Summary
concluding that there was a question of fact with respect to the plaintiffs' CFAA claim because although the defendants were granted some access to the business email accounts and were provided the administrative password which enabled them to access individual email accounts and change passwords, "that does not mean that the defendants were authorized to do so"
Summary of this case from Abu v. DicksonOpinion
Case No. 13–cv–05186–WHO
2014-08-04
Keenan W. Ng, Katy Marie Young, Ad Astra Law Group, LLP, San Francisco, CA, for Plaintiff. Carlton John Willey, Willey & Bentaleb LLP, San Francisco, CA, for Defendants.
Keenan W. Ng, Katy Marie Young, Ad Astra Law Group, LLP, San Francisco, CA, for Plaintiff.
Carlton John Willey, Willey & Bentaleb LLP, San Francisco, CA, for Defendants.
ORDER GRANTING DEFENDANTS' MOTION FOR JUDGMENT ON THE PLEADINGS
Re: Dkt. No. 60
WILLIAM H. ORRICK, United States District Judge
INTRODUCTION
This case involves the soured relationship between the owners of the plaintiff company, NovelPoster, and the defendant company engaged to operate it, Javitch Canfield Group. Javitch Canfield Group's owners, Mark Javitch and Daniel Canfield, are also defendants. NovelPoster asserts various causes of action under both federal and state law based on the defendants' allegedly unlawful access of NovelPoster's email and other electronic accounts during the start, breakdown, and wake of the parties' relationship.
The defendants filed this limited Motion for Judgment on the Pleadings, arguing that NovelPoster's allegations as pleaded in the Complaint fail to support the First through Fourth Causes of Action for violations of the federal Computer Fraud and Abuse Act, the federal Electronic Communications Privacy Act, California's Comprehensive Computer Data Access and Fraud Act, and California's Invasion of Privacy Act. The motion is GRANTED. NovelPoster fails to adequately plead loss to support its causes of action under the Computer Fraud and Abuse Act and California's Comprehensive Computer Data Access and Fraud Act and fails to plead that the defendants “intercepted” any electronic communications under the Electronic Communications Privacy Act and California's Invasion of Privacy Act.
FACTUAL BACKGROUND
The Complaint alleges the following facts:
Plaintiff NovelPoster is an online retailer that designs, sells, and distributes text-based poster products. Compl. (Dkt. No. 1) ¶¶ 4, 9. NovelPoster has no physical presence and is accessible only through its website and other online internet portals. Compl. ¶ 10. Owners Alex Yancher and Matt Grinberg founded the company in 2011. Compl. ¶ 9. From NovelPoster's inception, Yancher and Grinberg planned to develop and then sell the company. Compl. ¶ 14.
NovelPoster has accounts with internet companies to conduct its advertising, communications, and sales transactions, including with online payment “gateways,” such as PayPal and Stripe; online marketing platforms, such as Google Adwords; the website platform Goodsie; retail sites, such as Etsy and Storenvy; and social media platforms, such as Facebook, Twitter, and Mailchimp. Compl. ¶¶ 11, 38.
NovelPoster's email capabilities are hosted by Google's services for small-business accounts, through which NovelPoster has the email accounts Contact @NovelPoster.com, Matt@NovelPoster.com, and Alex@NovelPoster.com. Compl. ¶ 11(a). Contact@NovelPoster.com is the administrative account for NovelPoster's overall Google account, and access to it allows a user to controlMatt @NovelPoster.com andAlex@NovelPoster.com, which are the individual email accounts of Grinberg and Yancher, respectively. Compl. ¶¶ 11(a), 22. Grinberg and Yancher each used his NovelPoster email account to manage the company's relationships with customers and business partners. Compl. ¶ 11(a). They also used these individual email accounts to store contact information for designers, wholesalers, suppliers, and marketers. Compl. ¶ 13. The contract between NovelPoster and the defendants was negotiated through these email accounts, and the contract itself is electronically stored there. Compl. ¶ 11(a).
NovelPoster first came into contact with the defendants through Yancher, who met David Canfield at a March 2013 social event in San Francisco. Compl. ¶ 15. Yancher and Canfield agreed to meet and discuss forming a business relationship between NovelPoster and Javitch Canfield Group, which Canfield founded with Mark Javitch, to take over NovelPoster operations “until it could be sold.” Compl. ¶¶ 5, 15. Over the next few months, Yancher and Grinberg met with Canfield and Javitch several times to discuss this arrangement. Compl. ¶ 16.
Disagreement about the reach of the defendants' control of the company began even before the parties agreed to the terms governing their relationship. On May 8, 2013, Grinberg emailed the defendants to voice his concern that they had changed the passwords to NovelPoster's PayPal and Stripe accounts and to state that he and Yancher must “maintain access to all NovelPoster accounts.” Compl. ¶ 18. In the same email, Grinberg proposed contract terms to the defendants consisting of the following points:
Although not pleaded in the Complaint, NovelPoster states in its opposition brief that it provided the defendants with the passwords to its Contact@NovelPoster.com, AdWords, PayPal, Goodsie, MailChimp, Twitter, Stripe, and Facebook accounts on May 3, 2013, because it was “optimistic that it would finalize an[ ] agreement” with the defendants. Opp'n (Dkt. No. 64) 1–2. The brief further states that on May 8, 2013, the defendants changed the passwords and access levels to some of these accounts without providing NovelPoster with the new passwords. Opp'n 2.
• The Javitch Canfield Group would “take over all aspects of operations except for poster design,” for which NovelPoster would be responsible for creating one new poster design per month.
• Operations include “[f]ulfilling posters or subcontracting fulfillment responsibilities”; inventory management; marketing through Google Adwords, Facebook ads, etc.; customer service; outbound sales calls to distributors; maintenance of NovelPoster's website and social media presence; and financial and accounting record keeping.
• “NovelPoster continues to have ownership of all NovelPoster related accounts.”
• The Javitch Canfield Group receives 80 percent of sales and a 10 percent equity share to vest over two years.
