Summary
holding that "CFAA violations require a person to engage in the hacking, not merely benefit from its results"
Summary of this case from Experian Mktg. Solutions, Inc. v. LehmanOpinion
Case No. 14-cv-02737-BLF
03-20-2015
ORDER ON MOTIONS TO DISMISS
[Re: ECF 34, 35, 36]
Plaintiffs Koninklijke Philips N.V. ("Philips") and Philips Lumileds Lighting Company LLC ("Lumileds") bring suit against eleven Defendants, including a Chinese-based competitor, Elec-Tech International Co. ("ETI"), seven of ETI's subsidiaries, two corporate directors (Mr. Donglei Wang and Ms. Eva Chan), and a former Lumileds employee, Dr. Gangyi Chen, currently employed by ETI.
This case involves the global market for Light Emitting Diode ("LED") technology. In general terms, Plaintiffs' suit alleges that Dr. Chen, while still an employee at Lumileds, downloaded thousands of files "containing Philips Lumileds' trade secrets and confidential business information onto a portable storage device." Complaint, ECF 1 ¶ 5. Dr. Chen then began working for ETI in China. Plaintiffs allege that only six months after Dr. Chen began at ETI, the company announced two new high-energy LED lighting products, an amount of time Plaintiffs claim is "unprecedented" in the lighting industry. See, e.g., Compl. ¶ 62. Plaintiffs allege ten causes of action, nine of which arise out of state law. Plaintiffs also plead a single federal cause of action, based on a purported violation of the Computer Fraud and Abuse Act ("CFAA").
Defendants move to dismiss on a number of grounds: most salient for purposes of this order is Defendants' contention that Plaintiffs have failed to state a claim under the CFAA, and that the Court should dismiss this CFAA claim and decline to exercise supplemental jurisdiction over Plaintiffs' pendent state law claims. The Court ultimately agrees with Defendants, and for the reasons stated below DISMISSES this case, with prejudice.
I. BACKGROUND
A. Procedural History and the Motions to Dismiss
Plaintiffs filed their Complaint on June 12, 2014. Defendants then filed three motions to dismiss under Federal Rule of Civil Procedure 12(b), pursuant to a stipulation between the parties: a motion to dismiss for lack of subject matter jurisdiction, based on a lack of diversity between the parties as well as a failure to adequately plead a federal claim; a partial motion to dismiss, on behalf of seven of the eleven Defendants, for lack of personal jurisdiction; and a partial motion to dismiss nine of the ten causes of action for failure to state a claim upon which relief can be granted. Plaintiffs opposed all three motions, but withdrew their assertion of diversity jurisdiction. See ECF 84-6 at 8-9 ("Plaintiffs have chosen to withdraw their reliance on diversity as a basis for federal jurisdiction."). Plaintiffs argued that the Court nonetheless had subject matter jurisdiction over this case because the Complaint stated a claim under the CFAA, and that the Court could exercise supplemental jurisdiction over Plaintiffs' state law claims pursuant to 28 U.S.C. § 1367.
Defendants did not move to dismiss the fifth cause of action, for breach of contract.
At the outset, the Court must decide the appropriate order in which to adjudicate Defendants' arguments presented in the Rule 12 motions. Though Defendants filed three motions, Plaintiffs' withdrawal of their diversity jurisdiction argument really leaves the Court with two: a partial Rule 12(b)(6) motion, which if granted as to the CFAA claim then requires the Court to determine whether it will decline to exercise its discretion to retain Plaintiffs state law claims; and a Rule 12(b)(2) motion for lack of personal jurisdiction as to seven of the Defendants.
In the normal course, the Court would determine personal jurisdiction before reaching the Rule 12(b)(6) motion. In this circuit, however, the Court may "assume the existence of personal jurisdiction and adjudicate the merits in favor of the defendant without making a definitive ruling on jurisdiction." See Lee v. City of Beaumont, 12 F.3d 933, 937 (9th Cir. 1993) overruled on other grounds by Calif. Dep't of Water Resources v. Powerex Corp., 533 F.3d 1087 (9th Cir. 2008). In Lee, the Ninth Circuit found that the district court could assume personal jurisdiction in order to reach the question of whether to dismiss the federal claims asserted against the defendant. 12 F.3d at 937-38. In this case, because the Court determines below that Plaintiffs have not—and cannot—plead a CFAA claim, the Court assumes without deciding that it has personal jurisdiction over all eleven Defendants. See Sameena, Inc. v. U.S. Air Force, 147 F.3d 1148, 1152 n.1 (9th Cir. 1998).
