Opinion
CIVIL MINUTES-GENERAL
GEORGE H. KING, Chief District Judge.
Proceedings: (In Chambers) Order Re: Defendants' Motion to Dismiss (Dkt. 18)
This matter is before us on the above-captioned Motion. We have considered the papers filed in support of and opposition to the Motion and deem this matter appropriate for resolution without oral argument. L.R. 7-15. As the Parties are familiar with the facts, we will repeat them only as necessary. Accordingly, we rule as follows:
I. Background
Plaintiff BHRAC, LLC ("Plaintiff") filed this action in federal court against Defendants Regency Car Rentals, LLC ("Regency"), Israel Castillo ("Castillo"), and Arno Melikyan ("Melikyan") (collectively, "Defendants") on February 6, 2015. (Dkt. 1.) According to the Complaint, Plaintiff and Regency are both luxury automobile rental companies that compete in the same localized market. (Compl. at ¶¶ 7-8.) Castillo was once employed by Plaintiff, but is now employed by Regency. ( Id. at ¶ 9). While employed by Regency, Castillo allegedly gained access to Plaintiff's computers-using knowledge he learned while working for Plaintiff-and obtained records of recent rental transactions at the company which included the identity and price of the vehicles rented and the contact information of Plaintiff's customers (the "Information"). ( Id. at ¶ 20.) Plaintiff alleges that it was Melikyan, an employee of Regency, that authorized or directed Castillo to do this. ( Id. at ¶ 18.) Defendants then allegedly used this information to contact Plaintiff's customers and convince them to switch their business to Regency. ( Id. at ¶ 22.)
Plaintiff further alleges that Regency has interfered with the operation of its website (hereafter, the "Website Attack"). ( Id. at ¶¶ 42-53.) After Plaintiff's image server went down on December 30, 2014, Plaintiff discovered that Regency had populated its own website with images that reside on Plaintiff's server-specifically, images of "horizontal lines." ( Id. at ¶¶ 43-46.) An average of nine of these horizontal line images appears on every "vehicle-specific" page of Regency's website. ( Id. at ¶ 47.) Because of this, every time someone accessed one of Regency's web pages, Plaintiff's image server was accessed approximately nine times. ( Id. at ¶ 48.) As a result, when there was heavy traffic on Regency's website, Plaintiff's image server overloaded and went down. ( Id. at ¶ 49.) Plaintiff further alleges that "there is no possible legitimate value" to Regency constructing its website in this manner. ( Id. at ¶ 50.)
Based on the these allegations, Plaintiff asserts three claims: (1) intentional or negligent interference with prospective economic advantage, (2) misappropriation of trade secrets, and (3) violation of the Federal Computer Fraud and Abuse Act ("CFAA"), 18 U.S.C. § 1030. On March 23, 2015, Defendants filed this Motion, arguing, among other things, that Plaintiff fails to state a claim under the CFAA and that we lack supplemental jurisdiction over the state law claims. (Dkt. 18)
II. Legal Standard
In order to survive a motion to dismiss, a complaint must set forth "more than labels and conclusions, and a formulaic recitation of the elements of a cause of action will not do." Bell Atl. Corp. v. Twombly, 550 U.S. 544, 555 (2007). The complaint must contain factual allegations sufficient to "state a claim to relief that is plausible on its face." Id. at 570. In considering a motion to dismiss, we must accept the allegations of the complaint as true and construe them in the light most favorable to the plaintiff. Cousins v. Lockyer, 568 F.3d 1063, 1067 (9th Cir. 2009). We need not accept as true, however, legal conclusions "cast in the form of factual allegations." W. Mining Council v. Watt, 643 F.2d 618, 624 (9th Cir. 1981). "In sum, for a complaint to survive a motion to dismiss, the non-conclusory factual content, ' and reasonable inferences from that content, must be plausibly suggestive of a claim entitling the plaintiff to relief." Moss v. U.S. Secret Serv., 572 F.3d 962, 969 (9th Cir. 2009).