Compl. ¶ 17. Canfield accepted these terms on behalf of the defendants via email on May 9, 2013. Compl. ¶ 21.
According to the opposition brief, in response to requests from NovelPoster regarding account access, the defendants provided login credentials for certain accounts to Yancher and Grinberg on May 13, 2013. Opp'n 2.
On June 6, 2013, the defendants accessed Yancher's and Grinberg's individual NovelPoster email accounts and changed their passwords without authorization from or notice to Yancher or Grinberg. Compl. ¶ 22. Canfield responded to a complaint from Yancher that Yancher was not able to access his individual account by stating that “a server change” had made Yancher's account “inaccessible,” but that Canfield could forward emails from these accounts to Yancher and Grinberg. Compl. ¶ 22.
On June 10, 2013, Yancher emailed Canfield and Javitch, stating that he knew the defendants had accessed the individual NovelPoster email accounts and read emails without permission. Compl. ¶ 23. Javitch responded and suggested that the group meet to discuss the situation; Yancher agreed, but reiterated that the defendants did not have authority to access the individual email accounts or change their passwords because they were “personal email accounts.” Compl. ¶ 24.
The parties met on June 13, 2013, during which time Yancher and Grinberg told the defendants that the business relationship “was not working” and NovelPoster wanted to terminate the contract. Compl. ¶ 25. The defendants refused the termination, “insisting they would relinquish their unauthorized control only for a fee.” Compl. ¶ 25. NovelPoster refused. Compl. ¶ 25. Grinberg sent an email to Canfield on June 14, 2013, saying that the defendants were in material breach of the contract and that NovelPoster was terminating their contract; Grinberg also stated that NovelPoster was demanding return of its entire business and an inventory estimate as of May 10, 2013. Compl. ¶ 26. Javitch responded by email, pointing out that there was no clause in the contract regarding termination, and so NovelPoster's attempt to terminate the contract was invalid. Compl. ¶ 27.
Through the time the Complaint was filed, the defendants continued to operate all aspects of NovelPoster and routinely accessed, without authorization, all accounts related to NovelPoster. Compl. ¶ 36. From the time they took control of NovelPoster, the defendants marketed NovelPoster merchandise simultaneously with other brands that the defendants were promoting. Compl. ¶ 34. While doing so, they “misrepresented to vendors and business partners” that they were authorized to bind NovelPoster to business agreements. Compl. ¶ 35.
This dispute caused NovelPoster to lose prospective buyers. In July 2013, a prospective buyer withdrew interest after learning about NovelPoster's conflict with the defendants. Compl. ¶ 29. Afterwards, NovelPoster's business broker told Yancher and Grinberg that he would not help them sell the company until they and the defendants resolved this dispute. Compl. ¶ 30. Without the business broker, NovelPoster was unable to respond to a second interested buyer in October 2013. Compl. ¶¶ 31, 32.
On November 4, 2013, NovelPoster's counsel wrote the defendants and demanded that they return full control of NovelPoster to Yancher and Grinberg, but that has not occurred. Compl. ¶¶ 33, 36. The defendants' actions caused NovelPoster to suffer damages greater than $5,000.00 in 2012 and damages continue to accrue. Compl. ¶ 44.
PROCEDURAL HISTORY
NovelPoster filed this action on November 6, 2013, charging the following: (i) violation of the federal Computer Fraud and Abuse Act (“CFAA”), 18 U.S.C. §§ 1030(a)(2)(C), 1030(a)(5)(C); (ii) violation of the federal Wiretap Act, 18 U.S.C. § 2511 ; (iii) violation of California's Comprehensive Computer Data Access and Fraud Act (“CDAFA”), Cal. Penal Code §§ 502(c)(1)–(5), 502(c)(7); (iv) violation of California's Invasion of Privacy Act (“CIPA”), Cal. Penal Code §§ 630 et seq.; (v) conversion; (vi) breach of contract; (vii) breach of the implied covenant of good faith and fair dealing; (viii) violation of California's Unfair Competition Law, Cal Bus. & Prof. Code §§ 17200 et seq.; and (ix) unjust enrichment.
Although NovelPoster designates its Second Cause of Action as a violation of the Electronic Communications Privacy Act, because that act both amended the Wiretap Act, 18 U.S.C. §§ 2510–22, and created the Stored Communications Act, 18 U.S.C. §§ 2701–12, and because NovelPoster brings its Second Cause of Action under 18 U.S.C. § 2511, this Order will refer to the Second Cause of Action as alleging a violation of the Wiretap Act to avoid any confusion. See Compl. ¶¶ 47, 50; Opp'n 20.
The defendants filed motions to dismiss on December 4, 2013, and January 13, 2014, both of which I denied. Dkt. Nos. 16, 24, 46. On June 6, 2014, the defendants filed this limited Motion for Judgment on the Pleadings on the First through Fourth Causes of Action. Mot. (Dkt. No. 60). NovelPoster opposes the motion and has stated that it plans to move to file an Amended Complaint. Opp'n (Dkt. No. 64) 7. I heard argument on July 9, 2014.
LEGAL STANDARD
The standard for a motion for judgment on the pleadings under “Rule 12(c) is ‘functionally identical’ to [the standard for a motion under] Rule 12(b)(6).” Cafasso, United States ex rel. v. Gen. Dynamics C4 Sys., Inc., 637 F.3d 1047, 1055 n. 4 (9th Cir.2011). When deciding such a motion, “the allegations of the non-moving party must be accepted as true, while the allegations of the moving party which have been denied are assumed to be false.” Hal Roach Studios, Inc. v. Richard Feiner & Co., Inc., 896 F.2d 1542, 1550 (9th Cir.1989). All reasonable inferences from the alleged facts must be construed in favor of the responding party. Fleming v. Pickard, 581 F.3d 922, 925 (9th Cir.2009). “Judgment on the pleadings should be granted when, accepting all factual allegations in the complaint as true, there is no issue of material fact in dispute and the moving party is entitled to judgment as a matter of law.” Chavez v. United States, 683 F.3d 1102, 1108 (9th Cir.2012) (internal citations and quotations omitted).
