OPINION & ORDER Plaintiff Nanobeak Biotech Inc. (“Nanobeak”/”the Company”) asserts claims against defendant James Jeremy Barbera for violation of the Computer Fraud and Abuse Act (“CFAA”), breach of fiduciary duty, fraud, conversion, and an accounting. Defendant moves to dismiss the complaint pursuant to Rules 12(b)(1) and (6) of the Federal Rules of Civil Procedure. For the reasons set forth below, defendant’s motion is granted. I. BACKGROUND The following facts are as alleged in the complaint (Dkt. No. 1). Plaintiff Nanobeak is a privately held corporation that develops technologies focused on the detection of early-stage lung cancer. Compl. 1. Defendant Barbera was Nanobeak’s Chief Executive Officer for around ten years. Id. In October of 2019, Barbera resigned from his role as CEO under pressure from Nanobeak’s Board of Directors and stockholders. Id. After his resignation as CEO, he served as Chief Science Officer until he was suspended from that position in December 2019. Id. Barbera also served on Nanobeak’s Board until he was removed in March 2020. Id. Following his suspension as CSO in December 2019, Nanobeak commissioned a “forensic accounting review of Barbera’s management of Nanobeak.” Id. 74. That review “uncovered facts showing that Barbera engaged in serious misconduct while serving as the CEO of Nanobeak.” Id. Specifically, the review revealed that Barbera treated Nanobeak as his own personal “piggy bank” and that he diverted company funds for his own personal expenses. Id. 4. He also allegedly provided false financial statements to the Board, mismanaged the affairs of the Company, and diverted investor funds into separate entities. Id. 5, 11. The Company also learned that Barbera established other business entities, with the apparent intent to compete with Nanobeak. Id. 78. During the review of Barbera’s misconduct and following his termination, the Company requested that Barbera return the Books and Records of the Company, along with the Nanobeak computer systems (“Nanobeak Systems”). Id. 9-10, 66. The Nanobeak Systems, comprised of “computer and other IT equipment”, were purchased between January 2014 and July 2019 with Nanobeak funds of more than $30,000. Id. 66. “On information and belief, the Nanobeak Systems contain proprietary and confidential information developed by Barbera during his time as a Nanobeak’s CEO such as Books and Records of the Corporation, obligations, contact information, agreements and other valuable information (with the University C License, the ‘Confidential Information’).” Id.1 Barbera has allegedly refused to return “any of the Nanobeak Systems or even copies of the documents maintained on those systems” and has continued to use them and “exploit the information for his own personal gain, including by frustrating Nanobeak’s investigation of his misconduct”. Id. Plaintiff claims that Barbera’s wrongful refusal to return the Books and Records and Confidential Information is a breach of his fiduciary duties of care and loyalty. Id. 81. Plaintiff also claims that the wrongful retention of, refusal to return, and “on information and belief” access, of the Nanobeak Systems since his resignation as CEO constitutes a violation of the Computer Fraud and Abuse Act, 18 U.S.C. §1030(g). Id. 10, 88-90. II. DISCUSSION On a motion to dismiss under Rule 12(b)(6), the court accepts all factual allegations in the complaint as true, and draws all reasonable inferences in the plaintiff’s favor. Kelly-Brown v. Winfrey, 717 F.3d 295, 304 (2d Cir. 2013). To survive a motion to dismiss, a complaint must plead “enough facts to state a claim to relief that is plausible on its face.” Bell Atl. Corp. v. Twombly, 550 U.S. 544, 570, 127 S. Ct. 1955, 1974 (2007). A claim is facially plausible “when the plaintiff pleads factual content that allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged.” Ashcroft v. Iqbal, 556 U.S. 662, 678, 129 S. Ct. 1937, 1949 (2009). COUNT I Violation of the CFAA, 18 U.S.C. §§1030(a)(2)(C), 1030(g) The CFAA is principally a criminal statute prohibiting “fraud and related activity in connection with computers.” 