Opinion
Cause No. 1:06-CV-00173.
October 12, 2006
OPINION AND ORDER
This matter is before the court on the Motion to Dismiss Claims of Negligence, Criminal Mischief, and Violation of 18 U.S.C. § 1030 filed on July 17, 2006, by Plaintiff/Counterclaim Defendant Medical Informatics Engineering, Inc. ("MIE"). Defendant/Counterclaim Plaintiff and Third Party Plaintiff Orthopaedics Northeast, P.C. ("ONE"), filed a response in opposition to the motion on August 9, 2006, and MIE filed a reply on August 24, 2006.
The court granted ONE and MIE a brief extension of time within which to file their respective response and reply.
Defendants/Counterclaim Plaintiffs and Third Party Plaintiffs Todd Plesko and triPRACTIX, LLC ("TPX"), filed a response to MIE's motion to dismiss on August 9, 2006, clarifying that neither of them advanced claims of negligence, criminal mischief, or computer hacking against MIE. On August 24, 2006, MIE filed a separate reply to Plesko's and TPX's response.
For the reasons discussed in this Order, MIE's Motion to Dismiss Claims of Negligence, Criminal Mischief, and Violation of 18 U.S.C. § 1030 will be DENIED.
I. FACTUAL AND PROCEDURAL BACKGROUND
For purposes of its review of MIE's motion to dismiss, the court assumes the truth of all well-pled allegations and draws all reasonable inferences in the light most favorable to ONE. Pearman v. Norfolk W. Ry. Co., 939 F.2d 521, 522 (7th Cir. 1991); Norris v. Wirtz, 719 F.2d 256, 258 (7th Cir. 1983).
ONE is a medical practice group specializing in orthopedic services. MIE sells and supports software products and provides a telecommunications network for the transmission of health information and medical practice data. On October 24, 2004, ONE and MIE entered into a License Agreement, which allowed ONE to use certain software known as "WebChart" that electronically stores medical records. On that same day, the parties also entered into a Maintenance and Support Agreement ("MSA") that obligated MIE to support WebChart for ONE.
Three months after entering into the agreements with MIE, ONE began constructing three wireless towers in Fort Wayne. Shortly thereafter, ONE began to evaluate different software packages in an effort to, among other things, improve its use and storage of medical records. By June 2005, ONE had evaluated twenty-three software packages, including WebChart. WebChart, however, was not ultimately selected by ONE.
Upon hearing that ONE had rejected WebChart, Doug Horner, the President of MIE, contacted ONE to express his disappointment concerning MIE's loss of such a large and valuable customer. Numerous times thereafter, Horner requested additional meetings with various ONE physicians and managers to further express his disappointment. Horner's meetings and communications, however, were to no avail, as ONE did not change its decision. As a result, Horner became increasingly upset.
Apparently, Horner's discontent was fueled by his belief that ONE, or certain employees thereof, were plotting to compete with MIE in the telecommunications industry. Horner's resentment ultimately culminated in his making purported "threats" to ONE. More specifically, at one point Horner allegedly stated that he "intended to keep ONE's technology employee Todd Plesko and his crew busy supporting WebChart rather than trying to steal MIE's customers." (ONE Countercl. ¶ 13.)
Ultimately, on November 1, 2005, MIE terminated the MSA effective November 30, 2005. In light of the MSA's termination and Horner's "threats," ONE installed a firewall to prevent MIE and others from entering its computer network.
Eventually, Horner purportedly decided to make good on his "threats" to ONE. More specifically, between December 6, 2005, through January 16, 2006, MIE allegedly "undertook an unlawful campaign to access ONE's computer network for the purpose of disrupting ONE's network and business operations," which resulted in MIE allegedly accessing ONE's computer network on ten different occasions "without permission and without right to do so," causing deliberate damage on at least three of these occasions. (ONE Countercl. ¶¶ 15, 19.)