DISCUSSION
I. FIRST CAUSE OF ACTION: CFAA VIOLATION
A. Applicable Law
Sections 1030(a)(2)(C) and 1030(a)(5)(C) of Title 18 respectively state that one who “intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains ... information from any protected computer” and one who “intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage and loss” can be subject to a fine or imprisonment. 18 U.S.C. §§ 1030(a)(2)(C), 1030(a)(5)(C). The CFAA “targets the unauthorized procurement or alteration of information, not its misuse or misappropriation.” United States v. Nosal, 676 F.3d 854, 863 (9th Cir.2012) (“Nosal I ”) (brackets omitted). Any person may bring a civil cause of action under the CFAA for damages and equitable relief if he or she suffers damages or loss as a result of a violation of its provisions. 18 U.S.C. § 1030(g).
The term “without authorization” is undefined in the CFAA, but the Ninth Circuit has held that “a person uses a computer ‘without authorization’ under §§ 1030(a)(2) [ ] when the person has not received permission to use the computer for any purpose (such as when a hacker accesses someone's computer without any permission), or when the [computer's owner] has rescinded permission to access the computer and the defendant uses the computer anyway.” LVRC Holdings LLC v. Brekka, 581 F.3d 1127, 1135 (9th Cir.2009). Even where authorization is given to access a protected computer, the CFAA may be violated if that authorization is exceeded. To exceed authorized access “means to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” 18 U.S.C. § 1030(e)(6); see also Brekka, 581 F.3d at 1133 (“an individual who is authorized to use a computer for certain purposes but goes beyond those limitations is considered by the CFAA as someone who has ‘exceed[ed] authorized access' ”). It generally “refer[s] to someone who's authorized to access only certain data or files but accesses unauthorized data or files—what is colloquially known as ‘hacking.’ ” Nosal I, 676 F.3d at 856–58 (“we find Nosal's narrower [definition] more plausible”). The Ninth Circuit has emphasized that “the CFAA is limited to violations of restrictions on access to information, and not restrictions on its use.” Id. at 864 (original emphasis).
B. The Defendants Fail To Show That They Did Not Act Without Authorization Or Did Not Exceed Authorization As A Matter Of Law.
The parties dispute whether the pleadings show that the defendants acted without authorization or exceeded authorization by accessing and taking exclusive control of NovelPoster's accounts during the parties' alleged contract period, and continuing to do so after the contract allegedly terminated on June 14, 2013.
Under the CFAA, a “protected computer” is a computer “used in or affecting interstate or foreign commerce or communication.” 18 U.S.C. § 1030(e)(2)(B). The parties do not seriously dispute that NovelPoster's online accounts are “protected computers” under the statute. Compl. ¶ 39;
The defendants argue that they are entitled to judgment on the pleadings for this cause of action because NovelPoster provided the defendants with “unrestricted access” to all of NovelPoster's accounts when the parties agreed that the defendants would “take over all aspects of operation” of NovelPoster, and because NovelPoster provided the defendants with certain passwords, including the password for the Google administrative account. Mot. 9–12; Reply (Dkt. No. 76) 3–4 (quoting Compl. ¶ 17). In doing so, NovelPoster “failed to retain any technical control or legal right to exclusive access” of the accounts. Reply 10. With regard to the individual email accounts, though Yancher and Grinberg call them “personal email accounts,” the defendants point out that NovelPoster admits that those accounts “are, in effect, the customer relationship management [ ] tool” Yancher and Grinberg use to “manag[e] relations between a company and a customer.” Mot. 9–10 (quoting Compl. ¶ 11(a)). But because NovelPoster's Complaint admits that the defendants were charged with operating “all aspects” of NovelPoster, the defendants argue that their access of those accounts at all times was neither unauthorized nor in excess of authorization. See generally Mot. 9–14.
The defendants further argue that the alleged violations are not within the scope of the CFAA, which they emphasize deals with hacking. Mot. 16. They attempt to characterize NovelPoster's cause of action as one merely concerning a “disputed business arrangement” and a simple “breach of contract” claim. Mot. 15–16. In particular, the defendants assert that NovelPoster complains of nothing more than the misappropriation of information, which the CFAA does not cover, but lacks allegations that the defendants wrongfully circumvented a “technological access barrier,” which they say the statute requires, because NovelPoster “willingly transferred its website domain and all accounts” to the defendants. Mot. 3–4, 16 (citing Nosal I, 676 F.3d at 863 (holding that the CFAA targets “the circumvention of technological access barriers—not misappropriation of trade secrets”)); Reply 4.
NovelPoster responds that their allegations against the defendants do not involve mere misuse or misappropriation; rather, it asserts that the defendants both exceeded any authorization by accessing and changing the passwords to the relevant accounts when the parties had a formal business relationship, and acted without any authorization after NovelPoster says the contract was terminated, which thus rescinded any authorization to access any of the accounts. Opp'n 8–11. NovelPoster argues that neither “hacking” nor “circumventing technological access barriers” appears in the CFAA, and neither is a requirement for establishing unauthorized access of information. See Opp'n 4, 8 (citing United States v. Nosal, 930 F.Supp.2d 1051, 1060 (N.D.Cal.2013) (“Nosal II ”) (“Nowhere does the [Ninth Circuit's] opinion in Nosal [I ] hold that the government is additionally required to allege that a defendant circumvented technological access barriers in bringing charges under § 1030(a)(4)”); NetApp, Inc. v. Nimble Storage, Inc., 41 F.Supp.3d 816, 831 (N.D.Cal.2014) (“a nontechnological barrier can revoke authorization”)). NovelPoster contends that this case is analogous to NetApp, Inc. v. Nimble Storage, Inc., in which the court refused to dismiss a CFAA cause of action based on an allegation that the defendant exceeded the authorization given to him to use his former employer's computer systems when he repeatedly accessed the systems and took confidential data from them after his employment ceased. See Opp'n 8–9 (discussing NetApp, 41 F.Supp.3d at 832–33). There, the court rejected the argument that the CFAA requires pleading circumvention of a technological access barrier. NetApp, 41 F.Supp.3d at 832–33.
