OPINION AND ORDER ADOPTING REPORT AND RECOMMENDATION AND GRANTING PRELIMINARY INJUNCTION
GUSTAVO A. GELPI, United States District Judge.
Pending before the Court is Phillips Medical Systems Puerto Rico, Inc. ("Phillips") motion for preliminary injunction, Docket No. 2. Phillips contends that it is entitled to a preliminary injunction under the CFAA, 18 U.S.C. § 1030(a)(2), as well as under Puerto Rico's Industrial and Trade Secret Protection Act ("Trade Secret Protection Act"), P.R. LAWS ANN. tit. 10, § 4136. (Docket No. 2.) Defendants contend that Phillips-PR is unable to maintain an action under § 1030, but provided no argument for denying injunctive relief on the basis of the Trade Secret Protection Act. (Docket No. 53.)
Magistrate Judge Bruce J. McGiverin issued a Report and Recommendation on August 15, 2016, finding that the preliminary junction should be granted. (Docket No. 105.) The parties did not object within the deadline set by the Court at Docket No. 106. The Court has reviewed Judge McGiverin's Report and Recommendation at Docket No. 105 and
I. Standard of Review
The Court reviews an un-objected report and recommendation for plain error.
Absent objection, ... [a] district court ha[s] a right to assume that [the affected party] agree[s] to the magistrate's recommendation."
Judge McGiverin discussed the factors that must be weighed by the Court when ruling upon a motion for preliminary injunction. As to Phillip's claims under the CFAA, the R & R focuses on the likelihood of success of the merits of Phillip's claim under 18 U.S.C. § 1030(a)(2), addressing the different elements of Plaintiff's cause of action under the CFAA. (Docket No. 105.)
Turning to the rest of the factors, the Judge further reasoned that "Phillips is likely to suffer irreparable harm in the absence of the injunction for several reasons."
III. Preliminary Injunction
Upon review and adoption of Magistrate Judge McGiverin's R & R, preliminary injunction is hereby issued as follows. Preliminary injunction is hereby
Magistrate Judge McGiverin's Report and Recommendation at Docket No. 105 is hereby
REPORT AND RECOMMENDATION
BRUCE J. McGIVERIN, United States Magistrate Judge.
Phillips Medical Systems Puerto Rico, Inc. ("Phillips-PR") brought this action against GIS Partners Corp. ("GIS"), Hernan Toro ("Toro"), David Sumpter ("Sumpter"), and Radames Bracero ("Bracero"), alleging breach of contract, unfair competition, violation of four sections of the Computer Fraud and Abuse Act ("CFAA" or "Act"), 18 U.S.C. § 1030, and violation of Puerto Rico's Industrial and Trade Secret Protection Act, P.R. Laws Ann. tit. 10, §§ 4131-4141. Docket No. 38. Only the § 1030(a)(2) and state-law claims survived the motion to dismiss. Docket Nos. 76, 99. Phillips-PR moved for a preliminary injunction, Docket No. 2, and GIS, Toro, and Sumpter opposed.
For the reasons set forth below, injunctive relief should be
Phillips-PR, a subsidiary of Royal Phillips Electronics ("Phillips"), is a Puerto
Toro, Sumpter, and Bracero are former employees of Phillips-PR. Toro served as a field service engineer of CT scan products for 15 years, and left the company in 2009. Sumpter worked as an equipment salesperson for 20 years, and also left the company in 2009. Docket No. 92 ¶¶ B, C. Bracero was a field service engineer of MRI machines, and left the company in February 2012. During their employment, each of these employees signed an agreement with Phillips-PR containing a confidentiality and non-disclosure clause that prohibited them from using, publishing, or disclosing secret or confidential information "during or after" their employment.
GIS is a Puerto Rico corporation founded by Toro and Sumpter, who were the company's sole stockholders prior to April 2014. Id. ¶ A(ii). GIS competes with Phillips-PR, and provides repair and maintenance services to hospitals and healthcare providers. Docket No. 91 ¶ 5. After April 2014, Toro became GIS's sole stockholder. Docket No. 92 ¶ A(iii). General Imaging Services Corporation ("General Imaging") is a Puerto Rico corporation founded by Sumpter after he left GIS. Id. ¶ A(vii). The inventory of parts for GIS and General Imaging is stored in GIS's warehouse and is "interchangeable" between the two companies. Id. ¶¶ A(vi)-(vii). The two companies have also "interchangeably" provided services to the Mennonite General Hospital ("Hospital"), though the obligor on the service agreements with the Hospital has alternated between GIS and General Imaging. Id. ¶¶ A(vii)-(xiii).