For example, on December 31, 2005, MIE purportedly accessed ONE's network "through two other medical providers' networks in an attempt to conceal MIE's identity," making a change to the software that prevented a patient's chart from being ready at the time of his or her appointment. (ONE Countercl. ¶ 16.) Likewise, on January 6, 2006, MIE allegedly accessed ONE's network through two different medical providers' systems, this time making a change to significantly slow the retrieval of medical records. Similarly, on January 15, 2006, Horner purportedly accessed ONE's network, effecting a change that caused the system's printing functions to fail. On each of these occasions, ONE secured TPX's assistance to remedy the computer network problems allegedly caused by MIE.
On November 11, 2005, TPX was formed. TPX is owned by certain shareholders of ONE and Todd Plesko, the Chief Executive Officer of MIE and past Chief Information Officer of ONE. Not long after its formation, TPX purchased the assets of another telecommunications company, Physcal Practice Management. By February 2006, TPX had begun to offer for sale computer software usable by the physician practice community. Apparently, ONE promptly became a customer of TPX, as TPX reported to third parties that it had transferred all of ONE's documents from WebChart to software that TPX was offering for sale.
Ultimately, on April 25, 2006, MIE filed a complaint with this court against ONE, TPX, Plesko, and Raymond Kusisto, the Chief Executive Officer of ONE, advancing claims of copyright infringement, breach of contract, criminal mischief, defamation, trade secret misappropriation, and tortious interference with a business relationship. In response, on June 14, 2006, ONE asserted counterclaims of computer hacking, criminal mischief, breach of contract, and negligence against MIE.
On that same day, ONE and Kusisto filed a separate counterclaim and third party claim against MIE and Horner, asserting that MIE and Horner had made defamatory statements about ONE and Kusisto. Not long thereafter, TPX and Plesko also filed a counterclaim and third party claim alleging defamation against MIE and Horner. The defamation claims brought by ONE, Kusisto, TPX, and Plesko are the subject of a separate motion to dismiss filed by MIE and Horner on July 17, 2006, and will be addressed in a separate order.
In addition, TPX advanced a counterclaim of tortious interference against MIE, which is not subject to either of MIE's motions to dismiss.
On July 17, 2006, MIE filed the instant motion to dismiss the counterclaims of negligence, criminal mischief, and computer hacking advanced by ONE.
II. STANDARD OF REVIEW
A complaint should not be dismissed for failure to state a claim unless it appears that the plaintiff can prove no set of facts which would support his claim for relief. Kelley v. Crosfield Catalysts, 135 F.3d 1202, 1205 (7th Cir. 1998). In determining the propriety of dismissal under Rule 12(b)(6) of the Federal Rules of Civil Procedure, the court must "accept as true all well-pled factual allegations in the complaint and draw all reasonable inferences therefrom in favor of the plaintiff." Perkins v. Silverstein, 939 F.2d 463, 466 (7th Cir. 1991). The purpose of the motion to dismiss is to test the legal sufficiency of the complaint and not to decide the merits. Triad Assocs., Inc. v. Chicago Hous. Auth., 892 F.2d 583, 586 (7th Cir. 1989), abrogated on other grounds by, Bd. of County Comm'rs, Wabaunsee County, Kansas v. Umbehr, 518 U.S. 668 (1996). "If it appears beyond doubt that plaintiffs can prove any set of facts consistent with the allegations in the complaint which would entitle them to relief, dismissal is inappropriate." Perkins, 939 F.2d at 466.
III. DISCUSSION
MIE contends that ONE's counterclaims of negligence, criminal mischief, and violation of 18 U.S.C. § 1030 (fraud and related activity in connection with a computer) fail to state a claim upon which relief may be granted and thus should be dismissed as a matter of law. While the court will consider each claim in turn, MIE fails to provide any persuasive basis upon which to grant its motion to dismiss.
A. ONE's Negligence Claim Will Not Be Dismissed
MIE first asserts that the facts alleged by ONE in its counterclaim indicate that ONE cannot establish one of the elements of negligence — that MIE owed a duty to ONE. MIE's argument, however, reaches the wrong conclusion because it fails to perform a complete analysis to determine whether a duty may exist under the circumstances presented.
