter is fully briefed and neither party has requested oral argument. The Court will grant the motion in part and deny it in part as explained below.
The parties' relationship in this case is long and contentious, and a more detailed statement of facts is set forth in the Court's order on Defendants' motion to dismiss. See Doc. 82 at 1-4. For several years, Plaintiff Marc Wichansky and Defendant David Zowine co-owned Defendant Zoel Holding Company ("Zoel"). Doc. 107, ¶¶ 1, 2. In 2010, a heated dispute arose, and in January 2011, Zowine established an office on 24th Street in Phoenix (the main office was located on 44th Street). Id., ¶¶ 3, 5. On January 31, 2011, Zowine instructed several employees, who are named Defendants in this action, to remove several desktop computers from the 44th Street office and move them to the 24th Street office. Id., ¶ 6. On February 2, 2011, the same employees unsuccessfully attempted to image Zoel's servers at the 44th Street office and instead physically removed them to the 24th Street office. Id., ¶ 7.
On February 4, 2011, Plaintiff filed a complaint seeking a temporary restraining order in Maricopa County Superior Court against Zowine for return of the equipment, alleging that the servers were a "core component" of Zoel's operations and were necessary for Zoel to "perform its essential functions." Id., ¶ 8. That same day, the parties entered into an agreement pursuant to Arizona Rule of Civil Procedure 80(d) that each office would continue to operate and that all parties would have full access to all company information at both locations. Id., ¶ 12. According to Plaintiff, Zowine refused to allow access to the computers and servers for several months. Doc. 117, ¶¶ 20, 22. Eventually, Plaintiff hired The Intelligence Group to image the servers, which occurred in July 2011. Doc. 108, ¶¶ 27, 31.
On March 31, 2011, Plaintiff sought judicial dissolution of Zoel and applied for a receiver to be appointed to manage the company's assets. Doc. 107, ¶¶ 3, 24. Ted Burr was appointed receiver in April 2011. Id., ¶ 25. On June 10, 2011, Zowine filed an election to purchase Plaintiff's shares in lieu of dissolution. Id., ¶ 33. The Superior Court held a five-day valuation hearing in March 2012 to establish the terms of Zowine's purchase of the shares. Id. Shortly thereafter, Zowine made the initial payment and the Superior Court granted him full control of Zoel's property and assets. Id., ¶¶ 34, 35.
On June 14, 2013, Plaintiff filed suit against Zoel, MGA Home Healthcare, LLC, Zowine, and several individuals. Doc. 1. Plaintiff filed a first amended complaint in February 2014 alleging twenty causes of action. Doc. 54. Defendants now move for summary judgment on counts two through five, which allege violations of the Computer Fraud and Abuse Act ("CFAA"), 18 U.S.C. § 1030. Doc. 106.
"The CFAA prohibits a number of different computer crimes, the majority of which involve accessing computers without authorization or in excess of authorization, and then taking specified forbidden actions, ranging from obtaining information to damaging a computer or computer data." LVRC Holdings LLC v. Brekka, 581 F.3d 1127, 1131 (9th Cir. 2009). Plaintiff brings four claims: (1) violation of § 1030(a)(2)(C), which prohibits "intentionally access[ing] a computer without authorization or exceed[ing] authorized access, and thereby obtain[ing] information from any protected computer"; (2) violation of § 1030(a)(4), which prohibits unauthorized access or exceeding authorized access of a computer with intent to defraud; (3) violation of § 1030(a)(5)(C), which prohibits "intentionally access[ing] a protected computer without authorization, and as a result of such conduct, caus[ing] damage and loss"; and (4) violation of § 1030(b), which prohibits conspiracy to violate any of the above-referenced sections.
A. Statute of Limitations.
The CFAA provides that "[n]o action may be brought under this subsection unless such action is begun within 2 years of the date of the act complained of or the date of the discovery of the damage." 18 U.S.C. § 1030(g). "[D]amage' means any impairment to the integrity or availability of the data, a program, a system, or information[.]" Id., § 1030(e)(8). Thus, there are two possible kinds of damage: damage resulting from impairment to the integrity of the data, and damage resulting from impairment to the availability of the data.
