Accenture LLP v. Sidhu
Filing
23
ORDER by Judge Thelton E. Henderson granting 13 Motion to Dismiss (tehlc2, COURT STAFF) (Filed on 11/9/2010)
<![CDATA[
Accenture LLP v. Sidhu
Doc. 23
1 2 3 4 5 6 7 8 9 10 v. HARDEV SIDHU,
IN THE UNITED STATES DISTRICT COURT FOR THE NORTHERN DISTRICT OF CALIFORNIA
ACCENTURE, LLP, Plaintiff, NO. C10-2977 TEH ORDER GRANTING MOTION TO DISMISS Defendant.
United States District Court
11
For the Northern District of California
This matter came before the Court on October 18, 2010, on the motion to dismiss filed
12 by Defendant Hardev Sidhu ("Sidhu"). For the reasons set forth below, the motion is 13 GRANTED. 14 15 BACKGROUND 16 This lawsuit arises from a dispute between Sidhu and his former employer, Plaintiff
17 Accenture, LLP ("Accenture"), in which Accenture contends that Sidhu violated various 18 sections of the Computer Fraud and Abuse Act ("CFAA"), misappropriated trade secrets, 19 converted Accenture's secret information, and breached his contract with Accenture. On 20 September 3, 2010, Sidhu moved to dismiss Accenture's causes of action under the CFAA; 21 Accenture opposed the motion. 22 Sidhu is a former employee of Accenture-Australia, Ltd., a sister company to Plaintiff
23 Accenture. Sidhu went to work for Plaintiff Accenture in San Francisco, California, on or 24 about October 2006. Sidhu remained employed by Accenture during the years that followed, 25 and on March 27, 2009, Sidhu began a medical leave of absence. Sidhu continued to receive 26 full pay and benefits while on leave, and he performed services for Accenture's clients. On 27 several occasions during his medical leave, Sidhu confirmed that his illness required 28 extended bed rest, prompting him to take additional leave. His period of leave continued until
Dockets.Justia.com
1 Accenture officials determined that Sidhu had fabricated the medical condition upon which 2 he premised his leave of absence, and had started working for HCL, Accenture's direct 3 competitor, in June 2009. Sidhu resigned from Accenture several days later, on April 27, 4 2010. 5 For the duration of Sidhu's medical leave, Accenture made available to Sidhu its
6 secure online network containing confidential and proprietary information, known as 7 Accenture's Knowledge Exchange ("KX"). Sidhu downloaded more than 900 documents 8 from the KX system while on medical leave, the "vast majority" of them after he began 9 working for HCL. Pl.'s Opp. 4:13, Sept. 27, 2010. Sidhu did so despite having acknowledged 10 and agreed to comply with various policies, including Accenture's "Confidentiality Policy,"
United States District Court
11 "Security Policy," "Dual Employment Policy," "Workstation Security Standard," and
For the Northern District of California
12 "Mobile Device Policy." Accenture contends that these policies proscribed Sidhu's conduct 13 while on medical leave. 14 15 LEGAL STANDARD 16 Dismissal is appropriate under Federal Rule of Civil Procedure 12(b)(6) when a
17 plaintiff's allegations fail "to state a claim upon which relief can be granted." In ruling on a 18 motion to dismiss, the Court must "accept all material allegations of fact as true and construe 19 the complaint in a light most favorable to the non-moving party." Vasquez v. L.A. County, 20 487 F.3d 1246, 1249 (9th Cir. 2007). Courts are not, however, "bound to accept as true a 21 legal conclusion couched as a factual allegation." Ashcroft v. Iqbal, U.S. , 129 S. Ct. 1937, 22 1949-50 (2009). 23 A Rule 12(b)(6) dismissal "can be based on the lack of a cognizable legal theory or
24 the absence of sufficient facts alleged under a cognizable legal theory." Balistreri v. Pacifica 25 Police Dep't, 901 F.2d 696, 699 (9th Cir. 1990). To survive a motion to dismiss, a plaintiff 26 must plead "enough facts to state a claim to relief that is plausible on its face." Bell Atlantic 27 Corp. v. Twombly, 550 U.S. 544, 570 (2007). Plausibility does not equate to probability, but 28 it requires "more than a sheer possibility that a defendant has acted unlawfully." Iqbal, 129 2
1 S. Ct. at 1949. "A claim has facial plausibility when the plaintiff pleads factual content that 2 allows the court to draw the reasonable inference that the defendant is liable for the 3 misconduct alleged." Id. Dismissal of claims that fail to meet this standard should be with 4 leave to amend unless it is clear that amendment could not possibly cure the complaint's 5 deficiencies. Steckman v. Hart Brewing, Inc., 143 F.3d 1293, 1296 (9th Cir. 1998). 6 7 DISCUSSION 8 I. Violation of the CFAA 9 Count One of Accenture's First Amended Complaint ("FAC") alleges that Sidhu
