NovelPoster v. Javitch Canfield Group et al
Filing
124
ORDER DENYING DEFENDANTS' SECOND MOTION FOR JUDGMENT ON THE PLEADINGS by Hon. William H. Orrick denying #111 Motion for Judgment on the Pleadings. (jmdS, COURT STAFF) (Filed on 11/3/2014)
1
2
3
4
UNITED STATES DISTRICT COURT
5
NORTHERN DISTRICT OF CALIFORNIA
6
7
NOVELPOSTER,
Case No. 13-cv-05186-WHO
Plaintiff,
8
v.
9
10
JAVITCH CANFIELD GROUP, et al.,
Defendants.
ORDER DENYING DEFENDANTS'
SECOND MOTION FOR JUDGMENT
ON THE PLEADINGS
Re: Dkt. No. 111
United States District Court
Northern District of California
11
INTRODUCTION
12
13
This order concerns the second motion for judgment on the pleadings filed by defendants
14
in this case. I granted the first motion with respect to plaintiff NovelPoster’s claims under the
15
Computer Fraud and Abuse Act (“CFAA”) and California’s Comprehensive Computer Data
16
Access and Fraud Act (“CDAFA”) on the ground that NovelPoster had failed to adequately plead
17
damage or loss within the meaning of either statute. NovelPoster has since filed an amended
18
complaint (“First Amended Complaint”) with additional details concerning the damage and loss
19
NovelPoster allegedly sustained as a result of defendant’s conduct. Defendants contend that the
20
First Amended Complaint still fails to adequately plead damage or loss under the CFAA and
21
CDAFA, and that it fails to properly allege that defendants accessed or used a computer “without
22
permission,” as required to state a claim under the CDAFA. For the reasons discussed below, the
23
motion is DENIED.
BACKGROUND
24
25
26
I. FACTUAL BACKGROUND
The following facts are alleged in the First Amended Complaint and are presumed true for
27
the purposes of this motion. Except where otherwise indicated, most of the facts are also alleged
28
in NovelPoster’s initial complaint and are set out in the Court’s August 4, 2014 order granting
1
defendants’ first motion for judgment on the pleadings. See Dkt. Nos. 1, 93. I repeat them here
2
for ease of reference.
3
A. Failed business arrangement between the parties
4
NovelPoster is an online retailer that designs, sells, and distributes “text-based poster
5
products.” FAC ¶ 3. NovelPoster has no physical presence and is accessible only through its
6
website, www.NovelPoster.com, and other online shopping portals. FAC ¶ 11. The business was
7
founded by Matt Grinberg and Alex Yancher in 2011. FAC ¶ 10.
8
9
NovelPoster’s operations are conducted exclusively online through a number of software
programs and websites, including Google and Google Adwords, Goodsie, Etsy, Storenvy,
Facebook and Facebook Ads, Twitter, MailChimp, Stripe, and PayPal. FAC ¶ 12. NovelPoster
11
United States District Court
Northern District of California
10
uses several email accounts hosted by Google. FAC ¶ 12. These include
12
Contact@NovelPoster.com, Matt@NovelPoster.com, and Alex@NovelPoster.com. FAC ¶ 12.
13
Contact@NovelPoster.com is the administrative account for all of NovelPoster’s Google email
14
accounts, and access to Contact@NovelPoster.com allows the user to access and control both
15
Matt@NovelPoster.com and Alex@NovelPoster.com, which are the individual email accounts for
16
Grinberg and Yancher, respectively. FAC ¶ 12. Grinberg and Yancher used
17
Contact@NovelPoster.com and their individual email accounts to communicate with customers
18
and to store contact information for designers, marketers, and other entities “essential to the
19
growth and operation of NovelPoster.” FAC ¶ 14.
20
NovelPoster first came into contact with defendants through Yancher, who met defendant
21
Daniel Canfield at a social event in San Francisco, California in March 2013. FAC ¶ 16. Yancher
22
and Canfield agreed to pursue a potential business arrangement by which Canfield’s company,
23
defendant Javitch Canfield Group, would assume responsibility for running NovelPoster “until it
24
could be sold.” FAC ¶ 16. Grinberg and Yancher met with Canfield and his business partner,
25
defendant Mark Javitch, several times between March 2013 and May 2013 to discuss and
26
negotiate the details of the arrangement. FAC ¶ 17.
27
28
On or around May 3, 2013, optimistic that an agreement with defendants would soon be
reached, NovelPoster provided defendants with the passwords to a number of its online accounts,
2
1
including Contact@NovelPoster.com and NovelPoster’s accounts with Google Adwords, Goodsie,
2
Facebook, Twitter, MailChimp, Stripe, and PayPal. FAC ¶ 18. Grinberg and Yancher did not
3
authorize defendants to change the passwords to any of the accounts. FAC ¶ 18. Nevertheless, on
4
or around May 8, 2013, defendants changed the passwords to each of the accounts without
5
providing the new passwords to NovelPoster. FAC ¶19. Grinberg emailed defendants to inform
6
them that while changing the passwords was “totally fine for now,” Grinberg and Yancher “would
7
need access to NovelPoster’s accounts going forward.” FAC ¶ 21. In the same email, Grinberg
8
proposed final contract terms between the parties, including the following points:
9
(i) Javitch Canfield Group would “take over all aspects of operations except for poster
design,” while NovelPoster would “continu[e] to be responsible for additional poster
11
United States District Court
Northern District of California
10
design at a rate of one poster per month.”
12
(ii) NovelPoster would maintain “ownership of all NovelPoster related accounts.”
13
(iii) Javitch Canfield Group would receive 80 percent of all NovelPoster sales, as well as a
14
ten percent equity share to vest in two years.
15
(iv) Javitch Canfield Group would not compete with NovelPoster “by creating their own
16
text-based poster product.”
17
FAC ¶ 21.
