Opinion Roundup: California District Courts and the Computer Fraud and Abuse Act – January 2014 through June 2014 – Part Two

Author: Scripta Ad Astra Staff

This is part two of a three-part series on federal district court opinions in California related to the CFAA.  The first part can be found here.  The third part will be posted on Friday, July 25, 2014.  Stay tuned and check it out.

Enki Corp. v. Freedman, 2014 U.S. Dist. LEXIS 9169 (N.D. Cal. Jan. 23, 2014)
Judge: Paul S. Grewal, United States Magistrate Judge.

The issue in Enki is whether defendant Keith Freedman, a former employee of plaintiff Enki Corp., and his current employer, co-defendant Zuora, Inc., can be held liable for violations of the CFAA for using a customer’s working log-in credentials to access Enki’s scripts.

Enki’s facts are rather convoluted: Freedman, a former 12% stakeholder of Enki, left the firm in 2011.  Shortly after, Enki hired Zuora to provide cloud computing and IT consulting services.  As part of this arrangement, Enki installed Nimsoft on Zuora’s network.  Nimsoft is a “software based system monitor” used to monitor computer resources and performance.  Scripts are typically programs written for a particular runtime environment, such as Unix.

Enki then hired Freedman, and his company, Freeform, to provide services for Zuora.  Freedman then began to spread negative stories about Enki to Zuora, which led to his termination by Enki.  Freedman was, however, then hired by Zuora directly.

In February 2013, Zuora terminated its contract with Enki “for convenience.”  Before the termination, however, Freedman and Zuora accessed the Nimsoft servers on Zuora’s network without authorization and copied Enki’s proprietary software, including Enki’s Nimsoft scripts, in order to terminate the contract and receive the benefits of Enki’s enterprise and technology without continuing to pay for Enki’s services.

The first issue was whether Enki’s costs in investigating the breach and remedying it qualify as a “loss.”  Looking at the statutory definition, which specifically lists “the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense,” (court’s emphasis) the court determined that Enki’s investigation costs qualified as “loss” because they were costs required to restore its systems to their original state.

Secondly, the court looked at whether defendants’ access of Nimsoft servers and copying of Enki’s proprietary software was “without authorization” or in “excess of [their] authorization.”  The court found it was not, because the complaint never alleged that Defendants were unauthorized to access the information in question. The complaint thus alleged an abuse of use, as opposed to an abuse of access, which Nosal has stated does not qualify as an excess of authorization under the CFAA.  See United States v. Nosal, 676 F.3d 854, 863 (9th Cir. 2012).  The CFAA claim was dismissed without prejudice, and the court granted leave to amend.

PQ Labs, Inc. v. Qi, 2014 U.S. Dist. LEXIS 11769 (N.D. Cal. Jan. 29, 2014)
Judge: Claudia Wilken, United States District Judge.

Plaintiff, PQ Labs, Inc., manufactures and develops hardware and software for computer touch-screen products.  PQ Labs alleged that between January 2011 and December 2011, defendants Yang Qi, Jinpeng Li, and ZaagTech sent several “phishing” e-mails to PQ Labs in violation of the CFAA.  These e-mails allegedly contained viruses which infected PQ Labs’ computer system.

In its opinion, the court reviewed whether there was sufficient evidence of economic loss to withstand summary judgment.  The issue in PQ Labs was more a legal one: whether a declaration submitted by the company’s CEO and co-founder, Frank Lu, after his deposition, was admissible even though it conflicted with his prior deposition testimony.

In his declaration, Lu stated that PQ Labs had received five emails containing malicious code in 2011, and that the company had to expend $36,000 in costs to mitigate the damage to the hardware and network, and $42,000 in consulting fees and service costs.  At his deposition, however, Lu was less certain, admitting some uncertainty about the cause of the network damage.

The court found that the testimony and the declaration did not “clearly and unambiguously” contradict each other. As such, the court held the declaration admissible, and that it contained sufficient evidence to support an inference that defendants violated the CFAA and were not entitled to summary judgment.

Quad Knopf, Inc. v. South Valley Biology Consulting, LLC, 2014 U.S. Dist. LEXIS 46985 (E.D. Cal. Apr. 3, 2014)
Judge: Anthony W. Ishii, Senior United States District Judge.

Plaintiff Quad Knopf, Inc., a consulting firm that provides professional services in the areas of, among other things, biology consulting, is suing defendants South Valley Biology Consulting (“SVBC”) and former staff biologists of Quad Knopf who were recruited to SVBC for violations of the CFAA. Plaintiff alleges that defendants, while employed by plaintiff, transmitted information from plaintiff’s computers without plaintiff’s consent, and that the information was then used by defendants to compete with plaintiff, causing plaintiff to suffer loss.

Citing United States v. Nosal, 676 F.3d 854, 860 (9th Cir. 2012), the court reminded the parties that the CFAA prohibits abuse of access to information, not abuse of information.  Plaintiff argued that defendants’ authorization to access the information in question ended when they began acting against the interests of Quad Knopf and instead in the interests of defendants’ competing company.

The court rejected this argument, affirming that duty of loyalty arguments and computer use restriction arguments are not accepted under Nosal and the Ninth Circuit.  The court noted that defendants were employed with plaintiff and did not exceed their access at the time of the taking.  Although defendants took the information and used it in an inappropriate manner contrary to plaintiff’s interest, they had permission to access it as employees, so the conduct did not constitute access “without authorization” under Nosal; it was merely a violation of a use restriction.
