From Casetext: Smarter Legal Research

Saffron Rewards, Inc. v. Rossie

United States District Court, Northern District of California
Jul 25, 2022
22-cv-02695-DMR (N.D. Cal. Jul. 25, 2022)

Opinion

22-cv-02695-DMR

07-25-2022

SAFFRON REWARDS, INC., Plaintiff, v. ALEX ROSSIE, Defendant.


ORDER ON MOTION TO DISMISS RE: DKT. NO. 14

Donna M. Ryu, United States Magistrate Judge.

Plaintiff Saffron Rewards (“Saffron”) alleges that its co-founder Defendant Alex Rossie breached his contractual and legal obligations to Saffron after Rossie left the company. [Docket No. 1 (“Compl.”).] Now pending is Saffron's motion to dismiss. [Docket No. 14 (“Mot.”); 18 (“Reply”).] Rossie opposes the motion. [Docket No. 17 (“Opp'n”).] This matter is suitable for resolution without a hearing. Civ. L.R. 7-1(b). For the following reasons, the motion is granted in part and denied in part.

I. BACKGROUND

The following facts are in the complaint. Saffron was co-founded on November 10, 2021 by Rossie and non-party Saumil Nanavati to democratize co-branded reward cards for businesses of every size. Compl. ¶¶ 4, 23. Saffron is a Delaware corporation with its principal place of business in San Francisco, California. Id. ¶ 1. Rossie was a member of Saffron's board of directors who resides in Washington and who was responsible for various technical aspects of the company. Id. ¶¶ 2, 4, 24.

When reviewing a motion to dismiss for failure to state a claim, the court must “accept as true all of the factual allegations contained in the complaint.” Erickson v. Pardus, 551 U.S. 89, 94 (2007) (per curiam) (citation omitted).

The complaint alleges that there is sufficient personal jurisdiction over Rossie because Rossie entered into the contract with a California-based entity and accessed Saffron's accounts in California, and that Rossie has “systematic and continuous contacts” here. Compl. ¶¶ 19-20. As Rossie did not raise lack of personal jurisdiction in his motion, any challenge to personal jurisdiction has been waived. See Fed.R.Civ.P. 12(h)(1).

On November 10, 2021, Saffron and Rossie entered into a Technology Assignment Agreement (the “Agreement”) in which Rossie assigned all “Intellectual Property” rights to Saffron. Compl. ¶¶ 5, 28. Rossie agreed not to “use or disclose anything assigned to [Saffron] hereunder or any other technical or business information or plans of [Saffron].” Id. ¶ 27.

The Agreements defines “Intellectual Property” as encompassing:

(a) all technology, know-how, information, intellectual property and other materials for or relevant to [Saffron's] business as currently conducted and presently proposed to be conduct, including without limitation, all business plans, technical plans, specifications, templates, demonstration versions, equipment, software, devices, methods, apparatus, and product designs (collectively, “Technology”), (b) all precursors, portions and work in progress with respect thereto and all inventions, works of authorship, mask works, technology, information, know-how, materials and tools relating thereto or to the development, production, use, support or maintenance thereof and (c) all copyrights, patent rights, trade secret rights, trademark rights, mask works rights, sui generis data base rights and other intellectual property rights and all business, contract rights and goodwill in, incorporated or embodied in, used to develop or produce or use, or related to any of the foregoing.
Compl. ¶ 28.

Thereafter until February 23, 2022, Rossie created numerous online business accounts through third-party vendors that Saffron requires to conduct its business, including software development, communications, website development, and finance (the “Company Accounts”). Id. ¶¶ 7, 25. The Company Accounts included Saffron's website domain, Google Workplace (email, storage, etc.), software development platform, banking accounts, and Amazon Web Services, among others. Id. ¶¶ 7, 26. The Company Accounts contain Saffron's confidential technical and business information including software code, product design and schematics, strategy materials, investor and customer lists, legal documents, and debit card accounts with company funds. Id. ¶¶ 7, 25. When Rossie created the Company Accounts, he assigned himself sole ownership and administrator access. Id. ¶ 25.

On February 23, 2022, Rossie stopped providing services to Saffron and terminated his engagement with the company, although he remained on the board of directors until April 29, 2022. Compl. ¶¶ 6, 29. Over the following weeks, Rossie refused to comply with Saffron's requests made on February 23, 2022 and March 30, 2022 to return company property to Nanavati, including by withholding access to Saffron's Company Accounts. Id. ¶¶ 7, 30-31. Saffron alleges that Rossie's refusal to return all administrator rights to the Company Accounts violated his legal obligations, including under the Agreement. Id. ¶¶ 8, 30-31. On March 30, 2022, Rossie logged into Saffron's Google Workspaces and accessed information on the account without Saffron's permission or authorization. Id. ¶¶ 9, 32.