18
19
Defendants accepted the terms via email on May 9, 2013. FAC ¶ 24.
On or around May 13, 2013, in line with the contract provision that NovelPoster would
20
maintain “ownership of all NovelPoster related accounts,” Canfield provided NovelPoster with the
21
new passwords the defendants had created. FAC ¶ 27. On or around June 6, 2013, however,
22
defendants reversed course and again changed the passwords for Contact@NovelPoster.com,
23
Google Adwords, Goodsie, Facebook, Twitter, MailChimp, Stripe, and PayPal, again without
24
providing the new passwords to NovelPoster. FAC ¶ 29. On the same date, defendants also
25
accessed and changed the passwords to Grinberg and Yancher’s individual email accounts,
26
Matt@NovelPoster.com and Alex@NovelPoster.com. FAC ¶ 30. Neither Grinberg nor Yancher
27
had authorized defendants to access the individual email accounts or to change the accounts’
28
passwords. FAC ¶ 30. The First Amended Complaint alleges that by changing the various online
3
1
account passwords, defendants exceeded their authority “to operate, but not own, NovelPoster”
2
and “prevented [NovelPoster] from restoring and reasserting the technical access barriers that
3
defendants had just overcome.” FAC ¶ 29-30, 92.
4
On June 10, 2013, Yancher emailed Canfield and Javitch, alerting them that he knew they
5
had accessed the individual email accounts and read emails therein without permission. FAC ¶ 31.
6
Javitch replied and suggested a meeting to discuss the situation. FAC ¶ 32. Yancher agreed to
7
meet but reiterated that defendants were not authorized to access the individual email accounts or
8
to change the accounts’ passwords. FAC ¶ 32.
9
The parties met on June 13, 2013. FAC ¶ 33. Grinberg and Yancher told defendants that
“their business relationship was not working” and that they wished to terminate the agreement.
11
United States District Court
Northern District of California
10
FAC ¶ 33. Defendants refused, insisting they would relinquish control of NovelPoster only for a
12
$10,000 fee. FAC ¶ 33. The next day, Grinberg sent Canfield an email terminating the
13
agreement and demanding that defendants return all of NovelPoster’s business operations,
14
including the passwords to NovelPoster’s online accounts. FAC ¶ 34. In a reply email sent the
15
same day, Javitch “refused to acknowledge the termination of the agreement, reasoning . . . there
16
was no clause in the contract that addressed termination and therefore the termination was not
17
valid.” FAC ¶ 36.
18
Between June 2013 and January 2014, defendants maintained control of all aspects of
19
NovelPoster’s business and routinely accessed, without authorization from Grinberg or Yancher,
20
NovelPoster’s online accounts. FAC ¶ 41. Throughout that period, defendants “cross-marketed
21
NovelPoster with other brands [they] promote” and misrepresented to vendors and other business
22
contacts that defendants were authorized to enter binding agreements on NovelPoster’s behalf.
23
FAC ¶¶ 39-40. In early December 2013, NovelPoster discovered that defendants had shut down
24
Novelposter’s website. FAC ¶ 43. This was “right at the apex of the holiday season and the most
25
profitable part of the year for NovelPoster.” FAC ¶ 43. NovelPoster asserts that in 2012, it earned
26
thirty percent of its revenues in December; because its website was shut down in December 2013,
27
NovelPoster “could not conduct sales, interact with customers, or generally operate, and lost
28
significant revenue as a result.” FAC ¶ 43.
4
It was not until January 10, 2014 that defendants finally turned over the passwords to all
1
2
but one of NovelPoster’s online accounts. FAC ¶ 44. 1 Prior to returning access, defendants
3
deleted the email accounts Mark@NovelPoster.com and Becky@NovelPoster.com, along with all
4
data and communications stored within those accounts. FAC ¶ 45-46. 2 Defendants also withheld
5
from NovelPoster all emails and other communications that had been sent or received through any
6
of NovelPoster’s online accounts during the approximately seven months that defendants
7
controlled the business. FAC ¶ 48. On February 10, 2014, I ordered defendants to provide those
8
emails and communications to NovelPoster within seven days. Dkt. No. 38.
9
B. NovelPoster’s allegations concerning damage and loss
10
With respect to NovelPoster’s CFAA and CDAFA causes of action, the damage and loss
United States District Court
Northern District of California
11
allegations in the initial complaint were limited to a single boilerplate sentence: “As a result of
12
defendants’ conduct, NovelPoster has suffered damages and/or loss in excess of $5,000 in the year
13
preceding the date of this filing, but the damages grow each day that defendants refuse to
14
acknowledge [the] termination of the agreement.” Order at 14; Dkt. No. 1 ¶ 44. 3
15
The damage and loss allegations in the First Amended Complaint are substantially more
16
detailed. They can be grouped into three categories. First, NovelPoster alleges “impairment of
17
data” damage caused by defendants’ extended period of exclusive control over NovelPoster’s
18
online accounts. See FAC ¶ 42 (“Because plaintiff was locked out of its own accounts, it had no
19
way to . . . investigate what had been done with its . . . accounts, what data had been deleted, what
20
false information had been created, or how its accounts had been used while they were hijacked by
21
defendants.”).4
22
1
23
NovelPoster alleges that defendants still have not turned over the password to NovelPoster’s
Stripe account. FAC ¶ 44.
24
2
25
26
27
28
NovelPoster does not state who created these email accounts or who was licensed to use them.
See FAC ¶¶ 45-46. Defendants assert, and NovelPoster appears to concede, that the accounts were
created either by defendants or by persons associated with defendants. Mot. 10; Opp. 9.
3
NovelPoster filed its initial complaint on November 6, 2013, when, according to NovelPoster’s
allegations, the business was still under defendants’ control and it was conceivable that
NovelPoster’s damages were still “grow[ing] each day.” See Dkt. No. 1.
