Documente Academic
Documente Profesional
Documente Cultură
TABLE OF CONTENTS
PRELIMINARY STATEMENT .....................................................................................................1
PROCEDURAL BACKGROUND..................................................................................................5
ALLEGATIONS OF THE SECOND AMENDED COMPLAINT.................................................7
Alleged Misappropriation of Confidential Information .......................................................7
Alleged Internal Chubb Policies ..........................................................................................9
Chubbs Purported Federal Claims ....................................................................................10
ARGUMENT .................................................................................................................................12
I.
II.
III.
B.
C.
B.
C.
CONCLUSION ..............................................................................................................................30
TABLE OF AUTHORITIES
Page(s)
CASES
Accenture Glob. Servs. GmbH v. Guidewire Software Inc.,
581 F. Supp. 2d 654 (D. Del. 2008) .........................................................................................28
Adams Arms, LLC v. Unified Weapon Sys., Inc.,
No. 16-cv-1503, 2016 WL 5391394 (M.D. Fla. Sept. 27, 2016) .................................23, 24, 25
Advanced Fluid Sys., Inc. v. Huber,
28 F. Supp. 3d 306, 329 (M.D. Pa. 2014) ................................................................................16
Advantage Ambulance Grp., Inc. v. Lugo,
No. 08-cv-3300, 2009 WL 839085 (E.D. Pa. Mar. 30, 2009) ...........................................20, 30
Ashcroft v. Iqbal,
556 U.S. 662 (2009) .................................................................................................................12
Bell Atl. Corp. v. Twombly,
550 U.S. 544 (2007) .................................................................................................................12
Block v. Seneca Mortg. Servicing,
No. 16-cv-0449, 2016 WL 6434487 (D.N.J. Oct. 31, 2016) ...................................................12
Brett Senior & Assocs., P.C. v. Fitzgerald,
No. 06-cv-1412, 2007 WL 2043377 (E.D. Pa. July 13, 2007) ................................................18
Carnegie Strategic Design Engrs, LLC v. Cloherty,
No. 13-cv-1112, 2014 WL 896636 (W.D. Pa. Mar. 6, 2014) ..................................................16
Chas. S. Winner, Inc. v. Polistina,
No. 06-cv-4865, 2007 WL 1652292 (D.N.J. June 4, 2007) .......................12, 13, 16, 18, 20, 21
Chubb INA Holdings Inc. v. Chang,
No. 16-cv-2354, 2016 WL 6841075 (D.N.J. Nov. 21, 2016) ..................................................12
Clinmicro Immunology Ctr., LLC v. Primemed, P.C.,
No. 3:11-cv-2213, 2016 WL 4107710 (M.D. Pa. July 7, 2016) ..............................................16
Consulting Profl Res., Inc. v. Concise Techs. LLC,
No. 09-cv-1201, 2010 WL 1337723 (W.D. Pa. Mar. 9, 2010), report &
recommendation adopted, 2010 WL 1337720 (W.D. Pa. Mar. 31, 2010).........................19, 30
Davis v. City of Philadelphia,
821 F.3d 484 (3d Cir. 2016).....................................................................................................12
ii
STATUTES
18 U.S.C. 1030, Computer Fraud and Abuse Act ............................................................... passim
18 U.S.C. 1831, et seq., Defend Trade Secrets Act ............................................................ passim
18 U.S.C. 1836 ......................................................................................................................22, 27
18 U.S.C. 1839 ......................................................................................................................22, 23
28 U.S.C. 1367 ......................................................................................................................29, 30
FED. R. CIV. P. 12 .......................................................................................................................1, 12
N.J. STAT. ANN. 56:15-1, et seq., New Jersey Trade Secrets Act .............................................5, 8
iv
OTHER AUTHORITIES
MERRIAM-WEBSTER DICTIONARY (2002) ................................................................................25, 26
RESTATEMENT (THIRD) OF UNFAIR COMPETITION 40 cmt. c (1995) ...........................................25
S. 1890, 114th Cong. (2016) ....................................................................................................22, 23
S. REP. No. 114-220 (2016) ...............................................................................................21, 22, 26
Pamela Taylor, Comment, To Steal or Not to Steal: an Analysis of the Computer
Fraud and Abuse Act and Its Effect on Employers, 49 HOUS. L. REV. 201
(2012) .......................................................................................................................................16
Samantha Jensen, Abusing the Computer Fraud and Abuse Act: Why Broad
Interpretations of the CFAA Fail, 36 HAMLINE L. REV. 81 (2013) .........................................16
Sarah Boyer, Current Issues in Public Policy: Computer Fraud and Abuse Act:
Abusing Federal Jurisdiction?, 6 RUTGERS J. L. & PUB. POLY 661, 662
(Spring 2009) ..................................................................................................................... 16-17
As of July 21, 2016, Endurance Reinsurance Corporation of America changed its name to
Endurance Assurance Corporation.
2
Although named as a new defendant in the SAC, Daryl Dubrovich has not yet been
served (nor has Chubb asked us to accept service), and thus she is not yet a party. A resident of
Arizona (SAC 15), Ms. Dubrovich is not alleged to be a party to any contract in which she
consented to personal jurisdiction in this Court or in New Jersey. (See SAC 24.) This motion
is not made on behalf of Ms. Dubrovich, who reserves her right to seek dismissal from this
action for lack of personal jurisdiction.
unauthorized access under the CFAA or improper acquisition, use or disclosure under the DTSA.
In this digital age when so many people work from home or virtually, white collar
workers invariably have documents belonging to their employers in their personal possession. If
that were enough to sue them in federal court, it would truly open the floodgates and hand their
employers an unjustified weapon that could be used to interfere with lawful competition and
employee mobility, which is exactly how Chubb is trying to use this action. It is time to send
this dispute to state court, where it has always belonged.
