RONALD B. LEIGHTON

HONORABLE RONALD B. LEIGHTON

ORDER GRANTING

DEFENDANT'S MOTION TO

DISMISS IN PART

(Dkt. #10)

THIS MATTER is before the Court on Defendant Vern Malpass's Motion to Dismiss (Dkt. #10). Malpass is a former employee of Plaintiff RoadLink Workforce Solutions, L.L.C. RoadLink says Malpass stole customer information and other proprietary resources from his work computer before he went to work for a competitor. RoadLink has sued him for violation of the Stored Communications Act, 1 U.S.C. § 2701 et seq., and the Computer Fraud and Abuse Act, 18 U.S.C. § 1030, as well as five state law claims.

Malpass seeks dismissal of the two federal claims under Fed. R. Civ. P. 12(b)(6). He argues that, even if RoadLink's allegations are true, his alleged actions do not raise a cause of action under the plain language of either statute. Malpass also argues that if the federal claims are dismissed, this Court does not have subject matter jurisdiction over the remaining claims. Because RoadLink has failed to allege facts that could show that Malpass violated either of the federal statutes, Malpass's Motion to Dismiss the Stored Communication Act and Computer Fraud and Abuse Act claims is GRANTED. However, because the Court retains supplemental jurisdiction (as well as diversity jurisdiction) over the remaining claims, Malpass's Motion to Dismiss the remaining claims for lack of subject matter jurisdiction is DENIED.

I. INTRODUCTION

RoadLink is a warehouse and workforce logistics company. RoadLink provides various services to its clients, including freight handling, warehousing, unloading of merchandise, and other ancillary services such as light maintenance and sanitation. One of RoadLink's largest clients is the Fred Meyer store in Chehalis, Washington. (Dkt. #1, Compl. at ¶10). Defendant Vern Malpass was a RoadLink employee for ten years, until he resigned on April 23, 2013. During that time, Malpass was promoted through the ranks of the company, serving a majority of his tenure as Site Manager at the Chehalis Fred Meyer. As Site Manager, Malpass was responsible for the day-to-day operations and financial management of RoadLink's Chehalis Fred Meyer site, including managing the 250 RoadLink employees at that site. (Dkt. # 1, Compl. at ¶ 12).

In order to complete his day-to-day duties as Site Manager, Malpass was issued a computer specifically for the Chehalis Fred Meyer site. On that computer, he maintained and updated RoadLink's Trade Resource files specific to the Chehalis Fred Meyer location, which included historical information on hiring needs, communications between RoadLink and the Chehalis Fred Meyer, communications between RoadLink and regional vendors, and other information concerning the operations of the site. Much of the information entered into the computer was stored only on the computer's hard drive, with some communications stored and backed up on the computer's Microsoft Outlook program linked to RoadLink's email system. (Dkt. #1, Compl. at ¶ 13).

At the beginning of 2013, Fred Meyer informed RoadLink it would be releasing a request for proposal in order to receive competitive bids for the services that RoadLink was providing at the Chehalis site. (Dkt. #1, Compl. at ¶ 21). Merit Integrated Logistics, one of RoadLink's competitors, sought to obtain at least a portion of the Chehalis Fred Meyer contract. On April 23, 2013—after it had already secured a piece of RoadLink's previous contract with the Chehalis Fred Meyer, but before it began performing on that contract—Merit offered Malpass employment as its Site Manager at the Chehalis Fred Meyer. (Dkt. #1, Compl. at ¶ 26). Malpass accepted the offer.

As part of his employment with RoadLink, Malpass had signed multiple non-compete, non-solicit, and confidentiality agreements. Nevertheless, before resigning at RoadLink, Malpass copied and permanently deleted Trade Resource files stored on the RoadLink-issued computer for the Chehalis Fred Meyer site.

On June 12, 2013, RoadLink filed its complaint against Malpass, alleging multiple state claims and two federal claims relating to his alleged copying and deleting of the Trade Resources files. The two federal claims are based on alleged violations of the Stored Communications Act, 18 U.S.C. § 2701, et seq., and the Computer Fraud and Abuse Act, 18 U.S.C. § 1030 et seq. RoadLink argues that Malpass has hacked and destroyed many RoadLink files that he was not authorized to access, raising claims under the two federal statutes.

Malpass moves to dismiss the federal claims under Fed. R. Civ. P. 12(b)(6). Malpass argues that his alleged actions do not raise a cause of action under the plain language of the statutes. Malpass also seeks to dismiss the remaining state law claims under Fed. R. Civ. P. 12(b)(1), arguing that the Court does not have subject matter jurisdiction over them once the federal claims are dismissed, because the complaint does not allege an amount in controversy exceeding $75,000.

