United States District Court, D. Colorado
ORDER DENYING SECUREW2 B.V.'S RULE 12(b)(2) MOTION TO DISMISS AMENDED COMPLAINT, AND GRANTING IN PART AND DENYING IN PART ALL DEFENDANTS' RULE 12(b)(6) MOTION TO DISMISS AMENDED COMPLAINT
WILLIAM J. MARTÍNEZ, District Judge.
Plaintiff Cloudpath Networks, Inc. ("Cloudpath") sues various parties (collectively, "Defendants") for numerous causes of action related to alleged theft and misuse of Cloudpath's trade secrets. ( See ECF No. 37 (First Amended Complaint) ("FAC").) Currently before the Court is Defendant SecureW2 B.V.'s Motion to Dismiss Amended Complaint, arguing that this Court lacks personal jurisdiction over it ("Rule 12(b)(2) Motion"). (ECF No. 58.) Also before the Court is the remaining Defendants' Motion to Dismiss Amended Complaint, arguing that Cloudpath has failed to state a claim against them ("Rule 12(b)(6) Motion"). (ECF No. 40.) SecureW2 B.V. joins this motion to the extent its Rule 12(b)(2) Motion fails. (ECF No. 58 at 15.)
For the reasons explained below, the Court denies SecureW2 B.V.'s Rule 12(b)(2) Motion, finding that factual questions preclude a personal jurisdiction determination at this stage. The Court grants in part and denies in part the Rule 12(b)(6) Motion, dismissing with prejudice Cloudpath's claims under the Electronic Communications Privacy Act and Stored Communications Act, and dismissing with prejudice in part Cloudpath's claims under the Computer Fraud and Abuse Act.
Unless otherwise noted, the Court assumes the following allegations to be true for present purposes.
Cloudpath is a Colorado company that develops software permitting "users with mobile computing devices to connect seamlessly to secure networks via Wi-Fi or wired connections." (ECF No. 37 ¶¶ 6, 21-22.) In essence, Cloudpath is in the business of assisting organizations to enable secure network access on devices brought from outside the organization (such as an employee's smartphone or a student's laptop).
Beginning in October 2008, Defendant Kashyap and/or his wholly owned LLC, Defendant Basz Universal (collectively, "Kashyap"), became an independent sales representative for Cloudpath ( i.e., a non-employee sales agent). ( Id. ¶ 36.) In exchange for contractual agreements to maintain the confidential and proprietary nature of Cloudpath's trade secrets and to work exclusively on Cloudpath's behalf when it comes to selling and marketing software of the kind Cloudpath creates, Cloudpath granted Kashyap access to its trade secrets, including through login credentials to Cloudpath's secure servers. ( Id. ¶¶ 37-40, 54.)
Kashyap was also an independent sales representative for SecureW2 B.V. ("SecureW2"), a Dutch company that did not, at that time, have a competing product. ( Id. ¶¶ 7, 51-52.) SecureW2 was, rather, "a co-marketing and co-sales partner" with Cloudpath, and had executed a non-disclosure agreement, agreeing to protect Cloudpath's confidential information. ( Id. ¶ 49.)
As discussed further in Part II.B.1, below, the parties dispute the scope of this non-disclosure agreement. In any event, as early as January 2012, Kashyap and SecureW2 allegedly began conspiring to steal Cloudpath's trade secrets and thereby develop a competing product. ( Id. ¶¶ 53, 56.) SecureW2 indeed launched a competing product in June 2012. ( Id. ¶ 61.) Kashyap then notified Cloudpath that he was no longer associated with SecureW2, but he surreptitiously continued the conspiracy, including through allowing SecureW2 to use his Cloudpath login credentials to access Cloudpath's proprietary information. ( Id. ¶¶ 54-63.) Kashyap also began promoting SecureW2's product when approached by potential customers interested in Cloudpath's product. ( Id. ¶¶ 64-66.)
Kashyap ended his relationship with Cloudpath in March 2013. ( Id. ¶ 67.) Just before his departure, he tried to erase his Cloudpath e-mail account, although he was only partially successful. ( Id. ) In May 2014, Kashyap caused the incorporation of Defendant SecureW2, Inc. ("SecureW2-USA"), a Washington corporation and a wholly-owned subsidiary of SecureW2. ( Id. ¶¶ 3, 50, 71.)
