Searching over 5,500,000 cases.

Buy This Entire Record For $7.95

Download the entire decision to receive the complete text, official citation,
docket number, dissents and concurrences, and footnotes for this case.

Learn more about what you receive with purchase of this case.

Peterson v. Aaron's, Inc.

United States District Court, N.D. Georgia, Atlanta Division

October 3, 2017

MICHAEL PETERSON, et al., Plaintiffs,
AARON'S, INC., et al., Defendants.



         This is a tort action in which the Plaintiffs Michael Peterson and Matthew Lyons allege that the Defendant Aspen Way Enterprises, Inc., a franchisee of the Defendant Aaron's, Inc., unlawfully accessed their computers from a remote location and collected private information stored therein. It is before the Court on the Defendant Aaron's, Inc.'s Motion for Summary Judgment [Doc. 144] and the Defendant Aspen Way Enterprises, Inc.'s Motion for Summary Judgment [Doc. 152]. For the reasons set forth below, Aaron's Motion for Summary Judgment [Doc. 144] is GRANTED and Aspen Way's Motion for Summary Judgment [Doc. 152] is GRANTED in part and DENIED in part.

         I. Background

         The Defendant Aaron's franchises independently-owned stores that are in the business of, inter alia, selling and leasing consumer electronics.[1] The Plaintiff Matthew Lyons - an Oklahoma resident - entered into a lease agreement to rent laptop computers from Aspen Way - a Montana-based franchisee of Aaron's.[2] The Plaintiffs contend that Mr. Lyons entered into the lease agreement on behalf of his law firm, Peterson & Lyons, LLC. The Plaintiff Michael Peterson - a Colorado resident - was the other named partner at the law firm, which is now defunct.[3]

         The Plaintiffs allege that Aspen Way remotely accessed their computers and captured private information. They contend that Aspen Way was able to obtain their private information through a spyware software program named PC Rental Agent (“PCRA”), which was installed on their computers without their consent.[4] Aspen Way directly licensed PCRA from a third-party developer, and its primary function was to locate and shut down a computer in the event of theft or missed payment.[5]

         The software also had an optional function called “Detective Mode.” When activated, Detective Mode could collect screen shots, keystrokes, and webcam images from the computer.[6] On October 21, 2010, Aspen Way installed and activated Detective Mode on Lyons' rented computer, and continued to use Detective Mode until February 7, 2011.[7] Aaron's, meanwhile, contends that it was unaware of Aspen Way's use of Detective Mode whatsoever until May 2011.[8]

         The Plaintiffs originally filed their Complaint as a class action against both Aaron's and Aspen Way, alleging common law invasion of privacy, aiding and abetting, unjust enrichment, and violations of the Georgia Computer Systems Protection Act (“GCSPA”). Eventually the Court dismissed the unjust enrichment and GCSPA claims, [9] and denied the Plaintiffs' Motion to Certify.[10] Aaron's now moves for summary judgment on the Plaintiffs' single claim against it for aiding and abetting Aspen Way's alleged intrusion upon seclusion.

         II. Legal Standard

         Summary judgment is appropriate only when the pleadings, depositions, and affidavits submitted by the parties show no genuine issue of material fact exists and that the movant is entitled to judgment as a matter of law.[11] The court should view the evidence and any inferences that may be drawn in the light most favorable to the nonmovant.[12] The party seeking summary judgment must first identify grounds to show the absence of a genuine issue of material fact.[13] The burden then shifts to the nonmovant, who must go beyond the pleadings and present affirmative evidence to show that a genuine issue of material fact does exist.[14] “A mere ‘scintilla' of evidence supporting the opposing party's position will not suffice; there must be a sufficient showing that the jury could reasonably find for that party.”[15]

         III. Discussion

         A. Standing

         Prerequisite to any action, a plaintiff must show that he has standing to bring a claim. There are three elements to standing: “First, [the plaintiff] must show that he has suffered an ‘injury-in-fact.' Second, the plaintiff must demonstrate a causal connection between the asserted injury-in-fact and the challenged action of the defendant. Third, the plaintiff must show that ‘the injury will be redressed by a favorable decision.'”[16]

         Aspen Way challenges the Plaintiffs' standing with regard to the first required element: injury. The Supreme Court has said that a plaintiff must show “he or she suffered ‘an invasion of a legally protected interest' that is ‘concrete and particularized' and ‘actual or imminent, not conjectural or hypothetical.'”[17] For reasons similar to those contained in the Court's previous Order, [18] it is clear that at least one plaintiff, Michael Peterson, has not met this standard. Peterson was not on the lease, Lyons was.[19] The Plaintiffs have failed to demonstrate any “legally protected interest” Peterson had in the laptop at all.

         Regarding Lyons, Aspen Way argues that simply because his rights were violated does not necessarily mean he suffered an injury. In support of its argument, Aspen Way cites three cases: Spokeo, Inc. v. Robins, 136 S.Ct. 1540, 1543 (2016), Reilly v. Ceridian Corp., 664 F.3d 38 (3d Cir. 2011), and Storm v. Paytime, Inc., 90 F.Supp.3d 359 (M.D. Pa. 2015). All three cases, however, are different from this case in at least one significant respect: the nature of the right violated.

