Opinion
2:22-cv-00246-DAK-DBP
04-07-2023
Dale A. Kimball District Judge
REPORT AND RECOMMENDATION
Dustin B. Pead Chief Magistrate Judge
This matter is before the court on Defendant Gregory Alexander Elliott's motion to dismiss all claims. (ECF No. 23.)Defendant argues the First Amended Complaint fails to state a claim against him for a violation of the Computer Fraud and Abuse Act because “it has failed to plead the essential elements of ‘unauthorized access' or ‘loss.'” (ECF No. 23 p. 2.) For the reasons set forth herein, the undersigned recommends that Defendant's motion be DENIED.
This case is referred to the undersigned pursuant to 28 U.S.C. § 636(b)(1)(B). (ECF No. 9.) The court decides the motion based on the parties' written memoranda. DUCivR 7-1(g).
The following facts are taken from Plaintiff's Amended Complaint. The court accepts all well-pleaded facts as true and views them in the light most favorable to the non-moving party. See, e.g.,Beedle v. Wilson, 422 F.3d 1059, 1063 (10th Cir. 2005).
Plaintiff Speed of Light Ops, LLC (Solo) is a software company that provides document management, computer-aided design, and engineering software products to a variety of industries and companies. (ECF No. 21 ¶ 9.) One such industry is the solar industry. Customers obtain licenses to use Solo's software, which “enables them to prepare and provide quick and personalized bids to potential customers interested in purchasing solar panels for their homes or businesses.” Id. ¶ 10. To help protect the software, Solo limits licenses to those who sign written agreements regarding access, use, and the disclosure of confidential or trade secret information. Each Licensee has login credentials that they use to access the software platform. The transfer of data is also protected by Google. Id. ¶ 11.
In the solar industry, Licensees use Solo's software to create, access, and save proposals for new and existing customers. Licensees are limited from viewing and accessing proposals created by other Licensees. When a proposal is created and saved it is assigned an identification number. Defendants, who are salespersons or agents for one or more licensees, were provided login credentials to the Solo platform. Defendants used these credentials to access, view, and edit proposals for customers that were saved under their employer license.
In October 2021, Solo learned that Defendants had also used their credentials to access portions of the Solo software platform they were unauthorized to access. Defendants took the identification numbers from their proposals and reverse engineered numbers to gain access to other proposals in the system. These proposals contained confidential information of customers created, or saved by, other Licensees. The confidential information included proposals, proposal information, and customer information such as names, addresses, phone numbers and in some instances, driver's license numbers. Defendants copied and exchanged the confidential information amongst themselves and competitors.
Solo notes this unauthorized access has “impaired the integrity of the Confidential Information on the Solo Software Platform” and necessitated it contacting other end-user customers to inform them that their data was improperly obtained. Id. ¶ 23-24. This has resulted in damaging business goodwill and the reputation of Solo. In addition, Solo “has also been forced to spend many thousands of dollars conducting a forensic investigation of Defendants' unauthorized access of the Solo Software Platform assessing the scope and harm of Defendants' unauthorized access, and mitigating the damages caused by Defendants' actions.” Id. ¶ 25.
LEGAL STANDARDS
To prevail on a motion to dismiss under Rule 12(b)(6), “a complaint must contain sufficient factual matter, accepted as true, to ‘state a claim to relief that is plausible on its face.'” Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009) (quoting Bell Atlantic Corp. v. Twombly, 550 U.S. 544, 570 (2007)). A claim is facially plausible “when the plaintiff pleads factual content that allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged.” Id. (citing Twombly, 550 U.S. at 556). When determining whether a complaint meets these standards, the court will “assume the factual allegations are true and ask whether it is plausible that the plaintiff is entitled to relief.” Gallagher v. Shelton, 587 F.3d 1063, 1068 (10th Cir. 2009). A “well-pleaded complaint may proceed even if it strikes a savvy judge that actual proof of [the alleged] facts is improbable, and ‘that a recovery is very remote and unlikely.'” Twombly, 550 U.S. at 556, 127 S.Ct. 1955 (citation omitted). As noted by the Tenth Circuit, “The court's function on a Rule 12(b)(6) motion is not to weigh potential evidence that the parties might present at trial, but to assess whether the plaintiff's complaint alone is legally sufficient to state a claim for which relief may be granted.” Miller v. Glanz, 948 F.2d 1562, 1565 (10th Cir. 1991). In this matter, the court looks to the Amended Complaint as it supersedes the original. Seeid.