*
In January 2016, global insurance giant ACE Limited completed its acquisition of The
Chubb Corporation, creating the worlds largest publicly traded property and casualty insurance
company.3 (Chubb is ten times the size of Endurance, itself a NYSE company.) As a direct
result, and as frequently happens following a major corporate transaction, Chubb has suffered a
number of prominent employee departures not just to Endurance but to other industry
participants as well. In trying to paint the employee departures at issue in this case as the result
of some kind of conspiracy, the SAC glaringly fails to even mention the merger or the many
other departures. Chubb is unhappy and is clearly trying to send a message to other employees
and competitors because thirteen at-will employees, none of whom had non-compete
restrictions, decided to leave Chubb to join Endurance. Chubb complains that the employees
were offered more money by Endurance. Three others who received offers to join Endurance
were convinced by Chubb to stay. This is the way competition is supposed to work.
See Press Release, Chubb, ACE Completes Acquisition of Chubb; Adopts Chubb Name
and Launches New Chubb Brand (Jan. 14, 2016), available at http://news.chubb.com/2016-0114/ACE-Completes-Acquisition-of-Chubb-Adopts-Chubb-Name-and-Launches-New-ChubbBrand.
2
Chubbs fourth attempt to frame a complaint that invokes this Courts subject matter
jurisdiction fares no better than its first three attempts. Chubb alleges that the departing
employees downloaded or emailed to themselves purportedly confidential information prior to
their resignations. Yet the SAC fails to describe the alleged contents of any of these transfers,
offering nothing but conclusory allegations that the information was confidential. More
significantly, the SAC acknowledges that these alleged transfers all took place while the
employees were still working for Chubb, and at a time when they all had full access (SAC
59, 67) to Chubbs computer systems and were authorized to access the information. The
SAC alleges no facts, or any basis for an inference, that these employees improperly acquired
any confidential information, or that the information was thereafter used or disclosed for any
improper purpose. The allegations are fully consistent with the use of Chubb information solely
in the ordinary course of business while the employees worked for Chubb, and solely for
Chubbs benefit. Indeed, as the SAC acknowledges (SAC 50), Chubbs policies expressly
permit employees to remove information from its offices and systems to the extent necessary
for an employee to perform his or her job responsibilities.4
As we show in Point I, Chubb cannot state a viable claim for relief under the CFAA
because it cannot allege that any of the Defendants accessed computer data that they were not
authorized to access, a necessary element of a violation. While the Third Circuit has yet to
confirm the standard under the CFAA for alleging unauthorized access to computer data, or
access that exceeds authorization, the clear trend among the other Circuits, and the clear
weight of authority among district courts in this Circuit, is that the CFAA is not violated by an
In actuality, as Chubb knows, many of the Chubb employees commonly worked from
home and had Chubb materials at home and on their personal devices in the ordinary course of
their employment.
3
employee who accesses an employers confidential data unless the employee took the data from
a database or system that the employee had no permission to access. Because the allegations of
the SAC establish that the employees all had full access to Chubbs confidential information,
they could not have violated the CFAA. (Point I.A) Moreover, a violation of internal corporate
policies is not unauthorized access or exceeding authorized access within the meaning of the
CFAA. (Point I.B) Chubbs CFAA claim also fails because it has not incurred any costs to
repair damage to its computers or data, and therefore cannot allege the cognizable loss
necessary to state a private right of action under the CFAA. (Point I.C)
As we show in Point II, Chubbs claim under the recently-enacted DTSA fails because
the supposed trade secrets upon which it attempts to manufacture a case were all received in the
ordinary course of business by its former employees prior to the effective date of the DTSA, and
there are no well-pled allegations of either unauthorized use or disclosure. Thus, Chubb has
failed to plead (and cannot plead) misappropriation under the DTSA, which requires either an
improper acquisition or subsequent unauthorized use or disclosure. Mere possession or
retention of properly acquired information which is all Chubb has alleged or can allege is not
enough to state a claim.
Chubbs DTSA claim also fails because, according to the allegations of the SAC, all of
the alleged conduct, other than mere possession, preceded the enactment of the DTSA, which is
not retroactive and does not reach pre-enactment conduct. The only allegations that relate to
post-enactment conduct are entirely speculative and conclusory, to the effect that Defendants
supposedly will use or disclose or are likely to use or disclose Chubb information. Apart from
being false and contradicted by actual facts known to Chubb long before its latest amendment,
conclusions and speculation are not facts and are thus insufficient to state a claim under the
DTSA.
Endurance has no interest in, or need for, any of Chubbs purportedly confidential
information. All Chubb business information was collected from the Former Chubb Employees
before any of them started working for Endurance, and before the enactment of the DTSA on
May 11, 2016. Those materials, in hard copy and electronic form, have all been returned to
Chubb in accordance with Court-ordered stipulations and Chubbs directions.
Trade secret and anti-hacking laws, and non-solicitation and other post-employment
restrictive covenants are intended to protect companies from unfair competition. Here, the only
acts of unfair competition are those that have been perpetrated by Chubb. Chubb has no bona
fide trade secret or computer hacking claims; it is attempting to wield its non-negotiated, vague
and overbroad non-solicitation restrictions as swords, to intimidate and bully its former
employees and Endurance, to the detriment of the Defendants, customers and brokers, and the
marketplace for property and casualty insurance. The Court should dismiss this case and
entertain an application by the Defendants for bad faith fee shifting under the DTSA and the
New Jersey Trade Secrets Act.