On April 7, 2022, Saffron's counsel sent a letter to Rossie demanding that he return all Saffron property, provide complete access to Company Accounts, and confirm that he had complied with his obligation under the Agreement that if he had removed any of Saffron's property, he restored it immediately with appropriate permissions and access, and that he deleted or destroyed any other Saffron documents. Compl. ¶¶ 10, 33. That same day, Rossie responded by falsely claiming that he had already returned access rights to the Company Accounts and that he no longer had access. Id. ¶¶ 11, 34.

Saffron subsequently filed this lawsuit on May 4, 2022, claiming that Rossie breached his legal obligations under the Agreement and his fiduciary duties as a member of Saffron's board by intentionally withholding from Saffron the administrator rights to the Company Accounts, which is Saffron's property and contain confidential information. Compl. ¶¶ 35-36. Saffron also claims that Rossie acted in bad faith for the purpose of harming Saffron and to obtain leverage to negotiate his exit package. Id. ¶ 37. Saffron claims that Rossie's conduct jeopardized its business by causing a direct loss of customers, disrupting funding discussions with investors, and impeding Saffron's ability to hire employees. Id. ¶ 38. Saffron alleges (1) breach of the Agreement; (2) breach of the fiduciary duty of loyalty; (3) breach of the implied covenant of good faith and fair dealing; (4) a violation of the federal Computer Fraud and Abuse Act (“CFAA”), 18 U.S.C. § 1030, and (5) conversion. Saffron seeks injunctive relief, damages including punitive damages, an accounting and order requiring restitution and/or disgorgement of funds, interest, and reasonable fees and costs.

II. LEGAL STANDARD

A motion to dismiss under Rule 12(b)(6) tests the legal sufficiency of the claims alleged in the complaint. See Parks Sch. of Bus., Inc. v. Symington, 51 F.3d 1480, 1484 (9th Cir. 1995). When reviewing a motion to dismiss for failure to state a claim, the court must “accept as true all of the factual allegations contained in the complaint,” Erickson, 551 U.S. at 94, and may dismiss a claim “only where there is no cognizable legal theory” or there is an absence of “sufficient factual matter to state a facially plausible claim to relief,” Shroyer v. New Cingular Wireless Servs., Inc., 622 F.3d 1035, 1041 (9th Cir. 2010) (citing Ashcroft v. Iqbal, 556 U.S. 662, 677-78 (2009); Navarro v. Block, 250 F.3d 729, 732 (9th Cir. 2001)) (quotation marks omitted). A claim has facial plausibility when a plaintiff “pleads factual content that allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged.” Iqbal, 556 U.S. at 678 (citation omitted). In other words, the facts alleged must demonstrate “more than labels and conclusions, and a formulaic recitation of the elements of a cause of action will not do.” Bell Atl. Corp. v. Twombly, 550 U.S. 554, 555 (2007).

Under Federal Rule of Civil Procedure 15(a), leave to amend should be granted as a matter of course, at least until the defendant files a responsive pleading. Fed.R.Civ.P. 15(a)(1). After that point, Rule 15(a) provides generally that leave to amend the pleadings before trial should be given “freely . . . when justice so requires.” Fed.R.Civ.P. 15(a)(2). “This policy is to be applied with extreme liberality.” Eminence Capital, LLC v. Aspeon, Inc., 316 F.3d 1048, 1051 (9th Cir. 2003) (quotation omitted). However, leave to amend may be denied “where the amendment would be futile.” Gardner v. Martino, 563 F.3d 981, 990 (9th Cir. 2009).

III. DISCUSSION

Rossie asks the court to consider the entire Agreement, attached as Exhibit A to his motion (“Ex. A”), under the incorporation by reference doctrine. Mot. at 5; see also Reply at 4. A district court generally may not consider any material beyond the pleadings in ruling on a Rule 12(b)(6) motion. Lee v. City of Los Angeles, 250 F.3d 668, 688 (9th Cir. 2001). “A court may, however, consider certain materials-documents attached to the complaint, documents incorporated by reference in the complaint, or matters of judicial notice-without converting the motion to dismiss into a motion for summary judgment.” United States v. Ritchie, 342 F.3d 903, 908 (9th Cir. 2003). The incorporation by reference doctrine is “a judicially-created doctrine that treats certain documents as though they are part of the complaint itself.” Khoja v. Orexigen Therapeutics, Inc., 899 F.3d 988, 1002 (9th Cir. 2018). Incorporation by reference is appropriate “if the plaintiff refers extensively to the document or the document forms the basis of the plaintiff's claim.” Id. at 1002 (quoting Ritchie, 342 F.3d at 907); see also Knievel v. ESPN, 393 F.3d 1068, 1076 (9th Cir. 2005) (the doctrine applies in “situations in which the plaintiff's claim depends on the contents of a document, the defendant attaches the document to its motion to dismiss, and the parties do not dispute the authenticity of the document, even though the plaintiff does not explicitly allege the contents of that document in the complaint”). Saffron's breach of contract and implied covenant claims are based on the written Agreement, and Saffron quotes from or refers extensively to the Agreement. See, e.g., Compl. ¶¶ 5, 10, 27, 28, 31, 43, 66. Saffron does not object to incorporation by reference of the Agreement. See generally Opp'n. The court finds that incorporation by reference of the Agreement is appropriate and grants Rossie's request.