         In Spokeo, the defendant was a technology company that operated a search engine which allowed users to find out publicly available personal information about individuals.[20] The plaintiff eventually discovered that his personal search results contained inaccurate information, which he argued violated the Fair Credit Reporting Act of 1970 (“FCRA”).[21] The Supreme Court found that the plaintiff did not show enough of a concrete injury to have standing for two reasons. First, the Court said that bare procedural violations of the FCRA - like a failure to provide notice - do not necessarily result in harm.[22] “For example, even if a consumer reporting agency fails to provide the required notice to a user of the agency's consumer information, that information regardless may be entirely accurate.”[23] Second, using the example of an incorrect zip code listing, the Court said that “not all inaccuracies cause harm or present any material risk of harm.”[24] In other words, the Court merely reiterated the truism that violations of rights do not necessarily entail actual harm.

         The other two cases, Reilly and Storm, were data breach cases in which the plaintiffs feared that their identities were stolen after their personal information had been exposed in a data breach. The courts in those cases found that the fear of future harm did not necessarily give them standing. In the words of the Reilly court, “[u]nless and until [identity theft occurs], Appellants have not suffered any injury; there has been no misuse of the information, and thus, no harm.”[25]

         By contrast, the rights violated in those cases are substantially different than that violated in this case. In Spokeo, it was the plaintiff's right to have certain procedures followed under the FCRA. In the data breach cases, it was the plaintiffs' right to due care on the part of the defendants. In this case, however, it was Lyons' right to privacy that was violated. A violation of the right to privacy necessarily entails an injury. If a voyeur installs a camera in a person's home, or opens their mail, the victim suffers a harm as soon as their privacy is violated. That remains true whether or not the tortfeasor does anything with the information collected; indeed, it remains true whether the victim knows about it or not.[26]

         In this case, as soon as Aspen Way activated Detective Mode and screenshots were taken and keystrokes logged, Lyons suffered a harm. And unlike plaintiffs in other data collection cases, [27] Lyons did not consent to the collection of his data, nor did he give it willingly to Aspen Way.[28] Lyons has sufficiently demonstrated that he suffered an injury-in-fact and therefore has standing to pursue his claims against the Defendants.

         B. Choice of Law

         This case is before the Court based on diversity jurisdiction. The Court therefore looks to Georgia's choice of law requirements to determine the appropriate rules of decision.[29] Georgia follows the traditional approach of lex loci delecti in tort cases, which generally applies the substantive law of the state where the last event occurred necessary to make an actor liable for the alleged tort.[30] Usually, this means that the “law of the place of the injury governs rather than the law of the place of the tortious acts allegedly causing the injury.”[31]

         Lyons accuses Aspen Way of intruding upon his seclusion, and Aaron's of aiding and abetting that intrusion. The injury is to his privacy, and the nature of the right to privacy being what it is, it follows that any injury that occurred to Lyons occurred wherever he was located at the time of the injury.[32] At the time Aspen Way accessed his computer, Lyons was residing in Oklahoma. As such, the Court will apply Oklahoma law.[33]

         C. Intrusion Upon Seclusion Claim Against Aspen Way

         Aspen Way moves for summary judgment on Lyons' intrusion upon seclusion claim. Oklahoma has adopted the Restatement (Second) of Torts for claims of intrusion upon seclusion.[34] Section 652B of the Restatement (Second) of Torts defines intrusion upon seclusion as “intentionally intrud[ing], physically or otherwise, upon the solitude or seclusion of another or his private affairs or concerns...if the intrusion would be highly offensive to a reasonable person.” To sustain the tort claim, the Plaintiff must therefore prove two elements: (1) an intrusion upon his privacy, and (2) that a reasonable person would find it highly offensive.

         1. Reasonable Expectation of Privacy

         Aspen Way first argues that it did not intrude upon Lyons' privacy because Lyons did not have a reasonable expectation of privacy in the computer. In particular, Aspen Way points to the fact that the computer was leased, that it was used for business and not personal reasons, and that Lyons was in default on his payments. None of these reasons, however, means that Lyons did not have a reasonable expectation of privacy in his use of the computer.

         Though the property rights of lessees and owners differ in many respects, they do not differ in their right to privacy. A lessee in possession of property expects reasonably similar levels of privacy as an owner.[35] So the fact that Lyons was a lessee, and not the owner of the property, does not on its own mean he lacked a reasonable expectation of privacy.

         Nor is that expectation undermined by the fact that he used the computer for business purposes. It is true that, generally speaking, employees have less privacy expectations in their work computers than in their personal computers.[36] But the cases which state that rule are generally dealing with either employer-employee relationships or searches by the government.[37] This case, by contrast, is not between Lyons and his firm. Indeed, it is not the firm's computer at all; Lyons was the lessee. The fact that he allowed others to use his leased computer may reduce his expectation of privacy with regard to those users, but it does not diminish his privacy rights vis-avis a third party. To adopt the Defendant's approach would mean that granting access to some people necessarily means granting access to all people. Such an outcome would be absurd.