18 U.S.C. §1030. The Act also establishes a private cause of action against a person who “knowingly accessed a computer without authorization or exceeding authorization,” and whose prohibited access result in: (a) “loss” in excess of $5,000; (b) interference with a person’s medical treatment; (c) physical injury; (d) a threat to public health or safety; or (e) damage to a specific category [of] computers used by the United States Government and its affiliates. See 18 U.S.C. §1030(g), referencing 18 U.S.C. §1030(c)(4)(A)(i)(I)-(V), see generally 18 U.S.C. §1030(a). LivePerson, Inc. v. 24/7 Customer, Inc., 83 F. Supp. 3d 501, 511 (S.D.N.Y. 2015). The crux of plaintiff’s federal civil claim is that once Barbera was no longer employed at the Company, he no longer had any right to use or access the Nanobeak Systems, and when he “retained possession” of those systems after his termination, purportedly for an improper purpose, any subsequent use or access of any information (which specific information is not alleged) was effectively without authorization or in a manner that exceeds the permitted authorization, in violation of Section 1030(a)(2)(C) of the CFAA.2 Compl. 88. To support that claim, plaintiff must plead that defendant “(1) accessed a ‘protected computer’; (2) ‘without any authorization or exceeding its authorized access’; and (3) caused ‘loss’ in excess of $5,000.”3 Reis, Inc. v. Lennar Corp., No. 15 CIV. 7905 (GBD), 2016 WL 3702736, at *4 (S.D.N.Y. July 5, 2016). Defendant argues that plaintiff has not sufficiently pled any of those elements. Because plaintiff does not sufficiently allege “loss” in excess of $5,000, the Court does not address defendant’s other arguments for dismissal. (1) “Loss” in excess of $5,000 Under the CFAA, loss is defined as “any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service.” 18 U.S.C. §1030(e)(11). The costs typically found to be recoverable in satisfaction of this jurisdictional threshold are those related to remedying damages to the computer. See Nexans Wires S.A. v. Sark-USA, Inc., 319 F. Supp. 2d 468, 475 (S.D.N.Y. 2004), aff’d, 166 F. App’x 559 (2d Cir. 2006) (“the types of costs which the CFAA allows recovery for are related to fixing a computer.”); accord DCR Mktg. Inc. v. Pereira, No. 19-CV-3249 (JPO), 2020 WL 91495, at *2 (S.D.N.Y. Jan. 8, 2020) (“Courts in this jurisdiction have construed ‘loss’ narrowly, holding that the types of costs which the CFAA allows recovery for must be related to fixing a computer.”) (internal citations and quotation marks omitted); see also Tyco Int’1 (US) Inc. v. John Does 1-3, No. 01 CIV. 3856 RCCDF, 2003 WL 21638205, at *1 (S.D.N.Y. July 11, 2003) (“While it is true…that the CFAA allows recovery for losses beyond mere physical damage to property, the additional types of damages awarded by courts under the Act have generally been limited to those costs necessary to assess the damage caused to the plaintiff’s computer system or to resecure the system in the wake of a hacking attack.”). Plaintiff’s main argument as to loss is that defendant’s physical retention of the systems amounts to a “total functional impairment” of the devices at issue and a “deprivation” of the information contained in the systems (including the Company’s Books and Records and other “confidential information” such as the University C License). Pl. Br. at 6-8. Effectively, plaintiff argues that it has lost all use of its property as well as use of the data stored therein, and the value of that “loss”, over $30,000 (the initial purchase price of the systems), satisfies the jurisdictional threshold. Pl. Br. at 6. (“Nanobeak has lost all use of its corporate property, as well as the data stored on the Nanobeak Systems. This loss exceeds $30,000, which plainly satisfies the jurisdictional limits of the CFAA.”). But while defendant’s retention of the property may indeed “functionally impair[]” plaintiff’s access to, and therefore use of, the systems and data, there are no allegations that defendant’s misconduct has caused any damage or impairment to the computer itself or to the information contained therein, and thus no allegations that plaintiff had to incur costs to remedy those types of damages. Instead, the losses plaintiff alleges stem from its own lack of access to the seemingly fully functional systems and unimpaired information, thus requiring it to replace the systems and to “ reconstruct