III. Computer Fraud & Abuse Act
"The [CFAA] prohibits a number of different computer crimes, the majority of which involve accessing computers without authorization or in excess of authorization, and then taking specified forbidden actions, ranging from obtaining information to damaging a computer or computer data." LVRC Holdings LLC v. Brekka, 581 F.3d 1127, 1131 (9th Cir. 2009); 18 U.S.C. § 1030(a)(1)-(7). In the Complaint, Plaintiff does not specify which particular subsection of the CFAA Defendants violated, but it appears to be 18 U.S.C. § 1030(a)(5) based on its allegations. This subsection states that a person violates the CFAA when he or she
(A) knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer;
(B) intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage; or
(C) intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage and loss[.]
In addition to imposing criminal penalties for the prohibited conduct, the CFAA creates a private right of action for "[a]ny person who suffers damage or loss by reason of a violation" of the statute. 18 U.S.C. § 1030(g). However, a private claim "may be brought only if the conduct involves 1 of the factors set forth in subclauses (I), (II), (III), (IV), or (V) of subsection (c)(4)(A)(i)." Id. Accordingly, to state a claim under the CFAA, a plaintiff must further show one of the following:
(I) loss to 1 or more persons during any 1-year period (and, for purposes of an investigation, prosecution, or other proceeding brought by the United States only, loss resulting from a related course of conduct affecting 1 or more other protected computers) aggregating at least $5,000 in value;
(II) the modification or impairment, or potential modification or impairment, of the medical examination, diagnosis, treatment, or care of 1 or more individuals;
(III) physical injury to any person;
(IV) a threat to public health or safety;
(V) damage affecting a computer used by or for an entity of the United States Government in furtherance of the administration of justice, national defense, or national security; or
(VI) damage affecting 10 or more protected computers during any 1-year period
18 U.S.C. § 1030 (c)(4)(A)(i).
Plaintiff alleges that Defendants violated the CFAA in two separate incidents, but only one of them is actionable under the statute. In the first incident, Plaintiff alleges that Castillo, a former employee now working for Regency, accessed its computers without authorization at the behest of Melikyan, another Regency employee, and stole records of Plaintiff's recent transactions with customers. (Compl. at ¶¶ 17-20.) Defendants allegedly then used this Information to take Plaintiff's customers. ( Id. at ¶ 23.)
Though it may be unlawful in other ways, this conduct is not actionable under the CFAA because Plaintiff did not suffer "damage or loss" within the meaning of the statute. See 18 U.S.C § 1030(g). The statute defines "damage" as "any impairment to the integrity or availability of data, a program, a system, or information." 18 U.S.C. § 1030(e)(8). Defendants' alleged use of Plaintiff's Information did not impair the integrity or availability of that data. The statute defines "loss" as "any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service." 18 U.S.C. § 1030(e)(11). Plaintiff does not allege that it incurred any costs in responding to the theft of the Information nor that it lost revenue because the theft caused an interruption of service.
The only injury Plaintiff alleges as a result of the theft the Information is the loss of business from Regency poaching its customers. As other courts have observed, that is not the sort of injury for which the CFAA provides a remedy. See SKF USA, Inc. v. Bjerkness, 636 F.Supp.2d 696, 721 (N.D. Ill. 2009) ("[E]conomic losses are better addressed, as they are here, under state contract and trade secrets law."); Nexans Wires S.A. v. Sark-USA, Inc., 319 F.Supp.2d 468, 477 (S.D.N.Y. 2004) ("[P]ersuasive authority suggests that plaintiffs' lost revenue due to lost business opportunity does not constitute loss' under the statute."), aff'd 166 F.Appx. 559 (2d Cir. 2006); Farmers Ins. Exch. v. Steele Ins. Agency, Inc., 2013 WL 3872950, at *21 (E.D. Cal. July 25, 2013) (rejecting CFAA claim premised on "lost present and future business revenue" because "costs not related to computer impairment or computer damages are not compensable under the CFAA").
Because this aspect of the CFAA claim is deficient, we need not address Defendants' other argument that Castillo's access was not "unauthorized" within the meaning of the statute.
