Epic Sys. Corp. v. Tata Consultancy Servs. - No. 14-cv-748-wmc, 2015 U.S. Dist. LEXIS 155713 (W.D. Wis. Nov. 18, 2015)

Rule:

Although the Computer Fraud and Abuse Act (CFAA), 18 U.S.C.S. § 1030, is a criminal statute, a plaintiff may maintain a civil cause of action for economic damages if among other possible alternatives listed in § 1030(c)(4)(A)(i), it suffered damages or loss as a result of a CFAA violation that in the aggregate amount to at least $5,000 within any one-year period. § 1030(c)(4)(A)(i)(I), (g).

Facts:

Kaiser Permanente ("Kaiser") is one of the largest managed healthcare organizations in the United States. On February 4, 2003, Epic entered into a written agreement with Kaiser (the "Kaiser Agreement") under which Epic licensed software to Kaiser to support patient care delivery activities and to provide Kaiser with customer-level access to Epic's UserWeb. The UserWeb is a protected electronic workspace created by Epic to aid customers in maintaining and implementing Epic products by providing training and other useful information. The Kaiser Agreement also provided protection for Epic's confidential information, permitting information to be disseminated from the UserWeb only on a need to know basis and to be used only to fulfill the purposes of the Kaiser Agreement. To access Epic's UserWeb, an individual must register as an employee of either an Epic customer or a consultant to an Epic customer. However, in order for a consultant employee to attain UserWeb access, two additional steps must be completed: (1) the individual attempting to register must sign the UserWeb Access Agreement and (2) the consulting firm must sign the Consultant Access Agreement. Once the applicable steps are completed, that individual attains UserWeb access with no further restrictions, except that a consultant employee's access is purposefully limited solely to the areas of the UserWeb necessary to support his or her customer.

Tata was hired by Kaiser to serve as a consultant. In August 2005, several Tata employees attempted to register for customer-level access. Though they used Tata email addresses when registering, they represented themselves to be customer employees. When Epic discovered the discrepancy, it removed the Tata employees from the UserWeb and informed them that Tata employees could not take training courses on the UserWeb until Tata entered into a Consultant Agreement with Epic. On August 10, 2005, Epic and Tata America proceeded to enter into a Standard Consultant Agreement (the "Tata America Agreement"). Through the Tata America Agreement, Epic allowed certain Tata employees to access training programs on the UserWeb for the purposes of providing consulting services to Kaiser on the implementation of "Epic Program Property," defined in the agreement as "computer program object and source code and the Documentation for all of Epic's computer programs." (Am. Compl. (dkt. #38) ¶ 27.) In return, Tata America agreed to certain obligations, including keeping the information accessed strictly confidential.

As early as 2012, Tata began accessing and downloading information from Epic's UserWeb without authorization. Epic primarily based this allegation on information received from a Tata informant, Philippe Guionnet. Until May 2014, Guionnet was responsible for managing all aspects of Tata's contract with Kaiser, reporting directly to Tata executive management. On multiple occasions, his job responsibilities exposed him to Med Mantra products. He also participated in marketing Med Mantra products to Kaiser and was aware of comparisons between Epic and Med Mantra softwares created by the Med Mantra team. Once aware of the unauthorized downloading, Epic conducted an investigation of its UserWeb, which led to the account of Ramesh Gajaram, a Tata employee, working as a consultant for Kaiser in Portland, Oregon. Gajaram's account revealed that at least 6,477 documents, accounting for 1,687 unique files, had been downloaded, including documents containing Program Property and Confidential Information within the meaning of the Tata America Agreement. Many of these documents were not necessary for Gajaram to perform his job functions for Kaiser. Furthermore, Epic's investigation revealed that Gajaram's access credentials had been used outside Oregon to download documents from an IP address in India registered to Tata. In addition to being misused, Gajaram's UserWeb log-in credentials were also obtained in a deceptive manner. When Gajaram registered for his UserWeb credentials, he registered as a customer employee, rather than as a consultant and used a Kaiser, rather than a Tata, email address. Rather than the more limited consultant-level access, this allowed Gajaram broader, customer-level access.

On October 31, 2014, Epic filed a complaint seeking both injunctive relief and monetary damages. Tata filed a motion to dismiss majority of Epic’s claims.

Issue:

Should Tata’s motion to dismiss Epic’s claim for monetary damages be granted?

Answer:

No.

Conclusion:

Defendants represent that the courts are split on whether a plaintiff must show both damages and loss, or simply one or the other, in order to bring a civil cause of action under the CFAA. Curiously, however, the only case cited by defendants to support this representation is a case that declares the proper construction of the "damages or loss" language to be its plain meaning. Regardless, to the extent the distinction is meaningful, this court joins other courts in concluding that a civil action under the CFAA requires a plaintiff to plead -- and eventually prove -- only damages or loss. Even if it were required, however, plaintiff alleges both damages and loss. Within the CFAA, most courts recognize the term "damages" to require a destructive element.  As plaintiff claims only that files were copied from unauthorized areas of its UserWeb -- not that any files were altered or erased -- at least under the majority view, plaintiff might not have alleged "damages" under the CFAA. Even so, it would be premature to dismiss a claim based on damages without an opportunity to amend. As for "loss," the CFAA requires that there be a loss in excess of $5,000 within a one-year period. The CFAA defines loss as "any reasonable cost to any victim," listing two general categories of loss: (1) "the cost of responding to an offense, conducting a damage assessment . . ." and (2) "any revenue lost, cost incurred, or other consequential damages incurred because of interruption of services." As for the first category, although plaintiff does not expressly allege that it suffered an interruption of services due to defendants' actions, plaintiff alleges "far more than $5,000 in costs and loss related to investigating defendants' unauthorized accessing of Epic's UserWeb." (Am. Compl. (dkt. #38) ¶ 50.) Relying on a case from the Northern District of Illinois, defendants nevertheless persist in arguing that any loss tied to an investigation must still relate to impairment or interruption of services. More recent case law rejects this overly narrow position, particularly in instances where the facts align more closely with those presently claimed by plaintiff. Consistent with the plain language of the statute, the court agrees with the reasoning of other decisions, allowing "loss" associated with the costs of an investigation. Even if this were not so, the court would have allowed for an amended filing.