         Aspen Way's final argument suggests that Lyons lost any expectation of privacy in the computer because he defaulted in his payments on the lease, but even this does not necessarily excuse all of Aspen Way's alleged actions. First, there seems to be a dispute about if and when Lyons was actually in default.[38] That dispute alone demonstrates that there is a genuine issue about a material fact, for if Lyons was never in default (or was only in default for a portion of the time Detective Mode was activated), then Lyons certainly had a reasonable expectation of privacy regarding his use of the computer. But even assuming arguendo that Lyons was in default for the entirety of the time Detective Mode was activated, that is still not necessarily enough to show that he abandoned any expectation of privacy. Aspen Way argues that because Colorado law allowed it to take immediate possession of the computer once Lyons defaulted, Lyons no longer had a reasonable expectation of privacy in the contents of the computer. In support, Aspen Way cites a dissent in People v. Sotelo, 336 P.3d 188 (Colo. 2014)[39] which surveyed cases in other jurisdictions that found there was no reasonable expectation of privacy in personal effects contained in items such as a stolen car or a fraudulently obtained computer.[40] But Sotelo actually undermines Aspen Way's argument for two reasons.

         First, all three of those cases surveyed by the Sotelo dissent are substantively different than this case because of the defendants' states of mind. The defendants in those cases were thieves. By contrast, Lyons was a lessee in default. Thieves and defaulting lessees have qualitatively different states of mind with regard to the property, and therefore different expectations of privacy. A thief knows that he has no claim to the property in question. A lessee, on the other hand, may not even be aware that he is in default. Checks may have gotten lost in the mail or notices may never have been sent.[41]

         Second, the majority opinion in Sotelo actually supports Lyons' position. The defendant in Sotelo had been pulled over in a rental car she was not authorized to drive.[42] While searching the car, the officer found gift-wrapped boxes in the car and asked to search them.[43] After the defendant refused, the officer eventually obtained a warrant to search the boxes, but not until hours after the original stop.[44] The search discovered that the gift boxes were actually disguising vacuum sealed bags filled with marijuana.[45] The Sotelo court eventually said that while the defendant had no reasonable expectation of privacy in the car itself, given that she was unauthorized to drive it, she did have a legitimate expectation of privacy in the gift-wrapped packages because “society would recognize Sotelo's expectation of privacy in the gift-wrapped packages as reasonable...[i]ndeed, the reason packages are gift-wrapped is to conceal their contents.”[46] Likewise, people protect their computers and digital files with passwords because they want to protect them from the view of others. If anything, therefore, Sotelo suggests that Lyons too had a legitimate expectation of privacy in his files, keystrokes, and use of the internet despite the fact that he was in default on the computer he was using to accomplish those tasks.

         Aspen Way's authority to repossess the computer makes no difference. Being the true owner did not entitle Aspen Way to spy on the person it was trying to repossess the computer from. Lyons' default certainly would have allowed Aspen Way to shut down the computer, or maybe even to use location tracking software in an effort to repossess it. But the other aspects of Detective Mode, the capturing of keystrokes and screenshots, serve no legitimate purpose in repossessing the computer. Defaulting on a rental payment may allow a landlord to repossess a home from a tenant, but it does not allow him to set up cameras to spy on the activities of the tenants. Likewise, if a company defaults on its commercial lease, the landlord may also repossess the property, but the landlord may not break in without the company's knowledge and start going through its files. In other words, wrongdoing vitiates privacy expectations only to the extent of the wrongdoing. It does not eliminate privacy expectations altogether.[47]

         The methods used for repossession must be reasonably related to their end. In this way, the line between reasonable and unreasonable expectations of privacy in the default context is largely influenced by whether the means of repossession are themselves reasonable or not. The Court finds that shutting down the computer or using GPS tracking would have been reasonably related to Aspen Way's goal of repossessing the computer, and if Lyons was in default, he should have expected Aspen Way would take such action. Capturing keystrokes and screenshots, however, served no legitimate purpose in repossessing the computer. Therefore, it would be possible for a jury to find that Lyons still had a reasonable expectation of privacy which Aspen Way violated.

         2. Offensive Nature of the Intrusion

         Aspen Way then argues that even if Lyons had a reasonable expectation of privacy in the computer, it still did not intrude upon that privacy in a way that constituted tortious conduct. Under Oklahoma law, an intrusion upon a person's privacy is tortious only “if the intrusion would be highly offensive to a reasonable person.”[48] As alluded to above, the offensiveness of the intrusion is often directly tied to how reasonable the expectation of privacy is. However, the degree of offensiveness of the conduct is generally a question for the jury.[49] In this case, the ...

Buy This Entire Record For $7.95

Download the entire decision to receive the complete text, official citation,
docket number, dissents and concurrences, and footnotes for this case.

Learn more about what you receive with purchase of this case.