|Chapter 09||Title Page||Email Listserve|
[NOTE: This case has been edited for classroom use by the omission of text, citations, and footnotes. See this alternate source for the full opinion.]
U.S. District Judge Alice H. Stotler
ORDER FINDING FEDERAL QUESTION JURISDICTION; GRANTING IN PART AND DENYING IN PART DEFENDANTS' MOTION TO DISMISS; GRANTING IN PART PLAINTIFF'S MOTION FOR PRELIMINARY INJUNCTION
In 1994, Congress amended the Computer Fraud and Abuse Act, 18 U.S.C. § 1030 ("Act" or "CFAA"), the application of which in this case will confer jurisdiction on the district court for some or all of plaintiff's claims. Plaintiff, a medical diagnostics company, seeks to assert the revised provisions of the Act as private rights of action against defendant software providers. Resolving ambiguities in the legislation in plaintiff's favor, the Court by this Order concludes that plaintiff has stated a claim under federal question jurisdiction and pled two claims under the revised Act. The jurisdictional issue is examined first, followed by a discussion of defendants' motion to dismiss plaintiff's First Amended Complaint ("FAC") and plaintiff's motion for preliminary injunction.
II. PROCEDURAL HISTORY
Plaintiff filed this lawsuit on January 23, 1996, alleging only diversity jurisdiction. On March 11, 1996, plaintiff filed the First Amended Complaint ("FAC"), alleging federal question jurisdiction on the basis of the Computer Fraud and Abuse Act.
On April 9, 1996, plaintiff filed a motion for preliminary injunction. . . .
On April 15, 1996, defendants filed a motion to dismiss the complaint for failure to state a claim. . . .
III. SUMMARY OF FIRST AMENDED COMPLAINT
Plaintiff North Texas Preventive Imaging L.L.C. ("NTPI") is a Dallas-based provider of medical diagnostic imaging (i.e., CAT scans), a method of diagnosing coronary artery disease, cancer, osteoporosis, and other medical conditions. To assist with its diagnostic imaging, plaintiff purchased a computer system (the "Scribe system") from defendant Medical Diagnostic Imaging, Inc. ("MDI"). The Scribe system performs computer enhancement of medical images.
Defendant MDI is a California corporation which allegedly owns and controls the Scribe system software at issue. . . . Non-party DVI Financial Services, Inc. ("DVIF") is a financing company which helped plaintiff finance the purchase of the Scribe system software by buying it from defendants and leasing it to plaintiff. DVIF purchased the Scribe system according to the terms of price quotation 950103 on January 22, 1995. DVIF leased the software under the terms of lease #8 on February 27, 1995.
In May 1995, the Scribe system was installed in plaintiff's facility. Plaintiff has allegedly paid 90% of the sales price for the Scribe system software. The core of the dispute is the parties' disagreement over the licensing rights conferred by defendant's sale of the Scribe system. The parties have no formal licensing contract; their arrangement is reflected in a price quotation which contains the following provision:
Software License Agreements: Software products provided by Multi-Dimensional Imaging are copyrighted, and all rights are reserved by Multi-Dimensional Imaging. The distribution and sale of Multi-Dimensional Imaging software products are intended for the use of the original purchaser only and for use only on the computer system(s) specified. Lawful users of this product are licensed to use the software as loaded on computers and/or provided on floppy disk for copying to computers. Users are also allowed to make back-up copies for safety. Any other copying, duplicating, selling, or otherwise distributing these products is a violation of the law.FAC paragraph 13; Friede Decl. Ex. 7 at 7 (full text of price quotation number 950103).
Plaintiffs were dissatisfied with the operation of the Scribe system and on December 27, 1995, sent a letter to MDI "cancelling" the purchase of the Scribe system and demanding return of $161,721 which had been "overpaid." FAC paragraph 15. Defendants responded with a letter asking plaintiff to enter into a new licensing arrangement and noting that the software would be disabled on January 31, 1996, if the new license were not executed.
When the software was installed in March 1995, it contained no time restrictions or other disabling codes. Defendants apparently sent plaintiffs "update disks" periodically to update the Scribe system. In late 1995, defendants sent an "update" floppy computer disk to plaintiff which, unbeknownst to plaintiff, contained disabling codes. Disabling codes, or "time bombs," are computer software codes which render a software program inoperable at a pre-set time and date. The software which plaintiffs loaded onto their computer in late 1995 contained a time bomb set to go off on January 31, 1996. The software was prepared on MDI's computers in California.