PROCEDURAL BACKGROUND
Chubb filed this lawsuit on April 26, 2016, shortly after twelve Chubb employees (the
Former Chubb Employees) resigned to accept positions at Endurance. (Dkt. 1) Chubb
immediately demanded expedited discovery. During a teleconference with Magistrate Judge
Douglas E. Arpert on May 11,5 the parties, with the Courts assistance, discussed the steps being
taken by the Defendants to ensure that no Chubb information would reach Endurance. On May
13, Defendants produced acknowledgements signed by the Former Chubb Employees at the time
they were hired that they would honor their post-employment obligations to Chubb. (Copies of
the signed acknowledgements are annexed as Yablonski Decl. Ex. A.) That same day,
Defendants returned to Chubb all of the hard copy documents that had remained in the
possession of the Former Chubb Employees following their resignations. (Yablonski Decl. 8)
Defendants also provided assurances that there were no more Chubb employees in Endurances
hiring pipeline. (Yablonski Decl. Ex. B) Dissatisfied with these Court-ordered assurances,
Chubb filed its motion for expedited discovery on May 16, 2016. (Dkt. 20)
During a second teleconference on May 23, again at the suggestion of Magistrate Judge
Arpert, Defendants agreed to provide written confirmation that the Former Chubb Employees
had turned over all hard copy documents remaining in their possession, and provide an inventory
of devices and platforms containing Chubb information in electronic form. (Tr. 23-25)6 On May
27, Defendants provided declarations from each of the Former Chubb Employees setting forth
the requested information. (The declarations are annexed as Ex. C to the Yablonski Decl.) Each
declarant expressly represented that I have not used or disclosed any Chubb confidential
business information except in connection with, and during, my employment with Chubb. I have
not disclosed any Chubb confidential business information to Endurance, and I have not used or
disclosed any Chubb confidential business information for Endurances benefit. (Id. at 5)
Chubbs motion for expedited discovery was denied on June 24, 2016. (Dkt. 49)
In August, also at the Courts suggestion, the parties submitted a stipulated protocol for
the return and deletion of Chubb information in electronic form (the Protocol). [Dkt. 71] On
November 15, Defendants completed the return of all electronic documents remaining in the
possession of the Former Chubb Employees in accordance with the Protocol. (See
accompanying Declaration of Tiffany M. Woo dated December 12, 2016 (Woo Decl.) 3.)
Chubb has not claimed, and has no basis to claim, that its documents have not been properly and
completely returned in accordance with the parties stipulation and agreements.
ALLEGATIONS OF THE SECOND AMENDED COMPLAINT7
Michael Chang resigned from Chubb on February 9, 2016. (SAC 10) Endurance made
offers of employment to the Former Chubb Employees on April 20. (SAC 3, 85) There is no
allegation that Chang ever initiated contact with any Chubb employee to discuss or offer
employment at Endurance, or actually offered such employment. Three Chubb employees who
received offers declined them. (SAC 4) The Former Chubb Employees notified Chubb of their
resignations on April 22. (SAC 6) Chang and the Former Chubb Employees were at-will
employees who were not subject to non-compete agreements. They were all therefore free to
accept employment with Endurance.
Alleged Misappropriation of Confidential Information
The SAC alleges that Chubb maintains confidential information about its clients and
business, such as the clients key contact persons, its pricing and discounting preferences and
tolerances, its insurance policies, its insureds, pending projects and proposals, claims experience
and handling practices, sales and marketing strategies, revenues, compensation and personnel
information (Confidential Information).8 (SAC 41)
It is doubtful that the information Chubb labels confidential is in fact legitimately entitled
to trade secret protection. We recognize, however, that this turns on factual questions and so do
not rely upon it as a basis for dismissal on the pleadings.
7
Chubb acknowledges that Chang and each of the Former Chubb Employees had full
access to all of the Confidential Information maintained in the business records of the Real
Estate and Hospitality Division. (SAC 59, 67 [emphasis added]) Confidential Information
stored on company computers and other devices was accessible through the use of a coded
password assigned to Chubb employees. (SAC 44) Chubb Underwriters have access to
pricing, premium and profitability information of the clients they service, as well as all of
Chubbs clients and are free to browse detailed information regarding all of Chubbs clients.
(SAC 46) Chubb did not prohibit the emailing, downloading or other removal of Confidential
Information from Chubbs computers where necessary for an employee to perform his or her
job responsibilities. (SAC 50) The Former Chubb Employees were authorized during their
employment to use, disclose and retain Chubb Confidential Information to further Chubbs
business objectives. (SAC 67)
Chubb alleges that some of the Former Chubb Employees emailed unspecified Chubb
information to themselves or saved unspecified data to personal storage devices. (SAC 71, 73,
74, 78) All of the alleged transfers occurred while the Former Chubb Employees were still
employed by, and performing services for, Chubb. (SAC 71-75)9
While Chubb alleges in conclusory fashion that these transfers were not done for valid
business purposes on behalf of Chubb, but solely for their own personal benefit and/or for the
9
Chubb still alleges that Endurance obtained names and positions of Chubb employees
from a confidential Chubb document supplied . . . by the outside search firm. (SAC 4)
However, because names and positions of Chubb employees are not confidential, this allegation
does not establish wrongful use. Moreover, as Chubb well knows, the organizational chart
supplied by the outside search firm was compiled by a recruiter who assisted Endurance from
publicly-available information and is not a confidential Chubb document at all. This false
allegation, which Chubb has not removed from its amended pleadings despite having learned the
truth more than four months ago, is but one example of Chubbs bad faith pursuit of this action
that will, at the appropriate time, support Defendants request for fee-shifting under the DTSA
and New Jersey Trade Secrets Act.
8
benefit of Endurance (SAC 77, 79), the SAC is utterly devoid of any details from which any
inference of wrongdoing could be drawn. The SAC glaringly fails to describe the contents of
any of the allegedly transferred data, affording no factual basis for an inference that any
confidential or proprietary data was misappropriated. Similarly, no facts are alleged to support
any inference that the transferred information was misused by Endurance or anyone else.10
Chubb additionally alleges that the Former Chubb Employees retained in their
possession a large volume of hard copy documents and have made no representation that they
have returned all hard copy documents in their possession. (SAC 78, 79) We just do not
understand how Chubb can make this statement when it well knows that Defendants returned the
hard copy documents in the Former Chubb Employees possession on May 13, 2016. These
documents were returned two weeks before the proposed second amended complaint was filed,
and four months before the revised version of that pleading was submitted to the Court.11
Alleged Internal Chubb Policies
In an attempt to salvage the CFAA claim, the SAC includes new allegations about
internal corporate policies that Chubb claims were violated by the Former Chubb Employees.
