Opinion
1:24-cv-00012-BLW
09-03-2024
MOONLIGHT MOUNTAIN RECOVERY, INC., an Idaho Corporation, Plaintiff, v. JUSTIN MCCOY, an individual; ERIC MINNIG, an individual; COREY RICHARDSON, an individual; XAVIER “FRANCISCO” FLORES, an individual; JONATHON HUNT, an individual; JOHN DOES 110, ROE ENTITIES 11-20, Defendants.
MEMORANDUM DECISION AND ORDER
B. LYNN WINMILL, U.S. DISTRICT COURT JUDGE
INTRODUCTION
Before the Court is Eric Minnig's Motion to Dismiss (Dkt. 9), Corey Richardson's Motion to Dismiss (Dkt. 34), and Jonathon Hunt's Notice of Joinder (Dkt. 27). For the reasons described below the Court will grant Minnig's motion and deny Richardson's motion.
BACKGROUND
Moonlight Mountain Recovery provides residential behavioral health and substance abuse disorder recovery services. Complaint at ¶ 19, Dkt. 1. It alleges that three former employees, Justin McCoy, Eric Minnig, and Corey Richardson, conspired to misappropriate Moonlight's confidential and proprietary information to form competing businesses. Id. at ¶¶ 11-14. The other two defendants, Jonathan Hunt and Xavier Flores, operate or are members of the competing business and were part of the conspiracy as recipients of the misappropriated information. Id. at ¶¶ 15, 16. The Complaint clearly positions McCoy as the ringleader of the alleged conspiracy. See e.g., id. ¶¶ 3, 11, 14, 48, 50, 60.
Moonlight alleges the defendants accessed Moonlight's internal system called “BestNotes” to obtain confidential and proprietary information. Id. at 55. BestNotes is a secure healthcare record system that Moonlight uses to organize and maintain client records. Id. at ¶ 22. Authorized users are permitted access to BestNotes through the creation of a User ID which, among other things, allows Moonlight to monitor and control access to the system and to client's records. Id. at ¶ 24. Minnig, McCoy, and Richardson were all issued User IDs which enabled access to BestNotes. Id. at ¶ 24.
After McCoy left Moonlight, his BestNotes User ID was recorded attempting to login from the same devices he used to remotely access the system while employed with Moonlight. Id. at ¶¶ 57, 58. Moonlight alleges that McCoy was attempting to obtain patient information and, importantly, to enhance Minnig's access permissions. Id. at ¶ 60. Minnig, who was still employed by Moonlight at this time, was then able to access data and files without Moonlight's knowledge or authorization and provide that information to McCoy. Id. While Minnig was still employed with Moonlight, Minnig's User ID logged into BestNotes using the same IP address McCoy used. Id. at ¶ 64. McCoy and Minnig continued to access BestNotes through an administrative account and Minnig's User ID, even after he was fired and was a member of a competing business. Id. at ¶ 62-63.
Moonlight alleges that, as a result of the defendants' conduct it sustained over $5,000 in damages. Id. at ¶¶ 68-69. That amount includes damages from loss of business information, misappropriation of information, damage to or loss of data, and the costs of investigating and remedying the unauthorized access. Id. at ¶¶ 62, 68, 69. Minnig and Richardson now move to dismiss the Complaint and Moonlight opposes both motions as well as Hunt's joinder in Minnig's motion.
LEGAL STANDARD
The motions request dismissal of Moonlight's Complaint under Federal Rules of Civil Procedure 12(b)(1) for lack of subject matter jurisdiction and 12(b)(6) for failure to state a claim. Where both jurisdictional and merits grounds are presented, the Court looks to the jurisdictional issues first. Sinochem Int'l Co. v. Malaysia Int'l Shipping Corp., 549 U.S. 422, 431 (2007).
Under Rule 12(b)(1), a complaint must be dismissed if it fails to adequately allege subject matter jurisdiction. Federal courts are of “limited jurisdiction” and a court is “presumed to lack jurisdiction in a particular case unless the contrary affirmatively appears.” Stock W., Inc. v. Confederated Tribes of the Colville Reservation, 873 F.2d 1221, 1225 (9th Cir. 1989). The plaintiff bears the burden of establishing such jurisdiction exists. Kokkonen v. Guardian Life Ins. Of Am., 511 U.S. 375, 377 (1994).