Also in 2014, Kashyap and the SecureW2 entities managed to convince two Cloudpath employees, Defendants Grimm and Haney, to assist SecureW2 in its efforts to compete with Cloudpath. ( Id. ¶ 73.) In September 2014 or thereabouts, Grimm began preparing to leave Cloudpath for SecureW2-USA. ( Id. ¶ 75.) As part of his preparations, he downloaded substantial amounts of proprietary information and software code, deleted and corrupted sales leads and customer information, and deleted his Cloudpath e-mail account. ( Id. ¶¶ 77-78, 80-81.) He resigned abruptly on January 5, 2015, explaining that "he was starting employment at an oil and gas software company" the next day. ( Id. ¶ 82.) Instead, he began working for SecureW2-USA the next day (January 6), but continued to use his Cloudpath login credentials to access Cloudpath proprietary information on January 6 and 7. ( Id. ¶¶ 84-86.)
Haney was pursuing a similar course at this time. According to the FAC, he intentionally sabotaged Cloudpath's software bug reporting system and "launched a software program within the Cloudpath computer system for the express purpose of creating an unauthorized rogue wireless network that would allow surreptitious and unauthorized access." ( Id. ¶¶ 87-91.) He also gathered "all of Cloudpath's customer account information" from which he could "generate contact lists." ( Id. ¶ 92.) Like Grimm, Haney resigned on January 5, 2015, and then went to work for SecureW2-USA. ( Id. ¶¶ 87, 97.)
Cloudpath has lost at least twenty-six customers to SecureW2 or its affiliates on account of Defendants' conduct. ( Id. ¶ 161.) It has also incurred expenses "to investigate the activities of Grimm and Haney prior to their resignation[s], and to analyze their computer systems revealing the activities [described] above." ( Id. ¶ 101.)
II. RULE 12(b)(2) ANALYSIS
A. Legal Standard
The purpose of a motion to dismiss pursuant to Federal Rule of Civil Procedure 12(b)(2) is to test whether the Court has personal jurisdiction over the named parties. The Tenth Circuit has established a two-part test for personal jurisdiction: "First, we ask whether any applicable statute authorizes service of process on defendants. Second, we examine whether the exercise of statutory jurisdiction comports with constitutional due process demands." Dudnikov v. Chalk & Vermillion Fine Arts, Inc., 514 F.3d 1063, 1070 (10th Cir. 2008). "In a federal question case... [where] the federal statute at issue does not authorize nationwide service, personal jurisdiction is determined according to the law of the forum state." Impact Prods., Inc. v. Impact Prods., LLC, 341 F.Supp.2d 1186, 1189 (D. Colo. 2004).
Colorado's long-arm statute "confers the maximum jurisdiction permissible consistent with the Due Process Clause." Archangel Diamond Corp. v. Lukoil, 123 P.3d 1187, 1193 (Colo. 2005) (citing Colo. Rev. Stat. § 13-1-124). Thus, the Court need only address the constitutional question of whether the exercise of personal jurisdiction over the relevant defendant comports with due process. Dudnikov, 514 F.3d at 1070 (noting that the inquiry into whether any statute authorizes service of process "effectively collapses into the second, constitutional, analysis" in Colorado).
The plaintiff bears the burden of establishing personal jurisdiction over a defendant. Behagen v. Amateur Basketball Ass'n, 744 F.2d 731, 733 (10th Cir. 1984). When the district court does not hold an evidentiary hearing before ruling on jurisdiction, "the plaintiff need only make a prima facie showing" of personal jurisdiction to defeat a motion to dismiss. Id. A prima facie showing is made where the plaintiff has demonstrated facts that, if true, would support jurisdiction over the defendant. OMI Holdings, Inc. v. Royal Ins. Co. of Can., 149 F.3d 1086, 1091 (10th Cir. 1998). To defeat the plaintiff's prima facie case, a defendant "must present a compelling case demonstrating that the presence of some other considerations would render jurisdiction unreasonable." Id. (internal quotation marks omitted).
The Court will accept the well-pleaded allegations (namely, the plausible, nonconclusory, and nonspeculative facts) of the complaint as true to determine whether the plaintiff has made a prima facie showing that personal jurisdiction exists. Dudnikov, 514 F.3d at 1070. Any factual conflicts must be resolved in the plaintiff's favor. Wentz v. Memery Crystal, 55 F.3d 1503, 1505 (10th Cir. 1995).
B. Personal Jurisdiction Analysis
As noted, SecureW2 is a Dutch company. (ECF No. 37 ¶ 2.) Cloudpath's primary argument for personal jurisdiction over SecureW2 is that it contractually agreed to personal jurisdiction in Colorado. (ECF No. 64 at 3-7.) "[A] valid consent or a stipulation that the court has jurisdiction prevents the successful assertion of a Rule 12(b)(2) defense." 5B Charles Alan Wright et al., Federal Practice & Procedure § 1351 (3d ed., Apr. 2015 update) (" Wright & Miller "). The Court will therefore analyze the two contracts through which SecureW2 allegedly consented to personal jurisdiction in Colorado.