4
NovelPoster also alleges “impairment of data” damage caused by defendants’ alleged deletion of
5
1
Second, NovelPoster alleges “investigation and recovery” losses. Opp. 2-3. NovelPoster
states that between June 14, 2013 (the date NovelPoster terminated its agreement with defendants)
3
and February 17, 2014 (the date by which defendants were ordered to turn over all emails and
4
other communications that had been sent or received through NovelPoster’s online accounts
5
during defendants’ period of exclusive control), Grinberg and Yancher each spent approximately
6
ten hours per week “on their efforts to secure the restoration of NovelPoster and its data and
7
information” to the condition they were in “prior to when defendants took control of
8
NovelPoster.” FAC ¶ 70. These efforts included restoring the data and information to their prior
9
condition, as well as responding to and conducting a damage assessment of defendants’ alleged
10
CFAA and CDAFA violations. FAC ¶ 50. NovelPoster states that Grinberg and Yancher have
11
United States District Court
Northern District of California
2
previously received $150 per hour for computer work, and that, based on that figure, the value of
12
the time and services they expended in their restorative efforts is approximately $105,000. Id.
13
NovelPoster also hired attorneys in its efforts to restore its data and information. FAC ¶ 71. The
14
attorneys “charge in excess of $300/hour and spent in or around in excess of 100 hours securing
15
the return of NovelPoster’s data and information.” Id.
16
Finally, NovelPoster alleges “interruption of service” losses. Opp. 3, 7-8. NovelPoster
17
states that as a result of defendants’ control of NovelPoster’s website and online accounts,
18
NovelPoster suffered lost revenue in the form of: (i) approximately $13,000 in NovelPoster sales
19
that occurred while the website was under defendants’ control and that was “unjustly retained” by
20
defendants; (ii) “unrealized revenues,” including those due to defendants’ shutdown of the
21
NovelPoster website in December 2013 during the height of the holiday shopping season; and (iii)
22
23
24
25
26
27
28
the Mark@NovelPoster.com and Becky@NovelPoster.com email accounts. See FAC ¶¶ 45-46;
Opp. 9. However, as noted above, NovelPoster does not allege who created the accounts or who
was licensed to use them. Damage or loss is only relevant to NovelPoster’s CFAA and CDAFA
claims if it was caused by defendants’ violation of one or both of the statutes. See 18 U.S.C. §
1030(g) (“Any person who suffers damage or loss by reason of a violation of [the CFAA] may
maintain a civil action against the violator.”) (emphasis added); Cal. Penal Code § 502(e)(1)
(“[T]he owner or lessee of the computer . . . or data who suffers damage or loss by reason of a
violation of [the CDAFA] may bring a civil action against the violator.”) (emphasis added).
Because NovelPoster has not alleged to whom Mark@NovelPoster.com and
Becky@NovelPoster.com belonged, it is not clear that defendants’ access, use, and deletion of
those accounts was in violation of the CFAA or CDAFA. Accordingly, I will not consider
defendants’ alleged conduct in connection with those accounts for the purposes of this motion.
6
1
“damaged relationships with wholesalers due to the subpar product and customer service
2
[defendants] offered while operating NovelPoster.” FAC ¶¶ 74-75.
3
II. PROCEDURAL BACKGROUND
NovelPoster filed its initial complaint on November 16, 2013, alleging nine causes of
4
5
action against defendants: (1) violation of the CFAA, 18 U.S.C. §§ 1030(a)(2)(C) and
6
1030(a)(5)(c); (2) violation of the Wiretap Act, 18 U.S.C. § 2511 et seq.; (3) violation of the
7
CDAFA, Cal. Penal Code §§ 502(c)(1)-(5), (7); (4) violation of the California Invasion of Privacy
8
Act, Cal. Penal Code § 630 et seq.; (5) conversion; (6) breach of contract; (7) breach of the
9
implied covenant of good faith and fair dealing; (8) violation of California’s Unfair Competition
10
Law; and (9) unjust enrichment. Dkt. No. 1.
On June 6, 2014, defendants filed a motion for judgment on the pleadings on the first
United States District Court
Northern District of California
11
12
through fourth causes of action. Dkt. No. 60. On August 8, 2014, I granted the motion on the
13
CFAA cause of action, reasoning that while NovelPoster had adequately alleged improper conduct
14
under the Act,5 NovelPoster’s barebones loss and damage allegation was too conclusory to support
15
a claim for relief against defendants. Dkt. No. 93 at 6-15. I also granted judgment on the
16
pleadings for defendants on NovelPoster’s CDAFA cause of action, also on the ground that
17
NovelPoster had failed to adequately allege loss or damage within the meaning of that statute. Id.
18
at 16-17. 6 I gave NovelPoster leave to amend both causes of action. Id. at 22.
NovelPoster filed the First Amended Complaint on August 19, 2014, alleging the same
19
20
causes of action as in the initial complaint, minus the Wiretap Act and California Invasion of
21
22
23
24
25
26
27
28
5
In holding that NovelPoster had adequately alleged improper conduct under the CFAA, I rejected
defendants’ contention that NovelPoster’s allegations failed to show that defendants acted without
authorization or in excess of authorization by accessing and maintaining exclusive control of
NovelPoster’s various online accounts. I reasoned that, “[b]ased on the pleadings, issues of fact
remain concerning whether defendants truly had authorization to access NovelPoster’s various
accounts and to change the passwords during the business relationship and, if they did, to continue
to access the accounts” after the relationship was supposedly terminated. Dkt. No. 93 at 9.
6
In addition, I granted judgment on the pleadings for defendants on NovelPoster’s second and
fourth causes of action, for violations of the Wiretap Act and the California Invasion of Privacy
Act. Dkt. No. 93 at 17-22. NovelPoster does not bring those causes of action in the First
Amended Complaint.