On a Rule 12(b)(6) motion, the Court must dismiss a cause of action for failure to state a claim upon which relief can be granted. Fed.R.Civ.P. 12(b)(6). “[T]he court accepts the facts alleged in the complaint as true, and dismissal can be based on the lack of a cognizable legal theory or the absence of sufficient facts alleged.” UMG Recordings, Inc. v. Shelter Capital Partners LLC, 718 F.3d 1006, 1014 (9th Cir. 2013) (citations, quotations, and alteration omitted). A complaint must plead “sufficient factual matter, accepted as true, to ‘state a claim to relief that is plausible on its face.'” Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009) (quoting Bell Atl. Corp. v. Twombly, 550 U.S. 544, 570 (2007)). A claim has facial plausibility when it pleads facts that allow the Court to “draw the reasonable inference that the defendant is liable for the misconduct alleged.” Id. at 556.
ANALYSIS
A. Minnig's Motion to Dismiss
Before turning to the merits of Minnig's motion, the Court will first address a few preliminary matters.
1. Preliminary Matters
Minnig's motion requests dismissal primarily because the Court lacks subject matter jurisdiction over the claims and, secondarily, because the Complaint fails to state a claim upon which relief can be granted. The Court is not convinced that Minnig's motion is properly characterized as a Rule 12(b)(1) motion. He argues that Moonlight has not stated a federal claim, and, upon dismissal of that federal claim, the Court lacks subject matter jurisdiction. “The failure to state a federal claim, either on the pleadings or the facts, is not the same thing as a failure to establish subject matter jurisdiction.” Cement Masons Health & Welfare Trust Fund for Northern California v. Stone, 197 F.3d 1003, 1008 (9th Cir. 1999).
This distinction between a Rule 12(b)(1) and Rule 12(b)(6) motion is relevant here because Minnig filed an affidavit in support of his motion to dismiss. When considering a Rule 12(b)(6) motion to dismiss, the Court may not consider material beyond the complaint. If the Court does consider such material, the motion to dismiss is treated as a motion for summary judgment. Fed.R.Civ.P. 12(d). The same is not true for a motion brought pursuant to Rule 12(b)(1) when a party mounts “a factual attack on jurisdiction.” Safe Air for Everyone v. Meyer, 373 F.3d 1035, 1039 (9th Cir. 2004).
Factual attacks on jurisdiction, and consideration of facts beyond the complaint, are inappropriate where “‘the jurisdictional issue and substantive issues are so intertwined that the question of jurisdiction is dependent on the resolution of factual issues going to the merits' of an action.” Sun Valley Gas., Inc. v. Ernst Enterprises, Inc., 711 F.2d 138, 140 (9th Cir. 1983) (quoting Augustine v. United States, 704 F.2d 1074, 1077 (9th Cir. 1983)). The issues are so intertwined here. “Whether [Moonlight] alleged a claim that comes within [CFAA's] reach goes to the merits of [Moonlight's] action.” Safe Air, 373 F.3d at 1040. Accordingly, it would be inappropriate to treat Minnig's motion as a Rule 12(b)(1) motion. See id.
For that reason, the Court will treat Minnig's motion as a Rule 12(b)(6) motion and will not consider Minnig's affidavit. Minnig suggests the Court should consider the affidavit and transform his motion to dismiss into a motion for summary judgment in order to consider the affidavit. “Whether to convert a Rule 12(b)(6) motion into one for summary judgment pursuant to Rule 12(d) is at the discretion of the trial court.” Adobe Sys. Inc. v. Blue Source Grp., 125 F. Sup. 3d 945, 968 (N.D. Cal. 2015). A court is not obligated to treat a motion to dismiss as a motion for summary judgment merely because the defendant offers material outside the complaint. Barnes v. Sea Hawai'i Rafting, LLC, 493 F.Supp.3d 972, 976 (D. Haw. 2020) (quoting United States v. Longshoreman's Ass'n, 518 F.Supp.2d 422, 451 (E.D.N.Y. 2007)). The Court will exercise its discretion to decline to transform the motion and will exclude the Minnig affidavit.
2. Merits
Turning now to the merits of Minnig's motion. Minnig argues Moonlight has failed to state a cognizable claim under the Computer Fraud and Abuse Act. “The CFAA was enacted to prevent intentional intrusion onto someone else's computer-specifically, computer hacking.” hiQ Labs, Inc. v. LinkedIn Corp., 31 F.4th 1180, 1196 (9th Cir. 2022). Although primarily a criminal statute, the CFAA permits individuals harmed by a violation of the statute to bring a civil action against the violator. 18 U.S.C. § 1030(g). Relevant here, the CFAA prohibits, “knowingly and with intent to defraud,” accessing a “protected computer without authorization” or “exceed[ing] authorized access.” 18 U.S.C. § 1030(a)(4). These two types of violations are designed to target “outside hackers,” those “who access a computer without any permission at all,” and “inside hackers,” those “who access a computer with permission, but then exceed the parameters of authorized access by entering an area of the computer to which that authorization does not extend.” hiQ Labs, 31 F.4th at 1198 (cleaned up). Minnig argues Moonlight cannot state a cognizable claim under the CFAA because it has not alleged a violation of the statute nor has it alleged any loss or damages recognized by the CFAA.