ANALYSIS
The Computer Fraud and Abuse Act (CFAA) “subjects to criminal liability anyone who ‘intentionally accesses a computer without authorization or exceeds authorized access,' and thereby obtains computer information.” Van Buren v. United States, 210 L.Ed.2d 26, 141 S.Ct. 1648, 1652 (2021) (quoting 18 U.S.C. § 1030(a)(2)). The CFAA is primarily a criminal statue, but it also provides a civil cause of action. “Any person who suffers damage or loss by reason of a violation of this section may maintain a civil action against the violator to obtain compensatory damages and injunctive relief or other equitable relief.” 18 U.S.C. § 1030(g). Thus, subsections (a)(2) and (a)(4) of the CFAA, each create civil liability either for “exceeding authorized access” or for accessing protected information “without authorization.” For ease of reference the court refers to these as the “exceeds authorized access element” and the “without authorization element.”
Helpful in applying the CFAA is a recent 2021 decision from the Supreme Court found in Van Buren v. Untied States, where the Court considered the applicability of the CFAA. In Van Buren a police officer was convicted under the CFAA after he was paid by an individual to use his access to a license plate database to locate records at their request. Van Buren, 141 S.Ct. at 1653. The government argued the police officer had “exceeded authorized access” under the CFAA because he used his authorized access to the license plate database for “an improper purpose.” id. The Supreme Court reversed the conviction, holding that the exceeds authorized access element does not apply to situations like Van Buren's, where someone with authorized access to a system uses that access in an unauthorized manner. Id. at 1655. In essence, the CFAA does not cover those who have improper motives for obtaining information that is otherwise available to them.
Defendant Gregory Elliott argues Solo's claim under the CFAA fails for two reasons. First, Solo fails to plead the required element of “unauthorized access” or “exceed authorized access” because Elliott had authorization to access Solo's platform. Second, Solo fails to adequately allege “loss” within the meaning of the CFAA. The court turns to these arguments.
i. Solo adequately pleads Elliott's access was without authorization
To plead a civil cause of action under the CFAA Plaintiff must allege that Defendant “intentionally accesses a computer without authorization or exceeds authorized access.” 18 U.S.C. § 1030(a)(2). Elliott argues Plaintiff fails to plead that he accessed Solo's platform without authorization or exceeded authorized access. Elliott primarily relies on Van Buren in support of his position. Elliott had authorized access and at most utilized it for an improper purpose. The court agrees with Elliott as to the applicability of Van Buren that precludes liability under the exceeds authorized access element for those who use authorized access to a computer for an unauthorized purpose. Yet, Plaintiff adequately alleges liability under the without authorization element.
Following Van Buren, many district courts have recognized that Van Buren's holding applies only to the exceeds authorized access element and did not equally limit the scope of the other provisions of the CFAA, including the without authorization element. For example, a Pennsylvania district court, interpreting the CFAA in a criminal case, noted the interplay and discussion in Van Buren between without authorization and exceeds authorized access. The court noted:
[E]ven where the Court in Van Buren discusses the interplay between liability for access “without authorization” and access that “exceeds authorization,” nothing in the analysis [precludes] the Government's theory of prosecution. In particular, the Supreme Court agreed with Van Buren that access “without authorization” “protects computers themselves by targeting so-called outside hackers-those who ‘acces[s] a computer without any permission at all.' ” The Court went on to state that “[u]nder Van Buren's reading, liability under both clauses stems from a gates-up-or-down inquiry-one either can or cannot access a computer system, and one either can or cannot access certain areas within the system.” ... Eddings argues that there can be no criminal liability under the access “without authorization” clause because Denis was not an “ ‘outside hacker' attempting to get ‘gates down' unauthorized access to the IFC server.” ... However, the Government's theory of the case is that Denis was akin to an “outside hacker”- someone “who acces[sed] a computer without any permission at all.” ... [T]he
mere fact that [Defendant] retained possession of a password which allowed her to access the server post-employment does not, under Van Buren, mean that she necessarily was “authorized” to access the server. Rather, the issue of whether, after she terminated her employment, Denis remained authorized to access the IFC server is properly a question of fact for determination by a jury.United States v. Eddings, No. 5:19-CR-00535, 2021 WL 2527966, at *4-5 (E.D. Pa. June 21, 2021).