7
1
Privacy Act claims. Defendants filed the instant motion on September 10, 2014, and I heard
2
argument from the parties on October 15, 2014.7
LEGAL STANDARD
3
Federal Rule of Civil Procedure 12(c) provides that “[a]fter the pleadings are closed – but
4
5
early enough not to delay trial – a party may move for judgment on the pleadings.” Fed. R. Civ. P.
6
12(c). “Analysis under Rule 12(c) is substantially identical to analysis under Rule 12(b)(6)
7
because, under both rules, a court must determine whether the facts alleged in the complaint, taken
8
as true, entitle the plaintiff to a legal remedy.” Chavez v. United States, 683 F.3d 1102, 1108 (9th
9
Cir. 2012) (internal quotation marks omitted). As with a motion to dismiss under Rule 12(b)(6),
when deciding a motion for judgment on the pleadings, the court “must accept all factual
11
United States District Court
Northern District of California
10
allegations in the complaint as true and construe them in the light most favorable to the
12
nonmoving party.” Fleming v. Pickard, 581 F.3d 922, 925 (9th Cir. 2009). “Judgment on the
13
pleadings is properly granted when there is no issue of material fact in dispute, and the moving
14
party is entitled to judgment as a matter of law.” Id. (footnote and citation omitted).
DISCUSSION
15
16
I. DAMAGE AND LOSS UNDER THE CFAA
Defendants contend that the First Amended Complaint still fails to adequately plead either
17
18
damage or loss as defined by the CFAA. Defendants are wrong.
To maintain a civil action under the CFAA, the plaintiff must show that he or she
19
20
“suffer[ed] damage or loss by reason of [the defendant’s] violation” of the Act, and that one of
21
five enumerated circumstances is present. 18 U.S.C. § 1030(g). NovelPoster claims that
22
defendants violated two provisions of the CFAA, 18 U.S.C. § 1030(a)(2)(C) and 18 U.S.C. §
23
24
25
26
27
28
7
In conjunction with the motion, defendants requested judicial notice of various documents,
including NovelPoster’s ex parte application for a temporary restraining order in this case, Dkt.
No. 35, and this Court’s subsequent order, Dkt. No. 38. With the exception of the TRO
application and order, I find that the documents submitted by defendants are not necessary to
resolve this motion, and defendants’ request for judicial notice of those documents is DENIED AS
MOOT. Defendants’ request for judicial notice of the TRO application and order is GRANTED,
although defendants are advised for future reference that they need not seek judicial notice of
documents previously filed in the same case. An accurate citation will suffice.
8
1
1030(a)(5)(C). Section 1030(a)(2)(C) makes liable anyone who “intentionally access a computer
2
without authorization or exceeds authorized access, and thereby obtains . . . information from any
3
protected computer.” 18 U.S.C. § 1030(a)(2)(C). Section 1030(a)(5)(C) similarly creates a cause
4
of action against anyone who “intentionally accesses a protected computer without authorization,
5
and as a result of such conduct, causes damage and loss.” 18 U.S.C. § 1030(a)(5)(C). The
6
circumstance relevant to NovelPoster’s claims is whether defendants’ alleged CFAA violations
7
caused “loss to 1 or more persons during any 1-year period . . . aggregating at least $5,000 in
8
value.” 18 U.S.C. § 1030(c)(4)(A)(i)(I). The upshot is that NovelPoster must show that
9
defendants’ violation of each of the alleged CFAA provisions caused loss of at least $5,000, and,
further, that defendants’ violation of section 1030(a)(5)(C) caused both “damage and loss.” 18
11
United States District Court
Northern District of California
10
U.S.C. §§ 1030(a)(5)(C), 1030(c)(4)(A)(i)(I); see also, Network Cargo Sys. Int'l, Inc. v. Pappas,
12
No. 13-cv-09171, 2014 WL 1674650, at *2 (N.D. Ill. Apr. 25, 2014) (noting that a plaintiff
13
bringing a claim under 18 U.S.C. 1030(a)(5)(C) must show both “damage” and “loss”).
14
The CFAA defines “damage” as “any impairment to the integrity or availability of data, a
15
program, a system, or information.” 18 U.S.C. § 1030(e)(8). “Loss” is defined as “any
16
reasonable cost to any victim, including the cost of responding to an offense, conducting a damage
17
assessment, and restoring the data, program, system, or information to its condition prior to the
18
offense, and any revenue lost, cost incurred, or other consequential damages incurred because of
19
interruption of service.” Id. § 1030(e)(11). Thus, while “damage” covers harm to data and
20
information, “loss” refers to monetary harms sustained by the plaintiff. See Phillips v. Ex'r of
21
Estate of Arnold, 13-cv-00444, 2013 WL 4458790, at *4 (W.D. Wash. Aug. 16, 2013).
22
A. Damage
23
The First Amended Complaint adequately alleges damage because it alleges that
24
throughout the approximately seven months that defendants maintained unauthorized control of
25
NovelPoster’s online accounts, NovelPoster was prohibited from accessing the data and
26
communications stored within them. See FAC ¶ 42. This qualifies as an “impairment to the . . .
27
availability of data,” as required to show damage under the CFAA. See 18 U.S.C. § 1030(e)(8);
28
see also, Cassetica Software, Inc. v. Computer Sciences Corp., No. 09-cv-00003, 2009 WL
9
1
1703015, at *3 (N.D. Ill. June 18, 2009) (holding that a plaintiff alleges damage under the CFAA
2
where he alleges that defendant’s conduct “caused a diminution in the completeness or usability”
3
or “affected the availability” of data).
4
Defendants contend that CFAA-qualifying damage only occurs where data is destroyed or
5
where the underlying computer system is harmed. See Reply at 5 (“Plaintiff does not plead any
6
damage to computers or computer systems.”). Defendants cite several cases in support of this
7
proposition. See NetApp, Inc. v. Nimble Storage, Inc., No. 13-cv-05058-LHK, 2014 WL 1903639,
8
at *12-13 (N.D. Cal. May 12, 2014) (“damage” means “harm to computers or networks”); Doyle v.