B. Factual Background
The facts below are pled in the Complaint, and are presumed true for purposes of adjudicating the Rule 12(b)(6) motion to dismiss.
Dr. Chen worked as a principal development engineer at Lumileds' headquarters in San Jose, California, from 2005 through 2012. In 2011, he began discussions with Mr. Wang about joining ETI. On June 22, 2012, he terminated his employment with Lumileds and, thereafter, began working at ETI. Compl. ¶¶ 5, 58. Between June 15 and June 22, 2012, Dr. Chen used a computer at Lumileds' offices "to copy several thousand files from its secure networks[,] containing] information about Philips Lumileds' proprietary epitaxy technology used in developing its LEDs, as well as other confidential business information." Compl. ¶ 55. Dr. Chen traveled to China, began working for ETI, and disclosed trade secret information regarding Lumileds' proprietary epitaxy technology to Defendants. Compl. ¶ 59.
In the Complaint, Plaintiffs asserted their CFAA claim against five Defendants: ETI, ETI International (H.K.) Co., Ltd. ("ETI-HK"), Mr. Wang, Ms. Chan, and Dr. Chen. In their opposition to the motion to dismiss, and again at oral argument, Plaintiffs conceded their CFAA claim against Dr. Chen. See, e.g., ECF 84-6 at 7 ("ETI, ETI HK, Wang, and Chan themselves were not authorized to access Lumileds' network, and Plaintiffs are not tying their liability under the statute to Chen's.") (emphasis in original). Plaintiffs allege that ETI, ETI-HK, Mr. Wang, and Ms. Chan violated the CFAA by accessing Lumileds' network "through their agent, defendant Chen," because they themselves were not permitted to access Lumileds' network. Compl. ¶¶ 145, 147, 149. They argue that this "indirect access interpretation [of the CFAA] does not implicate current employees otherwise permitted to access their employer's computer (in this case Chen)." ECF 84-6 at 7.
Essentially, Plaintiffs argue that, though Dr. Chen himself was authorized to access Lumileds' network, and did not exceed his authorized access while downloading information prior to his resignation, the other four Defendants implicated in the CFAA claim should be held liable based on their indirect, unauthorized access of the Lumileds' network through Dr. Chen's actions.
II. LEGAL STANDARD
A motion to dismiss under Rule 12(b)(6) concerns what facts a plaintiff must plead on the face of its claim. Under Rule 8(a)(2) of the Federal Rules of Civil Procedure, a complaint must include "a short and plain statement of the claim showing that the pleader is entitled to relief." Any complaint that does not meet this requirement can be dismissed pursuant to Rule 12(b)(6). In interpreting Rule 8(a)'s "short and plain statement" requirement, the Supreme Court has held that a plaintiff must plead "enough facts to state a claim to relief that is plausible on its face," Bell Atl. Corp. v. Twombly, 550 U.S. 544, 570 (2007), which requires that "the plaintiff plead factual content that allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged." Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009). This standard does not ask a plaintiff to plead facts that suggest it will probably prevail, but rather "it asks for more than a sheer possibility that a defendant has acted unlawfully." Id. (internal quotation marks omitted).
III. DISCUSSION
Though Plaintiffs present a number of claims against the various Defendants, the Court's task here is a fairly limited one: it must determine whether Plaintiffs have stated a claim against any Defendant under the CFAA, and if not, whether Plaintiffs could amend to state a claim under this circuit's interpretation of the CFAA.
The CFAA was enacted in 1984 as a criminal statute, designed to prohibit various computer crimes related to accessing computers without authorization in order to obtain information or data. In 1994, Congress amended the statute to add a civil provision, exposing violators of the statute to both civil and criminal liability. See 18 U.S.C. § 1030(c)(4)(A). Plaintiffs allege violations of three provisions of the Act: Sections (a)(2)(C) and (a)(4), which prohibit individuals from "exceed[ing] authorized access" to a computer, or otherwise "access[ing] . . . without authorization" a computer; and Section (a)(5), which similarly prohibits a person from "intentionally access[ing] a protected computer without authorization." The statute itself defines "exceeds authorized access" to mean "to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter." 18 U.S.C. § 1030(e)(6). Courts interpreting the CFAA describe the Act as "an anti-hacking statute." United States v. Nosal, 676 F.3d 854, 858 (9th Cir. 2012) ("The government agrees that the CFAA was concerned with hacking, which is why it also prohibits accessing a computer 'without authorization.'"); see also Shamrock Foods Co. v. Gast, 535 F. Supp. 2d 962, 965 (D. Ariz. 2008) ("The general purpose of the CFAA was to create a cause of action against computer hackers."); see also WEC Carolina Energy Solutions LLC v. Miller, 687 F.3d 199 (4th Cir. 2012).