The parties agree that Delaware law governs the breach of contract, breach of duty of loyalty, and breach of the implied covenant claims pursuant to the Agreement. See Ex. A. ¶ 6 (“This Agreement shall be deemed to have been made in, and shall be construed pursuant to the laws of the State of Delaware and the United States); Rennick v. O.P.T.I.O.N. Care, Inc., 77 F.3d 309, 313 (9th Cir. 1996) (“Under California conflict of law rules, the parties may agree to what law controls, unless the choice is contrary to a fundamental interest of a state with a materially greater interest.”). The parties agree that California law applies to the conversion claim. See Allstate Ins. Co. v. Smith, 929 F.2d 447, 449 (9th Cir. 1991) (California law applies to federal diversity cases arising in California).

A. Breach of Contract

Under Delaware law, to state a claim for breach of contract the plaintiff must show “[1] the existence of the contract, whether express or implied; [2] the breach of an obligation imposed by that contract; and [3] the resultant damage to the plaintiff.” VLIW Tech., LLC v. Hewlett-Packard Co., 840 A.2d 606, 612 (Del. 2003).

The complaint alleges the parties entered into the Agreement, which was a binding and enforceable contract that assigned Intellectual Property rights to Saffron and prohibited Rossie from withholding access to the Company Accounts. Compl. ¶¶ 27-28, 31, 40-41, 43; see also Ex. A ¶ 1 (“[Rossie] hereby assigns to [Saffron] exclusively throughout the world all right, title and interest” to Intellectual Property). While Saffron performed its obligations under the Agreement, Rossie breached his obligations by failing to return all company property to Saffron including by not providing Saffron with the administrator rights to the Company Accounts. Id. ¶¶ 35, 42, 44. Specifically, Rossie violated the assignment provision by withholding company property, including confidential information he obtained from Saffron. Id. ¶ 44; see also Ex. A. ¶ 4 (“[Rossie] will not use or disclose anything assigned to the company.”). In sum, Saffron apparently asserts that Rossie breached the Agreement's assignment provision by withholding access to Saffron's Intellectual Property, the rights to which Rossie assigned to Saffron. Saffron suffered damage as a result. Id. ¶¶ 38, 45.

The complaint does not clearly spell out how Rossie's refusal to turn over access to the Company Accounts violated the assignment clause of the Agreement. The court does not examine this because Rossie did not argue a lack of clarity on this point.

Rossie acknowledges that Saffron has pleaded the existence of a valid contract. See Mot. at 1, 6 & n.1; Opp'n at 8; Reply at 4 n.4. As to breach, Rossie contends-albeit confusingly- that he did not breach the Agreement because “it is not clear from the Complaint at what point Mr. Rossie's contractual obligations arose.” Mot. at 6. Rossie challenges the relevance of Saffron's claims that he logged into the account the week of March 28, 2022 without permission, in light of his allegedly false April 7, 2022 representation that he had already returned access to the Company Accounts. See Compl. ¶¶ 31, 36. He argues that the court should ignore Saffron's allegations of falsity because what happened on March 28 “has no bearing on the state of things on April 7.” Mot. at 6. This raises a factual dispute, which is not appropriate for resolution through a motion to dismiss in which the court must presume the truth of the allegations. Saffron's allegations are sufficient to plausibly plead the element of breach.

Rossie apparently disputes certain factual allegations but does not indicate the nature of those disputes. See Mot. at 1 n.1. As Rossie himself recognizes, the court must accept allegations as true for the purposes of this motion. Erickson, 551 U.S. at 94.

Rossie also argues that Saffron's damages are too speculative. “It is axiomatic that a plaintiff, in order to recover damages from a defendant for breach of contract, must demonstrate with reasonable certainty that defendant's breach caused the loss.” Tanner v. Exxon Corp., No. 79C-JA-5, 1981 WL 191389 (Del. Super. Ct. July 23, 1981); see also 24 Williston on Contracts § 64:12 (4th ed.) (“Williston”) (“[D]amages which are considered to be too remote and speculative are not recoverable.”). “Reasonable certainty is not equivalent to absolute certainty; rather, the requirement that plaintiff show defendant's breach to be the cause of his injury with ‘reasonable certainty' merely means that the fact of damages must be taken out of the area of speculation.” Tanner, 1981 WL 191389, at *1; see also Williston, supra, § 64:12 (“The amount of damages must be established with reasonable, not absolute, certainty.”).