a. Violation of the CFAA
Moonlight alleges that Minnig and McCoy accessed Moonlight's system both without authorization and exceeded their authorized access in violation of 18 U.S.C. § 1030(a)(4). Complaint at ¶ 67, Dkt. 1. The crux of Minnig's argument is that Van Buren v. United States, 593 U.S. 374 (2021) forecloses any claim under the CFAA. At the outset, Van Buren dealt only with the question of when a defendant exceeds their authorized access. Moonlight alleges McCoy continued to access BestNotes after his employment ended, which is sufficient to state a claim under the CFAA. See Complaint at ¶¶ 57-60, Dkt. 1. “[C]ases interpreting Brekka and Nosal indicate that nontechnological barrier can revoke authorization.” NetApp, Inc. v. Nimble Storage, Inc., 41 F.Supp.3d 816, 831 (N.D. Cal. 2014); see also Van Buren, 593 U.S. at 390 n. 8 (leaving question open). Such nontechnological barriers logically must include termination of employment.
Even setting those allegations aside, Van Buren does not conclusively resolve this claim. Id. at 396. In Van Buren, the defendant, a law enforcement officer, used his patrol computer to run a license plate search in exchange for money. Id. at 378. The search violated the law enforcement department's policy which prohibited database searches for personal use. Id. Because the defendant's search violated the department's use policy, the government charged him with a violation of the CFAA, arguing he exceeded his authorized access. Id. at 380. The Supreme Court, interpreting the “exceeds authorized access” clause of section 1030(a)(2), held that it “covers those who obtain information from particular areas in the computer-such as files, folders, or databases-to which their computer access does not extend.” Id. at 378. The Supreme Court made clear that this provision did not apply to the defendant because it “does not cover those who . . . have improper motives for obtaining information that is otherwise available to them.” Id. Importantly, Van Buren is consistent with existing Ninth Circuit precedent interpreting the CFAA. See hiQ Labs, 31 F.4th at 1196-97.
Moonlight alleges that Minnig received increased permissions in the BestNotes system from McCoy after McCoy left Moonlight and used those permissions to access material in BestNotes that he was not otherwise authorized to access. Complaint at ¶¶ 64, 67, Dkt. 1. Minnig correctly points out that the allegations against him bear some resemblance to the charges in Van Buren: He allegedly used his credentials to access information from his work computer to provide to a third party. Unlike the defendant in Van Buren, Minning was not authorized to access some of the files he allegedly accessed. Id. at 67. Van Buren, in contrast, was always authorized to access the database, he did so, however, for an improper purpose. Van Buren, 593 U.S. at 380.
The Supreme Court has indicated the question of authorized access is a “gates-up-or-down inquiry-one either can or cannot access a computer system, and one either can or cannot access certain areas within the system.” Id. at 390. Under this framework, the gates were up: Minnig had the credentials and permissions to access the files in BestNotes. That said, the allegations in the Complaint make clear that the gates were up, so to speak, because McCoy impermissibly raised them. Although the Supreme Court in Van Buren relied on this technical gates-up-or-down inquiry, it left open the issue of “whether [the authorization] inquiry turns only on technological (or ‘code-based') limitations on access, or instead also looks to limits contained in contracts or policies.” Id. at 390 n. 8. Further, “questions regarding a person's authorized access and the scope of that authorization, as well as the specific information he or she accessed and the location of that information, are fact-intensive inquiries.” Leitner v. Morsovillo, No. 21-CV-3075-SRB, 2021 WL 2669547, at *4 (W.D. Mo. June 29, 2021). When one employee wrongfully expands another employee's access beyond what was authorized by the employer, that employee may have exceeded their authorization as understood by the CFAA, even if they physically could access that information.
This conclusion is not precluded by Van Buren. Accordingly, the Court cannot conclude, at the motion to dismiss stage, that this conduct falls outside the scope of the CFAA.
b. Damages or Loss under the CFAA
Minnig also argues that Moonlight has failed to alleged any damage or loss recognized by the CFAA. The CFAA provides that anyone who “suffers damage or loss” from a violation of the statute may bring a civil action against the violator. 18 U.S.C. § 1030(g). The CFAA defines loss and damage differently, however, to state a claim for a violation of § 1030(a)(4), Moonlight “need only allege damage or loss, not both.” Custom Packaging Supply, Inc. v. Phillips, No. 2:15-cv-04584-ODW-AGR, 2016 WL 1532220, at * 4 (C.D. Cal. Apr. 15, 2016) (quoting Motorola, Inc. v. Lemko Corp., 609 F.Supp.2d 760, 767 (N.D. Ill. 2009)).