Two Ninth Circuit cases, United States v. Nosal and LVRC Holdings LLC v. Brekka, define narrowly the phrases "exceeds authorized access" and "without authorization." Brekka, a civil case, outlines what it calls "a sensible interpretation of §§ 1030(a)(2) and (4)":
[A] person who "intentionally accesses a computer without authorization," §§ 1030(a)(2) and (4), accesses a computer without any permission at all, while a person who "exceeds authorized access," id., has permission to access the computer, but accesses information on the computer that the person is not entitled to access.Brekka, 581 F.3d 1127, 1133 (9th Cir. 2009).
The Ninth Circuit further explicated this interpretation of the language of the CFAA in Nosal, an en banc decision from 2012. The facts of Nosal, a criminal case, are relatively straightforward. David Nosal worked at Korn/Ferry, an executive search firm. He left Korn/Ferry to start a competing business, and, after leaving, convinced several current Korn/Ferry employees to access Korn/Ferry's computers and "download source lists, names and contact information from a confidential database . . . then transfer[] the information to Nosal." Nosal, 676 F.3d at 856. The employees who were accused of accessing the information were authorized to access the database in question. See id. Mr. Nosal was criminally charged under § 1030(a)(4)—one of the three provisions at issue in this suit—for aiding and abetting the Korn/Ferry employees in "exceeding their authorized access with intent to defraud." Id.
The government asked the Ninth Circuit to broadly read the CFAA to include not only a person who accesses information without authorization, but also a person authorized to access the information but who "is limited in the use to which he can put that information." Nosal at 857. Engaging in detailed statutory interpretation, the Ninth Circuit expressly rejected such a reading, stating that "[t]he government's interpretation would transform the CFAA from an anti-hacking statute into an expansive misappropriation statute." Id. at 857; see also id. at 859 ("The government's construction of the statute would expand its scope far beyond computer hacking to criminalize any unauthorized use of information obtained from a computer.") (emphasis added). Ultimately, it determined that "the plain language of the CFAA targets the unauthorized procurement or alternation of information, not its misuse or misappropriation." Id. at 863.
Here, it is undisputed that Dr. Chen was authorized to access the information he allegedly stole from Lumileds. Plaintiffs therefore cannot plead a cause of action under the CFAA unless at least one of ETI, ETI-HK, Mr. Wang, or Ms. Chen (hereinafter the "CFAA Defendants") themselves violated the CFAA. Plaintiffs argue that the CFAA Defendants "accessed" Lumileds' information through Dr. Chen as their agent - essentially that Dr. Chen, though himself authorized to access the data, was a conduit by which the CFAA Defendants engaged in their own unauthorized access. See, e.g., ECF 84-6 at 7-8 (arguing that ETI should be liable under the CFAA "when [it] unlawfully induce[s] an 'insider' to give [it] access to a secure computer network").
This indirect access theory of CFAA liability suffers from several problems. First, Plaintiffs have provided no factual pleading regarding agency, instead making a cursory allegation that Dr. Chen "act[ed] as an agent of ETI, ETI HK, Wang, and Chan." Compl. ¶ 55. Second, even a well-pled agency allegation would leave the Plaintiffs no closer to stating a claim under the CFAA with regard to any of these four Defendants, because Nosal forecloses this form of indirect access liability under the CFAA. Nosal explicitly cautions that the CFAA was designed to target hacking, not misappropriation. See, e.g., 676 F.3d at 857. The only reasonable reading of this statutory interpretation is that CFAA violations require a person to engage in the hacking, not merely benefit from its results.
Dresser-Rand Co. v. Jones, a case from the Middle District of Pennsylvania which adopted the Ninth Circuit's reasoning in Nosal, is instructive. 957 F. Supp. 2d 610 (E.D. Pa. 2013). In Dresser-Rand, an company brought suit against three individuals for violations of the CFAA: two former employees, King and Jones, and the president of a competitor, Wadsworth. King and Jones were alleged to have accessed information via their Dresser-Rand laptops - information they were both authorized to access. See id. at 621. They downloaded files and sent them to Wadsworth, who "viewed and edited [the] documents on his own computer." Id. at 615. Though Wadsworth himself was not authorized to access the documents, he did not run afoul of the CFAA because "he never accessed Dresser-Rand computers, as required under the CFAA." Id. The district court found that "Dresser-Rand provide[d] no legal basis in the CFAA or otherwise to justify imputing liability from the individuals who access a computer without authorization to those who may eventually benefit from their actions." Id.
