Information security has become an increasingly important concern for modern businesses. As businesses move their information storage to the “cloud,” rather than keeping it in computers on site, the need for appropriate security controls becomes more pronounced. Companies (and their IT vendors) often devote substantial resources to ensuring that their employee work product and competitively sensitive information remains private. But that is no small task: It can be very difficult to control the spread of electronically-stored information, which may be transmitted around the world a dozen times before the security team has finished their morning coffee.
Such concerns are only heightened upon the departure of employees who have had legitimate access to confidential information. A few years ago, a company might have felt that its data was secure if it simply escorted departing employees out of the building and took their company laptops and keycards. But the modern workplace is more complex: Employees work from a variety of locations on company data stored remotely using a wide range of access systems. It is now common for employers to devote significant resources to searching through an employee’s electronic communications, including work emails, texts, and access logs to ensure no company confidential information has been removed or improperly accessed prior to the employee’s departure.
Perhaps the most complex issues arise when employees work from home. Increasingly, employees are able to access company systems from home—using home computers or work-issued laptops—and thereby access their work files. In such instances, employers face yet a further challenge: how do they ensure the employee does not have any competitively sensitive information on their personal devices? While some companies will seek authorization to search an employee’s personal devices as part of a separation agreement, many take the view that company-supplied hardware belongs to the company and can be reviewed without authorization. In a recent case, one financial services company allegedly took that approach a step too far by placing software on a computer it had supplied for an employee’s home and using it to access and inspect his personal files, without his permission, upon his departure from the company.
Unlawful access to electronically stored information can give rise to both state and federal claims for “hacking,” and the employee in this case asserted those claims in both state and federal court. The initiation of separate proceedings in state and federal court can raise concerns about duplicated efforts and the potential for inconsistent results. The doctrine of abstention provides federal courts a framework for exercising their discretion to abstain from adjudicating a matter, leaving it instead to the state court. However, in this case, the U.S. District Court for the Southern District of New York declined to do so. Its opinion in Iacovacci v. Brevet Holdings, 2019 WL 2085989 (S.D.N.Y. May 13, 2019), explains the bounds of that doctrine in this area, where the protections of state and federal law overlap.
Background to the Dispute
Brevet Holdings is a Delaware limited liability company with principal place of business in New York. Along with its affiliates, Brevet Holdings is in the business of providing investment management and advisory services to its clients.
Until October 2016, Paul Iacovacci was a managing director of Brevet Capital Management (a Brevet Holdings affiliate and codefendant). In connection with his employment, Brevet purchased a desktop computer “for Iacovacci’s personal use, which he set up in his home.” Upon its installation, Brevet configured the computer with a “primary” account entitled “Family” for use by Iacovacci’s wife and children. According to Iacovacci, the computer was used by both him and his family for personal matters as well as by Iacovacci for work-related matters. “When Iacovacci used the computer for Brevet-related work, he would log into the Brevet network using a remote access program.”
In addition to his work access, Iacovacci used the Brevet-provided computer to store various personal files, including “financial and tax-related documents.” On occasion, Brevet would attach one of two external hard drives (purchased with his own funds) to export his personal files.
Beginning in December 2015, Iacovacci began to suffer from health issues, culminating in a surgery on Dec. 18, 2015. As a result of those health issues, Iacovacci announced in January 2016 that he intended to retire. In the ensuing months, Iacovacci engaged in negotiations with Brevet regarding the terms of a potential retirement package. However, on Oct. 14, 2016, Brevet put an end to those negotiations by terminating Iacovacci.
State Court Action
Shortly after his termination, Iacovacci initiated a state court action against certain of the Brevet entities alleging wrongful termination. Iacovacci also asserted claims for breach of contract, unjust enrichment, and conversion. Over the course of two and a half years, the parties engaged in substantial discovery in the state court action, including the production of over 160,000 pages of documents, discovery motion practice, and the taking of several depositions. In the course of that discovery, documents were produced that Iacovacci asserts demonstrated a “hacking campaign” against him, including by unlawfully accessing his home computer and hard drives on multiple occasions between January 2016 (when the retirement negotiations began) and October 2016 (when Brevet terminated Iacovacci). Brevet “admitted in an affidavit in state court that they reviewed ‘hundreds of files on Iacovacci’s computer, eternal hard drives, and Yahoo! E-mail inbox.”