The SAC alleges that Chubb had a Global Security Data Policy that provided that Highly
Confidential Data and Confidential Data should only be placed in Chubb protected and approved
third-party environments backed up by Chubb, and should only be accessible to individuals who
10
The only reason the Former Chubb Employees retained this information in the first
place was because, once this action was filed on April 26 (while they were still employed by
Chubb), a document preservation obligation arose.
9
have a business need to access it. (SAC 48) The policy allegedly prohibited: 1) forwarding of
Chubb emails containing confidential data to personal email accounts; 2) storage of confidential
data on local computer drives without encryption; 3) posting of confidential data on public
drives; and 4) storage of confidential data on unapproved applications or services without
permission from Chubbs security officer. (SAC 48)
The SAC further alleges the existence of a written policy that prohibited the Former
Chubb Employees from stor[ing] or transport[ing] data containing Confidential Information on
a CD-Rom, DVD, USB Drive or any other portable storage media without consent and approval
from the data owner and information security department. (SAC 49) The Former Chubb
Employees access to Chubb information was subject to these policies. (SAC 48, 67)
The alleged policies are not attached to the SAC. There is no allegation concerning when
these policies were put into effect, whether or how the Former Chubb Employees were notified
of the policies, whether they agreed to be bound by them, what data the policies apply to,
whether or how the policies were enforced, or how they can be reconciled with another Chubb
policy quoted in the SAC that Chubb employees were permitted to remove Chubb information
from Chubbs offices to the extent necessary for an employee to perform his or her job
responsibilities. (SAC 50)
Chubbs Purported Federal Claims
Chubb alleges that Defendants are liable for a civil violation of the CFAA (Count IX).
The gravamen of this claim is that Defendants accessed Chubbs protected computer system to
place and store data containing Confidential Information in unapproved applications and
services, email Confidential Information to personal email accounts, and store or transport data
containing Confidential Information on USB drives or other portable storage media. (SAC
145-46) These actions allegedly violated Chubbs corporate data security policies and were
10
11
ARGUMENT
To survive a motion to dismiss under Fed. R. Civ. P. 12(b)(6), a complaint must contain
factual allegations which, if accepted as true, state a facially plausible claim. Davis v. City of
Philadelphia, 821 F.3d 484, 488 (3d Cir. 2016) (citing Ashcroft v. Iqbal, 556 U.S. 662, 678
(2009)); Mu Sigma, Inc. v. Affine, Inc., No. 12-cv-1323, 2013 WL 3772724, at *2 (D.N.J. July
17, 2013). A claim is plausible when the plaintiff pleads factual content that allows the court to
draw the reasonable inference that the defendant is liable for the misconduct alleged. Iqbal, 556
U.S. at 678. A formulaic recitation of the elements of a cause of action will not do. Bell Atl.
Corp. v. Twombly, 550 U.S. 544, 555 (2007); Block v. Seneca Mortg. Servicing, No. 16-cv-0449,
2016 WL 6434487, at *7 (D.N.J. Oct. 31, 2016) ([t]hreadbare recitals of the elements of a cause
of action, supported by mere conclusory statements, do not suffice and [a] plaintiff must show
that there is more than a sheer possibility that the defendant has acted unlawfully). Assuming
the factual allegations in the complaint are true, those factual allegations must be enough to raise
a right to relief above the speculative level. Chubb INA Holdings Inc. v. Chang, No. 16-cv-2354,
2016 WL 6841075, at *4 (D.N.J. Nov. 21, 2016).
In reviewing a motion to dismiss for lack of subject matter jurisdiction under Rule
12(b)(1), the Court must assess whether the moving party is making a facial attack based on the
allegations of the complaint, or a factual attack that challenges the facts supporting jurisdiction.
Chas. S. Winner, Inc. v. Polistina, No. 06-cv-4865, 2007 WL 1652292, at *2 (D.N.J. June 4,
2007). A motion to dismiss an action for lack of subject matter jurisdiction on the ground that
plaintiffs have failed to plead a cognizable claim under the CFAA or DTSA is a factual attack.
Id. In a factual attack, the District Court do[es] not presume the truthfulness of the allegations
in plaintiffs complaint, [but] evaluate[s] the jurisdictional claims on the merits. The plaintiff
12
bears the burden to prove that this Court can exercise jurisdiction over their CFAA and DTSA
claims. Id.
I.
Defendants violated, but only one provision, 18 U.S.C. 1030(a)(2)(C), could even conceivably
apply to the SACs allegations. That provision imposes liability on someone who intentionally
accesses a computer without authorization or exceeds authorized access, and thereby obtains . . .
information from any protected computer. 18 U.S.C. 1030(a)(2)(C). The statute affords a
civil remedy to [a]ny person who suffers damage or loss by reason of a violation of this section
but only if the conduct involves one of the factors set forth in certain subsections of
Section 1030(c)(4)(A)(i). 18 U.S.C. 1030(g). [T]he term exceeds authorized access means
to access a computer with authorization and to use such access to obtain or alter information in
the computer that the accesser is not entitled so to obtain or alter. 18 U.S.C. 1030(e)(6).
Subsection (c)(4)(A)(i)(I) requires an allegation of loss to 1 or more persons during any
1-year period . . . aggregating at least $5,000 in value. (SAC 143) [T]he term loss means
any reasonable cost to any victim, including the cost of responding to an offense, conducting a
damage assessment, and restoring the data, program, system, or information to its condition prior
to the offense, and any revenue lost, cost incurred, or other consequential damages incurred
because of interruption of service. 18 U.S.C. 1030(e)(11).
The SAC fails to state a claim for relief under the CFAA in at least two respects. First,
Chubb cannot allege that Defendants accessed the computer data at issue without authorization
or by exceed[ing] authorized access because Defendants, while still employed by Chubb, were
authorized to access all of the data at issue. Second, Chubb has not alleged a cognizable loss
13
necessary to state a civil claim because Defendants conduct is not alleged to have caused, and
did not cause, any damage to Chubbs computer systems or data.
A.
The CFAA was enacted in 1984 to criminalize computer hacking. P.C. Yonkers, Inc. v.