the information Barbera unlawfully retained and refused to return.” Pl. Br. at 6. Plaintiff may claim compensation for those losses through general common law causes of action (e.g., conversion), but not through the CFAA. See JBCHoldings NY, LLC v. Pakter, 931 F. Supp. 2d 514, 525 (S.D.N.Y. 2013) (“Plaintiffs’ allegation that [defendant] still has not returned two company notebook computers…with Plaintiffs’ electronically stored information still contained thereupon’ fares no better…. [Defendant's] failure to return these computers upon her discharge might give rise to one or more common law causes of action. It does not state a claim under the CFAA.”) (internal citations and quotation marks omitted); see also Fink v. Time Warner Cable, 810 F. Supp. 2d 633, 641 (S.D.N.Y. 2011)(plaintiff’s pleadings of loss, including “the costs of obtaining information elsewhere when they were unable to use their computers”, fell “outside the kind of loss that the statutory definition requires”)(emphasis in original). Plaintiff argues that it has incurred a “loss” in the form of “additional investigative costs to attempt to determine the full extent of Barbera’s fraud”. Pl. Br. at 7. Under Section 1030(e) (11), the definition of “loss” has been interpreted to include “any remedial costs of investigating the computer for damage…”, Penrose Computer Marketgroup, Inc. v. Camin, 682 F. Supp. 2d 202, 208 (N.D.N.Y. 2010) (quoting Nexans Wires S.A., 319 F.Supp.2d at 474), but the costs of investigating non-computer, “business repercussions” of the alleged misconduct do not typically count toward the $5,000 threshold. See, e.g., Nexans Wires S.A., 319 F.Supp.2d at 474. There are no specific allegations connecting the alleged “investigative expenses” to any effort to investigate damage done to the computer systems. Therefore, plaintiff’s allegations regarding investigative expenses do not allege loss of the kind the statute recognizes. See, e.g., Kraus USA, Inc. v. Magarik, No. 17-CV-6541 (ER), 2020 WL 2415670, at *7-8 (S.D.N.Y. May 12, 2020)(insufficient allegation of loss where plaintiff only alleged that “as a result of [Defendant's] access Defendants have obtained items of value and have caused harm in excess of $5,000″, and did not allege that its investigation related to damage to its computer system). At the crux of plaintiff’s complaint are state common law claims founded in breach of fiduciary duty and fraud. The purpose of CFAA is not to remedy those claims, but to prohibit computer hacking. See DCR Mktg. Inc. v. Pereira, No. 19-CV-3249 (JPO), 2020 WL 91495, at *3 (S.D.N.Y. Jan. 8, 2020)(“the CFAA does not apply to a so-called faithless or disloyal employee — that is, an employee who has been granted access to an employer’s computer and misuses that access, either by violating the terms of use or by breaching a duty of loyalty to the employer)(internal citations and quotation marks omitted); see also Deutsch v. Hum. Res. Mgmt., Inc., No. 19-CV-5305 (VEC), 2020 WL 1877671, at *3 (S.D.N.Y. Apr. 15, 2020) (“That focus is consistent with the statute’s purpose: to combat hacking, i.e., trespass into computer systems or data.”) (internal citations and quotation marks omitted). COUNTS II-V Breach of Fiduciary Duty, Fraud, Conversion, and Accounting and Imposition of Constructive Trust Plaintiff also asserts four state law causes of action. Since the federal claim has been dismissed, the exercise of supplemental jurisdiction over the state law claims is discretionary. See 28 U.S.C. §1367(c)(3); Carnegie-Mellon Univ. v. Cohill, 484 U.S. 343, 350 n.7 (1988) (“in the usual case in which all federal-law claims are eliminated before trial, the balance of factors to be considered under the pendent jurisdiction doctrine — judicial economy, convenience, fairness, and comity — will point toward declining to exercise jurisdiction over the remaining state-law claims.”). At this early stage of litigation, the Court declines to exercise jurisdiction over the remaining state law claims, and they are therefore dismissed without prejudice. III. CONCLUSION Count I of the complaint for violation of the CFAA is dismissed. The remainder of the complaint is dismissed without prejudice for lack of jurisdiction. So ordered. Dated: April 13, 2021