10 violated three provisions of the CFAA. According to the Ninth Circuit,
United States District Court
11
For the Northern District of California
12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28
[t]he CFAA was enacted in 1984 to enhance the government's ability to prosecute computer crimes. The act was originally designed to target hackers who accessed computers to steal information or to disrupt or destroy computer functionality, as well as criminals who possessed the capacity to "access and control high technology processes vital to our everyday lives . . . ." H.R. Rep. 98-894, 1984 U.S.C.C.A.N. 3689, 3694 (July 24, 1984). The CFAA prohibits a number of different computer crimes, the majority of which involve accessing computers without authorization or in excess of authorization, and then taking specified forbidden actions, ranging from obtaining information to damaging a computer or computer data. LVRC Holdings, LLC v. Brekka, 581 F.3d 1127, 1130-31 (9th Cir. 2009). The CFAA is not strictly a criminal statute; it also allows plaintiffs to bring civil actions under its provisions. See 18 U.S.C. § 1030(g). Count One of Accenture's FAC alleges that Sidhu violated 18 U.S.C. sections 1030(a)(2)(C), (a)(4), and (a)(5)(A)(iii) of the CFAA. Section 1030(a)(2)(C) makes it unlawful if a person "intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains . . . information from any protected computer." Section 1030(a)(4) makes it unlawful if a person "knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value . . . ." Section 1030(a)(5)(A)(iii) does not correspond to a current section of the CFAA, but 3
1 according to Accenture's FAC, the statute makes it unlawful if a person "intentionally 2 accessed a protected computer network without authorization and/or exceeded authority, and, 3 as a result of such conduct, caused damage . . . ."1 This language seems to correspond with 4 18 U.S.C. section 1030(a)(5)(C), a current section of the CFAA that makes it unlawful if a 5 person "intentionally accesses a protected computer without authorization, and as a result of 6 such conduct, causes damage and loss." The Court assumes that Accenture intended to cite 7 the latter statutory section, and thus all of Accenture's allegations under the CFAA share the 8 element of authority Sidhu must have acted "without authorization" or "exceed[ed] 9 authorized access" to have violated sections 1030(a)(2)(C) and 1030(a)(4), and "without 10 authorization" to have violated section 1030(a)(5)(C).
United States District Court
11
For the Northern District of California
The CFAA does not define the phrase "without authorization." In Brekka, the Ninth
12 Circuit held that "an employer gives an employee `authorization' to access a company 13 computer when the employer gives the employee permission to use it."2 Brekka, 581 F.3d at 14 1133. Under the CFAA, the phrase "exceeds authorized access" "means to access a computer 15 with authorization and to use such access to obtain or alter information in the computer that 16 the accesser is not entitled so to obtain or alter." 18 U.S.C. § 1030(e)(6). This statutory 17 definition "implies that an employee can violate employer-placed limits on accessing 18 information stored on the computer and still have authorization to access that computer," the 19 Brekka court wrote in dicta. Brekka, 581 F.3d at 1135. Our sister court endorsed this 20 interpretation in United States v. Nosal, determining after thorough analysis that employees 21 "exceed[] authorized access" when they access computer information beyond what the 22 employer has made available to them. Nosal, 2010 WL 934257, at *7 (N.D. Cal. Jan. 6, 23 2010). As the court reasoned, 24 18 U.S.C. section 1030(a)(5)(A)(iii) is a valid citation to the 2002 version of the 25 CFAA, and it applies to a person who "intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage." 26 2 Brekka did not consider amendments to the CFAA enacted in 2008. Brekka, 581 27 F.3d at 1131 n.3 (citing Pub. L. 110-136, §§ 203-208). However, these amendments do not change the meaning of "without authorization" and "exceeds authorized access," nor does 28 Accenture argue that they have this effect. 4
1
1 2 3 4 5 6 7 8 9 10
United States District Court
11
For the Northern District of California
12 13 14