The tort of negligence is comprised of three elements: (1) a duty of to conform to a particular standard of conduct owed to the plaintiff by the defendant; (2) a breach of that duty; and (3) injury to the plaintiff proximately caused by the breach. Paniaguas v. Endor, Inc., 847 N.E.2d 967, 970 (Ind.Ct.App. 2006); Pelak v. Indiana Indus. Servs., Inc., 831 N.E.2d 765, 769 (Ind.Ct.App. 2005); City of Muncie v. Weidner, 831 N.E.2d 206, 211 (Ind.Ct.App. 2005). Whether a duty exists is a question of law for the court to decide and involves the balancing of three factors: "(1) the relationship between the parties, (2) the reasonable foreseeability of harm to the person injured, and (3) public policy concerns." Paniaguas, 847 N.E.2d at 970; see also Guy's Concrete, Inc. v. Crawford, 793 N.E.2d 288, 295 n. 4 (Ind.Ct.App. 2003). "Imposition of a duty is limited to those instances where a reasonably for[e]seeable victim is injured by a reasonably for[e]seeable harm." Hawn v. Padgett, 598 N.E.2d 630, 632 (Ind.Ct.App. 1992); see also Paniaguas, 847 N.E.2d at 970; Guy's Concrete, 793 N.E.2d at 293. "Absent a duty, there can be no breach of duty and thus no negligence or liability based upon the breach." Peters v. Forster, 804 N.E.2d 736, 738 (Ind. 2004); see also Horine v. Homes by Dave Thompson, LLC, 834 N.E.2d 680, 683 (Ind.Ct.App. 2005).
In arguing that it owed no duty to ONE, MIE focuses exclusively on the first factor of the three-factor duty analysis — the relationship between the parties. It contends that since it terminated the MSA between the parties in November 2005, it "could owe no duty to ONE" in December 2005 and January 2006 when it purportedly accessed ONE's network and that therefore ONE's negligence claim should instantly collapse. (MIE's Reply at 3.) In reaching its desired conclusion, however, MIE fails to balance the three factors to determine whether a duty may exist in this type of circumstance. It is to this three-factor analysis that the court will now turn.
As to the first factor, MIE and ONE had a direct relationship derived from a contractual agreement between the parties. Compare Orkin Exterminating Co. v. Walters, 466 N.E.2d 55, 58 (Ind.Ct.App. 1984), abrogated on other grounds by, Mitchell v. Mitchell, 695 N.E.2d 920 (Ind. 1998) (acknowledging that a contractual relationship between the parties can give rise to a tort claim), with Williams v. Cingular Wireless, 809 N.E.2d 473, 477 (noting that no direct relationship existed to support a duty between a seller of cellular telephones and a victim of an accident caused by a driver who was talking on a cellular telephone). While MIE did indeed terminate the MSA in the month preceding the alleged hacking, it may be significant that certain provisions of the License Agreement and MSA, such as confidentiality, indemnification, and warranty, expressly survive the agreements' termination, suggesting that the parties' relationship may not have been immediately extinguished upon termination of the agreements. Regardless, in light of the parties' recent contractual relationship, MIE was hardly a stranger to ONE at the time of the alleged hacking.
As to the second factor, it seems reasonably foreseeable that intentionally hacking into another party's computer network is likely to cause harm, whether through causing actual damage to the computer network itself or through inappropriately accessing confidential information. See Williams, 809 N.E.2d at 477 ("[T]he foreseeability component of duty requires a more general analysis of the broad type of plaintiff and harm involved, without regard to the facts of the actual occurrence."); see also Tibbs v. Huber, Hunt Nichols, Inc., 668 N.E.2d 248, 250 (Ind. 1996) ("To a great extent, duties are defined by the foreseeability of relevant harms.").
And, as to the third factor, it appears that imposing a duty of due care in this context would likely complement public policy concerns, as Indiana has enacted legislation specifically to prevent computer tampering and to protect the privacy of confidential health information. See, e.g., Ind. Code §§ 16-39-5-3, 24-4.8-2-2, 35-43-2-3; see generally Williams, 809 N.E.2d at 478 ("Various factors play into this policy consideration, including convenience of administration, capacity of the parties to bear the loss, a policy of preventing future injuries, and the moral blame attached to the wrongdoer.").