In similar fashion, a New York district court explained that “while Van Buren resolved a circuit split as to how to interpret the phrase ‘exceeds authorized access,' that is not the theory that [Better] is pursuing here....” Better Holdco, Inc. v. Beeline Loans, Inc. No. 20-CV-8686 (JPC), 2021 WL 3173736, at *3 n.3 (S.D.N.Y. July 26, 2021). Rather, it is that after the defendant left, he gained “unauthorized access” and “Van Buren thus has little relevance-and is surely not ‘arguably dispositive'-as to the question of whether Better has adequately pleaded that Abramowitz's access was ‘unauthorized.'” Id. See also, Leitner v. Morsovillo, No. 21-CV-3075-SRB, 2021 WL 2669547, at *4 (W.D. Mo. June 29, 2021) (denying motion to dismiss CFAA claim when plaintiff adequately alleged defendants had accessed information “without authorization” and also explaining: “The question of the scope of authorization, including the issue of which party controlled the various computer systems or platforms at issue in this case, remains a fact-intensive inquiry ill-suited for resolution on a Rule 12(b)(6) motion.”); Bowen v.Porsche Cars, N.A., Inc., 561 F.Supp.3d 1362, 1370, 2021 WL 4726586, at *4 (N.D.Ga. Sept. 20, 2021) (denying motion to dismiss CFAA claim and observing Van Buren's holding on the exceeds authorized access prong of CFAA “has no application” to claims brought under the without authorization prong).
Finally, a recent decision from this court, Vox Marketing Group v. Prodigy Promos, 556 F.Supp.3d 1280, 1285, 2021 WL 3710130 (D. Utah 2021), noted the limits of Van Buren.
To be sure, in Van Buren v. United States, the Supreme Court endorsed a “gates-up-or-down” inquiry to determine whether an individual's access to a computer was “without authorization” under the CFAA, explaining that “one either can or cannot access a computer system, and one either can or cannot access certain areas within the system.” But the court expressly declined to decide whether “this inquiry turns only on technological (or ‘code-based') limitations on access, or instead also looks to limits contained in contracts or policies.”id.
Here, Plaintiff alleges Defendant had access to certain items under a valid license, and then exceeded that license by manipulating numbers to access other proposals and customer information. Plaintiff alleges that to maintain confidentiality, Licensees “sign written agreements containing strict restrictions on the access, use, and disclosure of confidential or trade secret information within the platform.” (ECF No. 21 ¶ 11.) Although password protection is one example of a technological limitation on access, as suggested by Elliott, there are other possible limitations on access. There is no requirement under the CFAA that hacking a password is the only way to obtain access without authorization. Thus, Plaintiff need not raise an allegation that Elliott “hacked” the Solo software platform to bring a CFAA claim. The cases relied on by Defendant do not persuade the court to find otherwise. For example, in SecureInfo Corp v. TelosCorp., 387 F.Supp.2d 593, 598 (E.D. Va. 2005), the court held that the plaintiff failed to properly allege that the defendants had “unauthorized access” or exceeded their authority. This is not the case here as set forth above. Moreover, unlike in SecureInfo, the licenses used by Defendants in this case, that belonged to their employers, did not authorize them to access all sections of Solo's platform.
On the facts before it, Plaintiff adequately alleges liability under the without authorization element. See, e.g.,United States v. Willis, 476 F.3d 1121, 1123, 1125-27 (10th Cir. 2001) (noting that a defendant accesses a computer “without authorization” by falsely posing as someone else and using the login credentials created for the other person to gain access to a protected computer).
ii. Solo adequately alleges “loss” under the CFAA
Elliott argues that Solo fails to allege the required element of loss under the CFAA. The CFAA defines “loss” into two categories: (1) “any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense”, and (2) “any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service.” 18 U.S.C. § 1030(e)(11). Damage is defined as “any impairment to the integrity or availability of data, a program, a system, or information.” Id. § 1030(e)(8). Plaintiff must have incurred a “loss” within a one-year period “aggregating at least $5,000 in value” to bring a claim under the CFAA. 18 U.S.C. § 1030(c)(4)(A)(i)(I).