[a]n individual only "exceeds authorized access" if he has permission to access a portion of the computer system but uses that access to "obtain or alter information in the computer that [he or she] is not entitled so to obtain or alter." 18 U.S.C. § 1030(e)(6) (emphasis added). There is simply no way to read that definition to incorporate corporate policies governing use of information unless the word alter is interpreted to mean misappropriate. Such an interpretation would defy the plain meaning of the word alter, as well as common sense. A person does not necessarily alter information on a computer when they access it with a nefarious intent. Furthermore, the government's proposed interpretation of "exceeds authorized access" would create an uncomfortable dissonance within section 1030(a)(4). Pursuant to the government's reading of the statute, an individual's intent would be irrelevant in determining whether that person accessed a computer "without authorization," but as long as the company had policies governing the use of the information stored in its computer system, that same individual's intent could be dispositive in determining whether they "exceed[ed] authorized access." Finally, the government's proposed interpretation of "exceeds authorized access" raises the same rule of lenity concerns with which the Ninth Circuit already grappled regarding the "without authorization" prong of the statute. Thus, although Brekka does not squarely address the reach of the "exceeds authorized access" prong of section 1030(a)(4), it emphasizes that access and intent are separate elements.
15 Id. For these reasons, the court in Nosal held that an employee "exceeds authorized access" 16 when he accesses information without permission, not when he violates company policies. 17 Id. This Court agrees. 18 Accenture argues that Brekka is distinguishable because the former-employer plaintiff
19 in that case had not implemented written agreements or policies governing the defendant's 20 conduct, which involved e-mailing documents to a personal computer. See Brekka, 581 F.3d 21 at 1129. However, district courts interpreting Brekka have not recognized this distinction. For 22 example, in Nosal, the court dismissed charges under CFAA where the defendant, an 23 independent contractor, obtained proprietary information from the plaintiff employer in 24 violation of disclosure policies. Nosal, 2010 WL 934257, at *1-2, *6. In another post-Brekka 25 case, National City Bank, N.A. v. Prime Lending, Inc., a district court held that Brekka 26 required dismissal of CFAA claims where an employee allegedly took confidential 27 information from computers he was permitted to use for work and used that information to 28 compete with the employer. 2010 WL 2854247, at *4 (E.D. Wash July 19, 2010). The court 5
1 reached this holding despite the fact that the employee had agreed not to engage in the 2 activities he allegedly undertook recruiting his employer's employees, using his employer's 3 trade secrets, and soliciting his employer's customers for a period of time after leaving the 4 company. Id. at *1. The Court finds these cases which hold that access is not established by 5 employers' policies, but by the extent the employer makes the computer system available to 6 the employee to be persuasive. The cases Accenture cites to the contrary predate Brekka, 7 are from outside the Ninth Circuit, or both. 8 Accenture also attempts to distinguish Sidhu's alleged violation of the company's
9 Dual Employment Policy from other alleged violations, arguing that because Sidhu lied to 10 human resources personnel and began working for HCL, he was no longer authorized to
United States District Court
11 access the KX system. But for Sidhu's deception he would not have been an employee of
For the Northern District of California
12 Accenture, Accenture contends, and thus he was not authorized to access Accenture's 13 computer network. The Court is not persuaded by this reasoning. Not only does it undermine 14 Brekka by incorporating corporate policy into the substance of the CFAA, but it also asks 15 courts to determine which employee conduct is deceptive, and whether that deception, if 16 known to the employer, would have resulted in the employee's termination. The courts in 17 Nosal and National City Bank engage in no such inquiry, even though the conduct alleged in 18 those cases was arguably deceptive and, if known, might have resulted in the employees' 19 termination. As the court noted in Nosal, "an individual's intent in accessing a computer, be 20 it to defraud or otherwise, is irrelevant in determining whether an individual has permission 21 or is authorized to access the computer." Nosal, 2010 WL 934257, at *6. The court in 22 National City Bank agreed, observing that an "employee's subjective state of mind, the 23 purpose for which the employee accesses the documents, and whether the employee breaches 24 a state law duty of loyalty to the employer by doing so are irrelevant to whether he exceeds 25 the scope of authorization." National City Bank, 2010 WL 2854247, at *4. The relevant 26 inquiry is whether the employer allowed the employee use the computer system, irrespective 27 of whether the employer would have revoked permission if it understood the employees' 28 intent, or knew about the employee's conduct. Here, Sidhu was an Accenture employee with 6