Plaintiffs here make no allegation that either Mr. Wang or Ms. Chan was given Dr. Chen's password and then ran searches, nor do they allege that either individual Defendant in any way accessed or downloaded information from Lumileds' network. By the Complaint's own allegations, none of the CFAA Defendants accessed Lumileds' information—Dr. Chen did, at a time when he was authorized to download this information. Even if he misappropriated the information, and gave it to the CFAA Defendants, Nosal forecloses a claim against those Defendants under the CFAA because they themselves did not hack Lumileds' system. Plaintiffs' argument that Dr. Chen and the CFAA Defendants were essentially "acting as one" for purposes of accessing the files does not save Plaintiffs' CFAA claim. Rather, it shows that this case is factually quite similar to Nosal: it is alleged that outsiders convinced an insider to access information the insider was authorized to access, then hand that information over to the outsiders. While such allegations could possibly state a claim for misappropriation, they cannot state a claim under the CFAA after Nosal. Reading the CFAA in its context as an anti-hacking statute, "access" means something more than persuading someone to procure information you desire. Instead, as described by the district court in Nosal II, "[t]he common definition of the word 'access' encompasses not only the moment of entry, but also the ongoing use of a computer system." Nosal II, 930 F. Supp. 2d 1051, 1063 (N.D. Cal. 2013). None of the CFAA Defendants entered or used Lumileds' network. At most, they encouraged Dr. Chen to do so, and stood to benefit from the alleged misappropriation. This action may give rise to a number of claims, but it does not support a theory of liability under the CFAA.
Similarly, Plaintiffs argue that Nosal was only charged with aiding and abetting liability under the CFAA, and that the Ninth Circuit has therefore "not addressed the indirect access interpretation" of the CFAA. See ECF 77 at 9 n.3. The Ninth Circuit, however, makes clear in Nosal that there is a crucial distinction between one who accesses unauthorized information and one who ultimately receives the information so accessed - the accesser can be held liable under the CFAA, while the beneficiary cannot if he did not himself access the computer. Nosal at 863. Nosal is fairly read to cover Plaintiffs' indirect access interpretation, and this Court holds that Plaintiffs' argument is inconsistent with both the plain language and purpose of the CFAA.
Plaintiffs also argue that Nosal II, decided on remand after Nosal, compels the Court to reach a different result because the district court there "denied a motion to dismiss where the government alleged that defendant, after leaving Korn/Ferry, accessed a Korn/Ferry computer through a current Korn/Ferry employee who logged in and gave him access." ECF 77 at 10. In Nosal II, however, the facts were quite different than they are here: an employee who was authorized to access Korn/Ferry' s network logged into the company's computer system and then "turned the computer over" to another individual who was not authorized to access the system. That unauthorized user then "proceeded to query Korn/Ferry's Searcher database and download information." 930 F. Supp. 2d 1051, 1056, 1063. Thus, in Nosal II, the unauthorized user did not merely view information given to him by the authorized user, he himself physically engaged in the hacking. Here, Plaintiffs make no allegation that Mr. Wang or Ms. Chan physically accessed the computer, only that Dr. Chen did so as their agent. Nosal II expressly declined to extend its holding to the situation where "an unauthorized person looks over the shoulder of the authorized user to view password protected information," id. at 1062, and did not in any way hold that an agency theory of liability, such as the one Plaintiffs proffer here, was viable under the CFAA.