The plaintiff “need not allege an exact monetary figure in order to sufficiently plead that it suffered damages from the breach of contract.” Weyerhaeuser Co. v. Domtar Corp., 61 F.Supp.3d 445, 453 (D. Del. 2014) ((“Weyerhaeuser sufficiently pled damages by alleging that it has incurred significant expenses in administering workers compensation claims made by Transferred Employees, and that Domtar has refused to reimburse Weyerhaeuser for these incurred expenses.”); see also VLIW Tech., 840 A.2d at 613 (allegations that “H-P has breached its obligations under the 1990 Agreement by sharing trade secrets and know-how related to the Trace compiler with STM” sufficient to withstand motion to dismiss). However, “[u]nder Delaware law, consequential damages in the form of good will, lost future profits, and lost customers are not awarded in breach of contract actions. The Delaware courts have consistently found these damages to be speculative in nature, and, therefore, have barred recovery for them.” Crowell Corp. v. Himont USA, Inc., No. CIV. A. 86C-11-125, 1994 WL 762663, at *3 (Del. Super. Ct. Dec. 8, 1994) (unpublished) (citations omitted); see also Luxul Tech. Inc. v. Nectarlux, LLC, 78 F.Supp.3d 1156, 1175-76 (N.D. Cal. 2015) (under California law, “[t]o establish contractual damages, a plaintiff must establish ‘appreciable and actual damage.... Nominal damages, speculative harm, or threat of future harm do not suffice to show legally cognizable injury” (internal citations and quotations omitted).).

Saffron alleges that “Mr. Rossie's illegal conduct to date has not only caused and continues to cause harm to Saffron's business but is putting Saffron's business in jeopardy. Specifically, Mr. Rossie's illegal conduct has harmed Saffron by causing a direct loss of customers, disrupting funding discussions with investors, and impeding Saffron's ability to hire employees.” Compl. ¶ 38. Saffron further pleads that it “has been deprived of rights and benefits due under the Agreement, and has suffered, and will continue to suffer, compensatory and consequential damages in the amount to be proven at trial.” Id. ¶ 45. Although not a paragon of clarity, these allegations of harm are sufficient to plead damage under Delaware law at this stage. See, e.g., Luxul, 78 F.Supp.3d at 1176 (finding plaintiff sufficiently pled breach where “aver[ring] that that Plaintiff lost potential sales and customers and damage to the value of its brand”). If Rossie contends that certain categories of the requested contract damages are not cognizable, he can challenge those damages at a later stage of the case.

Accordingly, the motion to dismiss the breach of contract claim is denied.

B. Duty of Loyalty

It is a “fundamental principle of Delaware law that the business and affairs of a corporation are managed by or under the direction of its board of directors.” Cede & Co. v. Technicolor, Inc., 634 A.2d 345, 360 (Del. 1993) (citing Del. Code tit. 8, § 141). “In exercising these powers, directors are charged with an unyielding fiduciary duty to protect the interests of the corporation and to act in the best interests of its shareholders.” Id. Directors are charged with a “duty of loyalty, which “mandates that the best interest of the corporation and its shareholders takes precedence over any interest possessed by a director, officer or controlling shareholder and not shared by the stockholders generally.” Id. at 361; see also Pro. Hockey Corp. v. World Hockey Ass'n, 143 Cal.App.3d 410, 414 (1983) (“Under both California and Delaware law the duty of loyalty requires the directors/trustees not to act in their own self interest when the interest of their corporation will be damaged thereby.”).

Courts “presume[] that in making a business decision the directors of a corporation acted on an informed basis, in good faith, and in the honest belief that the action taken was in the best interests of the company.” In re Walt Disney Co. Derivative Litig., 906 A.2d 27, 52 (Del. 2006). “Those presumptions can be rebutted if the plaintiff shows that the directors breached their fiduciary duty of . . . loyalty or acted in bad faith.” Id. “The failure to act in good faith may result in liability because the requirement to act in good faith ‘is a subsidiary element[,]' i.e., a condition, ‘of the fundamental duty of loyalty.'” Stone ex rel. AmSouth Bancorporation v. Ritter, 911 A.2d 362, 369-70 (Del. 2006). “Under Delaware law, the duty of good faith is breached where a fiduciary acts with a purpose other than that of advancing the best interests of the corporation, with the intent to violate the law, or where the fiduciary fails to act in the face of a known duty to act.” In re Brocade Commc'ns Sys., Inc. Derivative Litig., 615 F.Supp.2d 1018, 1047 (N.D. Cal. 2009) (citing Stone v. Ritter, 911 A.2d 362, 370 (Del. 2006), and Disney, 906 A.2d at 67).