The defendants have not carried their burden of showing that they are entitled to judgment on the pleadings regarding the issue of whether they exceeded, or acted without, authorization. Based on the pleadings, issues of fact remain concerning whether the defendants truly had authorization to access NovelPoster's various accounts and change the passwords during the business relationship and, if they did, to continue to access the accounts after the contract supposedly terminated. In other words, the defendants' contention that NovelPoster gave them “unrestricted” access to the accounts is not as “clearly demonstrate[d]” as they assert. See Reply 3, 5.
Throughout the Complaint, NovelPoster has alleged that (i) Yancher's and Grinberg's individual email accounts were “personal email accounts associated with their business”; (ii) the defendants accessed those and other accounts and changed the passwords without providing the new passwords to NovelPoster; (iii) NovelPoster never gave the defendants permission to take any of the accused actions; (iv) Yancher and Grinberg expressed concern about the defendants' actions before entering the agreement; (v) the defendants refused to turn over the new passwords to NovelPoster despite its demand that they do so; and (vi) the defendants continued to access the accounts after the agreement purportedly ended. See Compl. ¶¶ 22–24, 36. That NovelPoster's owners “expressed concern that Defendants had changed the passwords” and asked to retain access to all of its accounts the same day it proposed contract terms weakens the defendants' argument that they did not access NovelPoster's accounts “without authorization.” See Compl. ¶ 18. Indeed, NovelPoster's attempts to restore its exclusive control of the individual NovelPoster email accounts and to terminate its contract with the defendants further cuts against the defendants' assertion that they had, and continue to have, unrestricted authorization. This is a case where “whether authorization existed may require a factual inquiry beyond the scope of the threshold motion stage.” Global Policy Partners, LLC v. Yessin, 686 F.Supp.2d 631, 636 (E.D.Va.2009).
Contrary to the defendants' argument, the pleadings do not establish that NovelPoster granted them “unrestricted access” to the accounts at issue. See Reply 3–4. Though the parties' agreement states that the defendants shall “take over all aspects of operations except for poster design,” Compl. ¶ 17, that does not unambiguously entail unrestricted access to all accounts, especially those accounts that NovelPoster has characterized as Yancher's and Grinberg's “personal email account[s],” Compl. ¶ 22. While NovelPoster admits that the individual email accounts were “in effect, the customer relationship management [ ] tool for Mr. Grinberg and Mr. Yancher,” Compl. ¶ 11(a) (emphasis added), it is not apparent that those email accounts were the exclusive means for NovelPoster to reach customers such that it would have impossible for the defendants to operate NovelPoster without access to the individual email accounts. Notably, the Complaint does not allege, and the defendants do not argue, that NovelPoster gave the defendants the passwords to the individual email accounts. And though NovelPoster gave the defendants the password to the Contact@NovelPoster.com account, which conferred on the defendants the ability to access the individual email accounts and change their passwords, that does not mean that the defendants were authorized to do so, especially in the face of Yancher and Grinberg's complaints when the defendants exercised that ability. NovelPoster may have simply intended that the defendants have capabilities limited to the administrative account only but not the individual accounts. The pleadings are silent on this point and it is a factual issue inappropriate for decision on this motion. But the fact that Yancher and Grinberg protested that the defendants changed the passwords to two NovelPoster accounts and stated that they “would need to maintain access to all NovelPoster accounts” before the agreement was confirmed indicates that the scope of the defendants' authorization with regard to NovelPoster's accounts may have been more circumscribed than the defendants assert. See Compl. ¶ 18 (emphasis added).
The defendants' argument that their actions may constitute misuse or misappropriation, but do not fall under the CFAA as a matter of law, is unpersuasive. The Complaint focuses primarily on the defendants' access to the accounts, not what the defendants did with the information stored in those accounts, so the defendants are incorrect to argue that this case is merely about misappropriation or misuse of information. The defendants suggest that, as in Nosal I, in which the court dismissed a CFAA cause of action where an employee accessed a company database and transferred source lists to a competitor because the accused activity constituted misuse rather than unauthorized access, they did not access any protected computer “without authorization” and, at most, engaged in misappropriation. See Mot. 15–16 (citing Nosal I, 676 F.3d at 863). Nosal I is different from this case, however, because the defendants there undoubtedly had permission to access the company files but were accused of misusing those files to start a competing business. See Nosal I, 676 F.3d at 856. Here, there remains a question of whether the defendants were allowed to access the accounts at issue at all.
The defendants argue that NovelPoster fails to plead that they circumvented a “technological access barrier” and that “the Complaint [does not] show that Plaintiff made any efforts to erect a ‘technological access barrier,’ ” such as by revoking the defendants' password access. See Mot. 5, 7, 14 (“Nowhere in Plaintiff's Complaint is there any allegation that Defendants' password access was ever rescinded”), 21–22. The defendants further reject NovelPoster's argument that it does not need to plead circumvention of a technological access barrier by distinguishing cases in which courts have said there is no such requirement from this case because those cases “involve former employees gaining access to the employer's computer system on false pretenses, post-termination,” whereas this case involves a failed business relationship. Reply 7 (original emphasis); see also Mot. 21 (“Plaintiffs failed to allege that Defendants overcame a technical barrier”).
The defendants' arguments are unconvincing. As Judge Koh cogently explained:
“The [Ninth Circuit] did not ... explicitly hold that the CFAA is limited to hacking crimes, or discuss the implications of so limiting the statute....
Hacking was only a shorthand term used as common parlance by the court to describe the general purpose of the CFAA, and its use of the phase ‘circumvention of technological access barriers' was an aside that does not appear to have been intended as having some precise definitional force.”
To be clear, NovelPoster also accuses the defendants of exceeding authorization, a context in which circumventing a technological access barrier makes little sense.
