This post examines an opinion a U.S. District Court Judge
recently issued in a civil case: Enki Corporation v. Freedman, 2014 WL
261798 (U.S. District Court for the Northern District of California 2014). This is how the judge described the suit and
the issue he addressed in the opinion:
When a former employee uses a
customer's working log-in credentials to access his former employer's scripts,
are he and the customer hackers?
Plaintiff Enki Corporation
says yes; Defendant Keith Freedman, along with his current employer and
co-defendant, Zuora, Inc., say no. Freedman and Zuora now move to dismiss
Enki's claims under the Computer Fraud and Abuse Act and the California Computer Data Access And Fraud Act for failure to
state a claim upon which relief may be granted and the remainder of Enki's
claims for lack of subject matter jurisdiction.
Enki Corporation v.
Freedman, supra.
As Wikipedia explains, a motion to dismiss a suit for
failing to state a cause of action upon which relief can be granted under Rule 12(b)(6) of the Federal Rules of Civil Procedure is how civil suits with
insufficient legal theories underlying
their cause of action are dismissed from court. For example, assault requires intent,
so if the plaintiff has failed to plead intent, the defense can seek dismissal
by filing a 12(b)(6) motion. `While a complaint attacked by a Rule 12(b)(6)
motion to dismiss does not need detailed factual allegations, a plaintiff's
obligation to provide the grounds of his entitlement to relief requires more
than labels and conclusions, and a formulaic recitation of the elements of a
cause of action will not do.
Factual allegations must be enough to
raise a right to relief above the speculative level, on the assumption that all
the allegations in the complaint are true (even if doubtful in fact).’ Bell Atlantic Corp. v. Twombly, 550 U.S. 544 (2007). . . .
The judge then explains, in some detail, how the case arose:
From 2006–2011, Freedman was a 12% interest holding member of Enki. Enki's business is to acquire, manage, develop, improve, and operate cloud computing and other IT services for enterprises. In May of 2011, Freedman resigned. Under the terms of Freedman's separation agreement with Enki, Enki bought out Freedman's interest, neither party was to disparage the other in any way, and Freedman was barred from soliciting Enki's clients or competing with Enki for a year.
Shortly after Freedman's departure,
Enki entered into a master service agreement with Zuora under which Enki was to
provide consulting, cloud computing services, and other IT services. As part of these services, and as set forth in
various statements of work, Enki installed `Nimsoft’ on Zuora's network.
Nimsoft is a `software based system
monitor’ used to monitor computer resources and performance. Although the software was installed on Zuora's
network, under the terms of the agreement Enki was the sole administrator of
the software and the only one allowed to `write’ Nimsoft scripts.
In order to fulfill this contract, Enki
hired Freedman and retained his new company, Freeform, as a contractor to
provide certain services to Zuora. Even though the separation agreement
remained in effect, Freedman proceeded to spread negative stories about Enki
and its work product throughout Zuora for several months, leading to the
termination of his contract with Enki. Zuora then hired Freedman and retained Freeform's
services directly.
In February 2013, Zuora terminated its
contract with Enki `for convenience.’ Before this termination,
however, Freedman and Zuora accessed the Nimsoft servers on Zuora's network
without authorization.
Freedman and Zuora then copied Enki's
proprietary information, including Enki's Nimsoft scripts, in order to
terminate the contract and receive the benefits of Enki's enterprise and
technology without continuing to pay for Enki's services.
Enki brings this action to recover for various breaches of contract, as well as
violations of state and federal antihacking statutes.
Enki Corporation v.
Freedman, supra (notes omitted).
The judge began his analysis of the issues raised by the
motion to dismiss with the Computer Fraud and Abuse Act claims, which asserted
that the defendants had engaged in conduct that violated the Act in either or
both of two ways:
46. Defendants have violated the
Computer Fraud and Abuse Act (`CFAA’), 18 U.S. Code § 1030(a)(2)(C), by
intentionally accessing a computer used for interstate or foreign commerce or
communication, without ENKI's authorization, and by obtaining information from
such a protected computer.
47. Defendants have violated the
CFAA, 18 U.S. Code § 1030(a)(4), by knowingly, and with intent to defraud
ENKI, accessing a protected computer, without authorization or by exceeding
authorized access to such a computer, and by means of such conduct furthered
the intended fraud and obtained one or more things of value, including content
from the Nimsoft server.
Enki Corporation v.
Freedman, Complaint (May 14, 2013), 2013 WL 2296051.
The judge noted that the defendants
put forth two main theories as to why
Enki's claim under the CFAA should be dismissed: 1) the complaint fails to
allege loss or damage within the meaning of the statute; and 2) the complaint
fails to allege unauthorized access within the Ninth Circuit's interpretation
of the statute.
Enki Corporation v.
Freedman, supra.
He began with the first theory, explaining that
although the Ninth Circuit has not yet
ruled on whether costs of investigation may be included in the calculation of
loss under the CFAA, this district and others within the circuit have long
accepted that theory. The statutory definition of loss
includes `the cost of responding to an offense, conducting a damage assessment,
and restoring the data, program, system, or information to its condition prior to the offense.’