9
Taylor, 09-cv-00158, 2010 WL 2163521, at *2-3 (E.D. Wash. May 24, 2010) (to show “damage”
or “loss” under the CFAA, “plaintiffs must identify impairment of or damage to the computer
11
United States District Court
Northern District of California
10
system that was accessed without authorization”); Del Monte Fresh Produce, N.A., Inc. v.
12
Chiquita Brands Int'l Inc., 616 F. Supp. 2d 805, 810 (N.D. Ill. 2009) (a person causes “damage”
13
under the CFAA when she “destroys . . . data”).
14
None of the cases cited by defendants, however, involve a situation where the alleged
15
CFAA violation caused the extended unavailability of the data at issue. Rather, all of the cases
16
involve the mere copying of data. See, e.g., NetApp, Inc, 2014 WL 1903639, at *13 (“[Plaintiff]
17
alleges only that [defendant] accessed its databases without permission, not that he damaged any
18
systems or destroyed any data.”); Doyle, 2010 WL 2163521, at *1 (plaintiff alleged that defendant
19
violated the CFAA by copying and distributing the contents of plaintiff’s thumb drive); Del
20
Monte, 616 F. Supp. 2d at 811 (N.D. Ill. 2009) (“copying electronic files from a computer
21
database . . . is not enough to satisfy the damage requirement of the CFAA”). These cases appear
22
to have used language suggesting a destruction or harm-to-computer-system requirement as a
23
means of emphasizing that the mere copying of data is not enough, not as a means of excluding
24
the extended unavailability of data from the CFAA’s definition of “damage.” Given their factual
25
differences with the instant case, the decisions cited by defendants are not persuasive here.
26
Moreover, district courts in the Ninth Circuit have expressly held that, under the CFAA, “it
27
is not necessary for data to be physically changed or erased to constitute damage to that data.”
28
Multiven, Inc. v. Cisco Sys., Inc., 725 F. Supp. 2d 887, 894-95 (N.D. Cal. 2010); see also, T10
1
Mobile USA, Inc. v. Terry, 862 F. Supp. 2d 1121, 1131 (W.D. Wash. 2012) (noting that data need
2
not be “physically changed or erased” to be damaged under the CFAA).
3
Defendants also point to B.U.S.A. Corp. v. Ecogloves, Inc., No. 05-cv-09988, 2009 WL
4
3076042 (S.D.N.Y. Sept. 28, 2009), but the case is plainly distinguishable. The court in B.U.S.A.
5
held that the plaintiffs could not prove “loss” under the CFAA where “[t]he credible evidence in
6
the record does not show that [defendant’s] actions caused an ‘interruption of service’ – at most,
7
plaintiffs were unable to access some of [defendant’s] past emails for an unspecified period of
8
time.” Id. at *9. As the preceding sentence indicates, B.U.S.A. was concerned with “loss” under
9
the CFAA, not “damage.” Id. at *6-9. The court held that the temporary unavailability of emails
does not constitute an “interruption of service” under the CFAA but said nothing about what
11
United States District Court
Northern District of California
10
constitutes damage within the meaning of the Act. Id.
12
Defendants have not presented any persuasive authority for excluding the approximately
13
seven-month unavailability of data from the CFAA’s definition of damage despite that definition’s
14
plain inclusion of “impairment to the . . . availability of data.” 18 U.S.C. § 1030(e)(8).
15
NovelPoster has adequately alleged that defendants’ alleged CFAA violations caused damage
16
within the meaning of the Act.
17
B. Loss
18
The First Amended Complaint also includes sufficient allegations of loss under the CFAA.
19
As defined under section 1030(e)(11), “loss” means two things: first, “any reasonable cost to any
20
victim,” such as conducting a damage assessment and restoring the damaged data or information
21
to its condition prior to the offense; and second, lost revenue or other costs incurred as a result of
22
an “interruption of service.” 18 U.S.C. § 1030(e)(11). NovelPoster may only sue defendants
23
under the CFAA if defendants’ violations of the Act caused a loss of at least $5,000 in value. See
24
18 U.S.C. §§ 1030(c)(4)(A)(i)(I), 1030(g).
25
For pleading purposes, NovelPoster has satisfied this requirement by alleging that
26
Grinberg and Yancher each spent substantial time and energy “on their efforts to secure the
27
restoration of NovelPoster and its data and information” to the condition they were in “prior to
28
when defendants took control of NovelPoster,” efforts which included restoring the data and
11
1
information to their prior condition, as well as responding to and conducting a damage assessment
2
of defendants’ alleged CFAA and CDAFA violations. FAC ¶¶ 50, 70. These allegations fit within
3
the CFAA’s definition of “loss” as “any reasonable cost to any victim, including the cost of
4
responding to an offense, conducting a damage assessment, and restoring the data, program,
5
system, or information to its condition prior to the offense.” 18 U.S.C. § 1030(e)(11). By alleging
6
the approximate number of hours that Grinberg and Yancher spent on their restorative efforts, and
7
the approximate value of their services, NovelPoster has also provided a basis for the plausible
8
inference that defendants’ alleged CFAA violations caused losses of at least $5,000. See FAC ¶
9
50, 70.
Defendants argue that Grinberg and Yancher’s efforts cannot qualify as loss under the
11
United States District Court
Northern District of California
10
CFAA because it is not plausible that their efforts were related to the damage of any computer
12
system or data. According to defendants, the allegations in the First Amended Complaint
13
demonstrate that “there was nothing [for Grinberg and Yancher] to investigate.” Mot. 8.