Nosal II, 930 F.Supp.2d at 1060–61. Moreover, to the extent that the defendants fault NovelPoster for not erecting a technological access barrier, it was the defendants' own alleged actions that prevented NovelPoster from doing so after they purportedly exceeded and acted without authorization concerning the accounts: by changing the passwords on the various accounts and refusing to turn over the new passwords to NovelPoster despite its demands that they do so, the defendants kept NovelPoster from taking the precise action they now assert it failed to take.
The defendants make much of the fact that the parties are not in an employer-employee relationship, noting that many of the CFAA cases cited by NovelPoster involve such a relationship. Reply 4–5; see also Mot. 5 (“Plaintiff's use of the CFAA is novel in other ways as well. Most CFAA cases in the Ninth Circuit deal with a former employee accessing an employer's computer with adverse interests to the employer ....”). They do not explain why this is relevant—no authority cited states that a CFAA violation can only occur in an employment context. Though many cases dealing with exceeding authorization involve employers and employees, as NovelPoster correctly observes, “While theNosal and Brekka cases dealt with an employer authorizing its employee to access its protected computers, the rule applies equally to other situations as it is the owner of the protected computer that decides whether someone is authorized to access its computer's [sic] or not.” Opp'n 11. Regardless of whether an employment relationship was involved, the relevant question is whether authorization to access a protected computer was absent or exceeded, and NovelPoster has raised an issue of fact in that regard.
The defendants also raised a number of issues about the scope of the parties' contract itself and whether it was effectively terminated when NovelPoster claims to have done so. For example, the defendants assert that any of NovelPoster's and its owners' statements outside of the contract cannot modify what the contract explicitly states. Reply 5–6. They also assert that NovelPoster did not have the unilateral authority to terminate the agreement. Mot. 3–4.
As the defendants rightly recognize, “this dispute is entirely about two parties with differing interpretations of the terms of a business relationship,” Opp'n 4, but the “terms” of that business relationship include the extent to which the defendants could access the accounts at issue. The scope of those terms remain issues of fact. Though the defendants argue that the language of the contract is clear and nothing NovelPoster, Yancher, or Grinberg said or did could modify its terms, they are incorrect. As the Supreme Court of California has said, “rational interpretation [of a contract] requires at least a preliminary consideration of all credible evidence offered to prove the intention of the parties,” and this evidence includes the “circumstances surrounding the making of the agreement ... so that the court can place itself in the same situation in which the parties found themselves at the time of contracting.” Pac. Gas & Elec. Co. v. G.W. Thomas Drayage & Rigging Co., 69 Cal.2d 33, 39–40, 69 Cal.Rptr. 561, 442 P.2d 641 (1968) (internal quotation marks and citations omitted). The scope of NovelPoster's authorization is in dispute and the defendants are not entitled to judgment on the pleadings on this basis.
C. NovelPoster Fails To Adequately Plead Loss.
The parties dispute whether NovelPoster has alleged losses sufficient to sustain a claim under the CFAA. “Damage” under the CFAA includes “any impairment to the integrity or availability of data, a program, a system, or information.” 18 U.S.C. § 1030(e)(8). “Loss” under the CFAA includes “any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service.” 18 U.S.C. § 1030(e)(11). “[D]istrict courts in the Ninth Circuit have held that it is not necessary for data to be physically changed or erased to constitute damage to that data.... It is sufficient to show that there has been an impairment to the integrity of data, as when an intruder retrieves password information from a computer and the rightful computer owner must take corrective measures ‘to prevent the infiltration and gathering of confidential information.’ ” Multiven, Inc. v. Cisco Sys., Inc., 725 F.Supp.2d 887, 894–95 (N.D.Cal.2010) (Ware, J.) (citations omitted). The cost of investigating unauthorized access and securing a computer network constitutes losses. Kimberlite Corp. v. Does 1–20, No. 08–cv–2147–TEH, 2008 WL 2264485, at *2, (N.D.Cal. June 2, 2008).
The defendants assert that NovelPoster cannot meet the CFAA's loss requirement because NovelPoster's claim of loss is too vague. Mot. 18. Regarding loss, NovelPoster's sole allegation is that, “[a]s a result of Defendants' conduct, [NovelPoster] has suffered damages and/or loss in excess of $5,000 in the year preceding the date of this filing, but the damages grow each day that Defendants refuse to acknowledge termination of the Agreement.” Compl. ¶ 44. The defendants point out that NovelPoster claims a loss of business, but not that customers were impeded from making purchases while NovelPoster's owners could not access its email accounts. Mot. 18; Reply 12.
The defendants also maintain that NovelPoster cannot bring a CFAA claim because it does not have standing to allege loss to “protected computers” that it does not actually own, operate, or maintain. Mot. 18–19 (citing Nexans Wires S.A. v. Sark–USA, Inc., 319 F.Supp.2d 468, 475 (S.D.N.Y.2004) (defining “loss” as the “cost of investigating or remedying damage to a computer, or a cost incurred because the computer's service was interrupted”)). They reason that because NovelPoster's business is conducted on third-party software programs, NovelPoster does not actually own, operate, or maintain these “computers” and, thus, cannot be said to have suffered any loss to those computers.
NovelPoster alleges that the defendants caused harm amounting to greater than $5,000, and damages continue to accumulate. Compl. ¶ 44. It claims damages based on the attorney's fees and costs supposedly needed to investigate the alleged misconduct and to prosecute this lawsuit, as well as “lost sales opportunities, unjust enrichment via cross-marketing, and loss of access to data.” Opp'n 13–14. NovelPoster contends this it “is not required to literally own the servers or host computers that have been wrongfully accessed” in order to maintain a CFAA cause of action. Opp'n 12 (quoting Theofel v. Farey–Jones, 359 F.3d 1066, 1078 (9th Cir.2004) (“The civil remedy extends to any person who suffers damage .... Individuals other than the computer's owner may be proximately harmed by unauthorized access, particularly if they have rights to data stored on it.”) (brackets and emphasis omitted)). NovelPoster further responds that NovelPoster's inability to access the email accounts for which the defendants changed passwords constitutes an “interruption of service” because NovelPoster could not reach or use the data and information contained in the accounts. Opp'n 14.