Before the incident at issue here,
Enki's proprietary information was secured, and afterward, it evidentially was
not. It therefore stands to reason that the cost of investigating the source of
the breach and remedying it would qualify as `loss’ within that definition, as
they would be required to return the system to its secured state. The
undersigned therefore joins with his colleagues in holding that the costs of
investigating a security breach may be included in the calculation of `loss’
under the CFAA.
Enki Corporation v.
Freedman, supra (quoting 18 U.S. Code § 1030(e)(11)).
The judge then noted that the defendants’ second argument
carries more weight. The CFAA imposes
liability where the defendant commits certain acts on a `protected computer’
either `without authorization’ or in `exce[ss of his] authorization.’ The Ninth Circuit has held that to access a protected computer
`without authorization’ is to do so `without any permission at all,’ and to
`exceed authorized access’ is to `access[ ] information on the computer that
the person is not entitled to access.’
It has further held that an individual
does not `exceed authorized access’ simply by misusing information that he or
she was entitled to view for some other purpose; the CFAA regulates access to
data, not its use by those entitled to access it.
Enki Corporation v.
Freedman, supra (notes omitted).
He then explained that
[h]ere, Enki alleges that Freedman and Zuora
violated the CFAA by `unlawfully access[ing] the Nimsoft servers and improperly
cop[ying] Enki's Proprietary Information,’ and in particular Enki's Nimsoft scripts. However,
the complaint does not allege that Defendants were unauthorized to access the
scripts in question.
In fact, the Statement of Work
submitted for the court's consideration specifically grants Zuora and its
representatives `sudo access’ to `non-shell root commands’ that would include
the scripts at issue. Enki
instead hangs its hat on its repeated refusals to grant Zuora or Freedman the
authority to write or edit those scripts.
That argument, however, speaks to
misuse of the scripts, not unauthorized access, which under Nosal does
not run afoul of the CFAA. Because Enki's complaint fails to allege that
Defendants had no access rights to Enki's scripts, and indeed the documents
upon which it relies reveal that Defendants had certain access rights, their CFAA claim must be DISMISSED for failure to state a claim.
Enki Corporation v.
Freedman, supra (notes omitted).
The judge then noted that the
only other claim that Freedman and
Zuora substantively address in their motion is the CDAFA [California Computer
Data Access And Fraud Act] claim. With respect to that claim, they argue that
because Enki's complaint fails to allege that either Freedman or Zuora overcame
any technical barrier in order to view and copy its proprietary information,
the claim must be dismissed for failure to state a claim.
Enki, however, maintains that a
violation of the established terms of use is sufficient to create liability
under CDAFA, and because the complaint alleges that Freedman and Zuora copied
the information when they were not permitted to do so, they have sufficiently
pled their claim.
Enki Corporation v.
Freedman, supra (notes omitted).
He then addressed the merits of Enki’s argument, finding
that the
CDAFA imposes liability where an individual
takes certain actions `without permission’ on another's computer, network, or
website. [California Penal Code § 502.] Enki relies on a
single case, Craigslist v. Naturemarket, Inc., [694
F. Supp. 2d. 1039 (U.S. District Court for the Northern District of California 2010)]
to argue that a simple violation of the terms of use meets the requirement that
the action be `without permission.’
Craigslist, however,
appears to be an outlier. Just four months after Craigslist, in Facebook v. Power Ventures, Inc., [2010 WL 3291750 (U.S. District Court for the Northern District of California 2010)], this court held that to take an action `without
permission’ under the CDAFA, a defendant must overcome some technical or code
barrier.
This has been the governing standard in
this district since that time,
and it is the standard that applies here. As Enki itself does not even
argue that the complaint alleges a technical obstacle, the court GRANTS
Defendants' motion as to the CDAFA claim.
Enki Corporation v.
Freedman, supra (notes omitted).
The judge therefore granted the defendants’ motion to
dismiss these two causes of action, but retained the state law claims asserted
in Enki’s Complaint under the court’s pendent jurisdiction. Enki Corporation v. Freedman, supra. As Wikipedia explains, pendent jurisdiction
lets a federal district court hear related state law claims that are brought
with “anchor” federal law claims.
As to how pendent jurisdiction applied here, the judge noted
that
[b]ecause jurisdiction over state law
claims under § 1367 generally requires a federal hook, a court may choose to
decline jurisdiction over any lingering state law claims where all federal
claims in the case have been dismissed before trial.
Further, in the Ninth Circuit, `[i]t is usually appropriate to dismiss
pendent state claims when federal claims are dismissed before trial,’ [McCarthy v. Mayo, 827 F.2d 1310 (U.S. Court of Appeals for the 9th Circuit 1987)] although in each case, a court must assess the values of `economy,
convenience, fairness, and comity’ in deciding whether or not to retain
jurisdiction. [Acri v. Varian Assocs, 114 F.3d 999
(U.S. Court of Appeals for the 9th Circuit 1994)].
Enki Corporation v.
Freedman, supra.
As to why he retained these claims, he explained that
although the remaining claims are all
grounded in state law, the parties are already eight months into litigation in
this forum, and it would hardly serve the interests of economy or convenience
to require the parties to begin anew in state court. In addition, because Enki
has leave to amend its complaint to remedy the deficiencies identified in its
pleadings, the federal claim may yet move forward in another version of the
complaint.
The court therefore will retain
jurisdiction over the lingering state law claims.
Enki Corporation v.
Freedman, supra.