Opinion
Case No.: 5:13-cv-02201-PSG
01-23-2014
ORDER GRANTING-IN-PART
DEFENDANTS' MOTION TO
DISMISS
(Re: Docket No. 32)
When a former employee uses a customer's working log-in credentials to access his former employer's scripts, are he and the customer hackers? Plaintiff Enki Corporation says yes; Defendant Keith Freedman, along with his current employer and co-defendant, Zuora, Inc., say no. Freedman and Zuora now move to dismiss Enki's claims under the Computer Fraud and Abuse Act and the California Computer Data Access And Fraud Act for failure to state a claim upon which relief may be granted and the remainder of Enki's claims for lack of subject matter jurisdiction. Having reviewed the papers and considered the arguments of counsel, the court GRANTS Defendants' motion.
I. BACKGROUND
The court draws the following facts, taken as true for the purposes of the motion to dismiss, from Enki's First Amended Complaint.
From 2006-2011, Freedman was a 12% interest holding member of Enki. Enki's business is to acquire, manage, develop, improve, and operate cloud computing and other IT services for enterprises. In May of 2011, Freedman resigned. Under the terms of Freedman's separation agreement with Enki, Enki bought out Freedman's interest, neither party was to disparage the other in any way, and Freedman was barred from soliciting Enki's clients or competing with Enki for a year.
See Docket No. 25 at ¶ 18.
See id. at ¶ 19.
See id. at ¶ 19.
See id. at ¶¶ 21-22.
Shortly after Freedman's departure, Enki entered into a master service agreement with Zuora under which Enki was to provide consulting, cloud computing services, and other IT services. As part of these services, and as set forth in various statements of work, Enki installed "Nimsoft" on Zuora's network. Nimsoft is a "software based system monitor" used to monitor computer resources and performance. Although the software was installed on Zuora's network, under the terms of the agreement Enki was the sole administrator of the software and the only one allowed to "write" Nimsoft scripts.
See id. at ¶ 23.
See id. at ¶ 48.
Id.
See id. at ¶ 50-53. Scripts are typically programs written for a particular runtime environment, such as Unix.
In order to fulfill this contract, Enki hired Freedman and retained his new company, Freeform, as a contractor to provide certain services to Zuora. Even though the separation agreement remained in effect, Freedman proceeded to spread negative stories about Enki and its work product throughout Zuora for several months, leading to the termination of his contract with Enki. Zuora then hired Freedman and retained Freeform's services directly.
See id.at ¶ 30.
See id. at ¶ 35.
See id. at ¶ 40.
In February 2013, Zuora terminated its contract with Enki "for convenience." Before this termination, however, Freedman and Zuora accessed the Nimsoft servers on Zuora's network without authorization. Freedman and Zuora then copied Enki's proprietary information, including Enki's Nimsoft scripts, in order to terminate the contract and receive the benefits of Enki's enterprise and technology without continuing to pay for Enki's services. Enki brings this action to recover for various breaches of contract, as well as violations of state and federal anti-hacking statutes.
Id. at ¶ 54.
See id at ¶ 56.
See id.
II. LEGAL STANDARDS
A complaint must contain "a short and plain statement of the claim showing that the pleader is entitled to relief." If a plaintiff fails to proffer "enough facts to state a claim to relief that is plausible on its face," the complaint may be dismissed for failure to state a claim upon which relief may be granted. A claim is facially plausible "when the pleaded factual content allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged." Accordingly, under Fed. R. Civ. P. 12(b)(6), which tests the legal sufficiency of the claims alleged in the complaint, "[d]ismissal can be based on the lack of a cognizable legal theory or the absence of sufficient facts alleged under a cognizable legal theory." "A formulaic recitation of the elements of a cause of action will not do."
Bell Atlantic Corp. v. Twombly, 550 U.S. 544, 570 (2007).
Ashcroft v. Iqbal, 556 U.S. 662, 663 (2009).
Balistreri v. Pacifica Police Dep't., 901 F.2d 696, 699 (9th Cir. 1990).
