SunPower Corporation v. SunEdison, Inc. et al
Filing 40
ORDER GRANTING 20 MOTION TO DISMISS WITH LEAVE TO AMEND by Hon. William H. Orrick. Any amended complaint shall be filed within 20 days of this Order. (jmdS, COURT STAFF) (Filed on 9/11/2015)
UNITED STATES DISTRICT COURT
NORTHERN DISTRICT OF CALIFORNIA
SUNPOWER CORPORATION, Plaintiff,
v.
SUNEDISON, INC., et al., Defendants.
Case No. 15-cv-02462-WHO
ORDER GRANTING MOTION TO DISMISS WITH LEAVE TO AMEND
Re: Dkt. No. 20
INTRODUCTION
The central issue in defendants SunEdison, Inc., Shane Messer, Kendall Fong, and Vikas Desai’s motion to dismiss is whether current employees violate the Computer Fraud and Abuse Act (“CFAA”), 18 U.S.C. § 1030, if they breach their employer’s computer use policies while accessing files that they were authorized to use. Because the CFAA is an anti-hacking statute, not a misappropriation statute, I GRANT the motion to dismiss because Messer and Fong accessed the disputed information with authorization while they were SunPower’s employees. Lacking another federal claim, SunPower’s complaint is DISMISSED for lack of subject matter jurisdiction under 29 U.S.C. § 1331.
BACKGROUND
I accept the allegations pleaded in the complaint as true for purposes of SunEdison’s motion to dismiss. SunPower is an energy services provider that manufactures, installs, and distributes solar panel systems for residential and commercial markets. Messer and Fong were once employed by SunPower as Area Sales Manager and Senior Director of Global Brand, respectively. SunPower asserts that Messer and Fong, prior to leaving SunPower, accessed thousands of its files and likely copied them onto one or more devices such as a personal Universal Serial Bus (“USB”) drive or other non-SunPower owned device. After their departures from SunPower, they began to work for SunEdison.
SunPower identifies two specific instances of illegal copying. It contends that Messer accessed and copied over 4,300 files from a SunPower computer or server during a fifteen-minute span on July 30, 2011. In the weeks preceding his departure, Fong allegedly accessed over 9,500 SunPower files over an 80-minute span. The accessed files purportedly contained SunPower’s highly confidential information and trade secrets.
SunPower also alleges that Desai, a former Vice President at SunPower, encouraged Fong and Messer to leave SunPower and to share SunPower’s confidential information with SunEdison, where Desai was employed as the company’s Chief Executive Officer. SunPower believes that SunEdison has used and continues to use SunPower’s proprietary information for its own benefit and to the detriment of SunPower.
SunPower contends that Messer and Fong’s actions violated SunPower’s computer use policies that prohibited its employees from connecting any non-SunPower devices to SunPower’s network or from using personal USB drives for file storage or transfer. It also claims that Messer and Fong violated their employment confidentiality agreement by transferring the allegedly stolen SunPower files to SunEdison. These agreements obliged Messer and Fong to keep SunPower’s information confidential and to protect it from outside disclosures or use for others’ benefit.
SunPower brings fourteen causes of action: (1) violation of the CFAA; (2) trade secret misappropriation under the California Uniform Trade Secrets Act (“CUTSA”); (3) breach of contract; (4) breach of confidence; (5) conversion; (6) trespass to chattels; (7) interference with prospective business advantage; (8) breach of implied covenant of good faith and fair dealing; (9) tortious interference with contractual relationship; (10) induced breach of contract; (11) conspiracy to breach contract; (12) breach of duty of loyalty; (13) unfair competition, and (14) statutory unfair competition. Thirteen of SunPower’s fourteen causes of action arise under state law. Its only federal cause of action is based on the purported violation of the CFAA. Defendants move to dismiss the first, fourth, fifth, sixth, seventh, ninth, tenth, eleventh, twelfth, thirteenth, and fourteenth causes of action for failure to state a claim upon which relief may be granted under Federal Rule of Civil Procedure 12(b)(6). I heard argument on September 9, 2015.
LEGAL STANDARD
Under Federal Rule of Civil Procedure 12(b)(6), a district court must dismiss a complaint if it fails to state a claim upon which relief can be granted. To survive a Rule 12(b)(6) motion to dismiss, the plaintiff must allege “enough facts to state a claim to relief that is plausible on its face.” See Bell Atl. Corp. v. Twombly, 550 U.S. 544, 556 (2007). A claim is facially plausible when the plaintiff pleads facts that “allow the court to draw the reasonable inference that the defendant is liable for the misconduct alleged.” Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009) (citation omitted). There must be “more than a sheer possibility that a defendant has acted unlawfully.” Id. While courts do not require “heightened fact pleading of specifics,” a plaintiff must allege facts sufficient to “raise a right to relief above the speculative level.” Twombly, 550 U.S. at 555, 570.