This position is wrong as a matter of law. The Court has jurisdiction over the case under 28 U.S.C. § 1331 (federal question) and supplemental jurisdiction over the state law claims under 28 U.S.C. § 1367. Dismissal of the federal claims might cause the Court to decline to exercise its supplemental jurisdiction and to dismiss the claims under § 1367(c)(3)—unless, as is the case, the Court also has original diversity jurisdiction over the claims under 28 U.S.C. §1331. In no event, however, is it true that the court does not have subject matter jurisdiction over the claims asserted in Plaintiffs complaint.

II. DISCUSSION

A. Standard of Review

Dismissal under Fed. R. Civ. P. 12(b)(6) may be based on either the lack of a cognizable legal theory or the absence of sufficient facts alleged under a cognizable legal theory. Balistreri v. Pacifica Police Dep't, 901 F.2d 696, 699 (9th Cir. 1990). A complaint must allege facts to state a claim for relief that is plausible on its face. See Ashcroft v. Iqbal, 556 U.S. 662, 129 S. Ct. 1937, 1949 (2009). A claim has "facial plausibility" when the party seeking relief "pleads factual content that allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged." Id. Although the Court must accept as true the Complaint's well-pled facts, conclusory allegations of law and unwarranted inferences will not defeat an otherwise proper Fed. R. Civ. P. 12(b)(6) motion. Vasquez v. L.A. County, 487 F.3d 1246, 1249 (9th Cir. 2007); Sprewell v. Golden State Warriors, 266 F.3d 979, 988 (9th Cir. 2001). "[A] plaintiff's obligation to provide the 'grounds' of his 'entitle[ment] to relief' requires more than labels and conclusions, and a formulaic recitation of the elements of a cause of action will not do. Factual allegations must be enough to raise a right to relief above the speculative level." Bell Atl. Corp. v. Twombly, 550 U.S. 544, 555 (2007) (citations and footnote omitted). This requires a plaintiff to plead "more than an unadorned, the-defendant-unlawfully-harmed-me accusation." Iqbal, 129 S. Ct. at 1949 (citing Twombly).

B. Stored Communications Act

RoadLink alleges violation of the Stored Communication Act 18 U.S.C. § 2701, et seq. ("SCA"). The SCA creates criminal and civil liability for certain unauthorized access to stored communications and records. See Konop v. Hawaiian Airlines, Inc., 302 F.3d 868, 874 (9th Cir. 2002). The SCA creates a private right of action against anyone who "(1) intentionally accesses without authorization a facility through which an electronic communication service is provided; or (2) intentionally exceeds an authorization to access that facility; and thereby obtains, alters, or prevents authorized access to a wire or electric communication while it is in electronic storage in such system." 18 U.S.C. § 2701(a)(1) and (2); see id. § 2707 (creating a private right of action). The SCA's general prohibitions do not apply, however, "to conduct authorized (1) by the person or entity providing a wire or electronic communication service; [or] (2) by a user of that service with respect to a communication of or intended for that user." 18 U.S.C. § 2701(c).

RoadLink asserts that Malpass violated (a)(2) when he accessed the computer provided to him by RoadLink and copied and then permanently deleted information and emails contained on the computer. Malpass urges the Court to dismiss the claim because (1) the computer system that he accessed was not a "facility" through which an electronic communication service is provided; (2) the files contained on the computer hard drive and in Microsoft Outlook were not in "electronic storage," and; (3) even if the computer is determined to be a "facility" and the files were in "electronic storage," RoadLink "authorized" the access. Because Malpass's work computer was not a "facility" as defined by the SCA and because the files contained on the hard drive and Microsoft Outlook were not in "electronic storage," RoadLink has failed to state a claim under the SCA for which relief can be granted.

1. The Computer was not a Facility

"To state a claim under the SCA, Plaintiff must allege that Defendant accessed without authorization 'a facility through which an electronic communication service is provided." In re iPhone Application Litigation, 844 F.Supp.2d 1040, 1057 (N.D. Cal. 2012). The Act defines "electronic communication service" as "any service which provides to users thereof the ability to send and receive wire or electronic communications." 18 U.S.C. § 2510(15). The court in In re iPhone Application Litigation granted a motion to dismiss for failure to state a claim, holding that iOS devices were not facilities through which an electronic communication service is provided. 844 F.Supp.2d at 1057-58. The court followed the reasoning in Crowley v. CyberSource Corp, and Chance v. Ave. A, Inc., which held that including a personal computing device within the definition of "facility" rendered other parts of the SCA illogical. Id. at 1058; 166 F.Supp.2d 1263, 1271 (N.D. Cal.2001); 165 F.Supp.2d 1153, 1161 (W.D. Wash.2001). To avoid this illogical outcome, the courts have drawn a distinction between communication services providers and users. In In re iPhone Application Litigation, the court recognized that "the computer systems of an email provider, a bulletin board system, or an [internet service provider]" were providers, whereas the iPhone, iPod, and iPad, like a personal computer, were not. 844 F.Supp.2d at 1057-58.

