United States District Court, W.D. Wisconsin
OPINION AND ORDER
WILLIAM M. CONLEY, District Judge
In this highly contentious lawsuit, plaintiff Epic Systems Corporation asserts a variety of federal and state law claims against defendants Tata Consultancy Services Limited and Tata America International Corporation, respectively, a much larger, India-based company and its smaller U.S. arm. Among other things, defendants provide information technology services to the U.S. healthcare industry, while Epic is a leading provider of software to this industry. Essentially, plaintiff claims that defendants accessed its web portal without authorization while servicing a mutual client, and then used information obtained to help develop their own competitive software product and for other improper purposes. Before the court are the parties’ cross-motions for partial summary judgment. (Dkt. ##195, 197.)
As noted by the court in earlier opinions and explained in greater detail below, plaintiff has compelling evidence of unauthorized access by a number of defendants’ employees over an extended period of time. Based on this and other undisputed evidence, the court will grant plaintiff partial summary judgment on breach of contract claims for failure to provide written notice of unauthorized access and failure to maintain the confidentiality of Epic information and documents. The court will also grant partial summary judgment to plaintiff under the first element of the Computer Fraud and Abuse Act, 19 U.S.C. §1030(g), finding a violation of the CFAA based on defendants’ unauthorized access. Finally, the court will grant plaintiff’s motion with respect to its claims under the Wisconsin Computer Crimes Act, Wis.Stat. § 943.70(2)(a), based on unauthorized access and sharing of password information. In all other respects, plaintiff’s motion for partial summary judgment will be denied for the reasons explained below.
In their motion, defendants correctly point out weaknesses in plaintiff’s evidence of improper use of the accessed documents, as opposed to improper access. Nonetheless, a reasonable jury could find improper use based on circumstantial evidence in this record. Accordingly, the court will deny defendants’ motion for partial summary judgment, save for plaintiff’s conversion claim, because the property at issue is not “chattel” as a matter of Wisconsin law.
A. The Parties and Key Third Parties
Epic Systems Corporation is a Wisconsin corporation with its headquarters in Verona, Wisconsin. Since its inception in 1979, Epic has developed, installed and supported an integrated suite of software used by hospitals, medical groups and other healthcare organizations. Epic’s software is recognized in the industry as a market leader, being used by an estimated 281,000 physicians worldwide to manage the care and records of approximately 169 million patients. Epic itself now has approximately 9,500 employees located in the United States.
Epic maintains a web portal called the “UserWeb,” which contains product materials, updates, training materials and other documents detailing Epic’s software and its data model, as well as information on training, setup, support and operation, and details the features and configuration of Epic’s software. The UserWeb also contains discussion forums where Epic customers can communicate. Epic provides access to the UserWeb to customers, who then use information from the UserWeb to install, maintain and support its software. Epic also allows third parties (such as consultants working for customers) to access information through Epic’s UserWeb web portal necessary to further implementation, integration or testing. Epic contends, however, that only a portion of the UserWeb is available to consultants working with a customer. Furthermore, it appears that consultants generally need to sign a UserWeb Access Agreement that expressly restricts their use of this information.
The parties dispute whether Epic takes sufficient precautions to protect access to the UserWeb, including how Epic authorizes individual registration of UserWeb accounts. Because these facts are marginally relevant to the issues before the court on summary judgment, these factual disputes are not recounted except where germane to the specific issue being discussed in the opinion below. (See Defs.’ PFOFs (dkt. #210) ¶¶ 23, 82-92; Pl.’s Resp. to Defs.’ PFOFs (dkt. #417) ¶¶ 23, 82-92; Pl.’s Add’l PFOFs (dkt. #415) ¶¶ 583-87.)
Defendant Tata Consultancy Services Limited (“TCS India”) is an Indian corporation that provides information technology services, consulting and business solutions on a global scale, and offers a wide portfolio of infrastructure, engineering and assurance services. TCS India is part of the Tata Group. TCS India has more than 318,000 employees in 42 countries.
Defendant TCS America International Corporation (“TCS America”) is a New York corporation, wholly owned by TCS India. Plaintiff presents evidence that TCS America is simply the U.S. arm of TCS India, including the testimony of defendants’ corporate representative, Syama Sundar, that (1) defendants do not “distinguish” between TCS America and TCS India and (2) the two entities are considered “one and the same.” (Pls.’ PFOFs (dkt. #213) ¶¶ 49-61.) Defendants do not dispute the specific facts proposed by plaintiff, but dispute that “there is any evidence that TCS India and TCS America were the agents of each other at the times mentioned” in the complaint. (See, e.g., Defs.’ Resp. to Pl.’s PFOFs (dkt. #308) ¶ 58.) The court need not resolve this agency issue either. Instead, the court will at times simply refer to defendants jointly as “TCS,” consistent with the parties’ treatment.
