Filed: Jul. 21, 2016
Latest Update: Jul. 21, 2016
Summary: OPINION AND ORDER DISMISSING AMENDED COMPLAINT MARCIA S. KRIEGER , Chief District Judge . THIS MATTER comes before the Court sua sponte, upon the Court's May 24, 2016 Order to Show Cause Why Case Should Not Be Dismissed (# 7), the Plaintiff's ("CRC") response (# 8), and CRC's Amended Complaint (# 9). The Court assumes the reader's familiarity with the proceedings to date, particularly the recitation in the prior Order to Show Cause, and will not attempt to summarize those matters.
Summary: OPINION AND ORDER DISMISSING AMENDED COMPLAINT MARCIA S. KRIEGER , Chief District Judge . THIS MATTER comes before the Court sua sponte, upon the Court's May 24, 2016 Order to Show Cause Why Case Should Not Be Dismissed (# 7), the Plaintiff's ("CRC") response (# 8), and CRC's Amended Complaint (# 9). The Court assumes the reader's familiarity with the proceedings to date, particularly the recitation in the prior Order to Show Cause, and will not attempt to summarize those matters. ..
More
OPINION AND ORDER DISMISSING AMENDED COMPLAINT
MARCIA S. KRIEGER, Chief District Judge.
THIS MATTER comes before the Court sua sponte, upon the Court's May 24, 2016 Order to Show Cause Why Case Should Not Be Dismissed (# 7), the Plaintiff's ("CRC") response (# 8), and CRC's Amended Complaint (# 9).
The Court assumes the reader's familiarity with the proceedings to date, particularly the recitation in the prior Order to Show Cause, and will not attempt to summarize those matters.
CRC argues that its Amended Complaint cures the defects addressed in the Court's Order to Show Cause, specifically: (i) it identifies time spent by its staff investigating the unauthorized access as the "loss" that it suffered under 18 U.S.C. § 1030(e)(11), (g); and (ii) that the "threat to public health or safety" required by 18 U.S.C. § 1030(c)(4)(A)(i) and (g) is satisfied by allegations that it was reasonably foreseeable that the publication of the unauthorized message would induce third parties to respond with threats of harm to CRC officers. Although the Court accepts the first proposition, it finds the second to be deficient as a matter of law.
In the Order to Show Cause, the Court previously addressed why 18 U.S.C. § 1030(g)'s "involves" language requires a plaintiff to allege that the unauthorized computer access itself poses a risk to public health or safety, and that the requirement is not satisfied by an allegation that the unauthorized access indirectly caused such a risk to emerge from another source. CRC's response cites to various cases that have used the term "caused" in discussing other provisions of the Act.
The Court finds these cases to be off-point and unpersuasive. For example, Global Policy Partners, LLC v. Yessin, 686 F.Supp.2d 642, 646-47 (E.D.Va. 2010), discusses the use of a causal standard when considering the predicate act of a loss exceeding $5,000 under §1030(c)(4)(A)(i)(I). Claims predicated on that section necessarily invoke the statutory definition of the term "loss" in § 1030(e)(11), which broadly encompasses a wide range of costs and "consequential damages" that flow proximately from an unauthorized access. This suggests that a proximate cause-type analysis is appropriate when assessing the components of such a claimed loss, but that same logic does not warrant a similar analysis to the more straightforward "threat to public health or safety" predicate harm in § 1030(c)(4)(A)(i)(IV). The other cases relied upon by CRC invoke the "$5,000 loss" predicate, not the "public health and safety" predicate, and thus, they are all unpersuasive for the same reason.1
The Court's own research has not yielded any caselaw in which a plaintiff invoked the "public health and safety" provision under § 1030(g) where there was exploration of what conduct falls within the provision. As a matter of first impression, this Court concludes, for the reasons previously stated, that an act of unauthorized access "involves" the factor of "a threat to public health or safety" when the access itself creates that threat, but not when a third-party's foreseeable2 reaction to the unauthorized access creates that threat.
As discussed previously, the threat requirement might be met if the unauthorized access disables computers or deletes data essential to providing medical treatment, public utilities, or emergency response services, but not where the unauthorized access has a benign primary effect but induces others to harmful acts. For example, a user who hacks into the social media account of a classmate and encourages him or her to commit suicide might be liable for engaging in conduct posing a risk to health and safety, but a user who hacks into the same classmate's account and merely taunts the classmate for being unattractive cannot be said to have engaged in conduct threatening public health and safety even if the now-despondent classmate reacts to the taunting by committing suicide. Such example entails the user specifically employing the unauthorized access to bring about the risk to public health, and in such circumstances, the use of a predominantly criminal statute to afford civil relief might be proper. The latter example draws upon the complex, wide-ranging, and sometimes attenuated principles of tort causation, importing that sprawling and imprecise inquiry into a statute that was clearly intended to have a narrow, focused reach.
Consistent with this the limited jurisdiction of the federal courts and general rules of statutory construction, the Court finds that a constrained interpretation of § 1030(g) is the appropriate, and thus finds that the CRC's allegations that Doe's unauthorized access induced third parties to make threats to public health and safety fails to state a claim under § 1030(c)(4)(A)(i)(IV) and (g).
Accordingly, the Court finds that the CRC's Amended Complaint fails to state a claim under 18 U.S.C. § 1030(g). The Amended Complaint is DISMISSED and the Clerk of the Court shall close this case.