The defendants are entitled to judgment as a matter of law on the CFAA cause of action because NovelPoster fails to adequately allege loss or damages. Its sole allegation in this regard—that NovelPoster “has suffered damages and/or loss in excess of $5,000 in the year preceding the date of this filing, but the damages grow each day that Defendants refuse to acknowledge termination of the Agreement,” Compl. ¶ 44—is nothing more than a “conclusory allegation[ ] of harm” insufficient to sustain a CFAA claim. See NetApp, 41 F.Supp.3d at 834–35. With respect to damage, NovelPoster does not plead any “any impairment to the integrity or availability of data, a program, a system, or information.” 18 U.S.C. § 1030(e)(8); see also NetApp, 41 F.Supp.3d at 833–36 (“[the plaintiff] alleges only that [the defendant] accessed its databases without permission, not that he damaged any systems or destroyed any data”). With respect to loss, NovelPoster's allegation “set[s] forth only a bare legal conclusion, couched as fact, that [it] incurred costs.” In re Google Android Consumer Privacy Litig., No. 11–md–2264–JSW, 2013 WL 1283236, at *7 (N.D.Cal. Mar. 26, 2013). Its “assessment of loss” is “entirely speculative” because it is “devoid of any specific details from which a factfinder could calculate an amount of loss.” Doyle v. Taylor, No. 09–cv–158, 2010 WL 2163521, at *3 (E.D.Wash. May 24, 2010), aff'd sub nom. Doyle v. Chase, 434 Fed.Appx. 656 (9th Cir.2011). NovelPoster itself appears to recognize that its pleading is lacking because it requests several times in its opposition brief leave to amend its complaint. As the Complaint now reads, NovelPoster's CFAA claim is deficient and the defendants are entitled to judgment on the pleadings for that cause of action. , II. THIRD CAUSE OF ACTION: CDAFA VIOLATION
The defendants are incorrect to assert that NovelPoster must “own” the protected computers at issue in order to have standing to bring a CFAA claim. See Theofel, 359 F.3d at 1078 (“The district court erred by reading an ownership or control requirement into the Act.”).
The defendants argue that the rule of lenity weighs in their favor with respect to this cause of action. The rule of lenity does not weigh in the defendants' favor. “It is well established that ‘ambiguity concerning the ambit of criminal statutes should be resolved in favor of lenity.’ ” United States v. Carr, 513 F.3d 1164, 1168 (9th Cir.2008) (citation omitted). The rule is equally relevant in the civil context if the statute at issue is also criminal. Brekka, 581 F.3d at 1134. But as the Ninth Circuit has said in the context of considering how the rule of lenity applied to the CFAA in a civil case, “we hold that a person uses a computer ‘without authorization’ under §§ 1030(a)(2) and (4) when the person has not received permission to use the computer for any purpose (such as when a hacker accesses someone's computer without any permission), or when the [computer's owner] has rescinded permission to access the computer and the defendant uses the computer anyway.” Brekka, 581 F.3d at 1135. The pleadings accuse the defendants of doing exactly that. The defendants identify no other ambiguity warranting application of the rule. Accordingly, the rule of lenity is not a bar to holding the defendants liable under the CFAA if NovelPoster's allegations prove true. In any event, this issue is mooted by this Order.
NovelPoster alleges that the defendants violated the CDAFA, California's corollary to the CFAA. Compl. ¶¶ 57–59. As with the CFAA claim, the parties dispute the existence or extent of the defendants' authorization to access and use NovelPoster's accounts.
The relevant provision of the CDAFA provides that a person is liable who:
(1) Knowingly accesses and without permission alters, damages, deletes, destroys, or otherwise uses any data, computer, computer system, or computer network in order to either (A) devise or execute any scheme or artifice to defraud, deceive, or extort, or (B) wrongfully control or obtain money, property, or data. (2) Knowingly accesses and without permission takes, copies, or makes use of any data from a computer, computer system, or computer network, or takes or copies any supporting documentation, whether existing or residing internal or external to a computer, computer system, or computer network. (3) Knowingly and without permission uses or causes to be used computer services. (4) Knowingly accesses and without permission adds, alters, damages, deletes, or destroys any data, computer software, or computer programs which reside or exist internal or external to a computer, computer system, or computer network. (5) Knowingly and without permission disrupts or causes the disruption of computer services or denies or causes the denial of computer services to an authorized user of a computer, computer system, or computer network.... (7) Knowingly and without permission accesses or causes to be accessed any computer, computer system, or computer network.
Cal. Penal Code § 502(c)(1)–(5), (7). Parties act “without permission” when they “circumvent[ ] technical or code-based barriers in place to restrict or bar a user's access.” Facebook v. Power Ventures, Inc., 844 F.Supp.2d 1025, 1036 (N.D.Cal.2012) (Ware, J.). An individual “who suffers damage or loss by reason of a violation” may bring a private action for damages and equitable relief. Cal. Penal Code § 502(e)(1). “[T]he necessary elements of Section 502 do not differ materially from the necessary elements of the CFAA ....” Multiven, 725 F.Supp.2d at 895; see also New Show Studios LLC v. Needle, No. 14–cv–1250, 2014 WL 2988271, at *7 (C.D.Cal. June 30, 2014) (disposing of CFAA and CDAFA claims jointly); Integral Dev. Corp. v. Tolat, No. 12–cv–6575–JSW, 2013 WL 5781581, at *3–4 (N.D.Cal. Oct. 25, 2013) (same).
However, under the CDAFA, a plaintiff must also allege that the defendant “overc[a]me some technical or code barrier.” Enki Corp. v. Freedman, No. 13–cv–2201–PSG, 2014 WL 261798, at *3 (N.D.Cal. Jan. 23, 2014).