Upon balancing the three factors, it is evident at this stage of the proceedings that the recent contractual relationship between the parties, the reasonable foreseeability of the harm, and the public policy concerns could outweigh the fact that MIE had terminated the MSA by the time of the alleged hacking. Clearly, in light of the facts both pled and inferred, MIE's assertion that it "could owe no duty to ONE" is overreaching, as it is possible that "reasonable persons would recognize and agree that a duty exists" in this type of circumstance. Paniaguas, 847 N.E.2d at 970; Guy's Concrete, 793 N.E.2d at 293.
As a result, the court cannot conclude at this stage of the proceedings that ONE's negligence claim would fail as a matter of law, and thus MIE's motion to dismiss the claim will be denied.
B. ONE's Claim of Criminal Mischief Will Not Be Dismissed
MIE next asserts that ONE's statutory claim of criminal mischief under Indiana law should be dismissed because (1) ONE failed to allege that MIE committed deception, a required element of the claim, and (2) ONE failed to plead the claim with particularity. Contrary to MIE's contention, ONE has adequately identified a general outline of the alleged deception and thus has pled its criminal mischief claim with sufficient particularity.
To commit criminal mischief, one must "knowingly or intentionally cause another to suffer pecuniary loss by deception or by an expression of intention to injure another person or to damage the property or to impair the rights of another person." Ind. Code § 35-43-1-2(a)(2). "Because the statute is premised on a claim of knowing or intentional deception, it sounds in fraud, and thus is also subject to the specificity requirements of Rule 9(b)." ABN AMRO Mortgage Group, Inc. v. Maximum Mortgage, Inc., 429 F. Supp. 2d 1031, 1042 (N.D. Ind. 2006); see also Skywalker Commc'ns, Inc. v. Shiriaev, No. 1:00cv298, slip op. at 7 (N.D. Ind. Jan. 8, 2000). To plead a fraud claim with particularity, a complaint "must specify the identity of the person making the misrepresentation, the time, place, and content of the misrepresentation, and the method by which the misrepresentation was communicated to the plaintiff." Sears v. Likens, 912 F.2d 889, 893 (7th Cir. 1990).
In its first argument, MIE essentially attacks the "content" aspect of ONE's pleading, asserting that ONE failed "to allege what MIE said or did that could be considered deception." (Mem. of Law in Supp. of MIE's Mot. to Dismiss at 4.) In response, ONE points to the following sections of its counterclaim, contending that it "plainly and specifically alleged deception twice":
16. More particularly, on December 31, 2005, . . . MIE entered ONE's network. MIE's access was obtained through two other medical providers' networks in an attempt to conceal MIE's identity. . . .
17. After ONE was able to remedy this problem but would not reconsider its decision to drop MIE's WebChart, MIE decided to attack again. On January 6, 2006, MIE accessed ONE's network, again, through two different medical providers' systems.
(Countercl. ¶¶ 16, 17 (emphasis added).) In reply, MIE argues that this language in ONE's pleading is insufficient, asserting that "concealing one's identity is much different from a misrepresentation." (MIE's Reply at 4.)
The criminal mischief statute does not define the term "deception," and neither the parties' briefs, nor the court's independent research, reveal Indiana case law that defines the term as it is used in the criminal mischief statute. Thus, in advancing its argument, MIE relies upon a definition of "deception" from Black's Law Dictionary: "The act of deceiving; intentional misleading by falsehood spoken or acted. Knowingly and willfully making a false statement or representation, express or implied, pertaining to a present or past existing fact." Black's Law Dictionary 281 (6th ed. 1991); see generally State v. CSX Transp., Inc., 673 N.E.2d 517, 519 (Ind.Ct.App. 1996) (emphasizing that if the statute is not ambiguous, the court must "give effect to the plain, ordinary, and usual meaning of the words of the statute").