Bell Atl. Corp. v. Twombly, 550 U.S. 544, 555 (2007).
On a motion to dismiss, the court must accept all material allegations in the complaint as true and construe them in the light most favorable to the non-moving party. The court's review is limited to the face of the complaint, materials incorporated into the complaint by reference, and matters of which the court may take judicial notice. However, the court need not accept as true allegations that are conclusory, unwarranted deductions of fact, or unreasonable inferences.
See Metzler Inv. GMBH v. Corinthian Colls., Inc., 540 F.3d 1049, 1061 (9th Cir. 2008).
See id. at 1061.
See Sprewell v. Golden State Warriors, 266 F.3d 979, 988 (9th Cir. 2001); see also Twombly, 550 U.S. at 561 ("a wholly conclusory statement of [a] claim" will not survive a motion to dismiss).
"Dismissal with prejudice and without leave to amend is not appropriate unless it is clear... that the complaint could not be saved by amendment."
Eminence Capital, LLC v. Asopeon, Inc., 316 F.3d 1048, 1052 (9th Cir. 2003).
III. DISCUSSION
A. Enki's CFAA Claim Fails to Allege Sufficient "Unauthorized Access"
Zuora and Freedman put forth two main theories as to why Enki's claim under the CFAA should be dismissed: 1) the complaint fails to allege loss or damage within the meaning of the statute; and 2) the complaint fails to allege unauthorized access within the Ninth Circuit's interpretation of the statue.
Regarding Defendants' first argument, although the Ninth Circuit has not yet ruled on whether costs of investigation may be included in the calculation of loss under the CFAA, this district and others within the circuit have long accepted that theory. The statutory definition of loss includes "the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense." Before the incident at issue here, Enki's proprietary information was secured, and afterward, it evidentially was not. It therefore stands to reason that the cost of investigating the source of the breach and remedying it would qualify as "loss" within that definition, as they would be required to return the system to its secured state. The undersigned therefore joins with his colleagues in holding that the costs of investigating a security breach may be included in the calculation of "loss" under the CFAA.
See, e.g., Facebook, Inc. v. Power Ventures, Inc., 844 F. Supp. 2d 1025, 1039 (N.D. Cal. 2012) ("Costs associated with investigating intrusions into a computer network and taking subsequent remedial measures are losses within the meaning of the statute."); Multiven, Inc. v. Cisco Sys., Inc., 725 F. Supp. 2d 887, 895 (N.D. Cal. 2010); SuccessFactors, Inc. v. Softscape, Inc., 544 F. Supp. 2d 975, 981 (N.D. Cal. 2008) (holding that "where the offender has actually accessed protected information, discovering who has that information and what information he or she has is essential to remedying the harm" and therefore qualifies as loss under the CFAA).
18 U.S.C. § 1030 (emphasis added).
Defendants' second argument, however, carries more weight. The CFAA imposes liability where the defendant commits certain acts on a "protected computer" either "without authorization" or in "exce[ss of his] authorization." The Ninth Circuit has held that to access a protected computer "without authorization" is to do so "without any permission at all," and to "exceed authorized access" is to "access[] information on the computer that the person is not entitled to access." It has further held that an individual does not "exceed authorized access" simply by misusing information that he or she was entitled to view for some other purpose; the CFAA regulates access to data, not its use by those entitled to access it.
Id.
LVRC Holdings LLC v. Brekka, 581 F.3d 1127, 1133 (9th Cir. 2009).
See United States v. Nosal, 676 F.3d 854, 863 (9th Cir. 2012).
Here, Enki alleges that Freedman and Zuora violated the CFAA by "unlawfully access[ing] the Nimsoft servers and improperly cop[ying] Enki's Proprietary Information," and in particular Enki's Nimsoft scripts. However, the complaint does not allege that Defendants were unauthorized to access the scripts in question. In fact, the Statement of Work submitted for the court's consideration specifically grants Zuora and its representatives "sudo access" to "non-shell root commands" that would include the scripts at issue. Enki instead hangs its hat on its repeated refusals to grant Zuora or Freedman the authority to write or edit those scripts. That argument, however, speaks to misuse of the scripts, not unauthorized access, which under Nosal does not run afoul of the CFAA. Because Enki's complaint fails to allege that Defendants had no access rights to Enki's scripts, and indeed the documents upon which it relies reveal that Defendants had certain access rights, their CFAA claim must be DISMISSED for failure to state a claim.
