This post examines an opinion a U.S. District Court Judge
who sits in the U.S. District Court for the Northern District of California
recently issued in a civil case: SunPower Corporation v. SunEdison, Inc, 2015
WL 5316333 (2015). The judge begins his
opinion by explaining that the
central issue in defendants SunEdison,
Inc., Shane Messer, Kendall Fong, and Vikas Desai's motion to dismiss is
whether current employees violate the Computer Fraud and Abuse Act (`CFAA’), 18 U.S. Code § 1030, if they breach their employer's computer use policies while
accessing files that they were authorized to use.
SunPower Corporation
v. SunEdison, Inc, supra.
He goes on to begin the substantive part of his opinion by
explaining that
I accept the allegations pleaded in the
complaint as true for purposes of SunEdison's motion to dismiss. SunPower is an
energy services provider that manufactures, installs, and distributes solar
panel systems for residential and commercial markets. Messer and Fong were once
employed by SunPower as Area Sales Manager and Senior Director of Global Brand,
respectively.
SunPower Corporation
v. SunEdison, Inc, supra.
The judge then outlines the facts involved in the lawsuit:
SunPower asserts that Messer and Fong,
prior to leaving SunPower, accessed thousands of its files and likely copied
them onto one or more devices such as a personal Universal Serial Bus (`USB’)
drive or other non-SunPower owned device. After their departures from SunPower,
they began to work for SunEdison.
SunPower identifies two specific
instances of illegal copying. It contends that Messer accessed and copied over
4,300 files from a SunPower computer or server during a fifteen-minute span on
July 30, 2011. In the weeks preceding his departure, Fong allegedly accessed
over 9,500 SunPower files over an 80–minute span. The accessed files
purportedly contained SunPower's highly confidential information and trade
secrets.
SunPower also alleges that Desai, a
former Vice President at SunPower, encouraged Fong and Messer to leave SunPower
and to share SunPower's confidential information with SunEdison, where Desai
was employed as the company's Chief Executive Officer. SunPower believes that
SunEdison has used and continues to use SunPower's proprietary information for
its own benefit and to the detriment of SunPower.
SunPower contends that Messer and
Fong's actions violated SunPower's computer use policies that prohibited its
employees from connecting any non-SunPower devices to SunPower's network or
from using personal USB drives for file storage or transfer. It also claims
that Messer and Fong violated their employment confidentiality agreement by
transferring the allegedly stolen SunPower files to SunEdison. These agreements
obliged Messer and Fong to keep SunPower's information confidential and to
protect it from outside disclosures or use for others' benefit.
SunPower Corporation
v. SunEdison, Inc, supra.
The Judge then outlines the “fourteen causes of action”
SunPower asserts in the Complaint it filed to initiate the suit:
(1) violation of the CFAA; (2) trade
secret misappropriation under the California Uniform Trade Secrets Act (`CUTSA’);
(3) breach of contract; (4) breach of confidence; (5) conversion; (6) trespassto chattels; (7) interference with prospective business advantage; (8) breach of implied covenant of good faith and fair dealing; (9) tortious interferencewith contractual relationship; (10) induced breach of contract; (11) conspiracy to breach contract; (12) breach of duty of loyalty; (13) unfair competition,
and (14) statutory unfair competition. Thirteen of SunPower's fourteen causes
of action arise under state law. Its only federal cause of action is based on
the purported violation of the CFAA. Defendants move to dismiss the first, fourth,
fifth, sixth, seventh, ninth, tenth, eleventh, twelfth, thirteenth, and
fourteenth causes of action for failure to state a claim upon which relief may
be granted under Federal Rule of Civil Procedure 12(b)(6). I heard argument on September 9, 2015.
SunPower Corporation
v. SunEdison, Inc, supra.
The opinion then goes on to explain the “legal standard”
that applies to the “analysis of the extent to which the defendants’ Rule
12(b)(6) motion raises arguments that warrant dismissing one or more of the
plaintiff’s causes of action.” SunPower Corporation v. SunEdison, Inc, supra.
Specifically, the judge explains that
[u]nder Federal Rule of Civil
Procedure 12(b)(6), a district court must dismiss a complaint if it fails to
state a claim upon which relief can be granted. To survive a Rule 12(b)(6)
motion to dismiss, the plaintiff must allege `enough facts to state a claim to
relief that is plausible on its face.’ See Bell Atlantic Corp. v.
Twombly, 550 U.S. 544 (2007). A claim is facially plausible when the
plaintiff pleads facts that `allow the court to draw the reasonable inference
that the defendant is liable for the misconduct alleged.’ Ashcroft v. Iqbal, 556U.S. 662 (2009). . . . There must be `more than a sheer possibility that a
defendant has acted unlawfully.’ Ashcroft
v. Iqbal, supra. While courts do not require `heightened fact pleading
of specifics,” a plaintiff must allege facts sufficient to “raise a right to
relief above the speculative level.’ Bell
Atlantic Corp. v. Twombly, supra
In deciding whether the plaintiff has
stated a claim upon which relief can be granted, the Court accepts the
plaintiff's allegations as true and draws all reasonable inferences in favor of
the plaintiff. See Usher v. City of Los Angeles, 828 F.2d 556 (U.S.Court of Appeals for the 9th Circuit 1987) However, the court is not required
to accept as true `allegations that are merely conclusory, unwarranted
deductions of fact, or unreasonable inferences.’ In re Gilead Sciences
Securities Litigation, 536 F.3d 1049 (U.S. Court of Appeals for the 9th
Circuit 2008).