"[I]n general, the discovery rule applies to statutes of limitations in federal litigation[.]" Mangum v. Action Collection Serv., Inc., 575 F.3d 935, 940 (9th Cir. 2009); see also Aloe Vera of Am., Inc. v. United States, 699 F.3d 1153, 1159 (9th Cir. 2012) (noting that the Ninth Circuit has "long applied this general rule in many different statutory contexts"). Indeed, the discovery rule appears to be incorporated into § 1030(g) of the CFAA (referring to "the date of discovery of the damage"). Therefore, the "limitations period begins to run when the plaintiff knows or has reason to know of the injury which is the basis of the action." Aloe Vera of Am., 699 F.3d at 1159 (internal quotation marks omitted); see also Ashcroft v. Randel, 391 F.Supp.2d 1214, 1224 (N.D.Ga. 2005) (applying discovery rule to CFAA claim).
"Ordinarily, we leave the question of whether a plaintiff knew or should have become aware of a fraud to the jury." Gen. Bedding Corp. v. Echevarria, 947 F.2d 1395, 1397 (9th Cir. 1991). But where the facts are undisputed as to when the statute of limitations began to run, the court may decide the issue at the summary judgment stage. See id. Summary judgment on a defense is appropriate "if the movant shows that there is no genuine dispute as to any material fact and the movant is entitled to judgment as a matter of law." Fed.R.Civ.P. 56(a). Once the movant makes this showing, the burden shifts to the opposing party to identify, with supporting evidence, "specific facts showing there is a genuine issue for trial." Celotex Corp. v. Catrett, 477 U.S. 317, 323 (1986).
Much of Plaintiff's amended complaint focuses on Defendants' seizure of computers and servers in late January and early February of 2011. To the extent Plaintiff's CFAA claims are based on any lack of availability of data resulting from this seizure, they clearly are time-barred. The seizure occurred more than two years before the CFAA claims were asserted on June 14, 2013. Doc. 1. Moreover, to the extent Plaintiff's CFAA claims are based on a lack of availability between the seizure and June 14, 2011 - two years before the complaint was filed - they likewise are time-barred.
As noted above, Plaintiff argues that Defendants exceeded their authorized access of the computers and servers after June 14, 2011, but he provides no evidence in support of this assertion - no precise dates and no evidence of specific instances of access. Although Plaintiff's failure to present such evidence would be fatal to his claim under Celotex, if discovery was closed and Defendants had brought a Celotex motion, the Court will not grant summary judgment on this basis without Plaintiff having been afforded a full opportunity for discovery. See Celotex, 477 U.S. at 322 ("the plain language of Rule 56(c) mandates the entry of summary judgment, after adequate time for discovery and upon motion, against a party who fails to make a showing sufficient to establish the existence of an element essential to that party's case, and on which that party will bear the burden of proof at trial") (emphasis added).
Plaintiff also claims that his primary form of damage in this case - medical billing fraud - was not discovered until he gained access to the computers and servers in July of 2011. Doc. 116 at 5-6. Plaintiff's own allegations belie his claim that he did not discover evidence of billing fraud until July 2011. Plaintiff alleges in his amended complaint that "by December 2010" his "investigation... threatened to expose the entirety of the false or fraudulent billing scheme[.]" Doc. 54, ¶ 3. In March 2011, he "self-disclosed and reported... billing improprieties that he had discovered and reported internally at the Company in the course of his investigation." Id., ¶ 8. And it is undisputed that Plaintiff knew that the computers and servers had been removed by February 4, 2011 and that Defendants had been accessing company information as of that date. Doc. 116 at 5.