1 permission to use its computer system. Whether Sidhu was deceptive, and whether he would 2 have been fired pursuant to Accenture's Dual Employment Policy had Accenture learned of 3 his deception, are irrelevant. 4 The only post-Brekka case from within the Ninth Circuit that Accenture cites
5 regarding interpretation of the CFAA is Atpac, Inc. v. Aptitude Solutions, Inc., 2010 WL 6 1779901 (E.D. Cal. Apr. 29, 2010). In Atpac, a company that licensed software to a county 7 agency sued the agency and an agency employee under the CFAA for allegedly sharing the 8 contents of the software with a third party in violation of the license agreement. Id. at *1. In a 9 parenthetical citation within a section discussing third party liability under the CFAA, the 10 court in Atpac noted that the CFAA "presumably" "provides no refuge for a defendant who
United States District Court
11 procures consent by exploiting a known mistake that relates to the essential nature of his
For the Northern District of California
12 access." Id. at *6. Accenture argues that Sidhu exploited a known mistake regarding his dual 13 employment, and thus is liable under the CFAA. Tellingly, however, Accenture does not cite 14 portions of Atpac that analyze plaintiff's CFAA claims against the county agency and its 15 employee, which alleged that they acted "without authorization"or "exceed[ed] authorized 16 access." The court in Atpac held that the agency and employee did not act "without 17 authorization" because they were "authorized to use the computer at issue for at least some 18 purposes." Id. at *4. It further held that they did not "exceed authorized access" because the 19 licensing agreement did not limit access, but merely "how [the county] could use [the 20 software] by making copies of it or disclosing it to third parties." Id. (emphasis in original). 21 Thus rather than support Accenture's reading of the CFAA, Atpac stands for the principle 22 that written agreements and policies do not dictate liability under the statute. 23 In light of the foregoing analysis, the Court finds that Accenture has alleged no facts
24 that would support a finding that Sidhu acted "without authorization" or "exceed[ed] 25 authorized access" under the CFAA. 26 II. Leave to Amend 27 Leave to amend should be granted unless the Court determines that no set of facts
28 could possibly cure the pleading. Steckman, 143 F.3d at 1296. In the FAC, Accenture averred 7
1 that "[w]hile employed by Accenture-Australia and thereafter Accenture . . . Sidhu was given 2 access to and was responsible for the further development of Accenture's trade secrets and 3 confidential information." First Am. Compl. 9:7-9, Aug. 19, 2010. When asked at hearing 4 what additional facts Accenture would allege in an amended complaint, Accenture offered 5 none. The Court therefore finds that amendment could not cure the FAC's deficiencies. 6 This is true even if the Court has incorrectly assumed that when Accenture pleaded a
7 violation of section 1030(a)(5)(A)(iii) in the FAC, it intended to plead a violation of section 8 1030(a)(5)(C). The language of the FAC indicates that the statutory section Accenture 9 intended to cite requires Sidhu to have acted "without authorization" and/or "exceed[ed] 10 authorized access." Therefore, if amendment could not cure the properly pleaded sections of
United States District Court
11 the CFAA, amendment could not cure the improperly pleaded one.
For the Northern District of California
12 13 CONCLUSION 14 For the reasons set forth above, Plaintiff's motion to dismiss is GRANTED. Count
15 One of the First Amended Complaint is DISMISSED with prejudice. 16 17 IT IS SO ORDERED. 18 19 Dated: 11/9/10 20 21 22 23 24 25 26 27 28 8 THELTON E. HENDERSON, JUDGE UNITED STATES DISTRICT COURT
]]>
Disclaimer: Justia Dockets & Filings provides public litigation records from the federal appellate and district courts. These filings and docket sheets should not be considered findings of fact or liability, nor do they necessarily reflect the view of Justia.
Why Is My Information Online?
