Summary
finding that defendants did not exceed authorized access where defendants "were not permitted . . . to disseminate the information," but nonetheless "clearly had permission to access the work product or other electronically stored information."
Summary of this case from Zoom Imaging Solutions, Inc. v. RoeOpinion
CASE NO. 1:13-CV-01262 AWI SKO
04-03-2014
ORDER GRANTING DEFENDANTS'
MOTION TO DISMISS
(Doc. 12)
Plaintiff Quad Knopf, Inc. ("Plaintiff") brings this action against South Valley Biology Consulting LLC ("SVBC"), James W. Jones, Jr. ("Jones"), Jason H. Kang ("Kang"), Nina E. Hostmark ("Hostmark"), Michael V. Phillips ("Phillips"), and Paul Rosebush ("Rosebush") (collectively "Defendants") for violations of the Computer Fraud and Abuse Act when Hostmark, Phillips, and Rosebush allegedly transmitted information from Plaintiff's computers while employed by Plaintiff without Plaintiff's consent, and that information was then used by Defendants to compete with Plaintiff and caused Plaintiff to suffer loss. Plaintiff's Complaint also alleges nine causes of action arising under California law related to Defendants' use of Plaintiff's work product and clients. Defendants moves to dismiss eight causes of action. For the following reasons, Defendants' motion is granted:
I. BACKGROUND
Plaintiff, a consulting firm with offices in central California, provides professional services in the areas of civil engineering, land planning, land surveying, landscape architecture, environmental planning, permitting, and biology consulting services. Doc. 1, ¶¶ 2, 9. Plaintiff's biologists conduct biological field studies and provide detailed reports to its clients. Doc. 1, ¶ 11-12. Among about eighty-five individuals, Plaintiff employed Defendants Jones, Kang, Hostmark, Phillips, and Rosebush. Doc. 1, ¶¶ 11, 14, 15, 6-8. In 2010, Jones and Kang formed SVBC, a competing firm providing the same services as Plaintiff in the area of biological studies and reporting. Doc. 1, ¶ 14. Jones and Kang recruited Hostmark, Phillips, and Rosebush, staff biologists, who left Plaintiff's employ and joined SVBC. Doc. 1, ¶ 15. Plaintiff soon discovered that biological studies and reports were missing or copied from Plaintiff's computer, and that identical portions of Plaintiff's studies and reports were incorporated into SVBC's reports. Doc. 1, ¶¶ 16, 18. Plaintiff later found that SVBC's website and promotional materials contained Plaintiff's work product. Doc. 1, ¶ 19.
Plaintiff alleges that Hostmark, Phillips, and Rosebush intentionally removed Plaintiff's work product for two years while still employed by Plaintiff without Plaintiff's knowledge or consent and transmitted that product to SVBC, Jones, and Kang by e-mail or in person. Doc. 1, ¶¶ 22-24. Plaintiff also alleges that Defendants intentionally solicited Plaintiff's clients on behalf of SVBC, and, in fact, several of Plaintiff's clients terminated contracts with Plaintiff to give them to SVBC. Doc. 1, ¶¶ 23, 17. Plaintiff has suffered damages in investigating the adequacy of its computer security systems, replacing the work product, and lost income. See e.g. Doc. 1, ¶¶ 25, 31.
Plaintiff's Complaint brings ten causes of action and seeks compensatory damages, injunctive relief, restitution, punitive damages, costs, and attorney's fees. Doc. 1. Plaintiff alleges that this Court has subject matter jurisdiction over this action because Plaintiff's first cause of action is for violations of the Computer Fraud and Abuse Act ("CFAA"), codified at 18 U.S.C. Section 1030. Doc. 1 ¶ 1. Defendants move to dismiss the Complaint as to the first eight causes of action, and, if the first cause of action is dismissed, for lack of subject matter jurisdiction. Doc. 12. Plaintiff filed an opposition (Doc. 13), Defendant filed a reply (Doc 14), and the matter was taken under submission without oral argument (Doc. 15).
II. THE LEGAL STANDARD
Under Federal Rule of Civil Procedure 12(b)(6), a claim may be dismissed because of the plaintiff's "failure to state a claim upon which relief can be granted." Fed. R. Civ. P. 12(b)(6). A dismissal under Rule 12(b)(6) may be based on the lack of a cognizable legal theory or on the absence of sufficient facts alleged under a cognizable legal theory. Conservation Force v. Salazar, 646 F.3d 1240, 1242 (9th Cir. 2011); Johnson v. Riverside Healthcare Sys., 534 F.3d 1116, 1121 (9th Cir. 2008). In reviewing a complaint under Rule 12(b)(6), all allegations of material fact are taken as true and construed in the light most favorable to the non-moving party. Faulkner v. ADT Sec. Servs., 706 F.3d 1017, 1019 (9th Cir. 2013); Johnson, 534 F.3d at 1121.