At oral argument, Plaintiffs contended that they could amend in order to plead several facts that they believed would permit them to state a CFAA claim - namely, that at the time Dr. Chen accessed the Lumileds data he had been paid a substantial monetary bonus by ETI and was effectively already working for that company. Plaintiffs argue that this situation is analogous to ETI sending its own employee into Lumileds, unauthorized, to access the network. For the sake of determining whether Plaintiffs could feasibly state a claim under the CFAA if given the chance to amend, the Court considers whether these facts bring Plaintiffs any closer to stating a viable claim. They do not, for two reasons. First, if Dr. Chen signed a contract to later begin employment with ETI, and even if he had already been partially compensated to join the company, it would not have rendered his access of Lumileds' confidential information "unauthorized." Employees regularly leave their companies after signing a new employment contract with their soon-to-be employers. That new contract, even if money exchanges hands prior to the employee's ultimate resignation from his or her current company, does not terminate the existing employer-employee relationship. If Dr. Chen had been stripped of his badge and password, then snuck into Lumileds to download information he was no longer authorized to access, Plaintiffs could state a claim against him under the CFAA. That situation is not present here. Second, even if Dr. Chen was working on ETI's behalf, the liability of ETI, ETI-HK, Mr. Wang, and Ms. Chan relies on Plaintiffs' agency theory. Even if this theory were sufficiently pled, the Court has, for the reasons stated above, found it foreclosed in this circuit after Nosal.
Plaintiffs point to two cases from the Middle District of Pennsylvania, Binary Semantics Ltd. v. Minitab, Inc., 2008 WL 763575 (M.D. Pa. Mar. 20, 2008) and Advanced Fluid Systems, Inc. v. Huber, 28 F. Supp. 3d 306, 327 (M.D. Pa. 2014), and argue that these cases compel the Court to reach a different result. Though these out-of-district cases are not binding on this Court, nor are they even persuasive given the clear direction from the Ninth Circuit in Nosal, at least one is distinguishable: in Huber, the Complaint alleged that the defendant "continued to unlawfully access [plaintiff's] information through his company-issued laptop subsequent to leaving his employment." Huber at 329 (emphasis added). Thus, Huber contained allegations that the defendant exceeded his authorized access which are not present here. In Binary Semantics, it is unclear whether the plaintiff pled that the individual who accessed the files was unauthorized to do so, thus the Court cannot ascertain whether it is factually distinct from this case. See Binary Semantics at *2 ("Plaintiff further alleges that Menon took confidential and proprietary information from Binary at Minitab's direction and gave it to Minitab."). Though the Third Circuit is silent on this question, at least one other district court in Pennsylvania has adopted Nosal's narrow reading of the CFAA. See Dresser-Rand, 957 F. Supp. 2d at 619-21.
If the Court accepted Plaintiffs' argument here, that the mere pleading of an agency relationship between the insider and an outsider could render the outsider subject to liability under the CFAA, it would effectively federalize all trade secret misappropriation cases where parties use a computer to download sensitive or confidential trade secret information - which would be nearly every trade secret case nowadays, when companies maintain their files electronically rather than in physical cabinets. Plaintiffs are really making a policy argument better directed to Congress instead of this Court, which must follow the clear direction from the Ninth Circuit as to who can and cannot be held liable under the CFAA. See Nosal at 863 ("If Congress wants to incorporate misappropriation liability into the CFAA, it must speak more clearly.").
The Court recognizes that the various circuits are split on this question: while the Ninth and Fourth Circuits read the CFAA narrowly, the Fifth, Seventh, and Eleventh adopt, in varying degrees, a broader view of the CFAA's ambit. See Nosal at 862 (compiling cases).
The Court therefore DISMISSES Plaintiffs' CFAA claim against Defendants Dr. Chen, ETI, ETI-HK, Mr. Wang, and Ms. Chan. Because the Court finds, for the reasons proffered above, that Plaintiffs' proposed amendments would not cure the CFAA claim's deficiencies, this dismissal is with prejudice. See Lopez v. Smith, 203 F.3d 1122, 1128 (9th Cir. 2000) (declining to grant leave to amend when such amendment would be futile). In light of the Court's dismissal of the CFAA claim, Plaintiffs' Complaint lacks a federal cause of action. "When the single federal-law claim in the action was eliminated at an early stage of the litigation, the District Court had a powerful reason to choose not to continue to exercise jurisdiction." Carnegie-Mellon Univ. v. Cohill, 484 U.S. 614, 619 (1988). For reasons of comity and efficiency, see id., the Court declines to exercise supplemental jurisdiction over Plaintiffs' state law claims under 28 U.S.C. § 1367.
This Court leaves the personal jurisdiction determination to the state court that will fully adjudicate these claims. Thus, no decision on Defendants' motion to dismiss for lack of personal jurisdiction is rendered here, and that motion is terminated. ECF 36.
--------
IV. ORDER
For the foregoing reasons, this action is DISMISSED, with prejudice. Dated: March 20, 2015
/s/_________
BETH LABSON FREEMAN
United States District Judge