Saffron alleges that Rossie was a member of its board of directors and was charged with technological support and operations, including creating and maintaining the Company Accounts. Compl. ¶¶ 4, 24-25, 47. After he ended his relationship with Saffron, he remained a director until April 29, 2022. Id. ¶¶ 29, 48. Saffron claims that as a director, Rossie “had a fiduciary duty to the company to return all company property to Saffron, including access and ownership rights to the Company Accounts.” Id. ¶ 48. He breached this duty “by refusing to provide Saffron with administrator rights to the Company Accounts and restoring ownership of the Company Accounts to Saffron,” which “prevented . . . Saffron from engaging in its normal business activities.” Id. ¶ 49; see also id. ¶ 36. Saffron also claims that Rossie acted “in bad faith for the purpose of harming Saffron and to keep Saffron's property” and that he acted with the knowledge that Saffron “relied on his services and role as a company director.” Id. ¶¶ 37-38.

Rossie argues that Saffron cannot claim a breach of the duty of loyalty because, per his response to Saffron's demand letter, he had already returned his accounts to Saffron by April 7, 2022. Mot. at 7. This contradicts the complaint, which alleges that Rossie “falsely claim[ed]” and “misrepresented” that he had returned account access rights by that date. see Compl. ¶¶ 11, 34. As discussed above, Rossie raises a factual dispute that is irrelevant at the pleadings stage.

Rossie contends that unlike in Brocade, the complaint in this case fails to “contain[] extensive, particularized allegations of overt acts evidencing a lack of good faith.” Brocade, 615 F.Supp.2d at 1048. To the contrary, Saffron pleads that Rossie “repeatedly refused to comply with Saffron's requests” on two occasions to return company property, and that he logged into one account after his engagement was terminated. Compl. ¶¶ 30-32. These allegations support a plausible inference that “raise[s] serious questions as to whether [Rossie] acted in good faith in accordance with [his] fiduciary duties.” Brocade, 615 F.Supp.2d at 1048.

Next, Rossie contends that a board member has a right to access company information. Consequently, he argues Saffron cannot ground its duty of loyalty claim in the allegation that Rossie improperly logged into the Google Workspace because he was still a director at the time. Mot. at 8. Rossie's argument hinges on the scope of his roles and responsibilities as a director after he separated from Saffron, and whether he was still entitled to unfettered access to the Company Accounts at least during that time period. As previously stated, factual disputes cannot be considered in the present posture.

Rossi points to In re Aerojet Rocketdyne Holdings, Inc., No. CV 2022-0127-LWW, 2022 WL 1446782 (Del. Ch. May 5, 2022) (unpublished), in which the court explained that “a director's right to information is essentially unfettered in nature and includes equal access to board information,” id. at *3 (quotations omitted). That case is inapposite, as it was decided on a motion to compel and involved the assertion of privilege to withhold information provided by a company's outside counsel from the company's directors. See Aerojet, 2022 WL 1446782, at *1.

Accordingly, the motion to dismiss the breach of fiduciary duty claim is denied.

C. Implied Covenant

In order to plead a breach of an implied covenant of good faith and fair dealing, the plaintiff must allege the existence of “a specific implied contractual obligation, a breach of that obligation by the defendant, and resulting damage to the plaintiff.” Anderson v. Wachovia Mortg. Corp., 497 F.Supp.2d 572, 581-82 (D. Del. 2007) (quoting Fitzgerald v. Cantor, Civ. A. No. 16297-NC, 1998 WL 842316, at *1 (Del. Ch. Nov. 10, 1998)). “The implied covenant requires a party in a contractual relationship to refrain from arbitrary or unreasonable conduct which has the effect of preventing the other party to the contract from receiving the fruits of the bargain.” Dunlap v. State Farm Fire & Cas. Co., 878 A.2d 434, 442 (Del. 2005) (internal quotations and footnotes omitted). “Thus, parties are liable for breaching the covenant when their conduct frustrates the ‘overarching purpose' of the contract by taking advantage of their position to control implementation of the agreement's terms.” Id.

“[T]he implied covenant does not apply when the contract addresses the conduct at issue, but only when the contract is truly silent concerning the matter at hand.” Oxbow Carbon & Mins. Holdings, Inc. v. Crestview-Oxbow Acquisition, LLC, 202 A.3d 482, 507 (Del. 2019) (internal quotations and footnotes omitted); see also Reklam v. Bellator Sport Worldwide LLC, 2017 WL 5172397, at *5 (D. Del. Nov. 8, 2017) (in evaluating an implied covenant claim, the court decides “whether the language of the contract expressly covers a particular issue, in which case the implied covenant will not apply, or whether the contract is silent on the subject, revealing a gap that the implied covenant might fill.”). The court must “assess the parties' reasonable expectations at the time of contracting and not rewrite the contract to appease a party who later wishes to rewrite a contract he now believes to have been a bad deal.” Nemec v. Shrader, 991 A.2d 1120, 1126 (Del. 2010).

