                            UNITED STATES DISTRICT COURT
                            FOR THE DISTRICT OF COLUMBIA



 BEINS, AXELROD, PC,

         Plaintiff,
                v.                                        Civil Action No. 19-3794 (JEB)


 ANALYTICS, LLC, et al.,

         Defendants.


                                  MEMORANDUM OPINION

       This case concerns an old-fashioned heist achieved via 21st-century means. Plaintiff

Beins, Axelrod, PC claims that someone hacked into its managing partner’s email account and

thereby redirected a $60,000 payment intended for Plaintiff’s legal services into the thief’s

account maintained at Citibank, NA. Beins, Axelrod has been unable to recover the funds and

thus brings various causes of action against all the involved parties, including a claim under the

Computer Fraud and Abuse Act against Defendant Citigroup Inc., the parent company of

Citibank. Citigroup now moves to dismiss. The Court is sympathetic to the firm’s plight, but

because Plaintiff improperly named Citigroup as a Defendant and, in any event, has failed to

state a claim under the CFAA, it will grant the Motion.

I.     Background

       Plaintiff is a District of Columbia–based corporate entity engaged in the practice of law.

See ECF No. 7 (Amended Complaint), ¶ 1. Years ago, it provided legal services in tandem with

two other law firms –– Ciresi Conlin, LLP and Defendant McTigue Law, LLP –– for a class-

action lawsuit brought in the Southern District of New York. Id., ¶¶ 15–19; see also Carver v.



                                                 1
Bank of New York Mellon, No. 15-10180 (S.D.N.Y. Mar. 31, 2017). In December 2018, the suit

settled, and the settlement agreement provided, among other things, for $5,966,250 to be

allocated among the various law firms. Id., ¶ 20. The firms hired Defendant Analytics LLC

–– which specializes in class-action-settlement implementation –– to distribute these hefty sums.

Id., ¶ 21. Plaintiff’s share of the fee award came to an undisputed $60,354.67, but McTigue and

Ciresi Conlin fought for months over their respective pieces of the remainder. Id., ¶¶ 22–27.

       On the evening of July 16, 2019, J. Brian McTigue, a partner at McTigue LLP, sent Jon

Axelrod, Plaintiff’s managing partner, an email stating, “Jon I know you changed addresses.

Give me your wire transfer information to which to wire funds.” Id., ¶ 30; see also id., Exh. 1

(July 16, 2019, Email from Brian McTigue to Jon Axelrod). Axelrod responded with his account

information at Eagle Bank, the only bank at which Beins, Axelrod maintained accounts. Id.,

¶¶ 31, 38; see also id., Exh. 2 (July 17, 2019, Email from Axelrod to McTigue).

       Enter thief, stage left. Later that afternoon, McTigue received an e-mail that appeared to

be from Axelrod stating, “So sorry about the mix up. Use the account below instead of the one

sent earlier.” Id., ¶ 39; see also id., Exh. 4 (July 17, 2019, Email from Axelrod to McTigue). The

message then provided wiring instructions for a Citibank account. Id. McTigue forwarded that

information to Analytics, which sent the $60,354.67 payment to the Citibank account. Id.,

¶¶ 42–44. The following day, Axelrod followed up with McTigue, inquiring as to when the

promised funds would arrive. Id., ¶¶ 45–46; see also id., Exh. 6 (July 18, 2019, Email from

Axelrod to McTigue). McTigue responded that the funds had already been wired. Id., ¶ 49; see

also id., Exh. 7 (July 18, 2019, Email from McTigue to Axelrod). He also promised to wire

Axelrod an additional $8,000 for a separate matter. Id. The following morning, Axelrod called

McTigue to inquire again about the status of these two payments, and McTigue responded that he




                                                2
had wired them both to the “Citibank Account.” Id., ¶ 50. (It appears that McTigue was later

able to claw back the $8,000 wire. Id., ¶ 52.)

        A bewildered Axelrod, who did not know of the existence of a Citibank account, soon

realized that his email had been hacked. Id., ¶ 59. Plaintiff alleges that the hacker managed to

gain access to Axelrod’s email, re-direct McTigue’s emails to a separate account, and then

supply the Citibank account information as if it had come from Axelrod himself. Id. Axelrod

journeyed to the nearest Citibank branch with the hacker’s wiring instructions in hand. Id., ¶ 56.

A bank teller confirmed the account’s existence, explained that there was no money remaining in

it, and refused to divulge any further information. Id., ¶ 57.

        Plaintiff has pursued a variety of avenues of relief. It immediately filed a criminal

complaint –– which thus far has not led to any law-enforcement action –– and a month later,

filed an insurance claim, which was denied. Id., ¶¶ 61–63. On December 20, 2019, it filed the

present action. See ECF No. 1 (Complaint). The Amended Complaint asserts common-law

negligence, fraud, and breach-of-contract claims against various involved parties. See Am.