To avoid a Rule 12(b)(6) dismissal, a complaint must contain sufficient factual matter, accepted as true, to state a claim to relief that is plausible on its face. Ashcroft v. Iqbal, 556 U.S. 662, 129 S. Ct. 1937, 1949, 173 L. Ed. 2d 868 (2009); see Bell Atl. Corp. v. Twombly, 550 U.S. 544, 555, 570, 127 S. Ct. 1955, 167 L. Ed. 2d 929 (2007). "A claim has facial plausibility when the plaintiff pleads factual content that allows the court draw the reasonable inference that the defendant is liable for the misconduct alleged." Iqbal, 129 S.Ct. at 1949.
"[A] district court should grant leave to amend even if no request to amend the pleading was made, unless it determines that the pleading could not possibly be cured by the allegation of other facts." Lopez v. Smith, 203 F.3d 1122, 1127 (9th Cir. 2000) (en banc), quoting Doe v. United States, 58 F.3d 494, 497 (9th Cir. 1995). Leave to amend should be granted "with extreme liberality," so long as factors such as undue delay, bad faith or dilatory motive on the part of the movant, repeated failure to cure deficiencies by amendments previously allowed, undue prejudice to the opposing party by virtue of the amendment, or futility of amendment are not present. Eminence Capital, LLC v. Aspeon, Inc., 316 F.3d 1048, 1051-52 (9th Cir. 2003).
III. THE COMPUTER FRAUD AND ABUSE ACT
The CFAA was enacted to enhance the government's ability to prosecute computer crimes. LVRC Holdings LLC v. Brekka, 581 F.3d 1127, 1130 (9th Cir. 2009). The CFAA prohibits various computer crimes, which involve accessing computers without authorization or in excess of authorization, and then taking specified forbidden actions, such as from obtaining information and damaging a computer or computer data. See 18 U.S.C. § 1030(a)(1)-(7).
A private plaintiff may maintain a civil action under Section 1030(g) if the defendant's conduct violated one of the provisions of § 1030(a)(1)-(7), and that the violation involved one of the factors listed in § 1030(a)(5)(B). 18 U.S.C. § 1030(g); Brekka, 581 F.3d at 1131. To bring an action based on a violation of 18 U.S.C. § 1030(a)(2), a plaintiff must show that the defendant "(1) intentionally accessed a computer, (2) without authorization or exceeding authorized access, and that he (3) thereby obtained information (4) from any protected computer (if the conduct involved an interstate or foreign communication), and that (5) there was loss to one or more persons during any one-year period aggregating at least $5,000 in value." Id. at 1132. Sections 1030(a)(4) and 1030(a)(5) similarly require intentional access of a protected computer without authorization. 18 U.S.C. §§ 1030(a)(4), 1030(a)(5). The CFAA defines "exceeds authorized access" as "to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter." 18 U.S.C. § 1030(e)(6).
The Ninth Circuit has found that the plain language of the CFAA "targets the unauthorized procurement or alteration of information, not its misuse or misappropriation." United States v. Nosal, 676 F.3d 854, 860 (9th Cir. 2012). Hence, the requirement that the access was without authorization or exceeded authorized access "does not extend to violations of use restrictions." Id. at 864. The broader interpretation "would transform the CFAA from an anti-hacking statute into an expansive misappropriation statute." Id. at 863. The "narrower interpretation is also a more sensible reading of the text and legislative history of a statute whose general purpose is to punish hacking—the circumvention of technological access barriers—not misappropriation of trade secrets—a subject Congress has dealt with elsewhere." Id. In Nosal, the government failed to meet the element of "without authorization, or exceeds authorized access" under 18 U.S.C. § 1030(a)(4) because the defendant's accomplices had permission to access the company database and obtain the information contained within. Id. at 864. The defendant was a former employee who convinced some of his former coworkers to use their log-in credentials to download source lists, names and contact information from a confidential database on the company's computer, and then transfer that information to him, in support of his establishing a competing business. Id at. 856. The employees were authorized to access the database, but the company had a policy that forbade disclosing confidential information. Id.
Similar facts arose in Farmers Ins. Exch. v. Steele Ins. Agency, Inc., in which the defendants were former employees of an insurance agency who left and began a competing agency. Farmers Ins. Exch. v. Steele Ins. Agency, Inc., 2013 U.S. Dist. LEXIS 104606, *5-6 (E.D. Cal. July 23, 2013). One defendant was still employed when he began accessing the insurance agency's information, including the customer list, for the benefit of the competing agency. Id. The court found that the employee had permission to access the employer's confidential proprietary information and did not exceed authorized access, "even though he may have used the information for an improper purpose." The motion to dismiss the cause of action for violation of the CFAA as to that defendant was dismissed. Id. at 53.
