Opinion
Case No. 15–cv–02462–WHO
09-11-2015
Ali S. Razai, Amy Christensen Chun, Michael K. Friedland, Knobbe Martens Olson and Bear, Irvine, CA, Boris Zelkind, Knobbe Martens Olson & Bear, LLP, San Diego, CA, for Plaintiff. Jeremy Matthew Mittman, Anthony J. Oncidi, Proskauer Rose LLP, Los Angeles, CA, John P. Barry, Pietro A. Deserio, Proskauer Rose LLP, New York, NY, for Defendants.
Ali S. Razai, Amy Christensen Chun, Michael K. Friedland, Knobbe Martens Olson and Bear, Irvine, CA, Boris Zelkind, Knobbe Martens Olson & Bear, LLP, San Diego, CA, for Plaintiff.
Jeremy Matthew Mittman, Anthony J. Oncidi, Proskauer Rose LLP, Los Angeles, CA, John P. Barry, Pietro A. Deserio, Proskauer Rose LLP, New York, NY, for Defendants.
ORDER GRANTING MOTION TO DISMISS WITH LEAVE TO AMEND
WILLIAM H. ORRICK, United States District Judge
INTRODUCTION
The central issue in defendants SunEdison, Inc., Shane Messer, Kendall Fong, and Vikas Desai's motion to dismiss is whether current employees violate the Computer Fraud and Abuse Act (“CFAA”), 18 U.S.C. § 1030, if they breach their employer's computer use policies while accessing files that they were authorized to use. Because the CFAA is an anti-hacking statute, not a misappropriation statute, I GRANT the motion to dismiss because Messer and Fong accessed the disputed information with authorization while they were SunPower's employees. Lacking another federal claim, SunPower's complaint is DISMISSED for lack of subject matter jurisdiction under 29 U.S.C. § 1331.
BACKGROUND
I accept the allegations pleaded in the complaint as true for purposes of SunEdison's motion to dismiss. SunPower is an energy services provider that manufactures, installs, and distributes solar panel systems for residential and commercial markets. Messer and Fong were once employed by SunPower as Area Sales Manager and Senior Director of Global Brand, respectively. SunPower asserts that Messer and Fong, prior to leaving SunPower, accessed thousands of its files and likely copied them onto one or more devices such as a personal Universal Serial Bus (“USB”) drive or other non-SunPower owned device. After their departures from SunPower, they began to work for SunEdison.
SunPower identifies two specific instances of illegal copying. It contends that Messer accessed and copied over 4,300 files from a SunPower computer or server during a fifteen-minute span on July 30, 2011. In the weeks preceding his departure, Fong allegedly accessed over 9,500 SunPower files over an 80–minute span. The accessed files purportedly contained SunPower's highly confidential information and trade secrets.
SunPower also alleges that Desai, a former Vice President at SunPower, encouraged Fong and Messer to leave SunPower and to share SunPower's confidential information with SunEdison, where Desai was employed as the company's Chief Executive Officer. SunPower believes that SunEdison has used and continues to use SunPower's proprietary information for its own benefit and to the detriment of SunPower.
SunPower contends that Messer and Fong's actions violated SunPower's computer use policies that prohibited its employees from connecting any non-SunPower devices to SunPower's network or from using personal USB drives for file storage or transfer. It also claims that Messer and Fong violated their employment confidentiality agreement by transferring the allegedly stolen SunPower files to SunEdison. These agreements obliged Messer and Fong to keep SunPower's information confidential and to protect it from outside disclosures or use for others' benefit.
SunPower brings fourteen causes of action: (1) violation of the CFAA; (2) trade secret misappropriation under the California Uniform Trade Secrets Act (“CUTSA”); (3) breach of contract; (4) breach of confidence; (5) conversion; (6) trespass to chattels; (7) interference with prospective business advantage; (8) breach of implied covenant of good faith and fair dealing; (9) tortious interference with contractual relationship; (10) induced breach of contract; (11) conspiracy to breach contract; (12) breach of duty of loyalty; (13) unfair competition, and (14) statutory unfair competition. Thirteen of SunPower's fourteen causes of action arise under state law. Its only federal cause of action is based on the purported violation of the CFAA. Defendants move to dismiss the first, fourth, fifth, sixth, seventh, ninth, tenth, eleventh, twelfth, thirteenth, and fourteenth causes of action for failure to state a claim upon which relief may be granted under Federal Rule of Civil Procedure 12(b)(6). I heard argument on September 9, 2015.