Although TCS’s number one source of revenue is work done in the United States, which accounts for 56% of total revenue, it appears that TCS has only recently begun to penetrate the market for healthcare software. TCS’s software product, Med Mantra, is a consolidated, comprehensive, integrated hospital management system. TCS began development of Med Mantra’s predecessor, EHIS, in 2006. Med Mantra has been implemented at 17 hospitals and 44 clinics, all part of the Apollo Group in India and the Cancer Institute in Adyar, Chennai. Defendants contend that the development of Med Mantra has been driven by Apollo and that it is not a good fit for other Indian hospitals. Still, as plaintiff points out, some marketing materials describe Med Mantra’s vision “to be recognized as a world leading Health Care Provider solution.” (Pl.’s PFOFs (dkt. #213) ¶ 45 (quoting Richmond Decl., Ex. 12 (dkt. #227-1) 26.) Defendants nevertheless claim that Med Mantra is an Indian solution and not something TCS planned to implement worldwide, at least in the short term. (See Defs.’ Resp. to Pl.’s Add’l PFOFs (dkt. #460) ¶ 562.)
iii. Kaiser Permanente
While not a party to this action, Kaiser Permanente figures prominently in the parties’ dispute. Kaiser Permanente, sometimes referred to as “KP,” is a not-for-profit healthcare organization with approximately 150,000 employees who provide care to approximately 8.7 million members. Kaiser Permanente is the largest managed healthcare organization in the United States. Kaiser Permanente consists of Kaiser Foundation Health Plan, Kaiser Foundation Hospitals and their subsidiaries, and the Permanente Medical Groups. Kaiser Foundation Hospitals (“Kaiser”) operates a chain of medical centers, hospitals, medical offices and clinics, primarily on the West Coast of the United States.
iv. Philippe Guionnet
Because his role is central to the development of plaintiff’s claims, the court will introduce one more key player to this dispute upfront. In October 2012, TCS hired Philippe Guionnet as the vendor engagement executive for the Kaiser account. TCS’s CEO Natarajan Chandrasekaran (commonly referred to as “Chandra”) recommended Guionnet to Sundar, the head of the Kaiser account at that time. Before his employment with TCS, Guionnet worked as a Chief Information Officer at Cendant and Avis, a Deputy Chief Information Officer at Disneyland Paris and a national Director of KPMG. As will be described below in more detail, Guionnet was the individual who informed the parties and Kaiser of his suspicion that TCS was accessing Epic’s UserWeb without authorization and improperly using documents from the UserWeb.
B. Epic, Kaiser and TCS’s Business Relationship
i. Epic licenses software to Kaiser
On February 4, 2003, Epic entered into a written agreement with Kaiser to license computer software to Kaiser. Kaiser uses Epic’s software as an electronic health record (“EHR”) that gathers and utilizes patient information. Kaiser refers to specific Epic modules it uses as KPHealthConnect. As an Epic customer, Kaiser has access to the UserWeb.
Pursuant to the terms of their agreement, Kaiser is accountable to Epic for inappropriately sharing Epic’s intellectual property with third parties, but that agreement does not require Kaiser to ensure that those third parties enter into a separate contract directly with Epic.
ii. Epic enters into 2005 Agreement with TCS
TCS began working with Kaiser in 2005. In early August of 2005, Epic learned that four individuals from TCS had registered for some classes at Epic. Originally, Epic thought that the individuals attempting to attend Epic classes were Kaiser employees. When Epic learned that the individuals were actually TCS employees, it asked Kaiser for more details about TCS’s role with Kaiser. Upon learning that Epic did not have a nondisclosure agreement with TCS, Epic removed the individuals from the class and required that they leave their materials behind. Epic later explained in an email to a contact at Kaiser that Epic was being “extra vigilant” because, in the past, “a student [had] claim[ed] to be from [Kaiser] but was actually from a competitor.” (Pl.’s PFOFs (dkt. #213) ¶ 90 (quoting Richmond Decl., Ex. 19 (dkt. #230-1) 4).)
