Author: Scripta Ad Astra Staff
This is the third part of three part-series on federal district court opinions in California regarding the CFAA. The first part of this series can be found here. The second part of this series can be found here.
Overall, California district courts have regularly followed the holdings in Nosaland Brekka regarding “use” versus “access.” In summary, courts in the Ninth Circuit have generally held that the CFAA does not prohibit misusing information, such as in a trade secrets misappropriation violation: if you are allowed to access information, what you do with that information is not a violation of the CFAA, even if it is contrary to the interests of your employer. On the other hand, if were not allowed to access information – say you quit or were fired – then a CFAA claim could likely withstand Ninth Circuit scrutiny.
It will be interesting to see how the courts make their decisions, especially as the divide between employment-based CFAA claims (“inside hacker” claims) and non-employment-based (external “hacker” claims) become more prevalent. Of course, you can always come back to Scripta Ad Astra to read about the latest CFAA, computer crimes, and cyber security developments.
NetApp, Inc. v. Nimble Storage, 2014 U.S. Dist. LEXIS 65818 (N.D. Cal. May 12, 2014)
Judge: Lucy H. Koh, United States District Judge.
Plaintiff NetApp, Inc. filed suit against Defendants Nimble Storage, Inc. (“Nimble”), a competitor of NetApp, some former NetApp employees, and Michael Reynolds, who used to work at Thomas Duryea Consulting (“TDC”). NetApp alleges that when it contracted with TDC, it provided Reynolds with access to NetApp’s computer systems and other information. In April 2013, Reynolds left TDC, but continued to access NetApp’s databases from June 2013 through August 2013, where he used confidential, proprietary information to solicit business for Nimble.
Allegations Against Reynolds
With respect to the CFAA, defendant Reynolds argued that NetApp did not plead any facts supporting that he was acting “without authorization” or had “exceeded authorized access” because his access to NetApp’s system was never revoked, even after he stopped working for TDC, and thus did not breach any “technological barriers.”
NetApp argued that “CFAA liability does not require circumvention of any technological barriers, and that Reynolds lost his permission to access NetApp’s systems (and knew that he lost that permission) as soon as he left TDC and no longer performed services for NetApp.”
Relying on LVRC Holdings LLC v. Brekka, 581 F.3d 1127 (9th Cir. 2009),United States v. Nosal, 676 F.3d 854 (9th Cir. 2012), and Weingand v. Harland Financial Solutions, Inc., 2012 U.S. Dist. LEXIS 84844 (N.D. Cal. June 19, 2012), among other cases, the court held that to state a claim under the CFAA it was not necessary to plead circumvention of a technological barrier, especially when such access to the information was performed after termination of contract or employment.
The NetApp court next considered whether the CFAA needed to be pled with particularity as consistent with the fraud pleading standards of Fed. R. Civ. P. 9(b). The court concluded that the CFAA does not need to meet the same pleading standards required under Rule 9(b) as (1) Sections 1030(a)(2) and (a)(5) do not reference “fraud”; (2) most CFAA cases in the Northern District have not applied the Rule 9(b) pleading standard; and (3) even under Section 1030(a)(4), which does mention “fraud,” the heightened pleading standard is only applicable when the claim itself is grounded in patterns of fraudulent conduct.
Reynolds lastly argued that NetApp failed to plead any “damage” under the CFAA with respect to Section 1030(a)(5) (but not Sections 1030(a)(2) and (a)(4), which requires “damage” to a plaintiff’s computer systems. The court held that “damage” means harm to computers or networks, not economic harm due to the commercial value of the data itself. As NetApp only alleged that Reynolds accessed its databases without permission, not that he damaged any systems or destroyed any data, it did not properly plead the damages element under the CFAA with respect to its Section 1030(a)(5) claim.
Allegations Against Nimble
NetApp alleges that Nimble violated the CFAA under two theories: (1) Nimble is vicariously liable for Reynolds’s acts, and (2) Nimble conspired with Reynolds. The court denied both of these claims.
With respect to the first theory, while the court acknowledged that courts have held that an employer can be vicariously liable for an employee’s violations of the CFAA if those transgressions occur in the scope of employment or the employer directs the employee’s conduct, the court found no allegation that Nimble AUS was Nimble’s alter ego, or that Nimble directed Reynolds’s unauthorized access, and that even if Reynolds “used” stolen information “on behalf of Nimble,” it would not establish that Reynolds violated the CFAA at Nimble’s behest.
With respect to conspiracy, the court stated that other courts have required specific allegations of an agreement and common activities to state a conspiracy claim. The court found that NetApp did not allege specific enough facts to indicate conspiracy other than bare facts, and thus dismissed the allegation with leave to amend.