Celebrations Party & Seasonal Superstore, LLC, 428 F.3d 504, 510 (3d Cir. 2005). As the Third
Circuit noted, [e]mployers . . . are increasingly taking advantage of the CFAAs civil remedies
to sue former employees and their new companies who seek a competitive edge through
wrongful use of information from the former employers computer system. Id. However, the
courts have properly been reluctant to extend the reach of the CFAA to criminalize mere
employee disloyalty and thus transform the CFAA from an anti-hacking statute into an
expansive misappropriation statute. United States v. Nosal, 676 F.3d 854, 857 (9th Cir. 2012)
(en banc). That is exactly how Chubb seeks to use the CFAA here and then some, because
here, there has not even been a misappropriation.
Just last year, the Second Circuit joined the growing consensus that the CFAA, construed
narrowly as a criminal statute must be, requires an actual trespass into computer systems or data,
and does not extend liability to the subsequent misuse of computer data that the user was
authorized to access. See United States v. Valle, 807 F.3d 508, 527-28 (2d Cir. 2015) (police
officer did not violate CFAA where he accessed informational database in violation of
departmental policy prohibiting access except for official police business, because he was
authorized to access the database for his employment). See also Nosal, 676 F.3d at 856, 864
(employees did not violate CFAA by downloading employers confidential data for use by
competitor in violation of policy against disclosing confidential information, where employees
were authorized to access the data in their employment); WEC Carolina Energy Sols. LLC v.
Miller, 687 F.3d 199, 206 (4th Cir. 2012) (same); LVRC Holdings LLC v. Brekka, 581 F.3d 1127,
14
1135 (9th Cir. 2009) (employee did not violate CFAA by emailing employers confidential
information to himself for use in a competing business where he was authorized to access the
information in connection with his employment).
The Second and Ninth Circuits expressly declined to follow prior contrary decisions of
other Circuits extending liability under the CFAA to cases involving an employees
misappropriation of employer data, noting that those courts had looked only at the culpable
behavior of the defendants before them, and failed to consider the effect on millions of ordinary
citizens caused by the statutes unitary [civil and criminal] definition of exceeds authorized
access. Valle, 807 F.3d at 527. We therefore respectfully decline to follow our sister circuits
and urge them to reconsider instead. Nosal, 676 F.3d at 863. As the Ninth Circuit en banc
noted in Nosal, [b]asing criminal liability on violations of private computer use policies can
transform whole categories of otherwise innocuous behavior into federal crimes simply because
a computer is involved. Id. at 860; see also Dresser-Rand Co. v. Jones, 957 F. Supp. 2d 610,
618-19 (E.D. Pa. 2013) (same, following Nosal).12
Although the Third Circuit has not yet ruled on this issue, courts in the District of New
Jersey have consistently held that liability under the CFAA does not, and should not, extend to
alleged misappropriation of an employers confidential data. See Givaudan Fragrances Corp. v.
Krivda, No. 08-cv-4409, 2013 WL 5411475, at *2 (D.N.J. Sept. 26, 2013) (the reach of the
CFAA does not extend to instances where the employee was authorized to access the information
he later utilized to the possible detriment of his former employer), affd, 639 F. Appx 840 (3d
Cir. 2016); Robinson v. New Jersey, No. 11-cv-6139, 2013 WL 3894129, at *4 (D.N.J. July 26,
12
The fact that Nosal and Valle involved criminal prosecutions rather than civil claims does
not undermine the applicability of their holdings. See WEC, 687 F.3d at 204 (Where, as here,
our analysis involves a statute whose provisions have both civil and criminal application, our
task merits special attention because our interpretation applies uniformly in both contexts.).
15
2013) (noting district courts in this circuit have held, in the employer-employee context, that an
employee who may access a computer by the terms of his employment is authorized to use that
computer for purposes of [the CFAA] even if his purpose in doing so is to misuse or
misappropriate the employers information). As Judge Hillman of this District held in
Polistina, 2007 WL 1652292, at *5:
We find nothing in the structure or language of the statute to suggest that
Congress intended to create a private cause of action against employees
whose crime, if you will, merely involved the use of ordinary e-mail in a
manner disloyal to their employer and in breach of their employment
contract. . . . If such conduct violates the CFAA there would be no
principled limit to the kinds of business disputes that Section 1030, and
perforce its private right of action, would reach.
Other courts in the Third Circuit are overwhelmingly in accord. See QVC, Inc. v.
Resultly, LLC, 159 F. Supp. 3d 576, 595 (E.D. Pa. 2016) (This Court is persuaded by the
reasoning of those opinions that have concluded that those who have permission to access a
computer for any purpose, such as employees, cannot act without authorization unless and until
their authorization to access the computer is specifically rescinded or revoked.); Clinmicro
Immunology Ctr., LLC v. Primemed, P.C., No. 3:11-cv-2213, 2016 WL 4107710, at *9 (M.D.
Pa. July 7, 2016); Advanced Fluid Sys., Inc. v. Huber, 28 F. Supp. 3d 306, 329 (M.D. Pa. 2014);
Carnegie Strategic Design Engrs, LLC v. Cloherty, No. 13-cv-1112, 2014 WL 896636, at *6
(W.D. Pa. Mar. 6, 2014); Eagle v. Morgan, No. 11-cv-4303, 2011 WL 6739448, at *7 (E.D. Pa.
Dec. 22, 2011).
Commentators also agree that requiring unauthorized access for a CFAA violation is the
better-reasoned approach. See, e.g., Samantha Jensen, Abusing the Computer Fraud and Abuse
Act: Why Broad Interpretations of the CFAA Fail, 36 HAMLINE L. REV. 81 (2013); Pamela
Taylor, Comment, To Steal or Not to Steal: an Analysis of the Computer Fraud and Abuse Act
and Its Effect on Employers, 49 HOUS. L. REV. 201 (2012); Sarah Boyer, Current Issues in
16
Public Policy: Computer Fraud and Abuse Act: Abusing Federal Jurisdiction?, 6 RUTGERS J. L.