In deciding whether the plaintiff has stated a claim upon which relief can be granted, the Court accepts the plaintiff’s allegations as true and draws all reasonable inferences in favor of the plaintiff. See Usher v. City of Los Angeles, 828 F.2d 556, 561 (9th Cir. 1987). However, the court is not required to accept as true “allegations that are merely conclusory, unwarranted deductions of fact, or unreasonable inferences.” In re Gilead Scis. Sec. Litig., 536 F.3d 1049, 1055 (9th Cir. 2008).
If the court dismisses the complaint, it “should grant leave to amend even if no request to amend the pleading was made, unless it determines that the pleading could not possibly be cured by the allegation of other facts.” Lopez v. Smith, 203 F.3d 1122, 1127 (9th Cir. 2000).
DISCUSSION
Defendants raise three arguments in their motion to dismiss: (i) SunPower fails to state a claim under CFAA; (ii) CUTSA preempts all non-contractual claims based on misappropriation of confidential information; and (iii) SunPower fails to state a claim for interference with business advantage. Because I find that SunPower’s complaint fails to state a claim under CFAA, its only federal cause of action, I will not address the state law claims. If there is no federal claim, I will not exercise supplemental jurisdiction.
The CFAA prohibits various computer-related crimes, including accessing a computer without authorization or exceeding authorized access. 18 U.S.C. § 1030(a)(1). It was enacted in 1984 to “target hackers who accessed computers to steal information or to disrupt or destroy computer functionality, as well as criminals who possessed the capacity to access and control high technology processes vital to our everyday lives.” See LVRC Holdings LLC v. Brekka, 581 F.3d 1127, 1130 (9th Cir. 2009) (internal quotations and citations omitted). “The CFAA prohibits a number of different computer crimes, the majority of which involve accessing computers without authorization or in excess of authorization, and then taking specified forbidden actions, ranging from obtaining information to damaging a computer or computer data.” Id. at 1131.
SunPower alleges that the defendants’ behavior violated 18 U.S.C. § 1030(a)(2)(c), (a)(4) and (g). Compl. ¶ 1. (Dkt. No. 33). Section 1030(a)(2)(c) provides for criminal penalties when a person “[i]ntentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains…information from any protected computer.” Section 1030(a)(4) provides for penalties if a person:
knowingly and with intent to defraud, accesses a protected computer
without authorization, or exceeds authorized access, and by means
of such conduct furthers the intended fraud and obtains anything of
value, unless the object of the fraud and the thing obtained consists
only of the use of the computer and the value of such use is not more
than $5,000 in any 1-year period.
18 U.S.C. § 1030(a)(4).
In addition to criminal penalties, the CFAA creates a private right of action for “[a]ny person who suffers damage or loss by reason of a violation” of the statute. 18 U.S.C. § 1030(g). However, a claim may only be brought if the conduct involves the factors delineated in subclause (I), (II), (III), (IV), or (V) of subsection (c)(4)(A)(i). Id. Therefore, to bring a successful CFAA claim based on this subsection, a plaintiff must show:
(I) loss to 1 or more persons during any 1-year period (and, for
purposes of an investigation, prosecution, or other proceeding
brought by the United States only, loss resulting from a related
course of conduct affecting 1 or more other protected computers)
aggregating at least $5,000 in value;
(II) the modification or impairment, or potential modification or
impairment, of the medical examination, diagnosis, treatment, or
care of 1 or more individuals;
(III) physical injury to any person;
(IV) a threat to public health or safety;
(V) damage affecting a computer used by or for an entity of the
United States Government in furtherance of the administration of
justice, national defense, or national security.
18 U.S.C. § 1030(c)(4)(A)(i).[1]
A plausible claim under either 18 U.S.C. § 1030(a)(2)(c) or (a)(4) requires SunPower to allege that the defendants acted “without authorization” or by “exceed[ing] authorized access.” The CFAA defines “exceeds authorized access” as “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” 18 U.S.C. § 1030(e)(6). The term “without authorization” is not defined within the statute.
The Ninth Circuit has determined that a person uses a computer “without authorization” when “the person has not received permission to use the computer for any purpose (such as when a hacker accesses someone's computer without any permission), or when the employer has rescinded permission to access the computer and the defendant uses the computer anyway.” Brekka, 581 F.3d at 1135. Specifically, the Ninth Circuit has articulated a “sensible interpretation of §§ 1030(a)(2) and (4), which gives effect to both the phrase ‘without authorization’ and the phrase ‘exceeds authorized access’: a person who ‘intentionally accesses a computer without authorization’ accesses a computer without any permission at all, while a person who ‘exceeds authorized access’ has permission to access the computer, but accesses information on the computer that the person is not entitled to access.” Brekka, 581 F.3d at 1133 (internal citations omitted).