LEGAL STANDARD
Under Federal Rule of Civil Procedure 12(b)(6), a district court must dismiss a complaint if it fails to state a claim upon which relief can be granted. To survive a Rule 12(b)(6) motion to dismiss, the plaintiff must allege “enough facts to state a claim to relief that is plausible on its face.” See Bell Atl. Corp. v. Twombly, 550 U.S. 544, 556, 127 S.Ct. 1955, 167 L.Ed.2d 929 (2007). A claim is facially plausible when the plaintiff pleads facts that “allow the court to draw the reasonable inference that the defendant is liable for the misconduct alleged.” Ashcroft v. Iqbal, 556 U.S. 662, 678, 129 S.Ct. 1937, 173 L.Ed.2d 868 (2009) (citation omitted). There must be “more than a sheer possibility that a defendant has acted unlawfully.” Id. While courts do not require “heightened fact pleading of specifics,” a plaintiff must allege facts sufficient to “raise a right to relief above the speculative level.” Twombly, 550 U.S. at 555, 570, 127 S.Ct. 1955.
In deciding whether the plaintiff has stated a claim upon which relief can be granted, the Court accepts the plaintiff's allegations as true and draws all reasonable inferences in favor of the plaintiff. See Usher v. City of Los Angeles, 828 F.2d 556, 561 (9th Cir.1987). However, the court is not required to accept as true “allegations that are merely conclusory, unwarranted deductions of fact, or unreasonable inferences.” In re Gilead Scis. Sec. Litig., 536 F.3d 1049, 1055 (9th Cir.2008).
If the court dismisses the complaint, it “should grant leave to amend even if no request to amend the pleading was made, unless it determines that the pleading could not possibly be cured by the allegation of other facts.” Lopez v. Smith, 203 F.3d 1122, 1127 (9th Cir.2000).
DISCUSSION
Defendants raise three arguments in their motion to dismiss: (i) SunPower fails to state a claim under CFAA; (ii) CUTSA preempts all non-contractual claims based on misappropriation of confidential information; and (iii) SunPower fails to state a claim for interference with business advantage. Because I find that SunPower's complaint fails to state a claim under CFAA, its only federal cause of action, I will not address the state law claims. If there is no federal claim, I will not exercise supplemental jurisdiction.
The CFAA prohibits various computer-related crimes, including accessing a computer without authorization or exceeding authorized access. 18 U.S.C. § 1030(a)(1). It was enacted in 1984 to “target hackers who accessed computers to steal information or to disrupt or destroy computer functionality, as well as criminals who possessed the capacity to access and control high technology processes vital to our everyday lives.” See LVRC Holdings LLC v. Brekka, 581 F.3d 1127, 1130 (9th Cir.2009)(internal quotations and citations omitted). “The CFAA prohibits a number of different computer crimes, the majority of which involve accessing computers without authorization or in excess of authorization, and then taking specified forbidden actions, ranging from obtaining information to damaging a computer or computer data.” Id. at 1131.
SunPower alleges that the defendants' behavior violated 18 U.S.C. § 1030(a)(2)(c), (a)(4) and (g). Compl. ¶ 1. (Dkt. No. 33). Section 1030(a)(2)(c) provides for criminal penalties when a person “[i]ntentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains...information from any protected computer.” Section 1030(a)(4) provides for penalties if a person:
knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computer and the value of such use is not more than $5,000 in any 1-year period.
In addition to criminal penalties, the CFAA creates a private right of action for “[a]ny person who suffers damage or loss by reason of a violation” of the statute. 18 U.S.C. § 1030(g). However, a claim may only be brought if the conduct involves the factors delineated in subclause (I), (II), (III), (IV), or (V) of subsection (c)(4)(A)(i). Id. Therefore, to bring a successful CFAA claim based on this subjection, a plaintiff must show:
(I) loss to 1 or more persons during any 1-year period (and, for purposes of an investigation, prosecution, or other proceeding brought by the United States only, loss resulting from a related course of conduct affecting 1 or more other protected computers) aggregating at least $5,000 in value;
(II) the modification or impairment, or potential modification or impairment, of the medical examination, diagnosis, treatment, or care of 1 or more individuals;
(III) physical injury to any person;
(IV) a threat to public health or safety;
(V) damage affecting a computer used by or for an entity of the United States Government in furtherance of the administration of justice, national defense, or national security.
Although SunPower does not allege which of the specific 18 U.S.C. § 1030(c)(4)(A)(i) factors is triggered by SunEdison's behavior, it does claim that its losses and damages amount to over $5,000 over a one year period. Comp. ¶ 79. This is sufficient to implicate 18 U.S.C. § 1030(c)(4)(A)(i)(I).