Servicing of Phillips-Branded MRI Machines
Calo testified that Phillips-PR had a 60-month service agreement with the Hospital that was supposed to run from September 19, 2008 to September 19, 2013. Exs. 8, 15. The Hospital cancelled the service agreement in August 2012, and Calo highlighted that the time period in which the contract was cancelled coincided with the time period when Bracero ended his employment with Phillips-PR. Ex. 16. Before the contract was cancelled, Calo met with the Hospital's administrator, among others, and was told that the Hospital would now go to "GIS Corp. for services."
Jose Rivera-Rivera ("Rivera") is the owner of Medical X-Ray ("Medical X-Ray") in Ponce, and is familiar with the persons who service the company's Phillips-branded MRI machine. Since February 2012, GIS has "mostly" serviced Medical X-Ray's MRI machine, though Phillips serviced the machine once or twice. When GIS serviced the machine, Sumpter, Bracero, and Toro were the ones who provided that service. Recently, Alpha Medical has taken over the servicing of the MRI machine. Rivera testified that Bracero works for Alpha Medical and that Bracero has been the "main" servicer of the MRI machine since Medical X-Ray has owned it.
The MRI Machines
Ives Sakuyoshi ("Sakuyoshi"), a magnetic resonance national support specialist for Phillips, is responsible for training and assisting field service engineers in the United States and Canada. These responsibilities include helping a field service engineer during an "escalation," which is a situation where a field service engineer is unable to resolve an issue and seeks additional guidance from the company's national support specialists. According to Sakuyoshi, an MRI machine has three components: (1) the operator's console, where an operator controls the machine by using, among other things, the machine's host computer ("Host Computer"); (2) the admission room, where the machine's magnet is located and the patient is placed; and (3) the technical room, where the machine's equipment is housed. These components were the same for the Phillips-branded MRI machines sold to the Hospital and Medical X-Ray. Ex. 1, §§ 11-3, 11-4; Ex. 2 §§ 11-3, 11-4. Both machines are equipped with Ethernet cards and a remote services network router ("Router"), which permit Phillips to remotely access the MRI machines through an encrypted Internet connection.
To service, calibrate, or maintain an MRI machine without using any of Phillips's proprietary information, a customer or non-Phillips representative may use the Basic Level. A Phillips-employed field service engineer has additional tools at his or her disposal to service an MRI machine: embedded on the Host Computer's software is the CSIP Tool, which permits a viewer to access Phillips's proprietary information. The CSIP Tool, which is not available to the public,
To protect — and restrict access to — the CSIP Tool, Phillips has developed two security solutions: Phillips Medical System Security ("PMSSec"), and Integrated Security Tool ("IST"). One method of accessing the CSIP Tool requires a field service engineer to connect a Smart Card to the Host Computer. A Smart Card is a USB-like device that contains a microchip. The microchip is embedded with a password-protected digital certificate that is issued only with a valid IST account. An IST account, which is issued by Phillips, allows a person to have a username/identification and password (i.e., login credentials).
Another way to access the CSIP Tool is through the MR Response Generator Tool. Under this method, the MRI system sends a challenge to the field service engineer's laptop, the field service engineer types into the MRI system the response to the challenge, and the MRI system then grants access to the CSIP Tool. Access via this method requires an IST account, too. None of the tools that are used to access the CSIP Tool are available to the public. But according to Sakuyoshi, it is possible to transfer to others the IST account login credentials, as well as the MR Response Generator Tool, which can be installed on any laptop.
Unauthorized Access to CSIP Tool
On October 20, 2014, Sakuyoshi received a call from a field service engineer in Puerto Rico who was unable to resolve a system problem with Medical X-Ray's MRI machine. After receiving this call, Sakuyoshi asked the local field service engineer to send him the log files for the system. Those files showed some "unusual activities" and indicated that an IST account deactivated in 2012 was being used to access CSIP Levels 0, 1, and 2. Each IST account has a unique identification number that is not reassigned to subsequent employees.
After consulting Phillips's database where all assigned identification numbers are recorded, Sakuyoshi learned that Bracero's deactivated credentials were being used to enter access-restricted areas of the system's software, specifically, CSIP Levels 0, 1, and 2. See Ex. 3. The logs for Medical X-Ray's MRI machine indicate that Bracero's login credentials were used numerous times between October 2012 and October 2015 to access CSIP Levels 0, 1, and 2. See Ex. 3. Sakuyoshi also learned that the MR Response Generator Tool — as opposed to a Smart Card — had been used to access the CSIP Tool. Phillips began paying attention to the log files of Phillips-branded MRI machines, and discovered that Bracero's deactivated credentials were also being used to access the Hospital's MRI machine. See Ex. 4. The log files for the Hospital's MRI machine indicate that Bracero's login credentials were used numerous times between October 2012 and March 2015 to access CSIP Levels 0, 1, and 2. Id.