SunPower Corporation
v. SunEdison, Inc, supra. He also noted that
[i]f the court dismisses the complaint,
it `should grant leave to amend even if no request to amend the pleading was
made, unless it determines that the pleading could not possibly be cured by the
allegation of other facts.’ Lopez v. Smith, 203 F.3d 1122 (U.S.
Court of Appeals for the 9th Circuit 2000).
SunPower Corporation
v. SunEdison, Inc, supra.
The District Court Judge then begins his analysis of the
arguments the defendants raised in their motion to dismiss, noting that they
made
three arguments in their motion to
dismiss: (i) SunPower fails to state a claim under CFAA; (ii) CUTSA preempts
all non-contractual claims based on misappropriation of confidential
information; and (iii) SunPower fails to state a claim for interference with
business advantage. Because I find that SunPower's complaint fails to state a
claim under CFAA, its only federal cause of action, I will not address the
state law claims. If there is no federal claim, I will not exercise
supplemental jurisdiction.
SunPower Corporation
v. SunEdison, Inc, supra.
For a U.S. District Court to have jurisdiction to hear and
decide a civil suit, the suit must either (i) involve claims that arise under
federal law (“federal question jurisdiction”) or (ii) citizens of different
U.S. states (“diversity jurisdiction”).
Since the citizens involved in this suit are not from different states,
the only basis for federal jurisdiction is federal question jurisdiction. If the federal claim – the Computer Fraud and
Abuse Act claim – fails, there will be no jurisdiction and the case would have
to be dismissed.
The Judge began his analysis of the defendants’ motion to
dismiss the claim brought under the Computer Fraud and Abuse Act by explaining
that the CFAA
prohibits various computer-related
crimes, including accessing a computer without authorization or exceeding
authorized access. 18 U.S. Code § 1030(a)(1). It was enacted in 1984 to `target hackers who
accessed computers to steal information or to disrupt or destroy computer
functionality, as well as criminals who possessed the capacity to access and
control high technology processes vital to our everyday lives.’ See LVRC
Holdings LLC v. Brekka, 581 F.3d 1127 (U.S. Court of Appeals for the
9th Circuit 2009). The CFAA prohibits a number of different computer crimes,
the majority of which involve accessing computers without authorization or in
excess of authorization, and then taking specified forbidden actions, ranging
from obtaining information to damaging a computer or computer data.’ LVRC
Holdings LLC v. Brekka, supra.
SunPower alleges that the defendants'
behavior violated 18 U.S. Code § 1030(a)(2)(c), (a)(4) and (g).
Compl. ¶ 1. . . . Section 1030(a)(2)(c) provides for criminal penalties when a
person `[i]ntentionally accesses a computer without authorization or exceeds
authorized access, and thereby obtains . . . information from any protected
computer.’ Section 1030(a)(4) provides for penalties if a person:
`knowingly and with intent to defraud,
accesses a protected computer without authorization, or exceeds authorized
access, and by means of such conduct furthers the intended fraud and obtains
anything of value, unless the object of the fraud and the thing obtained consists
only of the use of the computer and the value of such use is not more than
$5,000 in any 1-year period.’
18 U.S. Code § 1030(a)(4).
SunPower Corporation
v. SunEdison, Inc, supra.
Next, he pointed out that,
[i]n addition to criminal penalties,
the CFAA creates a private right of action for `[a]ny person who suffers damage
or loss by reason of a violation’ of the statute. 18 U.S Code § 1030(g). However,
a claim may only be brought if the conduct involves the factors delineated in
subclause (I), (II), (III), (IV), or (V) of subsection (c)(4)(A)(i). 18 U.S
Code § 1030(g). Therefore, to bring a successful CFAA claim based on
this subjection, a plaintiff must show:
`(I) loss to 1 or more persons during
any 1-year period (and, for purposes of an investigation, prosecution, or other
proceeding brought by the United States only, loss resulting from a related
course of conduct affecting 1 or more other protected computers) aggregating at
least $5,000 in value;
(II) the modification or impairment, or
potential modification or impairment, of the medical examination, diagnosis,
treatment, or care of 1 or more individuals;
(III) physical injury to any person;
(IV) a threat to public health or
safety;
(V) damage affecting a computer used by
or for an entity of the United States Government in furtherance of the
administration of justice, national defense, or national security.’
18 U.S. Code § 1030(c)(4)(A)(i).
SunPower Corporation
v. SunEdison, Inc, supra.