Saffron alleges that the Agreement “contains an implied covenant of good faith and fair dealing under which Mr. Rossie agreed not to take any action that would deprive Saffron of its rights and benefits under the Agreement, and under which Mr. Rossie agreed to perform the conditions of the Agreement fairly, in good faith.” Compl. ¶ 52. Rossie “repeatedly unreasonably breached the covenant . . . and unfairly interfered with Saffron's rights to receive the benefits of the Agreement by refusing to provide Saffron with ownership and administrator rights to the Company Accounts, which are not only Saffron's property but contain Saffron's confidential information.” Id. ¶ 53; see also id. ¶¶ 31-32. As a result, Saffron suffered harm in the form of “compensatory and consequential damages.” Id. ¶ 54.

Rossie argues that the implied covenant claim fails because it is premised on the same conduct as alleged in the breach of contract claim. Neither party disputes that Rossie's alleged misconduct involved withholding access to the same accounts. See Compl. ¶¶ 30-31. As discussed above, the Agreement provides for an assignment of all Intellectual Property rights to Saffron. The Agreement does not, however, contain any express provision governing access to the Company Accounts, requiring the return of those accounts to Saffron after Rossie's separation from the company, or barring Rossie from generally depriving Saffron of its right and benefits under the Agreement. In other words, it is plausible that the Agreement contained an implied covenant obligating Rossie to forbear from conduct that effectively “prevent[ed Saffron] from receiving the fruits of the bargain.” Dunlap, 878 A.2d at 442. It is also plausible that the parties reasonably expected that Rossie would not interfere with the Saffron's rights to receive the benefits of the assignment of his Intellectual Property interests. Accordingly, Saffron adequately pleads a claim for breach of the implied covenant.

Accordingly, the motion to dismiss the implied covenant claim is denied.

D. Computer Fraud and Abuse Act

The CFAA imposes liability for anyone who “intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains . . . information from any protected computer.” 18 U.S.C. § 1030(a)(2)(C). Section 1030(a)(5)(C) also establishes liability for anyone who “intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage and loss.” The CFAA “provides two ways of committing the crime of improperly accessing a protected computer: (1) obtaining access without authorization; and (2) obtaining access with authorization but then using that access improperly.” Facebook, Inc. v. Power Ventures, Inc., 844 F.3d 1058, 1066 (9th Cir. 2016) (quoting Musacchio v. United States, 577 U.S. 237, 240 (2016)). “An individual ‘exceeds authorized access' when he accesses a computer with authorization but then obtains information located in particular areas of the computer-such as files, folders, or databases-that are off limits to him.” Van Buren v. United States, 141 S.Ct. 1648, 1662 (2021); see 18 U.S.C. § 1030(e)(6) (defining “exceeds authorized access as “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter”). “‘Authorization' is an affirmative notion indicating that access is restricted to those specially recognized or admitted.” hiQ Labs, Inc. v. LinkedIn Corp., 31 F.4th 1180, 1195-96 (9th Cir. 2022).

A protected computer is defined as “‘an electronic. . . or other high speed data processing device performing logical, arithmetic, or storage functions' that ‘is used in or affecting interstate or foreign commerce or communication.'” In re Apple Inc. Device Performance Litig., 347 F.Supp.3d 434, 451 (N.D. Cal. 2018) (quoting 18 U.S.C. § 1030(e)(1)-(2)) (holding cellular phones are protected). “This definition captures any device that makes use of a[n] electronic data processor, examples of which are legion.” United States v. Kramer, 631 F.3d 900, 902 (8th Cir. 2011) Saffron's complaint does not specify the specific sub-sections of 18 U.S.C. § 1030 at issue; however, based on its representations in its opposition brief, the court infers they are sub-sections 1030(a)(2)(C) and (a)(5)(C). See Opp'n at 16.

Plaintiffs may file a civil action for damages and equitable relief violations of the CFAA pursuant to 18 U.S.C. § 1030(g). Van Buren, 141 S.Ct. at 1652; Facebook, 844 F.3d at 1066. Section 1030(g) section provides:

Any person who suffers damage or loss by reason of a violation of this section may maintain a civil action against the violator to obtain compensatory damages and injunctive relief or other equitable relief. A civil action for a violation of this section may be brought only if the conduct involves 1 of the factors set forth in subclauses (I), (II), (III), (IV), or (V) of subsection (c)(4)(A)(i).