Phillips hired Enterprise Risk Management ("ERM") to investigate the breaches into the CSIP Tool. ERM conducted a forensic analysis of these breaches, and had been paid $6,000 at the time of the hearing. Michael Burgess ("Burgess") was employed by ERM, prepared a report (which has an addendum), and was qualified to testify as an expert witness as to the matters examined in his report. Exs. 6, 7. Burgess's report explains each of the six columns in the MRI system's log: the first column identifies the user identification number; the second, the date of access; the third, whether the system was accessed locally or remotely; the fourth, the organization that accessed the system; the fifth, the extent of access (i.e., CSIP Levels 0, 1, or 2); and the sixth, any comments that the user entered. Ex. 6 at 3-4.
Burgess confirmed that Bracero's identification number (35914) did not have any authority to access the MRI systems because it had been deactivated as of May 2012, and that someone was using the MR Response Generator Tool with Bracero's identification number to circumvent the CSIP Tool. Ex. 6 at 5; Ex. 2. On cross-examination, Burgess acknowledged that Bracero had returned all the Phillips-issued hardware (i.e., dongles, laptops, and so forth). He explained, however, that the MR Response Generator Tool could run on any laptop.
Phillips-PR contends that it is entitled to a preliminary injunction under the CFAA, 18 U.S.C. § 1030(a)(2), as well as under Puerto Rico's Industrial and Trade Secret Protection Act ("Trade Secret Protection Act"), P.R. Laws Ann. tit. 10, § 4136. Docket No. 2. Defendants contend that Phillips-PR is unable to maintain an action under § 1030, but provided no argument whatsoever for denying injunctive relief on the basis of the Trade Secret Protection Act. Docket No. 53.
I. Section 1030(a)(2)
A plaintiff seeking a preliminary injunction must demonstrate "that he is likely to succeed on the merits, that he is likely to suffer irreparable harm in the absence of preliminary relief, that the balance of equities tips in his favor, and that an injunction is in the public interest." Winter v. Nat. Res. Defense Council, Inc., 555 U.S. 7, 20, 129 S.Ct. 365, 172 L.Ed.2d 249 (2008) (Court rejected rule that when "a plaintiff demonstrates a strong likelihood of prevailing on the merits, a preliminary injunction may be entered based only on a `possibility' of irreparable harm").
A. Likelihood of Success
The "CFAA is primarily a criminal statute," but a private cause of action for
The statute "lists seven different types of" prohibited conduct that "ranges from trafficking in passwords to knowing and unauthorized access" to protected computers. P.C. Yonkers, Inc., 428 F.3d at 510. A claim under the CFAA requires "that the defendant violate[ ] one of the provisions of § 1030(a)(1)-(7), and that the violation involve[ ] one of the factors listed" in § 1030(c)(4)(A)(i). See LVRC Holdings LLC v. Brekka, 581 F.3d 1127, 1131 (9th Cir.2009); see also 18 U.S.C. § 1030(g).
1. Protected Computer
The CFAA defines the terms "computer" and "protected computer." 18 U.S.C. § 1030(e)(1), (2). Computer is defined as "an electronic, magnetic, optical, electrochemical, or other high speed data processing device performing logical, arithmetic, or storage functions, and includes any data storage facility or communications facility directly related to or operating in conjunction with such device ...." 18 U.S.C. § 1030(e)(1). As courts have noted, the Act's definition of "computer" is "exceedingly broad" and "captures any device that makes use of a[n] electronic data processor, examples of which are legion." See United States v. Kramer, 631 F.3d 900, 902 (8th Cir.2011) (identifying "MP3 players, refrigerators, heating and air-conditioning units," among others, as examples); see also United States v. Nosal, 844 F.3d 1024, 1032 n. 2, 2016 WL 7190670, at *5 n. 2 (9th Cir. 2016) (Nosal II) (CFAA applies to "computer networks, databases, and cell phones") (collecting cases); United States v. Mitra, 405 F.3d 492, 495 (7th Cir.2005) ("devices with embedded processors and software are [also] covered").
Moreover, "[i]ndividuals other than the computer's owner" may bring an action under the CFAA because they "may be proximately harmed by unauthorized access, particularly if they have rights to data stored on [the computer]." Theofel v. Farey-Jones, 359 F.3d 1066, 1078 (9th Cir. 2004) (emphasis added) ("district court erred by reading an ownership or control requirement into the Act," leading it to erroneously dismiss CFAA claim "on the theory that the Act does not apply to unauthorized access of a third party's computer"); Mitra, 405 F.3d at 495 ("devices
In this case, the evidence adduced at the hearing revealed that a Phillips-branded MRI machine consists of three components: (1) the operator's console, where the machine's Host Computer is located; (2) the admission room, where the machine's magnet is located and the patient is placed; and (3) the technical room, where the machine's equipment is housed. Because the MRI machines are equipped with an actual computer that controls the operation of the machine, these devices are within the ambit of the CFAA. And this is so even though the hardware is owned by the Hospital and Medical X-Ray because "[i]ndividuals other than the computer's owner may be proximately harmed by unauthorized access ... if they have rights to data stored on [the computer]" — as is the case with Phillips's CSIP Tool, which is embedded on a customer's Host Computer. See Theofel, 359 F.3d at 1078. Thus, Philips will likely be able to show that a computer was involved in the alleged CFAA violation.