14
NovelPoster knew that it had transferred its passwords and operations to defendants, and that
15
defendants had changed the passwords and continued to operate the business despite
16
NovelPoster’s attempt to terminate the agreement between the parties. Mot. 8. Defendants assert
17
that “[t]his situation is easily comprehensible for individuals of ordinary intelligence and does not
18
justify a 700-hour ‘investigation.’ ” Id.
19
Defendants’ argument is flawed for two reasons. First, it conflates investigating the
20
circumstances of defendants’ alleged misconduct with “conducting a damage assessment [and]
21
restoring the data . . . to its condition prior to the offense.” See 18 U.S.C. § 1030(e)(11). Just
22
because NovelPoster knew how defendants had violated the CFAA does not mean NovelPoster
23
knew which data had been made unavailable or how to restore it. It is certainly plausible that
24
NovelPoster spent extensive time and energy determining precisely what data was contained
25
within the hijacked accounts and attempting to restore that data, even after ascertaining what
26
defendants had done. See SuccessFactors, Inc. v. Softscape, Inc., 544 F. Supp. 2d 975, 981 (N.D.
27
Cal. 2008) (holding that where “the offender has actually accessed protected information,
28
discovering who has that information and what information he or she has is essential to remedying
12
1
2
the harm” and therefore qualifies as loss under the CFAA) (emphasis added).
The second problem with defendants’ argument is that it requires a factual inquiry into the
accuracy of NovelPoster’s claims that is not appropriate on a motion for judgment on the
4
pleadings. In deciding such a motion, the court “must accept all factual allegations in the
5
complaint as true and construe them in the light most favorable to the nonmoving party.”
6
Fleming, 581 F.3d at 925. Defendants are correct that under the CFAA, the plaintiff’s costs are
7
only cognizable where they arise from the investigation or repair of a damaged computer system
8
or data, or from an “interruption of service.” See, e.g., Mintz v. Mark Bartelstein & Associates
9
Inc., 906 F. Supp. 2d 1017, 1029 (C.D. Cal. 2012) (“Costs associated with investigating intrusions
10
into a computer network and taking subsequent remedial measures are losses within the meaning
11
United States District Court
Northern District of California
3
of the [CFAA].”); Mintel Int'l Grp., Ltd. v. Neergheen, 08-CV-3939, 2010 WL 145786, at *9-10
12
(N.D. Ill. Jan. 12, 2010) (finding no CFAA-qualifying loss where the plaintiff’s expert “was not
13
assessing whether [defendant] had damaged [plaintiff’s] computers or data…; rather, the expert
14
was hired for assistance in [this] lawsuit”) (internal quotation marks omitted); Cassetica Software,
15
2009 WL 1703015, at *4 (to state a CFAA claim based on loss, “the alleged loss must relate to the
16
investigation or repair of a computer system following a violation that caused impairment or
17
unavailability of data”). As explained above, however, NovelPoster has alleged damage as
18
defined by the CFAA. See FAC ¶42. NovelPoster has also alleged that Grinberg and Yancher’s
19
restorative efforts were directly related to that damage. See FAC ¶¶ 50, 70. Whether these
20
allegations are supported by the evidence is not a matter to be determined at this point in the
21
proceedings.
22
Indeed, the majority of the cases cited by defendants in which the court found an absence
23
of CFAA-qualifying loss are summary judgment cases or similarly fact-intensive decisions. See,
24
e.g., Mintz, 906 F. Supp. 2d at 1029-31 (order on summary judgment); Mintel, 2010 WL 145786,
25
at *9-10 (ruling on bench trial); Del Monte, 616 F. Supp. 2d at 812 (“This is not a motion to
26
dismiss. Therefore, the Court cannot blindly accept the allegation that [plaintiff’s consultant]
27
conducted a ‘damage assessment’ as true.”). Those cases cited by defendants that do concern
28
pleading motions involve situations where the plaintiff failed to allege that the defendant’s
13
conduct caused impairment of data or interruption of service. See, e.g., AtPac, Inc. v. Aptitude
2
Solutions, Inc., 730 F. Supp. 2d 1174, 1185 (E.D. Cal. 2010) (dismissing CFAA claims where
3
plaintiff’s only loss allegation was that defendants, through their unauthorized access, “obtained
4
something of value exceeding $5,000”); Cassetica Software, 2009 WL 1703015, at *3-4 (N.D. Ill.
5
June 18, 2009) (plaintiff failed to allege loss under the CFAA where plaintiff “did not allege any
6
facts that would plausibly suggest that [defendant’s conduct] caused any impairment of data or
7
interruption of service”); SKF USA, Inc. v. Bjerkness, 636 F. Supp. 2d 696, 720-21 (N.D. Ill.
8
2009) (granting defendants’ motion to dismiss CFAA claims where plaintiff’s only alleged loss
9
was due to defendants unauthorized transfer of data to plaintiff’s business competitor). Here, in
10
contrast, NovelPoster has alleged that defendants impaired the availability of NovelPoster’s data,
11
United States District Court
Northern District of California
1
thereby causing damage within the meaning of the CFAA, and that Grinberg and Yancher’s
12
restorative efforts were directly related to that impairment.
13
While it is unlikely that all $105,000 worth of Grinberg and Yancher’s alleged efforts can
14
be provably linked to data restoration or damage assessment or other recoverable losses, at this
15
juncture, NovelPoster’s allegations are sufficient to raise the plausible inference that NovelPoster
16
spent at least $5,000 responding to the unauthorized takeover of its online accounts. Because I
17
conclude that the allegations concerning Grinberg and Yancher’s restorative efforts are sufficient
18
to satisfy the CFAA’s $5,000 loss requirement, I do not consider NovelPoster’s other alleged
19
losses – i.e., the attorney’s fees and “interruption of service” losses. NovelPoster has stated a
20
prima facie claim for relief under sections 1030(a)(2)(C) and 1030(a)(5)(C) of the CFAA, and that
21
cause of action will proceed.