Compl., ¶¶ 72–107. As relevant here, Plaintiff also brings one claim under the CFAA, see 18

U.S.C. § 1030, against Defendant Citigroup Inc. See Am. Compl., ¶¶ 64–71. Citigroup has now

filed a Motion to Dismiss, which Plaintiff has opposed.

II.     Legal Standard

        Federal Rule of Civil Procedure 12(b)(6) provides for the dismissal of an action where a

complaint fails “to state a claim upon which relief can be granted.” Although “detailed factual

allegations” are not necessary to withstand a Rule 12(b)(6) motion, “a complaint must contain

sufficient factual matter, accepted as true, to ‘state a claim to relief that is plausible on its

face.’” Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009) (quoting Bell Atl. Corp. v. Twombly, 550




                                                    3
U.S. 544, 570 (2007)). For a plaintiff to survive a 12(b)(6) motion, the facts alleged in the

complaint “must be enough to raise a right to relief above the speculative level.” Twombly, 550

U.S. at 555.

       In evaluating Defendant’s Motion to Dismiss, the Court must “treat the complaint’s

factual allegations as true, and must grant plaintiff ‘the benefit of all inferences that can be

derived from the facts alleged.’” Sparrow v. United Air Lines, Inc., 216 F.3d 1111, 1113 (D.C.

Cir. 2000) (citation omitted) (citing Leatherman v. Tarrant Cty. Narcotics Intelligence and

Coordination Unit, 507 U.S. 163, 164 (1993) (quoting Schuler v. United States, 617 F.2d 605,

608 (D.C. Cir. 1979)). The Court need not accept as true, however, “a legal conclusion couched

as a factual allegation,” nor an inference unsupported by the facts set forth in the Complaint.

Trudeau v. FTC, 456 F.3d 178, 193 (D.C. Cir. 2006) (quoting Papasan v. Allain, 478 U.S. 265,

286 (1986)). Finally, even at the Rule 12(b)(6) stage, a court can review “documents attached as

exhibits or incorporated by reference in the complaint” or “documents upon which the plaintiff’s

complaint necessarily relies.” Ward v. D.C. Dep’t of Youth Rehab. Servs., 768 F. Supp. 2d 117,

119 (D.D.C. 2011) (internal quotation marks and citations omitted).

III.   Analysis

       In moving to dismiss, Citigroup argues that Plaintiff named the wrong entity as a

Defendant in this action and that, alternatively, the Amended Complaint fails to state a claim

under the CFAA. The Court agrees on both counts.

       First, Defendant erred in naming Citigroup instead of its subsidiary, Citibank, as a

Defendant in the Amended Complaint. As explained above, the Complaint only contains

allegations regarding Citibank, which Plaintiff does not dispute is a separate legal entity from

Citigroup. See ECF No. 10 (Def. MTD) at 5–6. Generally, a corporation, even if a subsidiary,




                                                   4
“is treated as a separate and distinct juridical entity, independent of its owner.” Alkanani v.

Aegis Def. Servs., LLC, 976 F. Supp. 2d 1, 8 (D.D.C. 2013). Only in unique circumstances may

a parent company be held liable for the actions of its subsidiary, such as where the parent

“dominate[s]” the subsidiary and the “affairs of the group [are] so intermingled that no distinct

corporate lines are maintained.” Transamerica Leasing, Inc. v. La Republica de Venezuela, 200

F.3d 843, 849 (D.C. Cir. 2000) (quoting NLRB v. Deena Artware, Inc., 361 U.S. 398, 403

(1960)). Plaintiff has not attempted to provide factual support for a theory of relief predicated on

the interconnectedness of Citigroup and Citibank, and it has, in fact, conceded that it likely

named the incorrect party. See ECF No. 11 (Pl. Opp.) at 1.

       In any event, the Amended Complaint fails to state a claim under the CFAA against

either Citigroup or its subsidiary, Citibank. “The CFAA was enacted in 1984 to enhance the

government’s ability to prosecute computer crimes.” LVRC Holdings LLC v. Brekka, 581 F.3d

1127, 1130 (9th Cir. 2009). While the Act is a criminal statute, subsection (g) “provides a civil

cause of action to ‘any person who suffers damage or loss by reason of a violation’ of the

CFAA,” if the purported violation satisfies certain enumerated factors. Lewis-Burke Assocs.,

LLC v. Widder, 725 F. Supp. 2d 187, 191 (D.D.C. 2010) (quoting 18 U.S.C. § 1030(g)).

       Plaintiff first points to the CFAA provision that criminalizes “knowingly and with intent

to defraud, access[ing] a computer without authorization, or exceed[ing] authorized access, and

by means of such conduct further[ing] the intended fraud and obtains anything of value, unless

the object of the fraud and the thing obtained . . . is not more than $5,000 in any 1-year period.”