Plaintiff learned of the existence of the time bomb and complained to defendant about its insertion in the Scribe system. A few days before the time bomb was scheduled to go off, MDI sent another set of computer codes which reset the time bomb for May 1, 1996.
The FAC alleges six causes of action. First, plaintiff alleges that defendants breached the DVIF-MDI purchase contract and that plaintiff, as third party beneficiary of the contract and assignee of DVIF's rights, may enforce the contract. Plaintiff asserts that it received invoices for $511,500, but received goods worth only $278,730. MDI has been paid $460,350 for goods supplied, and plaintiff alleges the right to the amount it overpaid for the goods -- $181,620.
Second, plaintiff alleges that defendants breached the express and implied warranties for defect-free performance of the software and hardware. Plaintiff alleges that it has been damaged in the amount of $10,000, representing the cost of labor and measures taken to keep the Scribe system running.
Third, plaintiff alleges that defendants' conduct in secreting the time bomb in its Scribe system constitutes a violation of CFAA sections 1030(a)(5)(A) and (B). In particular, plaintiff claims that defendant, using its computers located in California, clandestinely caused the time bomb to be inserted in the Scribe system at plaintiff's facility in Texas. The time bomb potentially impairs the medical examination, diagnosis, and treatment of NTPI's patients.
Fourth, plaintiff alleges that defendants intentional insertion of the time bomb in the Scribe system constitutes conversion because it interferes with plaintiff's right to quiet possession and use of the Plaintiff requests damages in the amount of $460,350, representing the amount paid for the Scribe system.
Fifth, plaintiff requests a declaratory judgment because it is impossible to determine who owns and controls the Scribe system software at issue in this lawsuit and that several defendants have used the name "MDI." . . .
Sixth, plaintiff alleges that defendants HTW and Harvey Eisenberg committed "fraudulent misrepresentation and constructive fraud." Claim 6, while captioned as a fraud claim, substantively appears to allege a claim for breach of fiduciary duty. . . . Plaintiff requests compensatory damages in the amount of $460,350 plus various additional damages caused by defendants' breach.
1. Federal Question Jurisdiction: Does the Computer Fraud and Abuse Act ("Act" or "CFAA") prohibit the conduct complained of in the complaint?
The CFAA proscribes the unauthorized access to certain computer systems for harmful purposes by means of a modem or direct keyboard entry.
Section 1030(a)(5)(A) of statute reads:
[Whoever] through means of a computer used in interstate commerce or communications, knowingly causes the transmission of a program, information, code, or command to a computer or computer system if --(i) the person causing the transmission intends that such transmission will--[shall be punished as provided in subsection (c) of this section].(I) damage, or cause damage to, a computer, computer system, network, information, data, or program; or(ii) the transmission of the harmful component of the program, information, code, or command--
Section 1030(a)(5)(B) of the statute criminalizes the same conduct when done with "reckless disregard of a substantial and unjustifiable risk that the transmission will" cause harmful effects.
However, it is unclear whether the CFAA prohibits a person from sending a disk containing disabling codes to an authorized person who then unwittingly loads the codes onto a computer. The Court has found no cases on point, and indeed very few cases which construe Section (a)(5) at all.n1 The issue appears to be one of first impression. Although written as a criminal prohibition, the statute also creates a private right of action:
Any person who suffers damage or loss by reason of a violation of the section, other than a violation of subsection (a)(5)(B), may maintain a civil action against the violator to obtain compensatory damages and injunctive relief or other equitable relief. Damages for violations of any subsection other than subsection (a)(5)(A)(ii)(II)(bb) or (a)(5)(B)(ii)(II)(bb) are limited to economic damages. . . .
18 U.S.C. § (g).
A. Legislative History of the CFAA
The CFAA, enacted in 1984, was intended to prohibit the gaining of unauthorized access to "federal interest" computers. The original CFAA focussed on unauthorized "access" to computers causing harm and did not reach harms caused by methods other than unauthorized access. The 1984 CFAA therefore contained a loophole in cases where: (1) an authorized person caused harm to a protected computer system, or (2) an unauthorized person gave a floppy computer disk or computer codes to an authorized person who loads it onto the computer.
The CFAA was amended in 1986 and 1994. The 1994 amendment was intended to broaden the scope of criminalized activities to reflect the broader range of techniques being used in society to wreak havoc on computer systems. The sponsor of the 1994 amendment, Senator Leahy, stated that:
[T]hese amendments clarify the intent standards, the actions prohibited and the jurisdiction of the current Computer Fraud and Abuse Act. . . . Under the current statute, prosecution of computer abuse crimes must be predicated upon the violator's gaining unauthorized access to the affected Federal interest computers. However, computer abusers have developed an arsenal of new techniques which result in the replication and transmission of destructive programs or codes that inflict damage upon remote computers to which the violator never gained "access" in the commonly understood sense of that term.139 Cong. Rec. S16421-03, Nov. 19, 1993 (stmt. of Sen. Leahy) (reprinted at 1993 WL 490040).