The Act defines a "protected computer" as a computer "which is used in or affecting interstate or foreign commerce or communication ...." 18 U.S.C. § 1030(e)(2)(B). This broad definition of "protected computer" — a computer affected by or involved in interstate commerce — effectively includes "all computers with Internet access." United States v. Nosal, 676 F.3d 854, 859 (9th Cir.2012) (Nosal I)(en banc); see also United States v. Valle, 807 F.3d 508, 523 (2d Cir.2015) (same); United States v. Yucel, 97 F.Supp.3d 413, 419 (S.D.N.Y.2015) (collecting cases) (under the CFAA, "[a]ny computer that is connected to the internet is... part of a system that is inexorably intertwined with interstate commerce") (internal quotations and omitted). And as the Seventh Circuit has explained, "the statute does not ask whether the person who caused the damage acted in interstate commerce; it protects computers (and computerized communication systems) used in such commerce, no matter how the harm is inflicted. Once the computer is used in interstate commerce, Congress has the power to protect it from a local hammer blow, or from a local data packet that sends it haywire." Mitra, 405 F.3d at 496 (emphasis in original).
In this case, Sakuyoshi testified that the MRI machines are equipped with an Ethernet card and a Router that connect the machines to the Internet. This Internet connection permits Phillips to access the MRI machines' computers from a remote location. Sakuyoshi testified, for example, that in October 2014 he remotely accessed Medical X-Ray's MRI machine after receiving a call from a field service engineer who was having difficulty resolving an issue with the machine. There was also testimony to the effect that the Hospital's MRI machine was connected to the Internet until shortly before the preliminary injunction hearing, as that computer's connection to the Internet had been severed. Thus, Phillips-PR can likely establish that a "protected computer" was involved in the alleged CFAA violation.
2. Intentionally Accessed
The statute requires that the defendant "intentionally" access a computer. 18 U.S.C. § 1030(a)(2)(C). The plain language of § 1030(a)(2)(C), as well as its legislative history, indicates that it does not seek to punish those "who inadvertently stumble into someone else's computer file or computer data, which [may be] particularly
In this case, the logs for the MRI machines reveal that they were locally — rather than remotely — accessed multiple times by someone who was using Bracero's login credentials. That it was necessary to circumvent Phillips's security tools in order to access the CSIP Tool indicates that the conduct was intentional and could not have come about inadvertently. And while defendants' counsel homed in on the fact that only Bracero's unique identification number was displayed in the logs, there was some evidence at the hearing from which it can be inferred that Toro and Sumpter likely accessed the CSIP Tool.
As an initial matter, Sakuyoshi and Burgess provided testimony to the effect that the MR Response Generator Tool and Bracero's login credentials could be transferred to other persons. Moreover, Torres — the director of the radiology department at the Hospital — testified that he knew all of GIS's employees who serviced the department's MRI machine. He testified that since February 2012, GIS has serviced the Hospital's Phillips-branded MRI machine and that the machine is presently serviced by "GIS Corporate." Since that time period, he has seen Sumpter, Toro, and their workers service the machine. However, Torres's testimony was to the effect that he has not seen a person named Bracero servicing the machine — as he is familiar with all the persons who service the machine and a person named Bracero has not been one of them.
Moreover, it is uncontested that GIS, which is spearheaded by Toro, and General Imaging, which is led by Sumpter, have treated their inventory and service contracts interchangeably. In light of this arrangement, both companies have provided service to the Hospital's MRI machine. It is also uncontested that Bracero was working for GIS, either on a contract basis or as an employee, and that his login credentials were used to access the CSIP Tool. Because Phillips will likely be able to show that GIS and General Imaging had someone in their employ use Bracero's login credentials to hack into the CSIP Tool for the benefit of these two companies, they are also liable. See Butera & Andrews v. Int'l Bus. Machines Corp., 456 F.Supp.2d 104, 113 (D.D.C.2006) (all the cases under the CFAA where vicarious liability was found "involve intentional conduct that was directed or approved by the corporate defendant in order to gain an unfair business advantage at the expense of a competitor.") (collecting cases). And the foregoing is particularly so because Toro and Sumpter were former employees of Phillips-PR who signed the confidentiality and nondisclosure agreement and likely knew the wrongfulness of having GIS and General Imaging use Bracero's deactivated login credentials to access the CSIP Tool.