In the second incident, Plaintiff alleges that Defendants interfered with the operation of its website by pointing traffic to the company's image server, which overwhelmed its capacity and caused it to go down. The means by which Defendants allegedly did this was simple. Regency's website was coded to repeatedly call up images found on Plaintiff's server. Whenever one person visited a page on Regency's website, Plaintiff's image server effectively had to process nine times as many visitors.
This allegation is sufficient to suggest that Regency "knowingly cause[d] the transmission of a... code[] or command, and as a result of such conduct, intentionally cause[d] damage without authorization, to a protected computer." 18 U.S.C. § 1030(a)(5)(A). The transmitted code or commands in this case were repeated requests to Plaintiff's image server to deliver images every time a visitor came to one of Regency's webpages. Essentially, that is a rudimentary type of denial of service attack. See Joshua McLaurin, Making Cyberspace Safe for Democracy: The Challenge Posed by Denial-of-Service Attacks, 30 Yale L. & Pol'y Rev. 211, 216 (2011) ("The simplest form of a DoS attack is information overload: A single person with sufficient computing resources sends enough packets of information to a target server for those packets to deplete the server's resources, preventing it from responding to requests from other users.") (footnote and internal quotation marks omitted).
Defendants raise a variety of arguments as to why the allegations of the Website Attack are inadequate, but most of them miss the mark. First, Defendants argue that Plaintiff has not alleged that access to the image server was unauthorized. But that is not requirement of this subsection of the CFAA. It requires only that the damage resulting from the transmission be unauthorized, not the transmission of the code or command itself. 18 U.S.C. § 1030(a)(5)(A)("... knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, ....") (emphasis added). It is reasonable to infer that Plaintiff did not authorize Regency to crash their website.
Second, Defendants contend that Plaintiff's image server is not a "protected computer, " as required under the statute, because it is open to the public. But "protected" does not mean nonpublic in this context; it means any computer protected by the CFAA-i.e., a computer "used in or affecting interstate or foreign commerce or communication." 18 U.S.C. § 1030(e)(2)(B). Plaintiff has alleged that its servers are used in or affect interstate and foreign commerce. (Compl. at ¶ 37.)
Third, Defendants argue that Plaintiff suffered no "damage" as a result of the attack. But if the attack caused Plaintiff's server to go down, then it caused an "impairment to the... availability of data, a program, a system, or information, " which is the definition of damage under the CFAA. 18 U.S.C. § 1030(e)(8).
Fourth, Defendants contend that Plaintiff's claim must be pled with particularity under Federal Rules of Civil Procedure 9(b), citing Oracle America, Inc. v. Service Key, LLC, 2012 WL 6019580 (N.D. Cal. Dec. 3, 2012). Oracle does not stand for the proposition that all CFAA claims must be pled under Rule 9(b). In that case, the court found that the plaintiff's CFAA claim required particularity because it involved an allegation of fraud. Id. at *6-7. Plaintiff has not made any similar allegation in its CFAA claim, and fraud is not an element of any claim under section 1030(a)(5).
Finally, Defendants argue that Plaintiff's Website Attack fails because it does not allege specific facts from which one might plausibly infer that Defendants were responsible for the incident. As to Regency, Defendants are incorrect. One can reasonably infer that Regency has control over its own website and therefore is responsible for designing it in a way that causes Plaintiff's website to crash. As to Castillo and Melikyan, Defendants are correct. The Complaint contains no allegations from which one could infer that either was involved in the Website Attack. The Complaint alleges only that they were participants in the scheme to steal Plaintiff's Information, an incident which seems to have no direct connection to the Website Attack. Plaintiff does allege, upon information and belief, that Melikyan has "general executive authority" at Regency, (Compl. at ¶ 11), but that is not enough by itself to plausibly suggest that he played some role in designing Regency's website.
In light of the foregoing, Defendants' Motion to Dismiss Plaintiff's CFAA claim is GRANTED to the extent that (1) it is premised on the alleged theft of the Information and (2) seeks to hold Melikyan and Castillo liable for the Website Attack. The Motion is DENIED in all other respects.