& PUB. POLY 661, 662 (Spring 2009) (arguing that Third Circuit should construe the CFAA
narrowly in order to keep this type of employer/former employee action out of federal court).
The SAC alleges that Defendants, while employed by Chubb, utilized their authorized
access to Chubbs computer systems and databases to download or email Chubbs purportedly
confidential information for the benefit of Endurance, a competitor. This is precisely the kind of
allegation to which courts have refused to extend liability under the CFAA.13
Chubb cannot allege, as it must, that the Defendants gained computer access to any
purportedly confidential Chubb information that they were not authorized to have. In fact, the
SAC alleges just the opposite. Chubb acknowledges that, during their employment, Defendants
had full access to all of the Confidential Information maintained in the business records of the
Real Estate and Hospitality Division. (SAC 59, 67 [emphasis added]) Confidential
Information on Chubbs computers was accessible by Chubb employees through the use of a
coded password that employees were assigned. (SAC 44) Underwriters had access to
pricing, premium and profitability information of . . . all of Chubbs clients. (SAC 46) It was
not even against Chubb policy to email, download or remove Confidential Information from
Chubbs computers, provided it was necessary for an employee to perform his or her job
responsibilities. (SAC 50)
Because Chubb acknowledges that Defendants had full access to the data that was
allegedly accessed without authorization, there is no basis for a CFAA claim. See WEC, 687
F.3d at 207 (finding complaint belie[d] any allegation that defendants had accessed a computer
without authorization because complaint alleged that defendants had access to employers
13
servers and confidential documents stored on the servers); Polistina, 2007 WL 1652292, at *2
n.2 (allegation that defendants had complete access to plaintiffs confidential information
barred inference that defendants had exceeded their authorized access to any data); Brett
Senior & Assocs., P.C. v. Fitzgerald, No. 06-cv-1412, 2007 WL 2043377, at *3 (E.D. Pa. July
13, 2007) (evidence that employee was allowed full access to information on employers
computer system defeated CFAA claim). A bare, conclusory allegation that the defendants
accessed plaintiffs computer system without authorization is insufficient to state a claim under
the CFAA. Mu Sigma, 2013 WL 3772724, at *10.
B.
The SAC attempts to bolster its CFAA claim with allegations that the Former Chubb
Employees exceeded authorized access by accessing data on Chubbs computer system in
violation of internal Chubb policies that purportedly governed data security and confidentiality.
This argument, too, has been repeatedly rejected.
Accessing computer data that is otherwise within the employees authorization does not
become unauthorized access even if the employee is acting in violation of an employers
internal computer use policy. In WEC, one of the defendants had downloaded and emailed
confidential information to himself and used it to solicit a customer. The employer argued that,
although the employee had been authorized to access the information for his employment, he
violated the CFAA because the document had been downloaded in violation of company policies
that prohibited using the information without authorization or downloading it to a personal
computer. 687 F.3d at 202. The Fourth Circuit rejected this construction, holding: Congress
has not clearly criminalized obtaining or altering information in a manner that is not
authorized. Rather, it has simply criminalized obtaining or altering information that an
18
individual lacked authorization to obtain or alter. Id. at 206. The Ninth Circuit in Nosal
rejected the same argument, holding: If Congress meant to expand the scope of criminal
liability to everyone who uses a computer in violation of computer use restrictions which may
well include everyone who uses a computer we would expect it to use language better suited to
that purpose. 676 F.3d at 857. The Court explained:
Basing criminal liability on violations of private computer use policies can
transform whole categories of otherwise innocuous behavior into federal
crimes simply because a computer is involved. Employees who call
family members from their work phones will become criminals if they
send an email instead. Employees can sneak in the sports section of the
New York Times to read at work but theyd better not visit ESPN.com.
And sudoku enthusiasts should stick to the printed puzzles, because
visiting www.dailysudoku.com from their work computers might give
them more than enough time to hone their sudoku skills behind bars.
Id. at 860.
District courts in this Circuit have expressly held that the CFAA does not extend liability
to violations of a company policy. See Dresser-Rand, 957 F. Supp. 2d at 619 (holding CFAA
simply does not support a broad interpretation of authorization based on employer use
policies); Consulting Profl Res., Inc. v. Concise Techs. LLC, No. 09-cv-1201, 2010 WL
1337723, at *6 (W.D. Pa. Mar. 9, 2010), report & recommendation adopted, 2010 WL 1337720
(W.D. Pa. Mar. 31, 2010) (rejecting argument that employees use of the information in violation
of her employment contract gave rise to violation of CFAA).
Dresser-Rand is factually on all fours with the allegations presented here. In that case,
the employees allegedly downloaded Dresser-Rand documents to external hard drives and flash
drives. 957 F. Supp. 2d at 611. The employer had policies limiting use of the computer system
to authorized D-R business use and prohibited use that was not in the best interests of the
Company. Id. at 612. Another policy prohibited [a]ny unauthorized use, disclosure or
transmission of [protected] information or content. Id. The Court held that [i]f [the
19
employees] were authorized to access their work laptops and to download files from them, they
cannot be liable under the CFAA even if they subsequently misused those documents to compete
against Dresser-Rand. Id. at 620. This is because the employers policies governed use, not
access. Id. (emphasis in original).
Chubbs alleged data security policies only govern use of, not access to, its computer
information. The alleged policies do not limit the data or databases that the employees were
authorized to access in the course of their employment but merely purport to limit the
circumstances under which the information may be transferred. Thus, an alleged violation of
these policies does not state a claim for violation of the CFAA.14
C.
To allege a cognizable loss under the CFAA, the plaintiff must allege costs relating to
an investigation of damage caused to the computer system or data resulting from the defendants
conduct. Grant Mfg. & Alloying, Inc. v. McIlvain, 499 F. Appx 157, 159 (3d Cir. 2012) (costs
of technology consultant not directly attributable to restoring data deleted by departing employee
were not cognizable losses under CFAA); Sealord Holdings, Inc. v. Radler, No. 11-cv-6125,
2012 WL 707075, at *5 (E.D. Pa. Mar. 6, 2012) (investigating or remedying damage must be
related to the damage to the computer or due to interruption of the computers service);
Advantage Ambulance Grp., Inc. v. Lugo, No. 08-cv-3300, 2009 WL 839085, at *4 (E.D. Pa.