3. Without Authorization
or Exceeding Authorized Access
As the Supreme Court recently explained, § 1030 (a)(2)(C) "provides two
"Over the past fourteen years, six ... circuits have wrestled with the question" of properly interpreting "without authorization" and "exceeds authorized access," both of which appear more than once in the CFAA, as well as with explaining the relationship between the two statutory phrases. See Valle, 807 F.3d at 524. Circuit courts have not agreed as to the circumstances in which a defendant "exceeds authorized access," but the First Circuit has held that an employee "likely" exceeds authorized access if he violates an employer's confidentiality agreement. See EF Cultural Travel I, 274 F.3d at 581-84 (former employees who violated confidentiality agreements "likely" exceeded authorized access); see also Nosal II, 844 F.3d at 1036 n. 11, 2016 WL 7190670, at *8 n. 11 (collecting cases).
The Second Circuit recently clarified the distinction between the two phrases, explaining that "because `without authorization' most naturally refers to a scenario where a user lacks permission to access the computer at all, one sensible reading of the statute is that `exceeds authorized access' is complementary, referring to a scenario where a user has permission to access the computer but proceeds to `exceed' the parameters of authorized access by entering an area of the computer to which his authorization does not extend." Valle, 807 F.3d at 524-525 ("the legislative history consistently characterizes the evil to be remedied — computer crime — as `trespass' into computer systems or data, and correspondingly describes `authorization' in terms of the portion of the computer's data to which one's access rights extend.").
The Ninth Circuit (en banc) had previously offered a similar explanation: "it is possible to read both prohibitions as applying to hackers: `Without authorization' would apply to outside hackers (individuals who have no authorized access to the computer at all) and `exceeds authorized access' would apply to inside hackers (individuals whose initial access to a computer is authorized but who access unauthorized information or files)." Nosal I, 676 F.3d at 858; see also Valle, 807 F.3d at 525 (one of the legislative history reports "described one instance of `computer crime' in which an individual `stole confidential software by tapping into the computer system of a previous employer from [the] defendant's remote terminal.'") (quoting H.R.Rep. No. 98-894, at 3691-92).
Both the "without authorization" and "exceeds authorized access" prongs of § 1030(a)(2) require the court to determine whether the defendant had some sort of authorization. See 18 U.S.C. § 1030(a)(2)(c). "Implicit in the definition of authorization is the notion that someone,
Power Ventures, Inc., 844 F.3d at 1068, 2016 WL 7190690, at *7. And in addition to obtaining authority to access from a proper person or entity, the grant of access must also be validly granted by that person or entity. See Theofel, 359 F.3d at 1078 (rejecting argument that NetGate, a third-party, "authorized" defendants' access to plaintiffs' information on NetGate's server because defendants had gained that consent by engaging in conduct analogous to the common-law tort of trespass).
In this case, defendants have suggested that because Medical X-Ray and the Hospital granted them access to the Host Computer, any hacking into the proprietary CSIP Tool does not violate the CFAA. As an initial matter, it bears repeating that "[i]ndividuals other than the computer's owner may be proximately harmed by unauthorized access, particularly if they have rights to data stored on it." Theofel, 359 F.3d at 1078. But "Theofel is silent with respect to the ... issue of whether a licensee can consent to give access to the licensed information to another," and at least one court has adopted "the basic premise that a defendant's deceitful conduct can vitiate consent or authorization by a licensee." ATPAC, Inc. v. Aptitude Sols., Inc., No. CIV. 2:10294WBSKJM, 2010 WL 1779901, at *6 (E.D.Cal. Apr. 29, 2010).
Having adopted this position, the ATPAC court reasoned that "[t]he door remains open for third-parties to be liable under the CFAA for accessing software programs held on a licensee's computers or servers where the defendant engages in the kind of fraudulent conduct that was present in State Analysis." ATPAC, 2010 WL 1779901, at *6. In State Analysis, the defendant used subterfuge, which consisted of "using user names and passwords that did not belong to it," in order to access the plaintiff's proprietary information. State Analysis, Inc. v. Am. Fin. Servs. Assoc., 621 F.Supp.2d 309, 316 (E.D.Va.2009). Likewise, another court has held that the CFAA's "`exceeds authorized access' [language] is broad enough" to encompass situations "where people with some authorized access enter into an area of a computer" — such as "a protected software program not owned, but merely licensed, by the owner of the computer" — in order to "decode" the software and "steal its capacity." Workgroup Tech. Partners, Inc. v. Anthem, Inc., No. 2:15-CV-00002-JAW,
In this case, the evidence received during the hearing revealed that: (1) the Hospital and Medical X-Ray owned the hardware (i.e., the MRI machines and the Host Computers); (2) the Hospital and Medical X-Ray permitted defendants to use the Host Computers; (3) the Hospital and Medical X-Ray did not know how to access or use the CSIP Tool; (4) the software licensing that accompanied the sale of the MRI machines did not extend to programs like the CSIP Tool; (5) defendants, who were former employees of Phillips-PR, circumvented or spoofed Phillips's security solutions with Bracero's deactivated login credentials in order to access the CSIP Tool; and (6) none of the defendants had any authority whatsoever to access the CSIP Tool during the instances revealed by the MRI machines' logs.