The defendants' motion for judgment on the pleadings for the CDAFA cause of action succeeds for the same reason their motion succeeds with regard to the CFAA claim: while whether the defendants acted “without permission” remains in dispute, the complaint does not adequately plead that NovelPoster “suffer[ed] damage or loss by reason of a violation.” Cal. Penal Code § 502(e)(1); see also Perkins v. LinkedIn Corp., 53 F.Supp.3d 1190, 1219 (N.D.Cal.2014) (requiring plaintiffs to plead that they “have suffered [ ] tangible harm from the alleged Section 502 violations”).
The defendants correctly note that California Penal Code Section 502(h) contains an exception for acts committed within the scope of employment, and they argue the exception should apply to them even though the parties were not technically in an employment relationship. Mot. 21–22 (citing Cal. Penal Code § 502(h)). As discussed above, the existence and scope of authorization remains a disputed issue of fact, so this exception would not help them.
III. SECOND CAUSE OF ACTION: WIRETAP ACT VIOLATION
The Wiretap Act makes liable any person who “intentionally intercepts, endeavors to intercept, or procures any other person to intercept or endeavor to intercept, any wire, oral, or electronic communication.” 18 U.S.C. § 2511(1)(a). A civil cause of action is available to “any person whose wire, oral, or electronic communication is intercepted, disclosed, or intentionally used in violation of this [law].” 18 U.S.C. § 2520(a). The statute defines “intercept” as “the aural or other acquisition of the contents of any wire, electronic, or oral communication through the use of any electronic, mechanical, or other device.” 18 U.S.C. § 2510(4). “Such acquisition occurs ‘when the contents of a wire communication are captured or redirected in any way.’ ” Noel v. Hall, 568 F.3d 743, 749 (9th Cir.2009) (citation omitted). “[E]lectronic, mechanical, or other device” includes:
any device or apparatus which can be used to intercept a wire, oral, or electronic communication other than [ ] any telephone or telegraph instrument, equipment or facility, or any component thereof, [ ] furnished to the subscriber or user by a provider of wire or electronic communication service in the ordinary course of its business and being used by the subscriber or user in the ordinary course of its business or furnished by such subscriber or user for connection to the facilities of such service and used in the ordinary course of its business.
18 U.S.C. § 2510(5)(a). It is not unlawful, however, for a “party to the communication” “to intercept a wire, oral, or electronic communication ... where one of the parties to the communication has given prior consent to such interception.” 18 U.S.C. § 2511(2)(d). Consent to an interception can be explicit or implied. See United States v. Van Poyck, 77 F.3d 285, 292 (9th Cir.1996).
A further limitation to the Wiretap Act is described in Konop v. Hawaii Airlines, Inc., where the Ninth Circuit held that for a communication “to be ‘intercepted’ in violation of the Wiretap Act, it must be acquired during transmission, not while it is in electronic storage.” 302 F.3d 868, 878 (9th Cir.2002). The court explained that “[t]his conclusion is consistent with the ordinary meaning of ‘intercept,’ which is ‘to stop, seize, or interrupt in progress or course before arrival.’ ” Id. (quoting Webster's Ninth New Collegiate Dictionary 630 (1985)). In other words, “acquisition of email messages stored on an electronic [ ] system, but not yet retrieved by the intended recipients, [i]s not an ‘interception’ under the Wiretap Act.” Id. at 876 (endorsing Steve Jackson Games, Inc. v. United States Secret Serv., 36 F.3d 457, 460 (5th Cir.1994)).
Given the speed of email, the Wiretap Act's application to that form of electronic communication is undoubtedly limited. In adopting the Ninth Circuit's reasoning in Konop, the Eleventh Circuit quoted from a law review article which explained,
There is only a narrow window during which an E-mail interception may occur—the seconds or mili-seconds before
which a newly composed message is saved to any temporary location following a send command. Therefore, unless some type of automatic routing software is used (for example, a duplicate of all of an employee's messages are automatically sent to the employee's boss), interception of E-mail within the prohibition of the Wiretap Act is virtually impossible.
United States v. Steiger, 318 F.3d 1039, 1050 (11th Cir.2003)(quoting Jarrod J. White, E–Mail @Work.com: Employer Monitoring of Employee E–Mail, 48 Ala. L. Rev. 1079, 1083 (1997) (brackets omitted)). The Ninth Circuit has therefore observed that “the existing statutory framework is ill-suited to address modern forms of communication.” Konop, 302 F.3d at 874. Nonetheless, courts have almost uniformly applied this understanding of the statute. Pure Power Boot Camp v. Warrior Fitness Boot Camp, 587 F.Supp.2d 548, 555 (S.D.N.Y.2008) (“The majority of courts which have addressed the issue have determined that e-mail stored on an electronic communication service provider's systems after it has been delivered, as opposed to e-mail stored on a personal computer, is a stored communication [not subject to the Wiretap Act].”); see also Fraser v. Nationwide Mut. Ins. Co., 352 F.3d 107, 113 (3d Cir.2003) (“While Congress's definition of ‘intercept’ does not appear to fit with its intent to extend protection to electronic communications, it is for Congress to cover the bases untouched.”).
Courts have explained that, for a Wiretap Act violation to occur, the defendants' actions must “halt the transmission of the messages to their intended recipients.” Exec. Sec. Mgmt., Inc. v. Dahl, 830 F.Supp.2d 883, 904 (C.D.Cal.2011) (quoting Bunnell v. Motion Picture Ass'n of Am., 567 F.Supp.2d 1148, 1154 (C.D.Cal.2007)). Thus, reading emails that have already been received in an email account's inbox does not constitute “intercept[ion]” under the statute. See Mintz v. Mark Bartelstein & Assocs. Inc., 906 F.Supp.2d 1017, 1031 (C.D.Cal.2012) (granting summary judgment to defendants where “[t]he undisputed facts [ ] show that Defendants did not access, disclose, or use any emails that had been acquired during transmission. Rather, the emails Defendants viewed were stored on Gmail.”); see also Yessin, 686 F.Supp.2d at 638 (“a qualifying ‘intercept’ under the [Wiretap Act] ... can only occur where an e-mail communication is accessed at some point between the time the communication is sent and the time it is received by the destination server”). Nor does it matter if the intended recipient had not read the emails intended to reach that recipient before it was allegedly intercepted. Pure Power Boot Camp, Inc. v. Warrior Fitness Boot Camp, LLC, 759 F.Supp.2d 417, 431 (S.D.N.Y.2010) (“there was no evidence that the emails were intercepted at the same time they were transmitted, and [ ] the evidence indicated instead that the emails were accessed after they had been delivered ... electronic communications cannot be intercepted for purposes of the [Wiretap Act] after they have been delivered”); Yessin, 686 F.Supp.2d at 638 (“Irrespective of whether Mrs. Yessin read the e-mail messages in question, they had reached their destination server. Accordingly, they were no longer in transmission by the time Mr. Yessin allegedly accessed them.”).