Mar. 30, 2009) (dismissing CFAA claim for failure to allege measures taken to remedy damage
to computer system or prevent recurrence); Polistina, 2007 WL 1652292, at *4 (costs must be
14
Spinello Cos. v. Silva, No. 13-cv-5146, 2014 WL 4896530 (D.N.J. Sept. 30, 2014) is not
to the contrary. That decision upholds a CFAA claim based on allegations that the employee
altered files without authorization, an independent violation of the CFAA not at issue here. Id.
at *4 (emphasis added.) There is no allegation that the defendant in that case violated any
employer policy. The Spinello court notes the Circuit split and absence of Third Circuit
precedent, but offers no analysis and does not adopt either position.
20
improper acquisition, use or disclosure of any of the information it claims was taken by the
Former Chubb Employees that occurred after the effective date of the DTSA, or at any time; and
Chubb offers nothing more than conclusions and speculation in a vain effort to state a viable
claim.
The Economic Espionage Act of 1996, codified at 18 U.S.C. 1831, et seq., makes it a
Federal criminal offense to misappropriate a trade secret. S. REP. No. 114-220, at 3 (2016).
Although fighting economic espionage and the theft of trade secrets is a top priority for Federal
21
law enforcement, criminal enforcement remains a limited solution to stopping trade secret theft
as the [FBI] and [DOJ] are limited in the resources they can bring to bear. Id. Thus, in May
2016, the DTSA amended the Economic Espionage Act to add a private right of action. Id.
The intent of Congress in creating a private right of action under the Economic Espionage
Act was to combat trade secret theft. S. 1890, 114th Cong. 5 (2016) (emphasis added). The
statute cannot reasonably or justifiably be construed to criminalize the mere retention of an
employers allegedly confidential information after the employees resignation especially
where, as here, there is no factual basis to support any allegation that any Former Chubb
Employee had any intention to misuse any Chubb information and where there is much evidence
to the contrary, which Chubb simply ignores. This is particularly true where, as here, the Court
must carefully scrutinize the sufficiency of plaintiffs allegations because the existence of federal
subject matter jurisdiction depends on the viability of these claims.
The DTSA civil liability provisions state, in relevant part:
An owner of a trade secret that is misappropriated may bring a civil
action under this subsection if the trade secret is related to a product or
service used in, or intended for use in, interstate or foreign commerce.
18 U.S.C. 1836(b)(1) (emphasis added).
[T]he term misappropriation means:
(A)
acquisition of a trade secret of another by a person who knows or
has reason to know that the trade secret was acquired by improper
means; or
(B)
disclosure or use of a trade secret of another without express or
implied consent by a person . . . .
18 U.S.C. 1839(5) (emphasis added).
[T]he term improper means:
22
23
Pillion downloads occurred on or before April 22, 2016]; SAC 75 [downloads to USB devices
occurred during their employment].) The SAC thus establishes that the Former Chubb
Employees employment, and their acquisition of Chubb information, ceased by April 22. (SAC
10, 67) Because the alleged acquisitions all occurred prior to the May 11, 2016 effective date,
Chubb cannot state a claim for violation of the DTSA on an improper acquisition theory. See
Adams Arms, 2016 WL 5391394, at *7.
The only allegations that could conceivably pertain to the period after the Former Chubb
Employees resigned from Chubb are conclusory, speculative and insufficient to give rise to an
inference based on pleaded facts that Chubbs information was improperly disclosed or used by
any Defendant on or after May 11, 2016. The best Chubb could come up with in the SAC is to
allege:
On information and belief, the Former Chubb Employees inevitably will use or
disclose Chubb Confidential Information to Endurance in performance of their
duties to Endurance. (SAC 154)
On information and belief, Endurance either accepted such information with the
knowledge that it was Confidential Information taken by Chang, Betts and
Dubrovich from Chubb in violation of their duty of confidentiality, or Endurance
was deliberately indifferent or reckless in failing to prevent Chang, Betts and
Dubrovich from using, disclosing or misappropriating Chubbs Confidential
Information. (SAC 155)
There can be no misappropriation of a trade secret under the DTSA unless the
information was acquired by improper means, or was used or disclosed without
24
25
A.
The allegation that the Former Chubb Employees retained and continue to possess
Chubb documents (SAC 8, 78, 79) does not satisfy the statute because mere retention of
documents is not an improper acquisition, disclosure or use that would satisfy the statutory
definition of misappropriation. The definition of retain is to hold or continue to hold in
possession. MERRIAM-WEBSTER DICTIONARY, supra, at 1938. Plainly, retention of documents
does not involve an acquisition, use or disclosure of the documents. The mere retention of
documents obtained in the ordinary course of employment is not an actionable misappropriation.
See JustMed, Inc. v. Byce, 600 F.3d 1118, 1129 (9th Cir. 2010) (holding defendant did not
acquire the [trade secret] through improper means because he already had possession of it as an
employee) (construing Idaho UTSA); Diamond v. T. Rowe Price Assocs., Inc., 852 F. Supp.
372, 412 & n.193 (D. Md. 1994) (finding no actionable misappropriation where employee
worked from home and regularly received employers documents at home) (construing Maryland
UTSA).15
B.
The Inevitable Disclosure Doctrine Does Not Cure the Pleading Deficiencies.
Chubbs allegation that the Former Chubb Employees inevitably will use or disclose
Chubb Confidential Information to Endurance (SAC 154) fails to state a claim under the
DTSA. A purported inevitable disclosure is not actionable as a misappropriation. IDT Corp.
v. Unlimited Recharge, Inc., No. 11-cv-4992, 2012 WL 4050298, at *15 (D.N.J. Sept. 13, 2012)
(dismissing claim for inevitable disclosure of employers confidential information, noting court
was unable to find a case which acknowledges inevitable disclosure as a viable cause of action
15
The DTSAs statutory language is modeled on the Uniform Trade Secrets Act (UTSA),
which has been adopted in almost all states. S. REP. No. 114-220, at 3. The definitions of
misappropriation are virtually identical.