“Damage” is defined as “any impairment to the integrity or availability of data, a program, a system, or information.” Id. at § 1030(e)(8). The CFAA's definition of damage is limited to “harm to computers or networks, not economic harm due to the commercial value of the data itself.” NetApp, 41 F.Supp.3d at 834. “Loss,” on the other hand, is defined as:
[a]ny reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages
incurred because of interruption of service.18 U.S.C. § 1030(e)(11). “[D]istrict courts in the Ninth Circuit and other circuits have found that costs associated with investigating intrusions into a computer network and taking subsequential remedial measures are losses within the meaning of the [CFAA].” Sprint Solutions Inc. v. Pacific Cellupage, Inc., No. 2:13-cv-07862-CAS-(JGx), 2014 WL 3715122, at *5 (C.D. Cal. July 21, 2014) (internal quotation marks omitted). This includes the costs of “upgrading a system's defenses to prevent future unauthorized access.” AtPac, Inc. v. Aptitude Solutions, Inc., 730 F.Supp.2d 1174, 1184 (E.D. Cal. 2010). It does not, however, include “purely economic harm unrelated to computer systems.” SKF USA, Inc. v. Bjerkness, 636 F.Supp.2d 696, 721 (N.D. Ill. 2009).
Here, some of Moonlight's alleged losses are cognizable under the CFAA while others are not. For instance, the costs incurred investigating the violation and “new information technology solutions” are the type of loss recognized by the CFAA. Am. Complaint at ¶ 62, Dkt. 1-1. Similarly, the allegation that McCoy “deleted, removed, and rendered inaccessible certain files and data” constitutes damage under the Act. Id. at ¶ 74. Other costs, however, are not loss or damage under the CFAA. Most notably, the “loss of business information” and “misappropriation of information” are not considered compensable loss or damage for violations of the CFAA. Id. at ¶ 68. The Ninth Circuit has cautioned against interpretations of the CFAA that would “transform it from an anti-hacking statute into an expansive misappropriation statute.” United States v. Nosal, 676 F.3d 854, 857 (9th Cir. 2012). Consistent with this warning, district courts have determined the type of losses alleged here by Moonlight are not losses under the statute. See e.g., Sprint Solutions, 2014 WL 3715122, at *6.
Moonlight's statement that it “incurred more than $5,000 of costs to meaningfully respond to McCoy's unlawful release of information” makes plain that some of its alleged costs are not recoverable. Complaint at ¶ 74, Dkt. 1. Under the CFAA, it is not the costs related to the release of the information that are recoverable, but the costs related to the unauthorized access. See Nosal, 676 F.3d at 862 (“The plain language of the CFAA targets the unauthorized procurement or alteration of information, not its misuse or misappropriation.” (cleaned up)). The costs related to the release of the information include misappropriation of information that is not recoverable under the CFAA. Even taking into account that Moonlight has alleged some recoverable costs, it has not plausibly alleged that those recoverable costs exceed $5,000. Accordingly, the Court will dismiss the CFAA claim with leave to amend. Moonlight may file an amended complaint within 28 days of the issuance of this order. If no amended complaint is filed within that time frame, the Court will dismiss this case without prejudice for lack of subject matter jurisdiction.
Further, because the CFAA claim is the only basis for this Court's subject matter jurisdiction, the Court will not address the merits of Moonlight's state claims at this time. See e.g., Delacruz v. State Bar of California, No. 16-cv-06858-BLF, 2017 WL 3129207, at *4 (N.D. Cal. Jul. 24, 2017). If Moonlight files an amended complaint, Minnig may renew his motion to dismiss as to the state claims.
B. Richardson's and Hunt's Motions to Dismiss
Both Richardson and Hunt join Minnig's motion to dismiss. Both defendants agree with Minnig's arguments that Moonlight has not stated a claim under the CFAA. Because, as addressed above, Moonlight has not sufficiently alleged damage or loss under the CFAA, the Court will not address the merits of Moonlight's remaining claims. Accordingly, Richardson's motion to dismiss is denied and the Court will not address Hunt's arguments or Moonlight's objection to his notice of joinder. They may renew, or in Hunt's case file in the first instance, their motions to dismiss if Moonlight files an amended complaint.
IT IS ORDERED that:
1. Minnig's Motion to Dismiss is GRANTED with leave to amend.
2. Moonlight shall file an amended complaint, if any, within 28 of the issuance of this order. Failure to file an amended complaint within the designated time period will result in dismissal of this action without prejudice for lack of subject matter jurisdiction.
3. Richardson's Motion to Dismiss is DENIED without prejudice.