Here, ONE's assertion that MIE accessed its computer network "through two other medical providers' networks in an attempt to conceal MIE's identity" gives rise to the reasonable inference that MIE intentionally misrepresented itself while hacking into the network. See generally Hentosh v. Herman M. Finch Univ. of Health Sciences/Chicago Med. School, 167 F.3d 1170, 1173 (7th Cir. 1999) (emphasizing that when deciding a motion to dismiss the court must "draw all reasonable inferences in favor of the plaintiff"). Generally, accessing computers requires the entry of user names and passwords, which could arguably constitute a "representation."
A "representation" is defined as "any conduct capable of being turned into a statement of fact." Black's Law Dictionary 902 (6th ed. 1991).
Furthermore, in addition to making a misrepresentation, concealing a material fact under certain circumstances may also constitute deception. For example, a party may have a duty to disclose a material fact if the fact's omission causes a written statement to be misleading. See Concordia Theological Seminary, Inc. v. Henry, No. 1:05-CV-285, 2006 WL 1408385, at *2-3 (N.D. Ind. May 17, 2006). Likewise, the relationship between the parties, such as a contractual relationship between a buyer and a seller where the seller has superior knowledge, may invoke a duty of good faith and fair dealing, requiring the disclosure of material facts. See Am. United Life Ins. Co. v. Douglas, 808 N.E.2d 690, 701 (Ind.Ct.App. 2004). Therefore, ONE's allegation that MIE "attempt[ed] to conceal its identity" in accessing ONE's network adequately alleges the deception element of ONE's criminal mischief claim.
As to MIE's second argument, it fails as well, as ONE has pled the other aspects of the alleged deceptive scheme with sufficient particularity. It identified the "time" of the purported deception — December 6, 2005, through January 16, 2006, and suggested the "place" it was carried out — ONE's computer network. It also articulated the "method" through which it was accomplished — accessing of ONE's network through two different medical providers' networks. Taking this into account, ONE pled a "general outline" of the circumstances constituting the alleged deception sufficient to "reasonably notify" MIE of its claim. See Hirata Corp. v. J.B. Oxford Co., 193 F.R.D. 589, 592 (S.D. Ind. 2000) (quoting Midwest Grinding Co. v. Spitz, 976 F.2d 1016, 1020 (7th Cir. 1992)).
As a result, MIE's argument that ONE failed to allege the element of deception and plead its criminal mischief claim with particularity is unsuccessful. Thus, MIE's motion to dismiss ONE's criminal mischief claim will be denied.
C. ONE's Computer Hacking Claim Will Not Be Dismissed
Finally, MIE contends that ONE's federal statutory claim of computer hacking, 18 U.S.C. § 1030(a)(5), should be dismissed because ONE failed to allege in its complaint that MIE accessed a "protected computer," a required element of the claim. MIE's argument, however, does not warrant the dismissing of ONE's computer hacking claim, as it appears that ONE could prove that its "computer network" is a "protected computer."
Federal law makes a private cause of action available to persons who suffer damages or loss due to the intentional, unauthorized accessing of a "protected computer" by another party. 18 U.S.C. § 1030(a)(5), (g). A "protected computer" is defined as a computer that is "used in interstate or foreign commerce or communication. . . ." 18 U.S.C. § 1030(e)(2)(B).
In its motion, MIE contends that ONE's reference to its "computer network" in its pleading fails to satisfy the "protected computer" element of 18 U.S.C. § 1030. More particularly, MIE asserts that "no facts have been alleged that could support a claim that [ONE's] 'computer network' was involved in interstate commerce or communication. . . ." (Mem. of Law in Supp. of MIE's Mot. to Dismiss at 5.) While MIE does not dispute that the transmission of data via the internet could constitute interstate commerce, it argues that ONE never alleged that its computer network was used to transmit images over the internet, emphasizing that "[n]ot all computer networks are attached to the internet. . . ." (MIE's Reply at 9.) MIE further asserts, albeit somewhat tangentially, that ONE's representation in its pleading that ONE, Kusisto, TPX, and Plesko are all Indiana residents evidences ONE's failure to allege any facts that its computer network is used in interstate commerce.