1. The MNDA
Cloudpath argues that SecureW2 "expressly submitted" to this Court's personal jurisdiction through a Master Non-Disclosure Agreement dated September 9, 2008 ("MNDA"). (ECF No. 37 ¶ 15.) MNDA § 14 states, in relevant part, that
all actions related hereto shall be governed by the laws of the State of Colorado, USA, excluding its choice of law principles. With respect to any action arising under or related to this Agreement, [SecureW2] hereby: (i) agrees that [it] has sufficient contacts with Colorado to subject it to the personal jurisdiction of the state and federal courts of Colorado;... (iii) waives and agrees not to assert any claim that: (a) it is not subject personally to the jurisdiction of the above-named courts....
(ECF No. 59-1 § 14.) Also relevant is MNDA § 17, which states that
[t]he obligations set forth herein shall apply until termination of this Agreement. Further[, ] the confidentiality obligations set forth herein shall remain in full force and effect for a period of five (5) years from the termination of this Agreement. Any causes of action accrued on or before such expiration shall survive the expiration of the applicable statute of limitations.
( Id. § 17.)
By way of employee declarations submitted in support of its Rule 12(b)(2) Motion, SecureW2 argues that it entered into the MNDA solely "to facilitate the negotiations... for a future referral agreement" which "never culminated, " and "[t]he last negotiations between [the two companies] related to the referral agreement occurred in late-spring 2009." (ECF No. 59-2 ¶¶ 13-16; ECF No. 66 ¶¶ 4-6.) SecureW2 therefore argues that the MNDA terminated in 2009, thus terminating the jurisdictional waiver.
Cloudpath responds that the purposes of the MNDA were broader than just a prospective referral relationship, and that neither it nor SecureW2 ever provided any indication to one another that the MNDA had been terminated. (ECF No. 64-1 ¶¶ 3-5.) Cloudpath argues, moreover, that the provision extending the MNDA's "confidentiality obligations" for five years after termination means that "the provisions related to enforcing the MNDA, including personal jurisdiction, must also have survived termination for at least the same five-year period." (ECF No. 64 at 5-6.)
Cloudpath raises a question of contract interpretation under Colorado law, which is usually a question of law for the Court. See, e.g., Ad Two, Inc. v. City & Ctny. of Denver ex rel. Manager of Aviation, 9 P.3d 373, 376 (Colo. 2000). The Court's primary task in this regard is to "interpret the agreement in a manner that best effectuates the intent of the parties." Allen v. Pacheco, 71 P.3d 375, 378 (Colo. 2003). Intent is usually discerned "from the language of the instrument itself." Ad Two, 9 P.3d at 376. Indeed, "[w]ritten contracts that are complete and free from ambiguity will be found to express the intention of the parties and will be enforced according to their plain language. Extraneous evidence is only admissible to prove intent where there is an ambiguity in the terms of the contract." Id. (citation omitted). Thus, much turns on "whether an ambiguity exists, " which itself turns on "whether the disputed provision is reasonably susceptible on its face to more than one interpretation." Allen, 71 P.3d at 378. This determination is necessarily made in the context of "the agreement as a whole." Id.
Taking the MNDA as a whole, the Court concludes-on this record at least-that an ambiguity exists through tension created by the relationship of MNDA § 14 to § 17. In particular, § 17 states that "[t]he obligations set forth herein shall apply until termination of this Agreement" and only makes explicit exception for "the confidentiality obligations, " which persist for five additional years and survive any applicable statute of limitations to that extent. On the other hand, § 14's jurisdictional waiver states that it applies to "any action arising under or related to this Agreement." That would seem to apply to "any action, " as it says, including one brought after termination. On the other hand, the jurisdictional waiver could also be considered one of the "obligations" that terminates per § 17. Both interpretations are reasonable, and this record is not sufficient for the Court to determine which is correct, or even whether the ambiguity can be resolved as a matter of law.
The Rule 12(b)(2) Motion presents an additional fact question: whether the parties actually terminated the MNDA. This likely turns, in part at least, on the purposes served by the MNDA, which also appear to be disputed.
Although contract interpretation is generally said to be a question of law, that is "only because it [typically] requires application of well-settled principles of contract interpretation to [undisputed] facts." Rich v. Ball Ranch P'ship, 345 P.3d 980, 983 (Colo.App. 2015). Here, the relevant facts are disputed. Assuming Cloudpath can prove its version of the facts, Cloudpath would establish the applicability of the MNDA's jurisdictional waiver. Cloudpath has therefore offered a prima facie case of personal jurisdiction, thus defeating the Rule 12(b)(2) Motion. This, of course, does not prevent SecureW2 from re-raising the personal jurisdiction question at a later stage, such as in a summary judgment motion. See, e.g., 5B Wright & Miller § 1351 nn.32-40 and accompanying text.