In response to this episode, Epic and TCS America entered into a Standard Consultant Agreement (“the Agreement” or “the 2005 Agreement”), dated August 10, 2005, and signed by Satya Hedge, senior vice president and general counsel of TCS India. (Richmond Decl., Ex. 20 (dkt. #230-2).) The Agreement states that its “validity, construction and enforcement . . . shall be determined in accordance with the laws of Wisconsin, without reference to its conflicts of laws principles.” (Id. at 4.)
Among other provisions, the Agreement contains a section titled “CONFIDENTIALITY AND USE RESTRICTIONS.” (Id. at 2-3.) As part of that section, TCS agreed that “Epic’s Program Property contains trade secrets of Epic protected by operation of law and this Agreement.” (Id. at 2.) The Agreement further contains several obligations for TCS, including:
• “Maintain in confidence any Confidential Information, except that [TCS] may disclose Confidential Information relating to the Program Property to Epic’s licensees to the extent necessary for such licensees’ implementation of the Program Property, with the understanding that such information shall be kept confidential by the licensees under their respective license agreements with Epic;”
• “Use any Confidential Information only for the purpose of implementing the Program Property on an Epic customer’s behalf;”
• “Limit access to the Program Property to those of [TCS’s] employees who must have access to the Program Property in order to implement the Program Property on Epic’s or its customer’s behalf;”
• “Store all copies of the Program Property in a secure place;”
• “Notify Epic promptly and fully in writing of any person, corporation or other entity that [TCS] know[s] has copied or obtained possession of or access to any of the Program Property without authorization from Epic;” and
• “Not permit any employee while in [TCS’s] employment who has had access to the Program Property or any Confidential Information relating to the Program Property to participate in any development, enhancement or design of, or to consult, directly or indirectly, with any person concerning any development, enhancement or design of, any software that competes with or is being developed to compete with the Epic Program Property for a period of at least two (2) years after the date that such employee last has access to such Program Property or Confidential Information.”
(Id. at 2-3.)
“Confidential Information” is defined as
Any information [TCS] employees obtain from Epic or any Epic licensee as to the Program Property, Epic or Epic’s plans or customers, including without limitation information concerning the functioning, operation or Code of the Program Property, Epic’s training or implementation methodologies or procedures, or Epic’s planned products or services, but excluding any information that: (a) is now or hereafter becomes publicly known through no act or failure on the part of [TCS] and without breach of the Agreement; (b) is known by [TCS] on a nonconfidential basis at the time of the receipt of such information from Epic or an Epic licensee, or (c) subsequently becomes known by [TCS] on a non-confidential basis, or (d) developed by [TCS] independently without use of or reliance on Confidential Information.
(Id.) The Agreement defines “Program Property” as “the computer program object and source code and the Documentation for all of Epic’s computer programs.” (Id. at 2.) “Documentation” is defined as “any instructions, manuals or other materials created by Epic in any format, relating to the implementation, operation or Code of the Program Property.” (Id.) “Code” is defined as “both the object and source code of the Program Property.”
The Agreement also provides in relevant part that:
No notice required to be provided shall be effective unless it is in writing; is delivered to the other party by either reputable overnight courier, U.S. mail by registered, certified, or overnight delivery special, with all postage prepaid and return receipt requested, or by personal delivery; and is addressed to:
If to Epic:
Judith R. Faulkner, CEO
Epic Systems Corporation
5301 Tokay Boulevard
Madison, WI 53711
(Id. at 3-4.)
This Agreement was in effect between TCS America and Epic for the time period relevant to plaintiff’s claims. Epic terminated the Agreement on October 30, 2014, shortly after it filed this lawsuit. The parties agree that the Agreement is enforceable and unambiguous; they also agree it was not modified. Furthermore, TCS does not contend that its performance under the contract was somehow excused.
iii. Kaiser engages TCS to test software
In 2011, Kaiser engaged TCS to test Epic software in its so-called “Testing Center of Excellence” (“TCoE”). The TCoE work included providing testing support for regularly-scheduled Epic releases, major upgrades, steady state maintenance testing and new investment projects. Approximately 1,000 TCS employees were devoted to the Kaiser account, and “a lot more people” were partially involved with that account. (Pl.’s PFOFs (dkt. #213) ¶ 134.) Defendants do not dispute these numbers, but contend that not all of these individuals were involved with Epic software. Also, employees were located both “offshore” in India and “onshore” at Kaiser facilities in the United States.