Under these circumstances, Phillips-PR likely cannot establish that defendants accessed a protected computer "without authorization" — because this statutory phrase "most naturally refers to a scenario where a user lacks permission to access the computer at all." Valle, 807 F.3d at 524 (emphasis added). Sakuyoshi acknowledged during the hearing that non-Phillips representatives or the customer can do some of the servicing of the MRI machine so long as they are using the "Basic Level." Because it is uncontested that defendants were authorized by Medical X-Ray and the Hospital to access the Host Computers, and because defendants could have potentially used the "Basic Level" to service the MRI machines, Phillips-PR likely cannot show that the Host Computers were accessed "without authorization." Finding to the contrary, as Phillips-PR has previously urged, would (1) collapse any meaningful distinction between the statutory phrases "without authorization" and "exceeds authorized access," and (2) permit a tech-savvy purchaser of a Phillips-branded MRI machine to be liable under the CFAA for servicing his own MRI machine using the Basic Level.
On the other hand, Phillips-PR will likely be able to show that defendants exceeded any authorized access they obtained from Medical X-Ray and the Hospital. To explain why this is so, I borrow a modified version of the Ninth Circuit's analogy in Power Ventures: while the defendants in this case likely had permission to enter the bank's premises (i.e., the computer), that permission did not allow the defendants to pry open the bank's safe deposit boxes and peruse through or use other people's prized belongings (i.e., Phillips's CSIP Tool). See Power Ventures, Inc., 844 F.3d at 1068-69, 2016 WL 7190690, at *7. Put another way, while defendants likely had some authority to access the computer (which they obtained from Medical X-Ray and the Hospital), they likely exceeded that authority by hacking into proprietary software — the CSIP Tool (where Phillips maintains proprietary data and files) — without any authorization whatsoever from Phillips. See Valle, 807 F.3d at 525; Power Ventures, Inc., 844 F.3d at 1068-69, 2016 WL 7190690, at *7; ATPAC, 2010 WL 1779901, at *6; Anthem, Inc., 2016 WL 424960, at *24.
To be sure, there is some authority that arguably supports defendants' position. See MCS Services., Inc., 748 F.Supp.2d at 487. In MCS, the plaintiff, Océ North America, Inc. ("Océ"), designed, manufactured, sold, and serviced "high volume production printing systems (PPS) for commercial printing functions." Id. at 483. Océ employed Brian DeFazio, George Ulmer, and Lionel Verrette as field engineers, in which capacity they serviced the printing systems and accessed the plaintiffs proprietary software. Id. To work as field engineers, they signed confidentiality
Under these circumstances, the MCS court dismissed Océ's CFAA claim, holding that "[p]laintiff has not demonstrated that Defendants' access of the laptops or printers was unauthorized, and there is no CFAA violation regardless if Plaintiff permitted them to use its software." Id. at 487. The court reasoned that while a plaintiff need not own the computer to assert a CFAA violation, "Theofel does not vitiate... the need for the access to the computers to be unauthorized by whoever controlled such access." Id. And while the plaintiff had alleged "that its software was accessed on laptops and printers," the court further reasoned that there were no allegations in the complaint "that the owners of the laptops and printers, or other person with the requisite authority, denied access such that Defendants' access was unauthorized or in excess of its authorization." Id. (emphasis added). And this was particularly so because "most of the laptops and printers alleged to have been accessed belonged to MCS or its employees." Id.
The MCS court, relying on intra-court authority, has effectively held that the requisite authority is always held by the owner of the computer. See MCS, 748 F.Supp.2d at 487 ("there is no CFAA violation regardless if Plaintiff permitted [defendants] to use its software" in the computers owned by MCS and its employees); see also Role Models Am., Inc. v. Jones, 305 F.Supp.2d 564, 567 (D.Md.2004) (even if NSU had actively retrieved or "accessed" the information from the principal's computer, rather than passively receiving it from the principal, it was the principal's computer and it was his authorization that was relevant). The MCS court's approach is in tension with the approach followed by ATPAC and Anthem. See Anthem, Inc., 2016 WL 424960, at *24; ATPAC, 2010 WL 1779901, at *6.