26
in New Jersey). The inevitable disclosure doctrine simply assists the court in determining the
need for, and defining the scope of, preliminary injunctive relief, and does not expand the
definition of misappropriation. See Osteotech, Inc. v. Biologic, LLC, No. 07-cv-1296, 2008
WL 686318, at *4 (D.N.J. Mar. 7, 2008) (holding plaintiffs reliance on inevitable disclosure
doctrine was appropriate to the extent it may be used to show irreparable harm to Plaintiff in
support of request for injunctive relief) (construing N.J. UTSA); IDT Corp., 2012 WL 4050298,
at *15 (inevitable disclosure is a doctrine that may be applied in the context of independent
causes of action to award injunctive relief).16 Similarly, a conclusory allegation that trade
secrets must have been disclosed to Endurance because the Former Chubb Employees possessed
them and went to work for Endurance is not enough. See StrikeForce Techs., Inc. v. WhiteSky,
Inc., No. 13-cv-1895, 2013 WL 3508835, at *8 (D.N.J. July 11, 2013) (dismissing N.J. UTSA
claim for failure to allege facts supporting unauthorized use and disclosure of trade secrets).
C.
Chubb alleges that Defendants continue and will continue to misappropriate, reveal and
disclose Confidential Information, and that Endurance accepted Confidential Information from
the Defendants and will similarly accept Confidential Information from the Former Chubb
Employees. (SAC 153, 155) These formulaic allegations are purely conclusory and are not
supported by any factual averments that would support a plausible inference that any actionable
misappropriation has occurred. See Mu Sigma, 2013 WL 3772724, at *8 (declining to apply
newly-enacted N.J. UTSA where conclusory allegations of continuing misappropriation after
16
The DTSA rejects application of the inevitable disclosure doctrine as a basis for
enjoining employment or even for imposing conditions on the terms of employment. 18 U.S.C.
1836(b)(3)(A)(i)(I). The DTSA expressly prohibits such relief from being granted based
merely on [the nature] of the information the person knows. Id.
27
28
whatsoever by Defendants or any of the Former Chubb Employees, let alone after the DTSAs
May 11 effective date. Accordingly, Chubb cannot state a viable claim under the DTSA.17
III.
claims. (SAC 22) Chubb does not, and cannot, allege diversity jurisdiction. (Compare SAC
11 [Delaware plaintiff] with 16 [Delaware defendant].) Nor does it invoke the Courts
supplemental jurisdiction under 28 U.S.C. 1367. There is no allegation of jurisdiction
whatsoever over Chubbs state law claims.
Upon dismissal of the CFAA and DTSA claims, the Court should decline to exercise
supplemental jurisdiction over the remaining claims and dismiss the Complaint. A district court
may decline to exercise supplemental jurisdiction where it has dismissed all claims over which it
has original jurisdiction. 28 U.S.C. 1367(c)(3); Kalick v. Nw. Airlines Corp., 372 F. Appx
317, 322 (3d Cir. 2010). The district court must weigh considerations of judicial economy,
convenience and fairness to the litigants in deciding whether to exercise its discretion to exercise
supplemental jurisdiction. Shaffer v. Bd. of Sch. Dirs., 730 F.2d 910, 912 (3d Cir. 1984).
Absent extraordinary circumstances, jurisdiction [over claims based on state law] should be
declined where the federal claims are no longer viable. Kalick, 372 F. Appx at 322 (alteration
in original); Sharp v. Kean Univ., 153 F. Supp. 3d 669, 677 (D.N.J. 2015) (in the usual case in
17
which all federal-law claims are eliminated before trial, the balance of factors . . . will point
toward declining to exercise jurisdiction over the remaining state-law claims).
No extraordinary circumstances are present here. This action is still at the pleadings
stage. Written discovery only just began on November 22, 2016. [Dkt. 114] Any discovery
exchanged in this action will be usable in the pending or any subsequent state court action.
Because there is no basis for federal subject matter jurisdiction, the dismissal of the CFAA and
DTSA claims warrants dismissal of the entire action. See Consulting Profl Res., Inc., 2010 WL
1337723, at *8 (dismissing remaining state law claims under 1367(c) following dismissal of
sole federal CFAA count); Advantage Ambulance, 2009 WL 839085, at *4 (same). This is
particularly so where, as here, Chubb never had a good faith basis for invoking federal
jurisdiction in the first place, as it was repeatedly advised.
CONCLUSION
For all these reasons, Chubbs claims under the CFAA and DTSA should be dismissed
for failure to state a claim, and the Court should decline supplemental jurisdiction over the
remaining state law claims and dismiss the Second Amended Complaint in its entirety.
Dated: December 12, 2016
Respectfully submitted,
PROSKAUER ROSE LLP
By: /s/ Catherine I. R. Pontoriero
One Newark Center
Newark, NJ 07102
Tel: (973) 274-3285
Fax: (973) 274-3299
cpontoriero@proskauer.com
Steven M. Kayman (pro hac vice)
Elise A. Yablonski (pro hac vice)
Tiffany M. Woo (pro hac vice)
11 Times Square
New York, NY 10036-8299
Tel.: (212) 969-3000
30
skayman@proskauer.com
eyablonski@proskauer.com
twoo@proskauer.com.
MURPHY ORLANDO LLC
Jason F. Orlando
John Bartlett
30 Montgomery Street, 11th Floor
Jersey City, New Jersey 07302
(201) 451-5000
jorlando@murphyorlando.com
jbartlett@murphyorlando.com
Attorneys for Defendants Michael Chang,
Bentley Betts, Endurance Services Limited,
Endurance Specialty Holdings Ltd. and
Endurance Assurance Corporation
31