The relationship between TCS America and Kaiser was governed by their Amended and Restated Masters Services Agreement (“MSA”), dated January 29, 2012. (Richmond Decl., Ex. 29 (dkt. #231).) TCS India and TCS America are also parties to their own “back-to-back agreement,” which in turn governed their work pursuant to the MSA with Kaiser. While the MSA provides an “umbrella framework,” individual pieces of work are executed in statements of work or work orders, sometimes referred to as “SOWs.” (Pl.’s PFOFs (dkt. #213) ¶ 143 (quoting Sundar Depo. (dkt. #125) 65).)
The MSA required TCS America and TCS India to perform services at approved facilities, referred to as Offshore Development Centers (“ODCs”), and specifically identified the facilities located at “Chennai and Kolkata, India.” (Pl.’s PFOFs (dkt. #213) ¶¶ 150-55.) The ODCs were to be used for Kaiser work only. Only employees who work at the ODC or have a reason to be there are allowed to enter the building. All TCS employees entering the ODC had to pass through security using a badge.
To protect its own confidential information, Kaiser also required that security protocols be implemented in the ODCs, including that: (1) antivirus software had to be up-to-date; (2) any printing had to be on colored paper and shredded after use; (3) CD drives and USB ports had to be disabled to ensure that TCS employees could not copy data; (4) access to the TCS email system was prohibited; (5) TCS employees were not allowed to use their phones; and (6) with the exception of lead managers, TCS employees were prohibited from sending emails from Kaiser email addresses to non-Kaiser email addresses. In the ODCs, TCS employees were also provided computers that could only connect to the Kaiser network.
Under the MSA, TCS employees also were not to use Kaiser’s software except as expressly permitted. This included software Kaiser licensed from some third party, which in turn included Epic’s software. In addition, there was a policy against using other people’s log-on and password information.
Kaiser’s security policies were posted at every desk in the ODC, and TCS claims that the importance of information security was continuously communicated to the Kaiser team. In particular, TCS claims that it hosted multiple security awareness sessions where employees were reminded not to share passwords or otherwise compromise client confidential information. (See also Pl.’s Add’l PFOFs (dkt. #415) ¶¶ 570-77, 652-56.)
The TATA Code of Conduct, which governs the behavior of TCS employees, also states that “[a]ny collection of competitive information shall be made only in the normal course of business and shall be obtained only through legally permitted sources and means.” (Pl.’s PFOFs (dkt. #213) (quoting Richmond Decl., Ex. 34 (dkt. #232-2) 3.)
Despite these security provisions, TCS provided separate computers (referred to as “kiosk machines”) in the ODC that could be used to access the internet, TCS’s network and TCS email. Additionally, there were computers outside of the ODC, but in the same building, that could be used to access TCS email and the internet. Defendants maintain that these computers did not have internet access and that the USB ports were disabled, but Epic points out that the deposition testimony on which defendants rely is contradicted by other testimony from the same witness that he did use those computers to access the internet. Moreover, defendants’ Head of Information Security for Insurance and Healthcare admitted in an external audit that the USB ports were not disabled.
iv. TCS attempts to partner with Epic
In May 2011, a delegation of TCS and Kaiser executives visited Epic’s headquarters in Wisconsin. During the meeting TCS presented a deck of slides explaining its business, among other things. The presentation revealed that TCS had developed medical software (Med Mantra) for use at the Apollo Hospital in India. After review of TCS’s website, Epic’s leadership -- particularly, its President Carl Dvorak -- was concerned that TCS had not been forthright about their development of Med Mantra and decided not to work with TCS.
Still, the parties’ mutual customer, Kaiser, continued to push for Epic to work with TCS. Suresh Muthuswami, TCS’s President of Insurance & Healthcare Business Group, also continued to reach out to Dvorak on several subsequent occasions. During the course of these communications, Muthuswami attempted to ease Epic’s concern that “confidential information might somehow find its way to the Med Mantra team” by offering to bring over a TCS expert in Med Mantra to speak with Epic and otherwise ensure that the “unit at TCS that would do Epic work” would remain separate from the unit working on Med Mantra. (Pl.’s PFOFs (dkt. #213) ¶ 212 (quoting Muthuswami Depo. (dkt. #158) 62-63); Defs.’ PFOFs (dkt. #210) ¶ 73 (quoting Dvorak Depo. (dkt. #187) 101).) Despite Kaiser’s assurance that TCS “will sign anything,” Dvorak continued to express concerns about TCS to his contact at Kaiser, explaining that TCS may have a “competitive interest.” (Pl.’s PFOFs (dkt. #213) ¶ 213-14 (quoting Richmond Decl., Ex. 38 (dkt. #232-6); Defs.’ PFOFs (dkt. #210) ¶ 75 (quoting Robben Decl., Ex. 14 (dkt. #204-14)).)