In determining whether Phillips-PR is likely to succeed on the merits, this court should follow the reasoning of cases like ATPAC because they are more in keeping with the intent of the CFAA. As an initial matter, the MCS court's approach implicitly ties ownership of the computer to the authority to give access to both the computer itself and any data or files stored therein — regardless of whether the owner of the computer has any authority to access the data or files. See MCS, 748 F.Supp.2d at 487. This approach strays from the meaning Congress sought to give to the term "authorization." See Valle, 807 F.3d at 524-525 ("the legislative history... describes `authorization' in terms of the portion of the computer's data to which one's access rights extend."); see also Power Ventures, Inc., 844 F.3d at 1068-69, 2016 WL 7190690, at *7 (to act lawfully, defendant "needed authorization both from individual Facebook users (who controlled their data and personal pages) and from Facebook (which stored this data on its physical servers)") (emphases added).
The MCS court's approach also forecloses relief to a plaintiff proximately
Moreover, while the contours of the CFAA have developed significantly since EF Cultural Travel I, this court is ultimately bound by that case. 274 F.3d at 583-84. In EF Cultural Travel I, the First Circuit held that former employees who violated confidentiality agreements "likely" exceeded authorized access "by providing proprietary information and know-how to" the plaintiffs competitor in order to create "the scraper," a tool that mined the plaintiffs website for information. 274 F.3d at 583-84. Based on the evidence adduced at the hearing, Phillips-PR will likely be able to show that Toro and Sumpter — both of whom signed agreements with a confidentiality and nondisclosure clause — breached agreements with Phillips-PR by using confidential information and trade secrets to access the CSIP Tool after ending their employment with Phillips-PR. Thus, the court should find that Phillips-PR will likely be able to show that defendants exceeded any authorized access they had.
4. Information & Loss
Section 1030(a)(2) requires that the defendant obtain "information." 18 U.S.C. § 1030(a)(2)(C). Phillips-PR will likely be able to establish that defendants obtained information as a result of their access to the CSIP Tool. Sakuyoshi testified that CSIP Levels 0, 1, and 2 contain proprietary information that is not available to the public. And the logs from the MRI machines reveal that this information was accessed multiple times from the MRI machines. Thus, Phillips-PR will likely be able to establish this element.
Turning to the loss element, defendants suggest that the plaintiff must show damage and loss to maintain an action under § 1030(a)(2)(C). Docket No. 53 at 18. While § 1030(a)(5)(C) requires that a plaintiff show damage, § 1030(a)(2)(C) does not. See Register.com, Inc. v. Verio, Inc., 356 F.3d 393, 439 (2d Cir.2004). Loss "of at least $5,000 in value to one or more persons during any one-year period" is sufficient to maintain an action under § 1030(a)(2)(C). See EquipmentFacts, LLC, 774 F.3d at 1072; 18 U.S.C. § 1030(c)(4)(A)(i)(I). The CFAA defines loss as "any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service." 18 U.S.C. § 1030(e)(11) (emphasis added).
As one court has noted, "the meaning of `loss,' both before and after the term was defined by statute, has consistently meant a cost of investigating or remedying damage to a computer, or a cost incurred because the computer's service was interrupted." Nexans Wires S.A. v. Sark-USA, Inc., 319 F.Supp.2d 468, 475 (S.D.N.Y. 2004), aff'd, 166 Fed.Appx. 559 (2d Cir.
EF Cultural Travel I, for example, was decided before the term "loss" was defined by the CFAA, and the First Circuit held that the plaintiff "unquestionably suffered a detriment and a disadvantage by having to expend substantial sums to assess the extent, if any, of the physical damage to their website caused by [defendants'] intrusion." 274 F.3d at 585 (emphasis added). In so holding, that court further explained: "That the physical components were not damaged is fortunate, but it does not lessen the loss represented by consultant fees." Id.
In this case, Burgess testified that Phillips-PR had paid ERM $6,000 to investigate the breaches into the protected information contained within the CSIP Tool. Sakuyoshi also relayed that he and other employees of Phillips have spent many, many hours attempting to determine how the breaches occurred. This evidence makes it likely that Phillips-PR will be able to establish the loss element. See SuccessFactors, Inc. v. Softscape, Inc., 544 F.Supp.2d 975, 981 (N.D.Cal.2008) ("where the offender has actually accessed protected information, discovering who has that information and what information he or she has is essential to remedying the harm" and so such efforts are considered "to be part of the loss for purposes of the CFAA").
Moreover, because the Act protects "any victim," 18 U.S.C. § 1030(e)(11), Phillips's efforts can reasonably be characterized as attempts to determine whether it had been a victim of the hacking, particularly because Phillips was connected to the MRI machines via the Internet. See United States v. Millot, 433 F.3d 1057, 1061 (8th Cir.2006) ("Although the damage was done to the Aventis computer system, the statute does not restrict consideration of losses to only the person who owns the computer system, and the district court properly instructed the jury to consider losses sustained by IBM in determining whether the statutory minimum was met."); In re DoubleClick Inc. Privacy Litig., 154 F.Supp.2d 497, 521 (S.D.N.Y.2001) (legislative history makes "clear that Congress intended the term `loss' to target remedial expenses borne by victims that could not properly be considered direct damage caused by a computer hacker"). Thus, the court should find that Phillips-PR will likely be able to establish that it suffered loss of at least $5,000 during a one-year period.