Plaintiff alleges that its losses include “the costs Solo incurred (and will continue to incur) in responding to Defendants' actions, conducting a damages assessment, and designing and implementing additional security measures to prevent further unauthorized access to Solo's Platform by Defendants. This loss is ongoing but amounts to at least $5,000.” (ECF No. 21 ¶ 33.) In addition, Solo claims losses arising from the integrity of the confidential information, economic interference with existing and future economic relations, and a loss of business and goodwill with its Licensees and end-user customers.
There has been little guidance in the interpretation of loss under the CFAA from the Tenth Circuit, and since Van Buren, very few district courts have weighted in on the matter. There does, however, appear to be two trains of thought that have developed. Courts within the Second Circuit have narrowly interpreted the phrase “cost of responding to an offense” and limit it generally “to situations involving damage to or impairment of the protected computer.” BetterHoldco, Inc. v. Beeline Loans, Inc., No. 20-CV-8686 (JPC), 2021 WL 3173736, at *3 (S.D.N.Y. July 26, 2021).
In contrast, courts in other circuits have interpreted “cost of responding to an offense more broadly.” For example, in Bowen v. Porsche Cars, N.A., Inc., 561 F.Supp.3d 1362, 1372, (N.D.Ga. 2021), a district court from the Eleventh Circuit denied a motion to dismiss finding the plaintiff had sufficiently pled loss under the CFAA when he pleaded over $5,000 in loss, which included time he would have spent working had he not been addressing unauthorized access to his car's computer. The court reasoned that although such a value could be disputed at a later stage in the litigation, at the motion to dismiss stage, the court needed to construe pleadings in the light most favorable to the plaintiff. In related fashion, before Van Buren, the Fourth and Sixth Circuits made similar holdings including time spent working in responding to an offense as a loss under the CFAA. SeeYoder & Frey Auctioneers, Inc. v. EquipmentFacts, LLC, 774 F.3d 1065, 1073 (6th Cir. 2014) (holding the plaintiff's probe into the false bidding that took him 200300 hours met the definition of “loss” under the CFAA); A.V. ex rel. Vanderhye v. iParadigms,LLC, 562 F.3d 630, 646 (4th Cir. 2009) (“This broadly worded provision plainly contemplates consequential damages of the type sought by iParadigms-costs incurred as part of the response to a CFAA violation, including the investigation of an offense.”).
Two decisions from this district post Van Buren have also applied the broader interpretation of loss under the CFAA. In ACI Payments, Inc. v. Conservice, LLC, the court held that the plaintiff failed to adequately allege loss within the meaning of the CFAA even under the broader standard. SeeACI Payments, Inc. v. Conservice, LLC, No. 121CV00084RJSCMR, 2022 WL 622214, at *12 (D. Utah Mar. 3, 2022). And, in Vox Marketing, 556 F.Supp.3d 1280, the court applied a broader view of loss, considering costs incurred in analyzing the information the defendants obtained and how they might use it as part of the loss calculation under the CFAA.
The undersigned adopts the broader interpretation of loss under the CFAA and rejects Elliott's arguments to adopt a narrower view. Plaintiff has adequately pled loss under the CFAA when taking into consideration the efforts Solo expended in responding to Defendants' actions. At the motion to dismiss stage the court construes the pleadings in the light most favorable to Solo. SeeGallagher, 587 F.3d at 1068. Solo has met its obligation to plead at least $5,000 in losses from Defendants' actions.
RECOMMENDATION
Based upon the foregoing, the undersigned recommends Defendant's Motion to Dismiss be DENIED.
Copies of the foregoing Report and Recommendation are being sent to all parties who are hereby notified of their right to object. Within fourteen (14) days of being served with a copy, any party may serve and file written objections. See 28 U.S.C. §636(b)(1); Fed.R.Civ.P. 72(b). Failure to object may constitute a waiver of objections upon subsequent review.