The defendants contend that this cause of action cannot be proved on the facts alleged. They argue that they were authorized to use the accounts as part of their “take over” of NovelPoster's operations. Mot. 8. As the Complaint alleges, the individual NovelPoster accounts were tools for customer relations used by Yancher and Grinberg before the defendants assumed control of the business. Mot. 23–24. Accordingly, the defendants argue, as the operators of NovelPoster, they qualify for the exemption in the Wiretap Act for any “party to the communication” at issue. Mot. 24 (citing 18 U.S.C. § 2511(2)(c)). Furthermore, the defendants assert that because they did not use a “device” to access the emails in the individual NovelPoster accounts other than Microsoft Outlook or Gmail, they did not “intercept” them under the Act. Mot. 23–24; see also Crowley v. Cyber S ource Corp. & Amazon, Inc., 166 F.Supp.2d 1263, 1269 (N.D.Cal.2001) (holding that the plaintiff failed to demonstrate the defendant had intercepted the communication “because [the defendant] did not acquire it using a device other than the drive or server on which the e-mail was received”).
NovelPoster argues the defendants intentionally intercepted and used emails from the individual email accounts without authorization “to unjustly retain money from NovelPoster, and to aid in the marketing of other products [the defendants] sell that are unrelated to NovelPoster.” Opp'n 21–21 (citing Compl. ¶¶ 22–24, 34). It asserts that the defendants were not authorized to use the individual email accounts merely because they were charged with NovelPoster's operation—the accounts were the customer relationship management tools for Yancher and Grinberg individually. Opp'n 21–22. It states that the defendants' wrongful access of the individual email accounts and redirection of emails constitutes use of a “device” under the statute. Opp'n 22. And it contends that, regardless of any rights the defendants may have had prior to the alleged contract termination, the defendants were not a party to any NovelPoster communications after that termination and any consent to view such communications was immediately revoked. Opp'n 23.
None of NovelPoster's arguments make the Wiretap Act applicable. While the Complaint alleges that the defendants wrongfully accessed the accounts at issue and, by changing passwords, prevented NovelPoster from accessing certain ones, nowhere does the Complaint allege that the defendants “intercepted” any “electronic communication” as understood under the Wiretap Act. The Ninth Circuit and other courts have consistently explained that any “interception” under the meaning of the statute must occur during transmission of the communication. Konop, 302 F.3d at 878. Though NovelPoster claims that Yancher and Grinberg were never able to access their email accounts due to the defendants' alleged actions, any subsequent reading or forwarding of those emails by the defendants does not constitute an illegal “interception.” Pure Power Boot Camp, 759 F.Supp.2d at 431. Accordingly, based on the pleadings, NovelPoster is unable to allege a violation of the Wiretap Act.
Neither of the parties briefed this issue. However, it is dispositive.
IV. FOURTH CAUSE OF ACTION: CIPA VIOLATION
At least one court has held that CIPA is preempted by the Wiretap Act. See, e.g., Bunnell v. Motion Picture Ass'n of Am., 567 F.Supp.2d 1148, 1154–55 (C.D.Cal.2007). Neither party raised this issue, but judges on this Court have rejected that conclusion. See, e.g., Shively v. Carrier IQ, Inc., No. 12–cv–290–EMC, 2012 WL 3026553, at *10 (N.D.Cal. July 24, 2012); Valentine v. NebuAd, Inc., 804 F.Supp.2d 1022, 1029 (N.D.Cal.2011) (Henderson, J.); see also Leong v. Carrier IQ Inc., No. 12–cv–1562, 2012 WL 1463313, at *1 (C.D.Cal. Apr. 27, 2012). In any event, the issue is moot because of this Order's holding.
--------
To support their arguments for judgment on the pleadings for the CIPA cause of action, the parties rely upon the arguments they raised with regard to the Wiretap Act claim. Mot. 24–25; Opp'n 23.
The analysis for a violation of CIPA is the same as that under the federal Wiretap Act. See Opperman v. Path, 87 F.Supp.3d 1018, 1063–65 (N.D.Cal.2014) (summarily dismissing CIPA claim for the same reasons the Wiretap Act claim was dismissed); Hernandez v. Path, Inc., No. 12–cv–1515–YGR, 2012 WL 5194120, at *5 (N.D.Cal. Oct. 19, 2012) (same); Bradley v. Google, Inc., No. 06–cv–5289–WHA, 2006 WL 3798134, at *5–6 (N.D.Cal. Dec. 22, 2006) (finding lack of “interception” fatal to CIPA claim). Based on the pleadings, because NovelPoster is unable to allege a violation of the Wiretap Act, it is also unable to allege a violation of CIPA.
CONCLUSION
For the reasons above, the Motion for Judgment on the Pleadings is GRANTED.
I will grant NovelPoster leave to amend its complaint with respect to the four causes of action that are the subject of this Order within 15 days of the date below. I caution that, for the reasons described above, amendment is likely to be futile with regard to the Second and Fourth Causes of Action. In that regard I remind counsel of their obligations under Rule 11(b) of the Federal Rules of Civil Procedure. If NovelPoster wishes to allege any additional causes of action, it shall seek leave of Court before doing so.