The Ninth Circuit has held that the plain language of the CFAA targets “the unauthorized procurement or alteration of information, not its misuse or misappropriation.” United States v. Nosal, 676 F.3d 854, 863 (9th Cir. 2012) (internal quotation and citations omitted). Specifically, “the phrase ‘exceeds authorized access’ in the CFAA does not extend to violations of use restrictions.” Id. The Ninth Circuit’s narrow reading intentionally focused the statute’s application to its purpose of punishing hackers and not misappropriating trade secrets. Id. at 863. Subsequent cases have similarly limited their interpretation of the CFAA. See, e.g., Koninklijke Philips N.V. v. Elec-Tech Int’l Co., 14-cv-02737-BLF, 2015 WL 1289984, at *4 (N.D. Cal. Mar. 20, 2015) (following Ninth Circuit precedent in Nosal and dismissing plaintiff’s CFAA claim based in part on the fact that the statute targets hacking, not trade secret misappropriation); Quad Knopf, Inc. v. S. Valley Biology Consulting, LLC, 13-cv-01262, 2014 WL 1333999, at *3 (E.D. Cal. Apr. 3, 2014) (same); Synopsys, Inc. v. ATopTech, Inc., 13-cv-02965 SC, 2013 WL 5770542, at *9 (N.D. Cal. Oct. 24, 2013) (same).
[1] Although SunPower does not allege which of the specific 18 U.S.C. § 1030(c)(4)(A)(i) factors is triggered by SunEdison’s behavior, it does claim that its losses and damages amount to over $5,000 over a one year period. Comp. ¶ 79. This is sufficient to implicate 18 U.S.C. § 1030(c)(4)(A)(i)(I).
Here, SunPower does not allege that Fong and Messer were not authorized to access a computer or certain information. Instead, SunPower claims that Fong and Messer violated the CFAA by breaching SunPower’s computer use policies when they connected USB drives or other non-SunPower owned equipment to SunPower’s network, copied files onto these devices, and stored them on an unauthorized device.[2] Comp. ¶ ¶ 30 - 45. To support its argument, SunPower relies on Brekka for the proposition that the phrase “exceeds authorized access” includes violations of employer-placed limitations on use. Opp. at 6. (Dkt. No. 26).
I do not read Brekka in that manner. In Brekka, the employer alleged that one of its former employees, Christopher Brekka, violated the CFAA by accessing the employer’s computer “without authorization” and in excess of authorization both while Brekka was employed and after he left. 581 F.3d at 1129. The Ninth Circuit affirmed summary judgment in favor of Brekka and the other defendants. It found, in part, that Brekka was authorized to use his employer’s computer while he was employed and therefore downloading his employer’s files and emailing the documents to his personal email did not violate the CFAA. Id. at 1137. The court explicitly held that “for purposes of the CFAA, when an employer authorizes an employee to use a computer subject to certain limitations, the employee remains authorized to use the computer even if the employee violates these limitations.” Id. at 1133.
[2] For the first time at oral argument, SunPower pointed to two specific provisions of its computer use policies that it alleges are access restrictions. See SunPower Ex. F at 1.1, SunPower Ex. C at 6.2.2. It argued that it is limiting its claims only to violations of these provisions. The extent to which these isolated uses of the word “access” would qualify these subsections as access restrictions defined by Nosal and Brekka is, at best, unclear and should have been briefed. SunPower’s policies do not seem to be consistent in their terminology. On the very same pages where SunPower’s alleged access restrictions are located, the company employs the word “use” in related subsections. See SunPower Ex. C at 1.1 (clarifying that the purpose and scope of this chapter of SunPower’s policy is to avoid damages resulting from “[I]nadvertent or intentional misuse”), SunPower Ex. F at 6.1.1 (prohibiting the “use” of USB drives for file storage or transfer). Simply using one word or another does not control the categorization of the restriction.
Under Brekka, a CFAA claim hinges not on the use of the information but on whether or not the employee is authorized to access the information in the first place. Id., see also Nosal, 676 F.3d at 857 (rejecting the government’s suggestion that unauthorized access encompasses situations involving limitations on use when an employee has unrestricted physical access to the information). Accordingly, it held that Brekka did not violate the CFAA because “there is no dispute that Brekka was given permission to access [the defendant’s] computer.” Brekka, 581 F.3d at 1135. Under Brekka, a prohibited action, such as copying or transferring the accessed files onto a USB, does not by itself transform an employee’s access from authorized to unauthorized. SunPower’s contention that Brekka holds otherwise is incorrect.