IV. Supplemental Jurisdiction
Plaintiff's other claims for misappropriation of trade secrets and tortious interference with prospective economic advantage arise under state, not federal, law. Plaintiff has not alleged the existence of diversity among the Parties. Thus, we have jurisdiction over these state law claims only to the extent that there is supplemental jurisdiction pursuant to 28 U.S.C. § 1367(a). Section 1367(a) provides that
[I]n any civil action of which the district courts have original jurisdiction, the district courts shall have supplemental jurisdiction over all other claims that are so related to claims in the action within such original jurisdiction that they form part of the same case or controversy under Article III of the United States Constitution.
"Nonfederal claims are part of the same case as federal claims when they derive from a common nucleus of operative fact and are such that a plaintiff would ordinarily be expected to try them in one judicial proceeding.'" Trustees of Constr. Indus. & Laborers Health & Welfare Trust v. Desert Valley Landscape & Maint., Inc., 333 F.3d 923, 925 (9th Cir. 2003) (quoting Finley v. United States, 490 U.S. 545, 549 (1989)) (internal quotation marks omitted). "There is no common nucleus of operative fact if there is no evidentiary overlap whatsoever between [the] claims.'" See Titan Global LLC v. Organo Gold Int'l, Inc., 2012 WL 6019285, at *11 (N.D. Cal. Dec. 2, 2012) (quoting U.S. ex rel. Hill v. Teledyne, Inc., 103 F.3d 143 (9th Cir. 1996)).
According to Plaintiff, the common nucleus of operative fact that binds the CFAA claim to its state law claims is the theft of the Information by Castillo. (Opp'n at w (stating that the unauthorized copying of the Information "is essentially the same conduct that forms the basis of each of the two state-law counts") (emphasis removed).) Plaintiff alleges that the Information constitutes a trade secret that was misappropriated by Defendants, and the Information was used to interfere with its ongoing relationships with its customers. (Compl. at ¶¶ 22-23, 31.)
Plaintiff used letters instead of numbers for the pagination of its Opposition. This is a violation of the local rules, and Plaintiff should not do so in the future. See L.R. 11-3.3 ("Pagination. All documents shall be numbered consecutively at the bottom of each page.") (emphasis added).
But as already described, Plaintiff failed to state a plausible CFAA claim based on the theft of the Information. Because of this, Plaintiff's state and federal claims are not closely connected. The state law claims are based on one incident-a Regency employee stealing an alleged trade secret. The federal claim is based on a different incident-Regency crashing Plaintiff's website. The only link between the two incidents is the fact that Regency and Plaintiff are competitors in the same business. Any evidence that would be useful to proving Regency's liability for the Website Attack under the CFAA would have little, if any, relevance to proving its liability for tortious interference and misappropriation of the Information. Accordingly, Plaintiff's state and federal claims do not arise from a common nucleus of operative fact, and we do not have supplemental jurisdiction.
Because we lack jurisdiction, we decline to address the merits of Defendants' arguments against Plaintiff's state law claims.
V. Conclusion
In light of the foregoing, Defendants' Motion is GRANTED in part and DENIED in part. Plaintiff's CFAA claim is DISMISSED without prejudice and with leave to amend to the extent that (1) it is premised on the alleged theft of the Information and (2) seeks to hold Melikyan and Castillo liable for the Website Attack. Plaintiff's tortious interference and misappropriation of trade secret claims are DISMISSED without prejudice and with leave to amend because we lack subject matter jurisdiction over them, as pled.
Should Plaintiff elect to file a First Amended Complaint ("FAC"), it SHALL do so within 30 days hereof. Plaintiff's failure to file a FAC will be deemed its admission that amendment of the dismissed claims is futile. In that event, Defendant Regency SHALL file an Answer to the CFAA claim as narrowed herein within 14 days thereof. All other aspects, claims, and parties to the Complaint will then be dismissed with prejudice.
IT IS SO ORDERED.