In 2012, TCS again sought multiple times to build a partnership with Epic, attempting to set up a face-to-face conversation. Again, Dvorak expressed concerns to his contact at Kaiser that “the situation with TCS was a ‘deeper competitive situation than initially understood.’” (Pl.’s PFOFs (dkt. #213) ¶ 218 (quoting Richmond Decl., Ex. 39 (dkt. #232-7)).) Around this same time, Dvorak also exchanged emails with TCS’s Muthuswami, stating that “details relating to competitive activity by Tata” is an “ongoing and key problem,” and “[i]f you are truly a competitor, it may well be that there is no framework that would be possible.” (Pl.’s PFOFs (dkt. #213) ¶¶ 219-20 (quoting Richmond Decl., Ex. 40 (dkt. #232-8).) In discussions regarding TCS access to Epic’s UserWeb, Epic also wanted to “understand specifically what documents [TCS] need[ed] and what their job functions [were] going to be” before granting access. (Pl.’s PFOFs (dkt. #213) ¶ 205 (quoting Rehm Depo. (dkt. #185) 36-37, 42-43).)
Despite all of these efforts, TCS could not reach an agreement with Epic. Therefore, no TCS associate was allowed to connect directly to the UserWeb. TCS acknowledged this restriction on its access to the UserWeb at depositions during this lawsuit, as well as in earlier, contemporaneous presentations. (See Pl.’s PFOFs (dkt. #213) ¶¶ 224-26 (“TCS is not an Epic partner. As a result, they are not allowed to access Epic Systems UserWeb portal.”) (quoting Medikondra Depo. (dkt. #161) 196-97; Richmond Decl., Ex. 42 (dkt. #233) p.4.).) At summary judgment, TCS does not appear to dispute this restriction either, although it states generally and without explanation that access was somehow permitted under the 2005 Agreement. (Defs.’ Resp. to Pl.’s PFOFs (dkt. #308) ¶ 227.)
v. TCS creates “workaround”
Faced with this obstacle, TCS employees devised a “workaround” to obtain information needed from Epic without accessing the UserWeb, including the information required to create “test scripts.” Under the workaround, Kaiser employees would download release notes from the UserWeb for TCS employees to access. These release notes were to be held in a repository at Kaiser. Defendants’ corporate representative, Syama Sundar, testified at his deposition that there should not be “any Epic documentation at TCS” because everything is “within Kaiser, ” and there was “no reason whatsoever” that “TCS employees needed to go to Epic’s UserWeb.” (Pl.’s PFOFs (dkt. #213) ¶¶ 233, 236 (quoting Sundar Depo. (dkt. #) 415-16.) Still, two TCS employees who figure prominently in this case, Ramesh Gajaram and Aswin Anandhan, explained at their depositions that there were times when relying on either Epic or Kaiser personnel to obtain information took time.
In addition, Anandhan would contact an Epic employee, Michael Buchanan, who sent Anandhan documents from time to time, including information that was similar to that available on the UserWeb. Buchanan also would host WebEx sessions where he would share his screen with Anandhan.
C. TCS Accesses Epic’s UserWeb
i. Gajaram shares UserWeb credentials
At some point, work on the Kaiser account was transferred from TCS to another company, Computer Sciences Corporation (“CSC”), headquartered in Virginia, and later back again to TCS. In particular, a CSC engineer from India, Ramesh Gajaram, began working on the Kaiser account in February 2006. During this time, Gajaram was given a Kaiser email address. In January 2011, Gajaram also registered and was given access to Epic’s UserWeb. Epic represents that, in his application for a UserWeb account, Gajaram did not identify that he was a consultant rather than a Kaiser employee.
After a Kaiser employee recommended TCS hire Gajaram, Gajaram left his job at CSC and started work at TCS. From September 2011 until March 2014, Gajaram then worked in Chennai, India, on TCS’s Kaiser account as part of the Testing Center of Excellence. During this time period, his job consisted of testing Epic products for use at Kaiser. In addition, Gajaram served as an Information Security Coordinator, which involved monitoring ...