Although he may not have known the full extent of the damage until he imaged the computers in July 2011, Plaintiff had sufficient information to bring claims under the CFAA by March 2011 when he reported the results of his fraud investigation. See Maddalena v. Toole, 2013 WL 5491869, at *5 (C.D. Cal. Oct. 1, 2013) (finding that the plaintiffs' claims under the CFAA were time-barred because they waited "almost two-and-a-half years to file their complaints" after they knew of the "immediate injury giving rise to the federal claims"). Plaintiff has not presented any evidence of what he discovered in July 2011 or thereafter, whether such facts would be material to his CFAA claims, or whether the information could not have been discovered through due diligence, and he does not ask the Court to equitably toll the limitations period. Doc. 116 at 8. The Court concludes that Plaintiff's claims are time-barred as to any billing fraud that occurred before June 14, 2011.
As to billing fraud that occurred after that date, the Court will not grant summary judgment. Although Plaintiff has presented no evidence of such fraud, discovery is not closed and Defendants have not brought a Celotex motion.
B. Scope of Authorization to Access Data.
An essential element of Plaintiff's claims under the CFAA is that Defendants' access of the information must be "unauthorized" or "exceed authorized access." See 18 U.S.C. §§ 1030(a)(2)(C), (a)(4), (a)(5)(C), (b). To "exceed authorized access" means to "access a computer with authorization and to use such access to obtain or alter information in the computer that the accuser is not entitled so to obtain or alter." Id. § 1030(e)(6). If Defendants did not access the data without authorization, or if they did not exceed the scope of their authorization, Plaintiff's claims fail.
On February 4, 2011, the parties appeared before Judge John Rea in Maricopa County Superior Court and entered into a Rule 80(d) Agreement (the "Agreement") on the record. Doc. 107-3 at 52. The parties agreed that with respect to the data contained on the computers and servers, Wichansky and Zowine would have "full access to all company information." Id. at 61. The parties also agreed that "no information stored in electronic format will be deleted" and that the Agreement did waive any claims by either party. Id. at 39, 61.
Defendants argue that because they had authority to access the computers and servers pursuant to the Agreement, Plaintiff's CFAA claims fail. Plaintiff argues that the parties agreed that the Agreement would not operate to waive any claims, and that even if Defendants did have authorization, they exceeded the scope of their authorization by deleting data.
Rule 80(d) agreements are binding, see Ariz. R. Civ. P. 80(d), and there is no doubt the Agreement gave both parties full authorization to access the data contained on the computers and servers as of February 4, 2011. Defendants do not argue, and the Court does not find, that this constituted a waiver of any claim. But it did constitute authorization for Defendants to access the computers and servers. Thus, Plaintiff cannot bring a claim under § 1030(a)(5)(C), which requires unauthorized access, or any claims under §§ 1030(a)(2)(C), (a)(4), or (b) based on unauthorized access, for events that occurred after February 4, 2011, the date of full authorization.
The Agreement does not preclude claims alleging that Defendants "exceeded the scope of their authority" under §§ 1030(a)(2)(C), (a)(4), or (b). Plaintiff asserts that "Defendants continued to access the computers and servers to impair accessibility and destroy data in excess of their authority after June 14, 2011[.]" Doc. 116 at 13. Not only does Plaintiff appear to claim that Defendants' actions after February 4, 2011 exceeded the authorization granted in the Agreement, but the Agreement itself prohibited the parties from deleting data contained on the computers and servers. Thus, claims based on the post-Agreement deletion of data remain viable. Again, Plaintiff has failed to come forward with any evidence of such events, but the Court will not grant summary judgment on this basis given ongoing discovery and the lack of a Celotex motion.
IT IS ORDERED that Defendants' motion for partial summary judgment on counts two through five (Doc. 106) is granted in part as follows: (1) on any CFAA claims based on a lack of availability of data before June 14, 2011 resulting from Defendants' seizure of computers and servers; (2) on any CFAA claim based on billing fraud that occurred before June 14, 2011; (3) on count four - violation of 18 U.S.C. § 1030(a)(5)(C); and (4) on counts two, three, and five to the extent they are based on lack of authorization (as opposed to exceeding authorization). The motion is denied as to any CFAA claim based on a lack of availability of data after June 14, 2011 or any billing fraud that occurred after that date.