“Thus, a private plaintiff must prove that the defendant violated one of the provisions of § 1030(a)(1)-(7), and that the violation involved one of the factors listed in § 1030[(c)(4)(A)(i)].” LVRC Holdings LLC v. Brekka, 581 F.3d 1127, 1132 (9th Cir. 2009). Those factors are:

(I) loss to 1 or more persons during any 1-year period (and, for purposes of an investigation, prosecution, or other proceeding brought by the United States only, loss resulting from a related course of conduct affecting 1 or more other protected computers) aggregating at least $5,000 in value;
(II) the modification or impairment, or potential modification or impairment, of the medical examination, diagnosis, treatment, or care of 1 or more individuals;
(III) physical injury to any person;
(IV) a threat to public health or safety; or
(V) damage affecting a computer system used by or for an entity of the United States Government in furtherance of the administration of justice, national defense, or national security[.]
18 U.S.C. § 1030(c)(4)(A)(i).

The CFAA defines “damage” as “any impairment to the integrity or availability of data, a program, a system, or information.” 18 U.S.C. § 1030(e)(8). A “loss” is defined as “any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service.” Id. § 1030(e)(11). “The statutory definitions of ‘damage' and ‘loss' thus focus on technological harms-such as the corruption of files-of the type unauthorized users cause to computer systems and data. Limiting ‘damage” and ‘loss' in this way makes sense in a scheme aimed at preventing the typical consequences of hacking. The term's definitions are ill fitted, however, to remediating ‘misuse' of sensitive information that employees may permissibly access using their computers.” Van Buren, 141 S.Ct. at 1660 (internal citations and quotations omitted). The Ninth Circuit has also explained that the CFAA maintains a “narrow conception of ‘loss,'” and that its definition, “with its references to damage assessments, data restoration, and interruption of service-clearly limits its focus to harms caused by computer intrusions, not general injuries unrelated to the hacking itself.” Andrews v. Sirius XM Radio Inc., 932 F.3d 1253, 1262-63 (9th Cir. 2019). “[A]ny theory of loss must conform to the limited parameters of the CFAA's definition.” Id. at 1263.

Saffron alleges that Rossie “intentionally and without authorization[] accessed Saffron's computer systems” after the termination of his engagement with Saffron, including logging into the Google Workspaces account, despite “knowing that he was prohibited from accessing Saffron's computer systems.” Compl. ¶¶ 9, 32, 57-58. Rossie “obtained valuable information” that was “valued at over $5,000” “intentionally and without authorization,” causing a loss exceeding $5,000. Id. ¶¶ 57, 60.

The complaint does not explain what information “valued at over $5,000” was “obtained” by Rossie.

Saffron fails to adequately claim a cognizable “damage” or “loss” that conforms with the “limited parameters” of the CFAA. See Andrews, 932 F.3d at 1262-63. The complaint does not articulate any technological harm or interruption to Saffron's computer-related services, nor that Saffron conducted any damages assessments or data restorations in response to Rossie's withholding of the Company Accounts.

Saffron points to NovelPoster v. Javitch Canfield Grp., 140 F.Supp.3d 954 (N.D. Cal. 2014), and Ross v. AT&T Mobility, LLC, No. 19-cv-06669-JST, 2020 WL 9848766 (N.D. Cal. May 14, 2020), but these cases are distinguishable. In NovelPoster, the complaint adequately pleaded a loss where the founders of an online retail company “spent substantial time and energy” to restore lost data and conduct a damage assessment after defendants changed the passwords to NovelPoster's accounts and took control of its business. 140 F.Supp.3d at 956-58, 962. Ross applied NovelPoster and found that an allegation that the plaintiff “spent in excess of $5,000 investigating who accessed his mobile device and damaged information on it” was sufficiently plead. 2020 WL 9848766, at *17. To the contrary, Saffron's efforts as pled only involve making two requests to Rossie to return company property and sending him a demand letter through counsel. See Compl. ¶¶ 10, 30, 33. These activities do not state a claim of loss under the CFAA. See NovelPoster, 140 F.Supp.3d at 963 (“[U]nder the CFAA, the plaintiff's costs are only cognizable where they arise from the investigation or repair of a damaged computer system or data, or from an ‘interruption of service.'”).

Rossie's other arguments for dismissal of the CFAA claim are unpersuasive. Rossie first argues that because he was still a director on March 28, 2022, he retained authorization to access the accounts when he allegedly logged into the Google Workspaces account. This poses an inappropriate factual dispute about the scope of Rossie's authorization to access the accounts at different points in time. Next, Rossie argues that the CFAA forbids obtaining information without authorization, but the complaint is devoid of any allegations that he “obtained” information, rather than simply being “exposed” to it, Mot. at 10. Facebook, 844 F.3d at 1065-66; see 18 U.S.C. § 1030(a)(2)(C). Saffron adequately alleges that Rossie affirmatively obtained information when he logged into Saffron's Google Workspaces without permission. Compl. ¶¶ 31-32. Finally, Rossie's contention that Saffron “conflates its activity directed to retrieving its account access and negotiating Mr. Rossie's exit package,” Reply at 10, is a factual assertion that is contradicted by the allegations about the communications between Rossie and Saffron and its counsel. See Compl. ¶¶ 30, 33-34.