IV. DISCUSSION
The facts of Nosal and Farmers Insurance are substantially similar to those alleged in Plaintiff's Complaint. In these cases former employees began a competing business and convinced current employees to access the employer's computer database to transmit confidential information to the competing business to the detriment of the employer. Plaintiff's Complaint alleges that Jones and Kang were former employees of Plaintiff who began a competing firm. They then recruited Hostmark, Phillips, and Rosebush, all still employed by Plaintiff, to transmit confidential data and documents to SVBC and/or Jones and Kang, and then leave Plaintiff's employ for SVBC's. The Complaint alleges that Hostmark, Phillips, and Rosebush were staff biologists who produced the studies and reports that Plaintiff alleges were illegally taken and used by Defendants. Doc. 1, ¶¶ 15, 11, 18-19. It says that the removal of Plaintiff's confidential work product and intellectual property from Plaintiff's computers was done "prior to their leaving Plaintiff's employ." Doc. 1, ¶ 21. Plaintiff also alleges that the solicitation of clients was done "while still employed by Plaintiff." Doc. 1, ¶ 23.
Plaintiff argues that Defendants' authorization ended when Defendants began acting as agents for the other Defendants, and, according to principles of agency, their agency relationship with Plaintiff ended. Doc. 13, p. 5, line 24 - p. 7, line 12. However, the Nosal definition of "without authorization" as it applies to a violation of the CFAA is the controlling interpretation in this case. Plaintiff relies upon other circuit courts which have interpreted the CFAA to cover violations of corporate computer use restrictions or violations of a duty of loyalty, including International Airport Ctrs., LLC v. Citrin, 440 F.3d 418 (7th Cir. 2006). But this interpretation was explicitly rejected in this Circuit for failing to construe ambiguous criminal statutes narrowly. Nosal at 862; Brekka, supra, 581, F.3d at 1134. Plaintiff's argument that agency law should apply to determine whether authorization existed is unpersuasive when specific caselaw in this Circuit exists limiting the "without authorization" element in a CFAA claim.
Plaintiff cannot sustain a cause of action for violation of the CFAA because it does not properly allege that Defendants acted without authorization or exceeded their authorization. Plaintiff's opposition states that will seek recovery under 18 U.S.C. §§ 1030(a)(2)(c), 1030(a)(4), 1030(a)(5)(A), all of which require that the access was without authorization. Taking the facts in the light most favorable to Plaintiff still indicates that Hostmark, Phillips, and Rosebush did not exceed their authorization to access Plaintiff's computers and databases. The Complaint does not allege that Hostmark, Phillips, and Rosebush did not rightfully have access to the computers or databases containing the work product that was transmitted and used without consent. Being staff biologists who generate that type of work product, and being employed at the time of the alleged transmittal, Hostmark, Phillips, and Rosebush clearly had permission to access to the work product or other electronically stored information. They were not permitted by Plaintiff to disseminate the information. In the same way, the defendants in Nosal and Farmers Insurance were current employees when they used their employer-given authorization to access the information on the employer's computers with the intent to transmit the information to the competitor.
Plaintiff appears to be alleging violations of use restrictions or misappropriation of trade secrets, but not a cause of action under the CFAA -a statute designed to target hacking crimes. Defendants were employed with Plaintiff and did not exceed their access. Defendants then took the information that they were entitled as an employee to access, and used it in an inappropriate manner contrary to Plaintiff's interest. As stated in Nosal, the "without authorization" requirement does extend to violation of use restrictions. Nosal, supra, 676 F.3d at 864.
Because Plaintiff cannot meet the necessary element of "without authorization or exceeding authorized access," the Complaint does not state a cause of action under the CFAA upon which relief can be granted. The facts as alleged indicate that Defendants, as Plaintiff's staff biologists, had permission to access to the information at issue. Plaintiff could not possibly cure the deficiency of the CFAA action by the allegation of other facts consistent with those alleged in the present complaint. Amendment being futile, leave to amend the CFAA cause of action is denied and the claim is dismissed with prejudice.
V. JURISDICTION
The CFAA claim is Plaintiff's only federal claim. Plaintiff specifically disclaims a federal Copyright Act claim. Doc. 14, p. 9, lines 17-18. A district court may decline to exercise jurisdiction over supplemental state law claims if "the district court has dismissed all claims over which it has original jurisdiction." 28 U.S.C. § 1367(c)(3). When federal claims are dismissed before trial pendent state claims also should be dismissed. Religious Technology Center v. Wollersheim, 971 F.2d 364, 367-368 (9th Cir. 1992). Considering judicial economy, convenience, fairness, and comity, and because the only federal claim in this case is dismissed with prejudice, the Court declines to exercise supplemental jurisdiction over Plaintiff's remaining state law claims.
VI. ORDER
Defendants' Motion to Dismiss is hereby GRANTED.
The CFAA claim is DISMISSED WITH PREJUDICE.
All other claims are DISMISSED for lack of jurisdiction. IT IS SO ORDERED.
__________
SENIOR DISTRICT JUDGE