Thus while the pre-1994 CFAA was directed towards the unauthorized "access" of a computer system, presumably by modem or by direct keyboard entry, the post-1994 CFAA is directed towards a broader range of conduct by which a person knowingly "causes" the "transmission" of a program, information, code, or command to a computer. 18 U.S.C. § 1030(a)(5). Senator Leahy stated that:
The new subsection of the CFAA created by this bill places the focus on harmful intent and resultant harm, rather than on the technical concept of computer access. . . .139 Cong. Rec. S16421-03, Nov. 19, 1993 (stmt. of Sen. Leahy) (reprinted at 1993 WL 490040) (emphasis added). The post-1994 CFAA undoubtedly is and was meant to be broader than previous law.
The question, however, is whether the current law proscribes defendants' conduct in this lawsuit -- the act of sending a floppy computer disk containing a time bomb to a party who unknowingly loads it onto a computer.
During debates on the 1994 amendment, software manufacturers objected to the possibility that their practice of inserting "disabling codes" in software programs would be criminalized because disabling codes can be used as a legitimate security measure. On this issue, Senator Leahy stated that the new language would not criminalize the use of disabling codes "when their use is pursuant to a lawful licensing agreement that specifies the conditions for reentry or software disablement." Cong. Rec. vol. 140 no. 122, 103d Cong., 2d sess., 8/23/94 at S. 12313. Although Senator Leahy did not state the converse proposition, i.e., that the bill did criminalize the use of disabling codes which are not specified in a lawful licensing agreement, this is certainly a reasonable implication of the statement. The Court has found nothing in the statute or legislative history to suggest that Congress intended a blanket exemption for the use of time bombs from the CFAA's prohibitions. Rather, time bombs would appear to fall within the statute's proscription on the use of "codes, information, programs, or commands" to cause harm to protected computer systems. Whether the use of a time bomb is illegal appears to require a case-by-case analysis of the defendant's intent, the type of computer involved, and the resulting harm.
[Editor's note: The case does not appear to have a section B.]
By casting the net broadly to include many different "transmission" techniques, the 1994 amendment shifted the CFAA's focus from the act of unauthorized access to the intent of the defendant. The transmission of a disabling code by floppy computer disk may fall within the new language, if accompanied by the intent to cause harm 18 U.S.C. § 1030(a)(5). Accordingly, plaintiff has established federal question jurisdiction in claim 3 of the first amended complaint. The Court also chooses to exercise federal question jurisdiction over claim 5 (declaratory relief) and supplemental jurisdiction over remaining state law claims 1, 2, 4, and 6.
2. Defendants' Motion to Dismiss the First Amended Complaint
Defendants seek to dismiss all six claims in the FAC for failure to state a claim upon which relief can be granted or, alternatively, to require a more definite statement or to strike parts of the FAC. As noted, the FAC alleges causes of action for: (1) breach of contract, (2) breach of implied and express warranties, (3) violation of the CFAA, (4) conversion, (5) declaratory relief, (6) and fraud.
A. Claim 1 -- Breach of Contract
. . . .
Defendants allege that claim 1 fails to identify the contract being sued upon, the provisions of the contract allegedly breached, the breaching act, or the breaching party. . . . Defendants' motion to dismiss claim 1 is granted.
B. Claim 2 -- Breach of Express and Implied Warranty
Defendants seek to dismiss claim 2 because it fails to identify: (1) the source of the express warranty, (2) the source of the implied warranty, (3) the breaching party, or (4) the breaching act.
. . . [D]efendants' motion to dismiss claim 2 is denied.
C. Claim 3 -- Violation of the CFAA
Defendants argue for dismissal of claim 3 on grounds that: (1) claim 3 fails to identify any individual responsible for the acts alleged, (2) claim 3 fails to plead violations of subsections (B)(i) and (B)(ii)(I), as required to state a claim under 18 U.S.C. § 1030 (a)(5)(B). First, claim 3 alleges that "MDI has knowingly developed computer program code which it sent to NTPI in Texas, containing instructions through which MDI has sought to disable the operation of NTPI's Scribe System . . . " FAC paragraph 33. Plaintiff has therefore identified the parties responsible, as well as identified the conduct which allegedly violates the CFAA.