Here, if the computer issued to Malpass was a "facility," then any web site accessed on the computer would be a user of the communication service provided by the computer, and consequently any communication between the individual computer and the web site is a communication "of or intended for" that web site, triggering the § 2701(c)(2) exception for authorized access. Instead, Malpass and others authorized to access the computer are the user and the computer would not classify as a facility for the purposes of § 2701(a). RoadLink provides no facts to suggest that the computer was a communication service provider.

2. Malpass did not Access Electronic Communications in Electronic Storage

To state a claim under the SCA, RoadLink must show not only that Malpass accessed a facility through which an electronic communication service is provided, but furthermore that Malpass "obtained, altered, or prevented authorized access to a wire or electronic communication while it was in electronic storage in the system." 18 U.S.C. § 2701(a). The SCA defines "electronic storage" as: (A) any temporary, intermediate storage of a wire or electronic communication incidental to the electronic transmission thereof; and (B) any storage of such communication by an electronic communication service for purposes of backup protection of such communication. 18 U.S.C. § 2510(17).

RoadLink alleges that Malpass destroyed and copied messages that remained on RoadLink's server after delivery and were stored "by an electronic communication service for purposes of backup protection" within the meaning of subsection (B). In particular RoadLink argues that Malpass destroyed historical communications that were stored on the computer's Microsoft Outlook program for backup purposes. However, in Lazette v. Kulmatycki the court dismissed the plaintiff's SCA claim in part for failure to show that e-mails accessed by the defendant were in electronic storage. - F. Supp. 2d - (N.D. Ohio 2013), 2013 WL 2455937. Finding that, "in light of the restriction of 'storage' in 2510(17)(B) solely for 'backup protection,' e-mails [that] the intended recipient has opened, but not deleted (and thus remain available for later re-opening) are not-being kept 'for backup protection." Id at 7 (citing Jennings v. Jennings, 736 S.E.2d 242, 245 (S.C. 2012). Following the reasoning that emails which are opened but not deleted are not in "electronic storage" for the purpose of backup protection, RoadLink has failed to assert facts that support that Malpass accessed communication in electronic storage.

Because RoadLink has failed to allege facts that could show that the computer hard drive was a "facility" and that the files accessed were communications in "electronic storage," the Court does not need to address—for the purposes of the SCA claim—whether RoadLink authorized Malpass to access the information, or whether that authority terminated when he went to work for Merit. RoadLink has failed to state a claim under the SCA for which relief can be granted. Therefore, Malpass's Motion to Dismiss RoadLink's SCA claim is GRANTED and the claim is dismissed with prejudice.

C. Computer Fraud and Abuse Act

RoadLink also alleges violation of the Computer Fraud and Abuse Act, 18 U.S.C. § 1030 et seq. ("CFAA"). The CFAA was enacted in 1984 to enhance the government's ability to prosecute computer crimes. The act was originally designed to target hackers who accessed computers to steal information or to disrupt or destroy computer functionality, as well as criminals who possessed the capacity to "access and control high technology processes vital to our everyday lives..." H.R. Rep. 98-894, 1984 U.S.C.C.A.N. 3689, 3694 (July 24, 1984). The CFAA prohibits a number of different computer crimes, the majority of which involve accessing computers without authorization or in excess of authorization, and then taking specified forbidden actions, ranging from obtaining information to damaging a computer or computer data. LVRC Holdings LLC v. Brekka, 581 F.3d 1127, 1130 (9th Cir.2009); See 18 U.S.C. § 1030(a)(1)-(7).

RoadLink alleges that Malpass violated subsections (a)(4) and (a)(5) of the CFAA. In relevant part, the CFAA prohibits:

(4) Knowingly and with intent to defraud, access[ing] a protected computer without authorization, or exceed[ing] authorized access, and by means of such conduct further[ing] the intended fraud and obtain[ing] anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computer and the value of such use is not more than $5,000 in any 1-year period;
(5) (A) Knowingly caus[ing] the transmission of a program, information, code, or command, and as a result of such conduct, intentionally caus[ing] damage without authorization, to a protected computer;
(B) Intentionally access[ing] a protected computer without authorization, and as a result of such conduct, recklessly caus[ing] damage; or
(C) Intentionally access[ing] a protected computer without authorization, and as a result of such conduct, caus[ing] damage and loss.