A plausible claim under either 18 U.S.C. § 1030(a)(2)(c) or (a)(4) requires SunPower to allege that the defendants acted “without authorization” or by “exceed[ing] authorized access.” The CFAA defines “exceeds authorized access” as “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” 18 U.S.C. § 1030(e)(6). The term “without authorization” is not defined within the statute. The Ninth Circuit has determined that a person uses a computer “without authorization” when “the person has not received permission to use the computer for any purpose (such as when a hacker accesses someone's computer without any permission), or when the employer has rescinded permission to access the computer and the defendant uses the computer anyway.” Brekka, 581 F.3d at 1135. Specifically, the Ninth Circuit has articulated a “sensible interpretation of §§ 1030(a)(2) and (4), which gives effect to both the phrase ‘without authorization’ and the phrase ‘exceeds authorized access': a person who ‘intentionally accesses a computer without authorization’ accesses a computer without any permission at all, while a person who ‘exceeds authorized access' has permission to access the computer, but accesses information on the computer that the person is not entitled to access.” Brekka, 581 F.3d at 1133 (internal citations omitted).
The Ninth Circuit has held that the plain language of the CFAA targets “the unauthorized procurement or alteration of information, not its misuse or misappropriation.” United States v. Nosal, 676 F.3d 854, 863 (9th Cir.2012) (internal quotation and citations omitted). Specifically, “the phrase ‘exceeds authorized access' in the CFAA does not extend to violations of use restrictions.” Id. The Ninth Circuit's narrow reading intentionally focused the statute's application to its purpose of punishing hackers and not misappropriating trade secrets. Id. at 863. Subsequent cases have similarly limited their interpretation of the CFAA. See, e.g., Koninklijke Philips N.V. v. Elec–Tech In'l Co., 14–cv–02737–BLF, 2015 WL 1289984, at *4 (N.D.Cal. Mar. 20, 2015) (following Ninth Circuit precedent in Nosal and dismissing plaintiff's CFAA claim based in part on the fact that the statute targets hacking, not trade secret misappropriation); Quad Knopf, Inc. v. S. Valley Biology Consulting, LLC, 13–cv–01262, 2014 WL 1333999, at *3 (E.D.Cal. Apr. 3, 2014) (same); Synopsys, Inc. v. ATopTech, Inc., 13–cv–02965 SC, 2013 WL 5770542, at *9 (N.D.Cal. Oct. 24, 2013) (same).
Here, SunPower does not allege that Fong and Messer were not authorized to access a computer or certain information. Instead, SunPower claims that Fong and Messer violated the CFAA by breaching SunPower's computer use policies when they connected USB drives or other non-SunPower owned equipment to SunPower's network, copied files onto these devices, and stored them on an unauthorized device. Comp. ¶¶ 30–45. To support its argument, SunPower relies on Brekka for the proposition that the phrase “exceeds authorized access” includes violations of employer-placed limitations on use. Opp. at 6. (Dkt. No. 26).
For the first time at oral argument, SunPower pointed to two specific provisions of its computer use policies that it alleges are access restrictions. See SunPower Ex. F at 1.1, SunPower Ex. C at 6.2.2. It argued that it is limiting its claims only to violations of these provisions. The extent to which these isolated uses of the word “access” would qualify these subsections as access restrictions defined by Nosal and Brekka is, at best, unclear and should have been briefed. SunPower's policies do not seem to be consistent in their terminology. On the very same pages where SunPower's alleged access restrictions are located, the company employs the word “use” in related subsections. See SunPower Ex. C at 1.1 (clarifying that the purpose and scope of this chapter of SunPower's policy is to avoid damages resulting from “[I]nadvertent or intentional misuse”), SunPower Ex. F at 6.1.1(prohibiting the “use” of USB drives for file storage or transfer). Simply using one word or another does not control the categorization of the restriction.
--------
I do not read Brekka in that manner. In Brekka, the employer alleged that one of its former employees, Christopher Brekka, violated the CFAA by accessing the employer's computer “without authorization” and in excess of authorization both while Brekka was employed and after he left. 581 F.3d at 1129. The Ninth Circuit affirmed summary judgment in favor of Brekka and the other defendants. It found, in part, that Brekka was authorized to use his employer's computer while he was employed and therefore downloading his employer's files and emailing the documents to his personal email did not violate the CFAA. Id. at 1137. The court explicitly held that “for purposes of the CFAA, when an employer authorizes an employee to use a computer subject to certain limitations, the employee remains authorized to use the computer even if the employee violates these limitations.” Id. at 1133.
Under Brekka, a CFAA claim hinges not on the use of the information but on whether or not the employee is authorized to access the information in the first place. Id. see also Nosal, 676 F.3d at 857 (rejecting the government's suggestion that unauthorized access encompasses situations involving limitations on use when an employee has unrestricted physical access to the information). Accordingly, it held that Brekka did not violate the CFAA because “there is no dispute that Brekka was given permission to access [the defendant's] computer.” Brekka, 581 F.3d at 1135. Under Brekka, a prohibited action, such as copying or transferring the accessed files onto a USB, does not by itself transform an employee's access from authorized to unauthorized. SunPower's contention that Brekka holds otherwise is incorrect.