SunPower’s assertion that subsequent cases have interpreted Brekka to allow violations of employer-placed non-technical restrictions to form the basis of “unauthorized access” ignores the important differences between those cases and its own. Opp. at 6. SunPower relies on two cases involving former employees who exceeded their authorized access by accessing information after their employment ended. See NetApp, Inc. v. Nimble Storage, Inc., 41 F. Supp. 3d 816 (N.D. Cal. 2014); Weingand v. Harland Fin. Solutions, Inc., 11-cv-03109-EMC, 2012 WL 2327660 (N.D. Cal. June 19, 2012). The key to both courts’ analyses was timing--the employees had gained access to their previous employers’ networks after their access to those networks had been revoked. NetApp, 41 F. Supp. 3d at 831-32 (holding that the Ninth Circuit has not precluded applying CFAA to situations where an individual accesses a former employer’s network); Weingand, 2012 WL 2327660, at *3 (same). Because Messer and Fong were current employees at the time of the alleged access, their access was not unauthorized in the same manner as the plaintiffs in NetApp and Weingand.
SunPower’s argument that Messer and Fong violated “technological barriers” by physically plugging in USB drives or other non-SunPower equipment into SunPower’s computer is similarly unpersuasive. SunPower cites to an inapposite example given by the Ninth Circuit in Nosal. An employer keeps information in a separate database that can be viewed on a computer screen but not copied or downloaded. If the employee circumvents the employer’s security measures, copies information on to a USB drive and takes it out of the building, that would have exceeded her authorization in violation of the CFAA. Nosal, 676 F.3d at 858. But that is not the situation here. SunPower has not alleged that either Messer or Fong circumvented any security measures or accessed unauthorized information; instead, they allegedly misappropriated information to which they had access in violation of SunPower’s policies.
A more apt comparison would be to another example that the Ninth Circuit discussed in Nosal. The government argued that the CFAA should apply to an employee who is “authorized to access customer lists in order to do his job but not to send them to a competitor,” but nevertheless sends the competitor lists to a competitor. Nosal, 676 F.3d at 857. The court disagreed, observing that applying CFAA to any unauthorized use of information obtained from a computer would “make criminals of large groups of people who would have little reason to suspect they are committing a federal crime.” Id. at 859. Punishing this type of behavior would be incongruent with the statute’s focus on prohibiting hacking and other high technology related crimes. That is true here as well.
SunPower relies on American Furukawa, Inc. v. Hossain, 14-cv-13633, 2015 WL 2124794 (E.D. Mich. May 6, 2015) to argue that other cases have followed Nosal’s approach while holding that downloading files to removable media constitutes a violation under CFAA. Opp. at 7. In American Furukawa, a company sued a former employee alleging that the employee emailed and downloaded the company’s files in violation of the CFAA both while he was employed and during a leave of absence. 2015 WL 2124794, at *1-2. The court held that the company properly alleged that the employee took some files “without authorization” during his leave of absence. Id. at *11. Additionally, because the company’s computer use policy specified that an employee needs permission from a manager before accessing files with removable media, the court also held that the employee exceeded authorized access because he did not seek permission and therefore violated this access restriction. Id. at *19.
American Furukawa does not help SunPower. Fundamentally, it comes from a district court in Michigan that appropriately followed its Sixth Circuit precedent. It explicitly discussed and disagreed with the approach of the Ninth Circuit in Nosal, which binds me. Id. at *18. Moreover, the decision is consistent with this one in that the court rejected the employer’s argument that the employee’s misappropriation of its files while he was actively employed was a violation of the CFAA because he breached the employer’s Secrecy Agreement; the court found the CFAA violation only for the period when the employee was out on leave and violated a condition of his leave--that he could not do any work during that time. Id. at *11. All of the alleged behavior here occurred while Messer and Fong were current employees. Restrictions related to an employee’s leave of absence are not at play in this case.
In sum, SunPower’s allegations describe misappropriation of its confidential information. They do not constitute a violation of the CFAA. While it is not clear to me how it can successfully plead a plausible CFAA cause of action in light of the allegations it has already made, if it wishes it may amend its complaint within 20 days. If it chooses not to do so, I will remand this case to the California Superior Court for further proceedings since no other basis for federal jurisdiction is alleged.
CONCLUSION
Defendants’ motion to dismiss is GRANTED. SunPower’s complaint is DISMISSED WITH LEAVE TO AMEND. Any amended complaint shall be filed within 20 days of this Order.
If an amended complaint is not filed within that timeframe, I decline to exercise supplemental jurisdiction over any remaining state law claims under 28 U.S.C. § 1367(c) and will remand the case to state court. If an amended complaint is filed, I will retain jurisdiction as appropriate.
IT IS SO ORDERED.
Dated: September 11, 2015
______________________________________
WILLIAM H. ORRICK
United States District Judge