B. Remaining Factors
In addition to establishing a likelihood of success on the merits, Phillips-PR must also establish that it is likely to suffer irreparable harm in the absence of preliminary relief, that the balance of equities tips in its favor, and that an injunction is in the public interest. Winter, 555 U.S. at 20, 129 S.Ct. 365. Based on the evidence submitted at the hearing, the court should find that Phillips-PR is able to establish each of the remaining factors.
Phillips-PR is likely to suffer irreparable harm in the absence of the injunction for several reasons. First, Sakuyoshi testified that Phillips has not found a solution to prevent the breaches into the CSIP Tool and may have to consider other options to resolve the problem, such as removing the MR Response Generator Tool. The extent of damages that would result from such an action are likely difficult to quantitate, and irreparable harm may be found in such circumstances. See, e.g., Register.com, 356 F.3d at 404. Phillips-PR
Under the third factor, the court must balance "the hardship that will befall the nonmovant if the injunction issues... with the hardship that will befall the movant if the injunction does not issue." Mercado-Salinas v. Bart Enterprises Intern., Ltd., 671 F.3d 12, 19 (1st Cir. 2011). If the injunction is granted, defendants will be prevented from accessing the CSIP Tool and, therefore, may lose business because their clients depended on them to provide services that require the use of the CSIP Tool. On the other hand, if the injunction is not issued, Phillips-PR will continue to have its proprietary information available for defendants' use. Because Phillips-PR ultimately owns the information stored in the CSIP Tool and defendants do not suggest that they are somehow entitled to access that information, the balance of the equities tips in favor of granting the injunction. And this is particularly so because defendants may continue doing business so long as they do not breach into access-restricted areas of Phillips-branded medical equipment.
The public interest that is referred to under the fourth factor refers to "the public interest in the issuance of the injunction itself." Braintree Labs., Inc. v. Citigroup Global Markets, Inc., 622 F.3d 36, 45 n.8 (1st Cir.2010). This factor tips in Phillips-PR's favor because defendants have accessed Phillips's proprietary information and "Puerto Rico has a strong public interest in preserving the rights of its citizens against the misappropriation and misuse of their property." Am. Health, Inc. v. Chevere, No. CIV 12-1678 PG, 2013 WL 5297295, at *7 (D.P.R. Sept. 19, 2013). Indeed, the issuance of the preliminary injunction will serve the public interest by ensuring that proprietary software is not breached in order to provide the defendant with proprietary information that the plaintiff has expended time, money, and resources to develop. Because Phillips-PR has demonstrated that each of the preliminary injunction factors weigh in its favor, the court should grant injunctive relief per § 1030(g) of the CFAA.
II. Trade Secret Protection Act
Phillips-PR also moved for a preliminary injunction under the Trade Secret Protection Act. Puerto Rico's Trade Secret Protection Act provides that "[a]ny natural or juridical person who misappropriates a trade secret shall be held accountable for any damages caused to its owner." P.R. Laws Ann. tit. 10, § 4134. The Trade Secret Protection Act also permits the court to grant injunctive relief: "In all cases in which it is proven that an industrial or trade secret has been misappropriated, the court may issue a preliminary injunction order, for which the plaintiff shall not be under the obligation to prove irreparable
As an initial matter, defendants provided no argument as to why a preliminary injunction should not be granted under the Trade Secret Protection Act. Even if they had, there was sufficient evidence adduced at the hearing to prove that defendants are misappropriating trade secrets and confidential information. As explained above, there is some evidence that defendants have accessed CSIP Levels 0, 1, and 2 in the MRI machines belonging to the Hospital and Medical X-Ray. Toro and Sumpter each signed an agreement with a confidentiality and nondisclosure provision that prohibited them from using Phillips's confidential information or trade secrets after their employment. The evidence at the hearing was to the effect that Toro and Sumpter have created companies — GIS and General Imaging — that compete against Phillips-PR and use trade secrets developed by Phillips. Thus, Puerto Rico's Trade Secret Protection Act provides an alternative basis for granting injunctive relief to Phillips-PR, and the court should grant that relief.
For the foregoing reasons, the court should
This report and recommendation is filed pursuant to 28 U.S.C. § 636(b)(1)(B) and Rule 72(d) of the Local Rules of this Court. Any objections to the same must be specific and must be filed with the Clerk of Court
In San Juan, Puerto Rico, this 15th day of August 2016.