SunPower's assertion that subsequent cases have interpreted Brekka to allow violations of employer-placed non-technical restrictions to form the basis of “unauthorized access” ignores the important differences between those cases and its own. Opp. at 6. SunPower relies on two cases involving former employees who exceeded their authorized access by accessing information after their employment ended. See NetApp, Inc. v. Nimble Storage, Inc. 41 F.Supp.3d 816 (N.D.Cal.2014); Weingand v. Harland Fin. Solutions, Inc., 11–cv–03109–EMC, 2012 WL 2327660 (N.D.Cal. June 19, 2012). The key to both courts' analyses was timing—the employees had gained accessed to their previous employers' networks after their access to those networks had been revoked. NetApp, 41 F.Supp.3d at 831–32 (holding that the Ninth Circuit has not precluded applying CFAA to situations where an individual access a former employer's network); Weingard, 2012 WL 2327660, at *3 (same). Because Messer and Fong were current employees at the time of the alleged access, their access was not unauthorized in the same manner as the plaintiffs in NetApp and Weingand.
SunPower's argument that Messer and Fond violated “technological barriers” by physically plugging in USB drives or other non-SunPower equipment into SunPower's computer is similarly unpersuasive. SunPower cites to an inapposite example given by the Ninth Circuit in Nosal. An employer keeps information in a separate database that can be viewed on a computer screen but not copied or downloaded. If the employee circumvents the employer's security measures, copies information on to a USB drive and takes it out of the building, that would have exceeded her authorization in violation of the CFAA. Nosal, 676 F.3d at 858. But that is not the situation here. SunPower has not alleged that either Messer or Fong circumvented any security measures or accessed unauthorized information; instead, they allegedly misappropriated information to which they had access in violation of SunPower's policies.
A more apt comparison would be to another example that the Ninth Circuit discussed in Nosal. The government argued that the CFAA should apply to an employee who is “authorized to access customer lists in order to do his job but not to send them to a competitor,” but nevertheless sends the competitor lists to a competitor. Nosal, 676 F.3d at 857. The court disagreed, observing that applying CFAA to any unauthorized use of information obtained from a computer would “make criminals of large groups of people who would have little reason to suspect they are committing a federal crime.” Id. at 859. Punishing this type of behavior would be incongruent with the statute's focus on prohibiting hacking and other high technology related crimes. That is true here as well.
SunPower relies on American Furukawa, Inc. v. Hossain, 14–cv–13633, 103 F.Supp.3d 864, 2015 WL 2124794 (E.D.Mich. May 6, 2015) to argue that other cases have followed Nosal's approach while holding that downloading files to removable media constitutes a violation under CFAA. Opp. at 7. In American Furukawa, a company sued a former employee alleging that the employee emailed and downloaded the company's files in violation of the CFAA both while he was employed and during a leave of absence. 103 F.Supp.3d at 866–67, 2015 WL 2124794, at *1–2. The court held that the company properly alleged that the employee took some files “without authorization” during his leave of absence. Id. at 875, 2015 WL 2124794, at *11. Additionally, because the company's computer use policy specified that an employee needs permission from a manager before accessing files with removable media, the court also held that the employee exceeded authorized access because he did not seek permission and therefore violated this access restriction. Id. at 883, 2015 WL 2124794, at *19.
American Furukawa does not help SunPower. Fundamentally, it comes from a district court in Michigan that appropriately followed its Sixth Circuit precedent. It explicitly discussed and disagreed with the approach of the Ninth Circuit in Nosal, which binds me. Id. at 882, 2015 WL 2124794, at *18. Moreover, the decision is consistent with this one in that the court rejected the employer's argument that the employee's misappropriation of its files while he was actively employed was a violation of the CFAA because he breached the employer's Secrecy Agreement; the court found the CFAA violation only for the period when the employee was out on leave and violated a condition of his leave—that he could not do any work during that time. Id. at 875, 2015 WL 2124794, at *11. All of the alleged behavior here occurred while Messer and Fong were current employees. Restrictions related to an employee's leave of absence are not at play in this case.
In sum, SunPower's allegations describe misappropriation of its confidential information. They do not constitute a violation of the CFAA. While it is not clear to me how it can successfully plead a plausible CFAA cause of action in light of the allegations it has already made, if it wishes it may amend its complaint within 20 days. If it chooses not to do so, I will remand this case to the California Superior Court for further proceedings since no other basis for federal jurisdiction is alleged.
CONCLUSION
Defendants' motion to dismiss is GRANTED. SunPower's complaint is DISMISSED WITH LEAVE TO AMEND. Any amended complaint shall be filed within 20 days of this Order.
If an amended complaint is not filed within that timeframe, I decline to exercise supplemental jurisdiction over any remaining state law claims under 28 U.S.C. § 1367(c) and will remand the case to state court. If an amended complaint is filed, I will retain jurisdiction as appropriate.