In advancing its argument, MIE runs afoul of the basic premise of notice pleading, that "[a] complaint is not required to allege all, or any, of the facts logically entailed by the claim." Am. Nurses' Ass'n v. State of Illinois, 783 F.2d 716, 727 (7th Cir. 1986); see also Bennett v. Schmidt, 153 F.3d 516, 518 (7th Cir. 1998); Daniels v. USS Agri-Chems., 965 F.2d 376, 381 (7th Cir. 1992) (clarifying that "Indiana, like the federal courts, employs a system of 'notice' pleading"). Rather, "a complaint must identify the basis of jurisdiction and contain 'a short and plain statement of the claim showing that the pleader is entitled to relief.'" Bartholet v. Reishauer A.G. (Zurich), 953 F.2d 1073, 1077-78 (7th Cir. 1992) (quoting Fed.R.Civ.P. 8(a)). As emphasized supra, "[a] complaint may not be dismissed unless it is impossible to prevail 'under any set of facts that could be proved consistent with the allegations.'" Albiero v. City of Kankakee, 122 F.3d 417, 419 (7th Cir. 1997) (emphasis added) (quoting Hishon v. King Spalding, 467 U.S. 69, 73 (1984)).
Here, it is quite possible that ONE's computer network is used in interstate commerce or communication. For example, ONE may use the computer network to communicate with patients who are not residents of Indiana or to conduct business with non-resident suppliers. See generally Credentials Plus, LLC v. Calderone, 230 F. Supp. 2d 890, 906 (N.D. Ind. 2002) (concluding that a computer used to send and receive emails to customers in other states qualified as a "protected computer"). Likewise, ONE may use its computer network to transmit and download data from the internet, which may suggest use in interstate commerce. See, e.g., United States v. MacEwan, 445 F.3d 237, 244 (3rd Cir. 2006) ("[O]nce a user submits a connection request to a website server or an image is transmitted from the website server back to user, the data has traveled in interstate commerce."); United States v. Carroll, 105 F.3d 740, 742 (1st Cir. 1997); United States v. Smith, 47 M.J. 588, 592 (Navy Crim. Ct. App. 1997). Furthermore, as ONE asserts in its response brief, a computer network connected through telephone lines may also indicate use in interstate commerce. See generally United States v. Weathers, 169 F.3d 336, 341-42 (6th Cir. 1999) (concluding that the use of a cellular telephone constituted "use of an instrumentality in interstate commerce"); FTC v. Shaffner, 626 F.2d 32, 37 (7th Cir. 1980) (articulating that a telephone is an instrumentality of interstate commerce).
Thus, MIE's assertion that ONE failed to allege facts that could support its claim under 18 U.S.C. § 1030(a)(5) is unavailing, as it is possible that ONE can prove its computer network is a "protected computer" for purposes of 18 U.S.C. § 1030. Accordingly, MIE's motion to dismiss ONE's federal computer hacking claim will be denied.
Additionally, in MIE's reply to TPX's and Plesko's response, MIE requests that the court "enter an Order granting MIE's Motion to Dismiss all claims of criminal mischief and violation of 18 U.S.C. § 1030 that could be found to be alleged in TPX's counterclaim." (Reply in Supp. of Its Mot. to Dismiss TPX's and Plesko's Claims of Criminal Mischief and Violation of 18 U.S.C. § 1030 at 2.) However, it is clear from their pleading that neither TPX nor Plesko advanced claims of criminal mischief or computer hacking against MIE. Furthermore, TPX and Plesko admit in their response that neither party advanced these claims against MIE. Therefore, MIE's request to dismiss "all claims of criminal mischief and violation of 18 U.S.C. § 1030 that could be found to be alleged in TPX's counterclaim" is moot and will be denied.
IV. CONCLUSION
For the reasons stated herein, MIE's Motion to Dismiss Claims of Negligence, Criminal Mischief, and Violation of 18 USC § 1030 (Docket # 45) is DENIED.SO ORDERED.