Docket No. 25 at ¶¶ 56-61.
See Docket No. 35-1, Ex. B.
See id. at ¶¶ 50-53.
See Docket No. 35-1, Ex. B.
B. Enki's CDAFA Claim Fails to Allege A Sufficient Technical Code or Barrier
The only other claim that Freedman and Zuora substantively address in their motion is the CDAFA claim. With respect to that claim, they argue that because Enki's complaint fails to allege that either Freedman or Zuora overcame any technical barrier in order to view and copy its proprietary information, the claim must be dismissed for failure to state a claim. Enki, however, maintains that a violation of the established terms of use is sufficient to create liability under CDAFA, and because the complaint alleges that Freedman and Zuora copied the information when they were not permitted to do so, they have sufficiently pled their claim.
See Docket No. 32 at 15.
The CDAFA imposes liability where an individual takes certain actions "without permission" on another's computer, network, or website. Enki relies on a single case, Craigslist v. Naturemarket, Inc., to argue that a simple violation of the terms of use meets the requirement that the action be "without permission." Craigslist, however, appears to be an outlier. Just four months after Craigslist, in Facebook v. Power Ventures, Inc., this court held that to take an action "without permission" under the CDAFA, a defendant must overcome some technical or code barrier. This has been the governing standard in this district since that time, and it is the standard that applies here. As Enki itself does not even argue that the complaint alleges a technical obstacle, the court GRANTS Defendants' motion as to the CDAFA claim.
694 F.Supp.2d. 1039 (N.D. Cal. 2010).
See Docket No. 35 at 15-16.
Case No. 5:08-cv-05780-JW, 2010 WL 3291750 (N.D. Cal. July 20, 2010).
See id. at
See, e.g., In re Google Android Consumer Privacy Litig., Case No. 11-md-02264-JSW, 2013 U.S. Dist. LEXIS 42724 (N.D. Cal. Mar. 26, 2013); In re Facebook Privacy Litig., 791 F. Supp. 2d 705, 716 (N.D. Cal. 2011); In re iPhone Application Litig., Case No. 5:11-md-02250-LHK, 2011 WL 4403963 (N.D. Cal. Sept. 20, 2011).
C. The Court Will Retain Subject Matter Jurisdiction Over the Remaining State Law Claims
Because jurisdiction over state law claims under § 1367 generally requires a federal hook, a court may choose to decline jurisdiction over any lingering state law claims where all federal claims in the case have been dismissed before trial. Further, in the Ninth Circuit, "[i]t is usually appropriate to dismiss pendent state claims when federal claims are dismissed before trial," although in each case, a court must assess the values of "economy, convenience, fairness, and comity" in deciding whether or not to retain jurisdiction.
McCarthy v. Mayo, 827 F.2d 1310, 1317 (9th Cir. 1987).
Acri v. Varian Assocs., 114 F.3d 999, 1001 n.3 (9th Cir. 1994).
Here, although the remaining claims are all grounded in state law, the parties are already eight months into litigation in this forum, and it would hardly serve the interests of economy or convenience to require the parties to begin anew in state court. In addition, because Enki has leave to amend its complaint to remedy the deficiencies identified in its pleadings, the federal claim may yet move forward in another version of the complaint. The court therefore will retain jurisdiction over the lingering state law claims.
IV. CONCLUSION
Defendants' motion to dismiss is GRANTED as to the CFAA and CDAFA claims, which are dismissed without prejudice and with leave to amend. Any amended pleading shall be filed by February 23, 2014.
IT IS SO ORDERED.
__________
PAUL S. GREWAL
United States Magistrate Judge