Accordingly, the motion to dismiss the CFAA claim is granted with leave to amend.

E. Conversion

“A conversion claim arises where there is an ‘act of dominion wrongfully exerted over another's personal property in denial of or inconsistent with his rights therein.”” Florey Inst. of Neuroscience & Mental Health v. Kleiner Perkins Caufield & Byers, 31 F.Supp.3d 1034, 1041 (N.D. Cal. 2014) (quoting Weiss v. Marcus, 51 Cal.App.3d 590, 599 (1975)); see also Gonzales v. Pers. Storage, Inc., 56 Cal.App.4th 464, 476 (1997) (conversion “rests upon the unwarranted interference by defendant with the dominion over the property of the plaintiff from which the injury to the latter results.”).

“The elements of a conversion claim are: (1) the plaintiff's ownership or right to possession of the property; (2) the defendant's conversion by a wrongful act or disposition of property rights; and (3) damages.” Nguyen v. Stephens Inst., 529 F.Supp.3d 1047, 1057-58 (N.D. Cal. 2021) (quoting Lee v. Hanley, 61 Cal.4th 1225, 1240 (2015)). “Neither legal title nor absolute ownership of the property in question is necessary for a conversion claim-‘a party need only allege it is entitled to immediate possession at the time of conversion.'” Florey, 31 F.Supp.3d at 1041 (quoting Plummer v. Day/Eisenberg, LLP, 184 Cal.App.4th 38, 45 (2010)). “Money may be the subject of conversion if the claim involves a specific, identifiable sum.” Welco Elecs., Inc. v. Mora, 223 Cal.App.4th 202, 209 (2014). However, “[a] plaintiff may not ordinarily recover for the tort of conversion ‘for the breach of duties that merely restate contractual obligations.'” Nguyen, 529 F.Supp.3d at 1057-58 (citations omitted).

The complaint alleges that the Company Accounts contained “confidential technical and business information belonging to Saffron” and that through the Agreement Rossie assigned all rights to Intellectual Property to Saffron, thereby conferring ownership rights. Compl. ¶¶ 25-26, 63. After Rossie's separation, he continued to withhold administrator access to the Company Accounts despite repeated requests to return access to Saffron's confidential information. Id. ¶¶ 7, 30-34, 64, 66. Saffron claimed compensatory and consequential damages, in addition to punitive damages related to Rossie's specific intent to harm it. Id. ¶¶ 67-69.

Rossie's arguments are similar to those asserted against the other claims and are thus easily dispatched. See Mot. at 11-12. First, his contention that Saffron's claim is based entirely on his March 2022 logging onto the Google Workspaces Account is belied by allegations throughout the complaint that Rossie wrongfully withheld access to the Company Accounts after his separation. His next argument, that accessing the accounts was not wrongful because he was still a director, is an inappropriate factual dispute. Contrary to Rossie's assertion, the conversion claim does not restate any contractual obligations because the Agreement does not contain any express language governing access to the Company Accounts, as discussed above with respect to the implied covenant claim. Finally, Saffron's claim is not based on an alleged conversion of a specific sum of money but rather Rossi's unlawful retention of access to the Company Accounts. While some of the Company Accounts are bank accounts, Saffron's claim does not deal with any attempt by Rossie to exercise ownership rights over the money in those accounts.

Accordingly, the motion to dismiss the conversion claim is denied.

IV. CONCLUSION

For the foregoing reasons, Rossie's motion to dismiss the complaint is granted in part and denied in part. Rossie shall file an amended complaint to address the deficiencies in this order by August 8, 2022.

The initial case management conference set for August 3, 2022 is vacated and continued to September 7, 2022. The parties' joint case management statement is due by August 31, 2022.

IT IS SO ORDERED.


Summaries of

Saffron Rewards, Inc. v. Rossie

United States District Court, Northern District of California
Jul 25, 2022
22-cv-02695-DMR (N.D. Cal. Jul. 25, 2022)
Case details for

Saffron Rewards, Inc. v. Rossie

Case Details

Full title:SAFFRON REWARDS, INC., Plaintiff, v. ALEX ROSSIE, Defendant.

Court:United States District Court, Northern District of California

Date published: Jul 25, 2022

Citations

22-cv-02695-DMR (N.D. Cal. Jul. 25, 2022)

Citing Cases

Cigniti Techs. v. Govinsadamy

And, although Cigniti refers to an individual computer in their allegation against Kote under 18 U.S.C. §…