18 U.S.C. § 1030(a)(4). According to the Amended Complaint, Citibank “aided and abetted” the

hacker in violating this CFAA provision and thereby “conspir[ed]” with the hacker to commit a




                                                 5
crime established by the CFAA. See Am. Compl., ¶ 71; see also 18 U.S.C. § 1030(b)

(criminalizing conspiracy and attempt to commit CFAA offenses).

       In support of this claim, Plaintiff argues that “the bank’s maintenance of an account that

was used (possibly solely) for criminal purposes puts it at liability under the CFAA.” Pl. Opp. at

2. This is so because “[t]he funds did not end up in the Citibank account against Citibank’s will.

Citibank must have taken some overt steps to allow [John] Doe to have an account and to use it

[to] deposit criminally obtained funds.” Id. In other words, the bank provided “assistance” to

the hacker by maintaining the account and “transfer[ring] the stolen funds out of it.” Id.

Plaintiff provides the following colorful analogy:

               [T]he bank was the farmer who provided a temporary safe harbor
               for the robber’s loot. Maybe the farmer didn’t know exactly where
               the money came from, but if unfamiliar people wearing ski masks
               keep knocking on his door asking to hide bags of cash in its barn for
               a few days in exchange for a few of the twenties in the bag, the law
               might have reason to hold the farmer accountable

Id.

       As a threshold matter, the bank cannot be held liable under the theory that it conspired

with the hacker given the absence of an allegation of an agreement (or course of conduct

indicating one) between Citibank and the hacker to violate the CFAA. See United States v.

Mellen, 393 F.3d 175, 184 (D.C. Cir. 2004). Plaintiff instead appears to be pursuing an

accomplice theory of liability. As the Supreme Court has explained, accomplice liability

“reflects a centuries-old view of culpability: that a person may be responsible for a crime he has

not personally carried out if he helps another to complete its commission.” Rosemond v. United

States, 572 U.S. 65, 71 (2014).

       A key element of establishing aiding-and-abetting (or conspiracy) liability, however, is

demonstrating the requisite mens rea (state of mind) of the perpetrator. Id. at 77. Courts have



                                                 6
instructed juries that a person may be criminally liable as an accomplice under CFAA if he

“knowingly and intentionally aided, counseled, commanded, induced or procured [a] person to

commit each element of the crime . . . with the knowledge and intention of helping that person

commit the crime.” United States v. Nosal, 844 F.3d 1024, 1039 (9th Cir. 2016). To be sure, “a

statutory requirement that a criminal defendant acted ‘knowingly’ is not limited to positive

knowledge, but includes the state of mind of one who does not possess positive knowledge only

because he consciously avoided it.” Id. Under this standard, “[t]he finder of fact may infer that

a defendant acted knowingly if he deliberately closed his eyes to what otherwise would have

been obvious to him and did not act through ignorance, mistake, or accident,” a state of mind

often referred to as willful blindness. See Cooper v. Nat’l Transp. Safety Bd., 660 F.3d 476, 483

(D.C. Cir. 2011).

       Plaintiff here, however, has failed to plead Defendant’s knowing involvement in the

scheme, even under a willful-blindness theory. Willful blindness is distinct from mere

recklessness or negligence: “(1) The defendant must subjectively believe that there is a high

probability that a fact exists and (2) the defendant must take deliberate actions to avoid learning

of that fact.” Glob.-Tech Appliances, Inc. v. SEB S.A., 563 U.S. 754, 769 (2011). Plaintiff

does not provide any facts that indicate that the bank “closed its eyes” to the hacker’s obvious

crime. Id. at 767 n.7. For example, it does not allege any unusual activity that might have

raised the bank’s suspicion or any vetting irregularities, let alone the existence of “critical facts”

that the Defendant “deliberately shield[ed]” itself from. See Rundquist v. Vapiano SE, No. 09-

2207 2013 WL 12320782, at *4 (D.D.C. Mar. 19, 2013) (alteration in original).

       Returning to Plaintiff’s analogy, a bank that allows a private party to open an account to

which funds are improperly transferred is not akin to a farmer who, in exchange for a bribe,




                                                   7
provides refuge to a group of strangers wearing ski masks and carrying bags of cash. Were it

otherwise, whenever a thief used an unwitting bank in connection with his criminal scheme, the

bank would be both criminally and civilly liable for the offense, regardless of the surrounding

circumstances. Plaintiff’s claim against Citigroup must therefore be dismissed at this stage.

IV.    Conclusion

       For the forgoing reasons, the Court will grant Defendant’s Motion to Dismiss without

prejudice. A separate Order so stating will issue this day.




                                                              /s/ James E. Boasberg
                                                              JAMES E. BOASBERG
                                                              United States District Judge
Date: April 23, 2020




                                                 8