Malpass argues that RoadLink has failed to state a claim under § 1030 because (1) the computer at issue was not a "protected computer" and (2) he had authorization to access the computer and information contained within it.

1. The Computer at Issue was a Protected Computer

Malpass first contends that the RoadLink has failed to prove that the computer at issue was a "protected computer" under § 1030. However, the Ninth Circuit has concluded that a computer falls within the definition of a "protected computer" if it has internet access. U.S. v. Nosal, 676 F.3d 854, 859 (9th Cir.2012). RoadLink has pled facts showing that the computer at issue was able to send and receive email communication and therefore would need to have internet access. Therefore, Malpass's argument that the computer at issue is not a "protected computer" is without merit.

2. RoadLink Granted Malpass Authorization to Access the Computer and the Information

Malpass also argues that RoadLink's CFAA claims are deficient because Malpass was given authorization for unlimited access to the computer and files at issue. The Ninth Circuit has determined that "an employer gives an employee 'authorization' to access a company computer when the employer gives the employee permission to use it." LVRC Holdings LLC, 581 F.3d at 1133. A person who "exceeds authorized access" "has permission to access the computer, but accesses information on the computer that the person is not entitled to access. Id.; see 18 U.S.C. § 1030(e)(6).

In Nosal, the Ninth Circuit held that the CFAA is concerned only with unauthorized access of information, not its unauthorized use. U.S. v. Nosal, 676 F.3d 854, 863 (9th Cir. 2012). There, employees at an executive search firm sent documents from a confidential company database to which they had access to a former employee who had started a competing company. Id. at 856. The Ninth Circuit dismissed the charges of a CFAA violation, holding that the "plain language of the CFAA targets the unauthorized procurement or alteration of information, not its misuse or misappropriation." Id. at 863.

Here, RoadLink granted Malpass authorization to access the information on the computer he is alleged to have to copied and deleted. (Dkt. #1, Compl. at ¶15). RoadLink gave Malpass a computer with which he could maintain and update the Trade Resources and other files. Id. Under the Ninth Circuit's interpretation of the CFAA, Malpass's alleged subsequent actions—copying and deleting the files in the database—do not implicate the CFAA. These alleged actions concern the "misuse or misappropriation" of the Trade Resources, something the CFAA does not target. Therefore, Malpass did not "exceed authorized access" under the CFAA, and RoadLink has failed to state a claim under the CFAA for which relief can be granted. Malpass's Motion to Dismiss RoadLink's CFAA claim is GRANTED and the claim is dismissed with prejudice.

D. Jurisdiction

Malpass argues that, because the only two federal claims have been dismissed and the remaining claims are state claims, the Court should dismiss the remaining claims for lack of subject matter jurisdiction. Fed. R. Civ. P. 12(b)(1). This argument fails for two reasons. First, the dismissal of the federal claims does not deprive the Court of subject matter jurisdiction. All of RoadLink's claims are part of the same case or controversy. Thus, the Court had subject matter jurisdiction over all claims when the complaint was filed alleging claims under the two federal acts. 28 U.S.C. §§ 1331, 1367. The Court does not lose subject matter jurisdiction over the state claims when a plaintiff asserting a federal claim does not prevail on that claim. 28 U.S.C. § 1367. Instead, the Court retains supplemental jurisdiction over the claims unless it declines to exercise jurisdiction for reasons such as judicial economy, convenience, fairness, and comity. Sanford v. MemberWorks, Inc., 625 F.3d 550, 561 (9th Cir. 2005). The Court has not declined to exercise jurisdiction here.

Furthermore, and in any event, the Court has diversity jurisdiction over the remaining claims. 28 U.S.C. § 1332(a). The parties are completely diverse, and RoadLink's complaint states plainly that "the amount in controversy exceeds $75,000." (Dkt. #1, Compl. at ¶ 5). Malpass has provided no facts to show that this amount is listed in bad faith or that there is a legal certainty that the claims are really for less than $75,000. Budget Rent-A-Car, Inc. v. Higashiguchi, 109 F.3d 1471, 1473 (9th Cir. 1997) (To justify dismissal, "it must appear to a legal certainty that the claim is really for less than the jurisdictional amount."). Therefore, Malpass's argument fails and the Court retains jurisdiction over the remaining claims.

III. Conclusion

Malpass's Motion to Dismiss the Stored Communication Act claims and the Computer Fraud and Abuse Act claims is GRANTED. Malpass's Motion to Dismiss the remaining claims for lack of subject matter jurisdiction is DENIED.

IT IS SO ORDERED.

____________

RONALD B. LEIGHTON

UNITED STATES DISTRICT JUDGE