2. The EULA
In its FAC, Cloudpath alleges that SecureW2 also consented to this Court's personal jurisdiction in an End-User License Agreement ("EULA"). (ECF No. 37 ¶¶ 15, 49.) Cloudpath did not attach any EULA to the FAC, but alleges that Cloudpath requires "all those who access its proprietary software products to execute" an "administrator-level EULA" prohibiting commercial exploitation of Cloudpath's proprietary technology. ( Id. ¶¶ 223-26.)
In its Rule 12(b)(2) Motion, SecureW2 argues that the FAC does not make clear which EULA it executed (implying that there may have been more than one). (ECF No. 58 at 7.) SecureW2 also attaches "the only ostensibly applicable EULA, " which is undated but bears a 2009 copyright and does not contain any jurisdictional waiver. ( Id. ) SecureW2 claims that Cloudpath produced this EULA to SecureW 2 (for unexplained reasons), and that SecureW2 does not keep records of EULAs it executed "over seven years ago." ( Id. at 4 n.1.)
In response, Cloudpath submits a declaration from one of its employees, Kevin Koster, stating that the relevant EULA was executed on August 26, 2008. (ECF No. 64-1 ¶ 7.) Koster's declaration then reprints "Section 20 of [that] version of the EULA" as follows:
Governing Law. Unless specified in an Order Form, Colorado state law governs the interpretation of this Agreement, without regard to its choice of law rules.
Resolution of Disputes. Any action seeking enforcement of this Agreement or any provision hereof will be brought exclusively in the state or federal courts located in the County of Jefferson, State of Colorado. Each party hereby agrees to submit to the jurisdiction of such courts.
( Id. ¶ 8 (boldface in original).) Neither Koster nor Cloudpath has placed the 2008 EULA itself into the record.
It is admittedly strange that Cloudpath would: (a) allege the EULA generically in its FAC (in contrast to the MNDA, which it identified by date); then (b) produce a 2009 version of the EULA that does not contain a jurisdictional waiver; and finally (c) defend against SecureW2's motion with the 2008 version of the EULA, although only by quoting excerpts in a declaration, not by attaching the EULA itself. The Court will assume, however, that Cloudpath complied with Federal Rule of Civil Procedure 11 when asserting that SecyreW2 executed the 2008 EULA. Under that assumption, certain factual disputes arise that the Court must resolve in Cloudpath's favor at this stage, such as the scope of the 2008 EULA, whether SecureW2 executed it, and whether it was ever terminated. For this additional reason, the Rule 12(b)(2) Motion must fail.
C. Pendant Jurisdiction
The foregoing is enough, for now, to establish personal jurisdiction over SecureW2 with respect to Cloudpath's claims that SecureW2 breached the MNDA (Count 14) and the EULA (Count 15). However, jurisdiction over these two particular causes of action does not immediately imply jurisdiction over additional causes of action. The question, rather, is whether these additional causes of action "arise from the same facts as the claim over which [the Court] has proper personal jurisdiction." United States v. Botefuhr, 309 F.3d 1263, 1272 (10th Cir. 2002). If so, the Court may exercise "pendant personal jurisdiction" over the additional causes of action. Id.
In this case, those additional causes of action are as follows:
violation of, and conspiracy to violate, the Computer Fraud and Abuse Act, Electronic Communications Privacy Act, and Stored Communications Act (Counts One, Two, and Three) based on alleged actions to steal Cloudpath's trade secrets;
misappropriation of trade secrets, based on the same conduct (Count Four);
tortious interference with contract, based on SecureW2's use of Cloudpath's trade secrets to lure away Cloudpath customers, and based on SecureW2's interference with Cloudpath's employment/agency and other contracts with Grimm, Haney, and Kashyap (Count Five);
tortious interference with prospective business advantage, based on essentially the same conduct (Count Six);
conversion, based on conspiracy to steal Cloudpath's trade secrets (Count Seven);
civil theft, based on essentially the same allegations (Count Eight);
unfair competition, based on all of the foregoing (Count Nine);
unjust enrichment, based on all of the foregoing (Count Sixteen); and
conspiracy to commit all of the foregoing (Count Seventeen).
(ECF No. 37 ¶¶ 102-88, 232-40.) These causes of action indisputably arise from the same facts as the breach-of-contract claims. Indeed, all of Cloudpath's causes of action are simply different ways of suing over the same general course of conduct-the alleged theft and misuse of its trade secrets. Accordingly, to the extent the Court has personal jurisdiction over Cloudpath's claims for breach of the MNDA and/or the ...