Opperman v. Path, Inc., 2014 U.S. Dist. LEXIS 67225 (N.D. Cal. May 14, 2014)
Judge: Jon S. Tigar, United States District Judge.
Plaintiffs are a class action of consumers. With the exception of Apple, defendants are app developers (“App Defendants”). In short, plaintiffs allege that the App Defendants’ apps have been surreptitiously stealing and disseminating the contact information stored by customers on Apple devices. Plaintiffs bring their CFAA claims against the App Defendants only.
With respect to the CFAA, the court affirmed that they key issue is whether defendants accessed plaintiffs’ computers “without authorization.” Because the plaintiffs had voluntarily downloaded the software applications in question, defendants had not operated “without authorization” in violation of the CFAA. See, e.g., iPhone I, 2011 U.S. Dist. LEXIS 106865, (“Where the software that allegedly harmed the phone was voluntarily downloaded by the user, other courts in this District and elsewhere have reasoned that users would have serious difficulty pleading a CFAA violation.”).
Flextronics Int’l, Ltd. v. Parametric Tech. Corp., 2014 U.S. Dist. LEXIS 73354 (N.D. Cal. May 28, 2014)
Judge: Paul S. Grewal, United States Magistrate Judge.
Plaintiff Flexatronics International, Ltd. (“Flexatronics”) and Defendant Parametric Technology Corporation (“PTC”), executed an “Enterprise Agreement,” which granted Flextronics a license to use PTC’s software on its computers. PTC brought to Flexatronics attention that Flexatronics was using unauthorized copies of PTC’s software on its systems. In response, Flexatronics began an investigation and discovered that PTC had “concealed certain embedded technology in the PTC software” that it was using to access, obtain and transmit information in, from and about Flextronics’ system back to PTC.
PTC challenges Flextronics’ CFAA claim on two grounds: (1) the complaint does not show that Flextronics suffered a “loss” of at least $5,000, and (2) Flextronics fails to allege facts indicating that PTC accessed its system “without authorization” or “in a manner that exceeds authorized access.”
With respect to the “loss” requirement, the court found that Flexatronics had all alleged that its investigation and response to PTC’s actions imposed costs and expenses to Flexatronics in excess of $5,000 in a single year, thus meeting the CFAA’s loss requirement.
Regarding the second issue, the court noted that in its amended complaint, plaintiff provided specific allegations that “‘[w]ithout notice to or authorization from Flextronics, PTC has concealed certain embedded technology in the PTC software provided to Flextronics [and] used that hidden technology to access, obtain, and transmit information in Flextronics’ computers that PTC is not entitled to access, obtain, or transmit,’ followed by almost five pages of details about how it does so.”
While PTC argued that it could not be held liable under the CFAA because Flexatronics voluntarily installed PTC’s software, the court noted that while this argument may suffice as a defense to a “without authorization” claim, it does not necessarily have the same impact on a “exceeds authorized access” argument. The court then noted that Flexatronics listed the types of information to which PTC gained access, and specifically stated in its amended complaint that “PTC is not entitled to access, obtain, alter, or transmit” that information, and thus had stated sufficient information state claims under Rule 12(b)(6).
New Show Studios LLC v. Needle, 2014 U.S. Dist. LEXIS 90656 (C.D. Cal. June 30, 2014)
Judge: Christina A. Snyder, United States District Judge
Plaintiffs New Show Studios LLC, Anthony Valkanas, and Davison Design & Development, Inc. filed suit against defendants James Needle and Greg Howe. Plaintiffs allege that Needle agreed to supply Howe with New Show’s confidential client data and propriety information for the purposes of persuading New Show’s clients to breach their contracts with New Show and provide their business to one of New Show’s competitors, Television Writer’s Vault.
The court found that the plaintiffs failed to state a claim under the CFAA for two reasons. First, plaintiffs did not allege that defendants accessed a computer. Reminding the parties that the CFAA is not simply a misappropriation statute (citing Nosal), the court pointed out that while plaintiffs allege that their information was taken – information that may have been stored on a computer at one point – plaintiffs did not allege that defendants accessed a computer in order to obtain this information.
Secondly, the court noted that plaintiffs failed to allege that they suffered any “loss” as defined by the CFAA, which the court noted “must be the result of ‘damage to the computer system that was accessed without authorization.” Plaintiffs, in contrast, only pled that they lost “competitive benefit” to their competitor. The court noted that simply alleging that defendants “obtained a thing of value” was insufficient to support a claim of “loss.”