22
II. DAMAGE AND LOSS UNDER THE CDAFA
23
Like the CFAA, the CDAFA allows an individual who “suffers damage or loss by reason
24
of a violation” of the statute to bring a private civil action. Cal. Penal Code § 502(e)(1). Unlike
25
the CFAA, the CDAFA does not impose a $5,000 loss minimum – any amount of damage or loss
26
caused by the defendant’s CDAFA violation is enough to sustain the plaintiff’s claims. Id.
27
Accordingly, courts in this circuit have found that a plaintiff’s alleged damage or loss may be
28
sufficient to support a CDAFA claim even where it is not enough to support a claim under the
14
1
CFAA. See Capitol Audio Access, Inc. v. Umemoto, 980 F. Supp. 2d 1154, 1157-60 (E.D. Cal.
2
2013); Mintz, 906 F. Supp. 2d at 1029-32. By adequately alleging damage or loss under the
3
CFAA, NovelPoster has done the same under the CDAFA. NovelPoster’s CDAFA claims will not
4
be dismissed on this ground.
5
III. “WITHOUT PERMISSION” UNDER THE CDAFA
Defendants also seek judgment on NovelPoster’s CDAFA cause of action on the ground
6
7
that NovelPoster fails to allege that defendants overcame a technical or code-based barrier in their
8
access and use of NovelPoster’s online accounts.
NovelPoster asserts claims under six different CDAFA provisions, each of which requires
9
10
that the defendant acted “without permission.” See Cal. Penal Code §§ 502(c)(1)-(5), (7).8 Five of
United States District Court
Northern District of California
11
12
13
14
15
16
8
The provisions make liable anyone who:
(1) Knowingly accesses and without permission alters, damages, deletes, destroys, or
otherwise uses any data, computer, computer system, or computer network in order to
either (A) devise or execute any scheme or artifice to defraud, deceive, or extort, or (B)
wrongfully control or obtain money, property, or data.
18
(2) Knowingly accesses and without permission takes, copies, or makes use of any data
from a computer, computer system, or computer network, or takes or copies any
supporting documentation, whether existing or residing internal or external to a computer,
computer system, or computer network.
19
(3) Knowingly and without permission uses or causes to be used computer services.
17
20
21
(4) Knowingly accesses and without permission adds, alters, damages, deletes, or destroys
any data, computer software, or computer programs which reside or exist internal or
external to a computer, computer system, or computer network.
22
23
24
(5) Knowingly and without permission disrupts or causes the disruption of computer
services or denies or causes the denial of computer services to an authorized user of a
computer, computer system, or computer network.
25
[…]
26
(7) Knowingly and without permission accesses or causes to be accessed any computer,
computer system, or computer network.
27
28
Cal. Penal Code §§ 502(c)(1)-(5), (7).
15
1
the six provisions also require that the defendant “access[ed]” or “use[d]” a computer. The other
2
provision, section 502(c)(5), applies where the defendant “[k]nowingly and without permission
3
disrupts or causes the disruption of computer services or denies or causes the denial of computer
4
services to an authorized user of a computer, computer system, or computer network.” Id. §
5
502(c)(5).
6
Defendants contend that an individual only acts “without permission” under the CDAFA
7
where he or she “access[es] or us[es] a computer . . . in a manner that overcomes technical or
8
code-based barriers.” Facebook, Inc. v. Power Ventures, Inc., No. 08-cv-05780-JW, 2010 WL
9
3291750, at *11 (N.D. Cal. July 20, 2010). Defendants assert that NovelPoster cannot allege that
defendants overcame such a barrier, because defendants gained access to NovelPoster’s online
11
United States District Court
Northern District of California
10
accounts through the use of valid passwords, not by “hacking” into them. See Mot. 20-24.
12
NovelPoster contests the existence of a “technical or code-based barrier” requirement and asserts
13
that even if such a requirement exists, NovelPoster has alleged facts sufficient to satisfy it here.
14
Opp. 13-17.
15
The first case to construe the CDAFA to include a technical or code-based barrier
16
requirement was Facebook, Inc. v. Power Ventures, Inc. The issue in Power Ventures was
17
whether the defendant could be held liable for accessing a website “without permission” solely on
18
the ground that the defendant had accessed or used the website in violation of its terms of use. See
19
2010 WL 3291750, at *7. The particular CDAFA provisions at issue were sections 502(c)(2),
20
502(c)(3), and 502(c)(7), all of which require that the defendant “access[ed]” or “use[d]” a
21
computer. Id. at *6. After analyzing the CDAFA’s language and underlying purpose, relevant
22
case law, and potential problems with unconstitutional vagueness, the court distinguished between
23
“access that violates a term of use” and “access that circumvents technical or code-based barriers,”
24
holding that only the latter constitutes access “without permission” under the CDAFA, and that an
25
individual must “acces[s] or us[e] a computer . . . in a manner that overcomes technical or code-
26
based barriers” to violate the statute. Id. at *11. The court reasoned that this narrow construction
27
eliminated constitutional notice concerns because “a person applying the technical skill necessary
28
to overcome [a technical or code-based] barrier will almost always understand that any access
16
1
gained through such action is unauthorized.” Id. Since Power Ventures, most courts in this
2
district have likewise held that “individuals may only be subjected to liability for acting ‘without
3
permission’ under [the CDAFA] if they access or use a computer . . . in a manner that overcomes
4
technical or code-based barriers.” In re iPhone Application Litig., No. 11-md-02250-LHK, 2011
5
WL 4403963, at *12 (N.D. Cal. Sept. 20, 2011); see also, Opperman v. Path, Inc., No. 13-cv-
6
00453-JST, 2014 WL 1973378, at *20 (N.D. Cal. May 14, 2014); Enki Corp. v. Freedman, No.
7
13-cv-02201-PSG, 2014 WL 261798, at *3 (N.D. Cal. Jan. 23, 2014); In re Google Android
8
Consumer Privacy Litig., No. 11-md-02264-JSW, 2013 WL 1283236, at *11-12 (N.D. Cal. Mar.