Second, as discussed above, claim 3 alleges facts which state a claim for violation of Section 1030(a)(5)(A) and Section 1030(a)(5)(B). To state a claim for violation of Section 1030(a)(5)(A), a plaintiff must plead that the defendant: (1) knowingly caused the transmission of a program, information, code, or command to a computer system (2) with the intent to cause damage to a computer system or to withhold or deny the use of a computer system (3) without the authorization of the computer system's owners or operators (4) causing a loss of more than $1,000 or harm to medical examination, diagnosis, treatment, or care of individual(s).n4 Here, claim 3 alleges that defendants developed the time bomb on their California computers; that defendants transmitted the computer code to plaintiff for loading on its computers in Texas; that defendants did not disclose the existence of the time bomb to plaintiff; that plaintiff's facility is involved in the medical examination, diagnosis, and treatment of patients; that these acts were committed with knowledge or reckless disregard of a substantial risk of the resulting potential harm to the Scribe system; and that the conduct has the potential to disrupt plaintiff's medical diagnosis and treatment. Accordingly, defendants' motion to dismiss claim 3 is denied.
D. Claim 4 -- Conversion
. . . .
. . . [P]laintiff fails to allege facts supporting any actual deprivation of its use of the Scribe system stemming from the insertion of the time bomb. Claim 4 fails to allege the element of damages, and therefore defendants motion to dismiss claim 4 is granted.
E. Claim 5 -- Declaratory Relief
. . . .
. . . Defendants disagree . . . that the declaration requested by plaintiff is proper -- all of which suggests that there is a case or controversy before the Court. Accordingly the Court denies defendants' motion to dismiss claim 5.
F. Claim 6 -- Fraudulent Misrepresentation and Constructive Fraud
. . . .
Here, claim 6 is captioned "fraudulent misrepresentation and constructive fraud." However, the substance of claim 6 is breach of fiduciary duty, . . . [P]laintiff fails to plead the requisite element of damages resulting from the alleged breach of fiduciary duty, and defendants' motion to dismiss claim 6 is therefore granted.
3. Plaintiff's Motion for Preliminary Injunction
. . . Because plaintiff is likely to suffer irreparable harm absent an injunction and in order to maintain the status quo, the Court enjoins defendants from withholdinq updated disks from plaintiff during the pendency of this litigation.
For the foregoing reasons, the Court has federal question jurisdiction over claim 3 and chooses, in its discretion, to exercise jurisdiction over claim 5 and supplemental jurisdiction over the remaining state law claims (claims 1, 2, 4, and 6).
The Court grants defendants' motion to dismiss claims 1, 4, and 6 and denies defendants' motion to dismiss claims 2, 3 and 5. . . .
The Court grants plaintiff's motion for preliminary injunction. . . .
IT IS SO ORDERED.
. . . .
1 None of the cases deal with the current post-1994 version of § 1030(a)(5). United States v. Morris, 928 F.2d 504 (2d Cir. 1991) (discussing criminal liability for putting a "worm" on the Internet and causing many computer systems to crash); United States v. Morris, 728 F. Supp. 95, 96 (N.D.N.Y. 1990) (defining elements of crime under 1030(a)(5)); United States v. Fernandez, 1993 WL 88197 (S.D.N.Y.) (overruling vagueness objection to 1030(a)(5) and defining the term "federal interest computer").
4 It is unclear whether a civil action may be maintained at all under Section 1030(a)(5)(B). Congress' creation of a private right of action states that "[a]ny person who suffers damage or loss by reason of a violation of the section, other than a violation of subsection (a)(5)(B), may maintain a civil action . . . " 18 U.S.C. § 1030(g). This sentence suggests that there is no civil right of action under (a)(5)(B). However, the next sentence states that "[d]amages for violations of any subsection other than subsection (a)(5)(A)(ii)(II)(bb) or (a)(5)(B)(ii)(II)(bb) are limited to economic damages." This sentence suggests that there is a civil right of action for violations of subsection (a)(5)(B). Having decided that plaintiff has stated a claim under subsection (a)(5)(A), and assuming that the damages available upon a finding of liability under each subsection would be coextensive in this case, the Court will permit plaintiff to go forward with its claim under subsection (a)(5)(B).
|Top of Page||Chapter 09||Title Page||Email Listserve|
|(C) 2001-03 Tom W. Bell. All rights reserved. Fully attributed noncommercial use of this document permitted if accompanied by this paragraph.