Federal Court Action
On Sept. 4, 2018, almost two years after the initiation of the state court action, Iacovacci initiated an action in the Southern District of New York asserting violations of the Computer Fraud and Abuse Act, the Federal Wiretap Act, and Stored Communications Act. Iacovacci asserted that Brevet’s “hacking campaign” was in violation of all three federal laws. Additionally, Iacovacci asserted state law claims for conversion and trespass to chattel. On Nov. 12, 2018, Brevet moved to dismiss, asserting that the state and federal actions were parallel and the Southern District should abstain from exercising jurisdiction.
On May 13, 2019, Judge John Keenan of the Sothern District of New York issued an opinion denying a motion to dismiss on abstention grounds. Defendant Brevet Holdings had asked the court to abstain from adjudication of state and federal claims due to a parallel state court action arising under the same facts. Judge Keenan denied the defendants’ motion, holding that the state court action was not parallel and, even if it were, the abstention analysis set forth in Colorado River Water Conservation Dist. v. United States, 424 U.S. 800 (1976), did not “weigh in favor of the Court exercising its discretion to abstain from deicing the federal action.”
Judge Keenan first considered the “threshold” question of whether the state and federal actions were parallel. A state and federal action are parallel if “substantially the same parties are contemporaneously litigating substantially the same issue” in both actions. See First Keystone Consultants v. Schelsinger Elec. Contractors, 862 F. Supp. 2d 170, 182 (E.D.N.Y 2012). In support of their motion, defendants argued that the actions were parallel because they arose from the same set of factual allegations, which all related to defendants’ decision to terminate Iacovacci for cause. According to defendants, because Iacovacci’s amended complaint contained allegations that Brevet hacked his home computer, the federal court and the state court would both have to determine the same issues: whether Brevet unlawfully accessed and utilized Iacovacci’s computer.
But the court rejected that argument because Iacovacci had not asserted any of his federal law claims in the state proceeding, and the state court would not necessarily have to resolve the issues raised in the federal litigation. The state court, Judge Keenan reasoned, could find the defendants liable on the claims relating to Iacovacci’s termination without ever reaching the issue of hacking. Because the state action could be fully adjudicated without ever resolving “the main issues” in the federal proceedings, Judge Keenan held the actions could not be parallel.
Though unnecessary given the threshold finding that the actions were not parallel (a court may only exercise its discretion to abstain from adjudicating if it determines the federal court action is parallel to a state court action), Judge Keenan went on to consider whether the abstention doctrine would be applicable if they were. Under controlling Second Circuit precedent, a court must consider six factors in “deciding whether to abstain” under Colorado River:
(1) whether the controversy involves a res over which one of the courts has assumed jurisdiction; (2) whether the federal forum is less inconvenient than the other for the parties; (3) whether staying or dismissing the federal action will avoid piecemeal litigation; (4) the order in which the actions were filed, and whether proceedings have advanced more in one forum that in the other; (5) whether federal law provides the rule of decision; and (6) whether the state procedures are adequate to protect the plaintiff’s federal rights.
Niagara Mohawk Power v. Hudson River-Black River Regulating Dist., 673 F.3d 84, 100 (2d Cir. 2012).
Judge Keenan considered each of those factors and found that only two—the relative advancement of the state court proceedings and the potential avoidance of piecemeal litigation—favored abstention. However, the court found that those two factors were not enough on their own to overcome “the heavy presumption favoring the exercise of federal jurisdiction,” especially in light of the presence of separate federal claims.
Same Facts, Different Claims
Both the court’s parallelism and abstention analyses boiled down to a similar consideration: Were the claims asserted in each action sufficiently different such that the federal court need not abstain from adjudicating the matter? In Iacovacci, the answer to that question was fairly straightforward. The state proceeding did not assert any federal claims related to “hacking”, while the federal proceeding was mostly premised on the alleged violation of three such federal statutes.
A more complex question arises, however, where the overlap in protection is more obvious. Here, Iacovacci asserted general state law claims (such as fraud) relating to Brevet’s improper access to his personal computer, but he did not bring state law claims under any of New York’s many laws directly related to computer trespass or the protection of electronic information. Such claims would have been more directly parallel to the federal claims and might have required a different analysis. As a general matter, federal courts have been reluctant to abstain from cases involving computer fraud and abuse, as those cases very often cross state lines and touch on issues of federal policy. As it is the court retained jurisdiction here, and the outcome on the merits (assuming it reaches the issue of what an employer may do with a machine it supplies, in part, for “personal” use) will be interesting to watch.
Stephen M. Kramarsky, a member of Dewey Pegno & Kramarsky, focuses on complex commercial and intellectual property litigation. Jack Millson, an associate at the firm, provided substantial assistance with the preparation of this article.