9
26, 2013).
10
Although most courts have followed Power Ventures, “there is a split of authority in this
United States District Court
Northern District of California
11
district concerning the appropriate scope of the ‘without permission’ language in the CDAFA.”
12
Opperman, 2014 WL 1973378, at *21 n.19. In Weingand v. Harland Fin. Solutions, Inc., No. 11-
13
cv-03109-EMC, 2012 WL 2327660 (N.D. Cal. June 19, 2012), the court granted the defendant
14
leave to assert a CDAFA counterclaim against the plaintiff, who, after being terminated from the
15
defendant’s employ, had allegedly used his still-operable log-in information to access data on the
16
defendant’s computer system which he was not permitted to access. Id. at *4-5. The court
17
considered Power Ventures but declined to follow it, instead rejecting the plaintiff’s argument that
18
the CDAFA counterclaim would be futile because the statute applies only to “hacking.” Id.
19
Similarly, in Synopsys, Inc. v. ATopTech, Inc., No. 13-cv-02965-SC, 2013 WL 5770542 (N.D.
20
Cal. Oct. 24, 2013), the court acknowledged Power Ventures but concluded that it could not find,
21
“as a matter of law, that plaintiff does not state a claim under the CDAFA solely because plaintiff
22
relies on the alleged breach of a license agreement instead of a technical breach.” Id. at *11.
23
In addition to Weingand and Synopsys, there is also a recent California court of appeal case
24
that appears to conflict with – or at least limit – the holding in Power Ventures. The court in
25
People v. Childs, 220 Cal. App. 4th 1079 (2013), affirmed a conviction under section 502(c)(5) for
26
“knowingly and without permission disrupt[ing] or . . . den[ying] . . . computer services to an
27
authorized user,” despite the fact that the defendant was authorized to access and use the computer
28
system in question. The defendant was the system administrator of a large and complex computer
17
1
network who manipulated the network so that he was only person with administrative access. Id.
2
at 1082-93. The court held that the scope of section 502(c)(5) was not constrained “to external
3
hackers who obtain unauthorized access to a computer system,” and that the provision “may
4
properly be applied to an employee who uses his or her authorized access to a computer system to
5
disrupt or deny computer services to another lawful user.” Id. at 1104. In reaching this holding,
6
the court emphasized that section 502(c)(5), unlike most CDAFA provisions, does not contain an
7
“access” element. Id. at 1102 (“The Legislature’s requirement of unpermitted access in some
8
section 502 offenses and its failure to require that element in other parts of the same statute raise a
9
strong inference that [the offenses] that do not require unpermitted access were intended to apply
10
United States District Court
Northern District of California
11
to persons who gain lawful access to a computer but then abuse that access.”).
In light of Childs, NovelPoster has alleged sufficient facts to support its claims under
12
section 502(c)(5). As noted above, that provision makes liable anyone who “[k]nowingly and
13
without permission disrupts or causes the disruption of computer services or denies or causes the
14
denial of computer services to an authorized user of a computer, computer system, or computer
15
network.” Cal. Penal Code § 502(c)(5). NovelPoster’s allegation that defendants locked
16
NovelPoster out of its online accounts for several months, despite NovelPoster’s unambiguous
17
attempt to terminate the contract and regain access to those accounts, appears to qualify as such an
18
offense. Apart from their damage/loss and technical-or-code-based-barrier arguments, defendants
19
do not contend otherwise. See Mot. 20-24; Reply 13-15. Moreover, Childs highlights that the
20
holding in Power Ventures is best understood as applying only to those CDAFA provisions which,
21
like the provisions specifically at issue in that case, require a showing of unpermitted access or
22
use, not to section 502(c)(5). See Power Ventures, 2010 WL 3291750, at *11 (“[T]he Court finds
23
that a user of internet services does not access or use a computer, computer network, or website
24
without permission simply because that user violated a contractual term of use.”) (emphasis
25
added). NovelPoster’s section 502(c) claims may go forward.
26
NovelPoster’s claims under sections 502(c)(1)-(4) and (7) may proceed as well. Of the
27
cases cited by the parties, Weingand is the most factually similar. There, as here, the CDAFA
28
claims were based on allegations that an individual used technically-operable log-in information to
18
1
access portions of a computer system which the individual knew he was not permitted to access.
2
See Weingand, 2012 WL 2327660, at *4. I agree with Weingand that, at least at the pleading
3
phase, such allegations may support a claim under section 502 that a person “knowingly” and
4
“without permission” accessed or used a computer. Cal. Penal Code § 502(c). To the extent that
5
the Power Ventures construction of the CDAFA is instructive in a case involving factual
6
circumstances like those at issue here, I also find that NovelPoster’s allegations that defendants
7
without authorization changed the passwords to NovelPoster’s online accounts, thereby preventing
8
NovelPoster from accessing those accounts and eliminating the very technical access barriers that
9
NovelPoster had set up to protect them, are sufficient at the pleading phase to show that
defendants overcame a technical access barrier. As defendants do not point to other deficiencies
11
United States District Court
Northern District of California
10
in NovelPoster’s claims under sections 502(c)(1)-(4) and (7), the claims will not be dismissed.
CONCLUSION
12
13
14
15
16
17
18
For the foregoing reasons, defendants’ second motion for judgment on the pleadings is
DENIED.
IT IS SO ORDERED.
Dated: November 3, 2014
______________________________________
WILLIAM H. ORRICK
United States District Judge
19
20
21
22
23
24
25
26
27
28
19
United States District Court
Northern District of California
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
20
Disclaimer: Justia Dockets & Filings provides public litigation records from the federal appellate and district courts. These filings and docket sheets should not be considered findings of fact or liability, nor do they necessarily reflect the view of Justia.
Why Is My Information Online?