The judge then applied the standards outlined above to this
case, noting that a
plausible claim under either 18
U.S. Code § 1030(a)(2)(c) or (a)(4) requires SunPower to allege
that the defendants acted `without authorization’ or by `exceed[ing] authorized
access.’ The [Computer Fraud and Abuse Act] defines `exceeds authorized access’
as `to access a computer with authorization and to use such access to obtain or
alter information in the computer that the accesser is not entitled so to
obtain or alter.’ 18 U.S. Code § 1030(e)(6). The term `without
authorization’ is not defined within the statute.
The [U.S. Court of Appeals for the 9th
Circuit] has determined that a person uses a computer `without authorization’
when `the person has not received permission to use the computer for any
purpose (such as when a hacker accesses someone's computer without any
permission), or when the employer has rescinded permission to access the
computer and the defendant uses the computer anyway.’ LVRC Holdings LLC
v Brekka, supra. Specifically, the Ninth Circuit has
articulated a “sensible interpretation of §§ 1030(a)(2) and (4), which
gives effect to both the phrase ‘without authorization’ and the phrase ‘exceeds
authorized access': a person who ‘intentionally accesses a computer without authorization’
accesses a computer without any permission at all, while a person who ‘exceeds
authorized access' has permission to access the computer, but accesses
information on the computer that the person is not entitled to access.” LVRC
Holdings LLC v Brekka, supra.
The Ninth Circuit has held that the
plain language of the [Computer Fraud and Abuse Act] targets `the unauthorized
procurement or alteration of information, not its misuse or
misappropriation.” U.S. v. Nosal, 676 F.3d 854 (U.S. Court of
Appeals for the 9th Circuit 2012). . . . Specifically, `the phrase ‘exceeds
authorized access' in the CFAA does not extend to violations of use
restrictions.’ U.S. v. Nosal, supra. The
Ninth Circuit's narrow reading intentionally focused the statute's application
to its purpose of punishing hackers and not misappropriating trade secrets. U.S. v. Nosal, supra. Subsequent cases
have similarly limited their interpretation of the CFAA. See,
e.g., Koninklijke Philips N.V. v. Elec–Tech In'l Co., 2015 WL 1289984
(U.S. District Court for the Northern District of California 2015) (following
Ninth Circuit precedent in Nosal and dismissing plaintiff's CFAA
claim based in part on the fact that the statute targets hacking, not trade
secret misappropriation (U.S. District Court for the Eastern District of
California 2014) (same); Synopsys, Inc. v. ATopTech, Inc., 2013 WL
5770542 (U.S. District Court for the Northern District of California 2013) (same).
SunPower Corporation
v. SunEdison, Inc, supra.
He then began the process of applying the above legal principles
to the facts in this case, explaining that
[h]ere, SunPower does not allege that
Fong and Messer were not authorized to access a computer or certain
information. Instead, SunPower claims that Fong and Messer violated the CFAA by
breaching SunPower's computer use policies when they connected USB drives or
other non-SunPower owned equipment to SunPower's network, copied files onto
these devices, and stored them on an unauthorized device. Comp. ¶¶
30–45. To support its argument, SunPower relies on Brekka for the
proposition that the phrase `exceeds authorized access’ includes violations of
employer-placed limitations on use. Opp. at 6. (Dkt. No. 26).
I do not read Brekka in
that manner. In Brekka, the employer alleged that one of its
former employees, Christopher Brekka, violated the CFAA by accessing the
employer's computer “without authorization” and in excess of authorization both
while Brekka was employed and after he left. LVRC Holdings LLC v.
Brekka, supra. The Ninth Circuit affirmed summary judgment in favor of
Brekka and the other defendants. It found, in part, that Brekka was authorized
to use his employer's computer while he was employed and therefore downloading
his employer's files and emailing the documents to his personal email did not
violate the CFAA. LVRC Holdings LLC v. Brekka, supra. The court
explicitly held that `for purposes of the CFAA, when an employer authorizes an
employee to use a computer subject to certain limitations, the employee remains
authorized to use the computer even if the employee violates these
limitations.’ LVRC Holdings LLC v. Brekka, supra.
Under Brekka, a CFAA
claim hinges not on the use of the information but on whether or not the
employee is authorized to access the information in the first place. LVRC
Holdings LLC v. Brekka, supra. See
also U.S. v. Nosal, supra. (rejecting the government's suggestion that
unauthorized access encompasses situations involving limitations on use when an
employee has unrestricted physical access to the information). Accordingly, it
held that Brekka did not violate the CFAA because `there is no dispute that
Brekka was given permission to access [the defendant's] computer.’ LVRC
Holdings LLC v. Brekka, supra. Under Brekka,
a prohibited action, such as copying or transferring the accessed files onto a
USB, does not by itself transform an employee's access from authorized to
unauthorized. SunPower's contention that Brekka holds otherwise is
incorrect.
SunPower Corporation
v. SunEdison, Inc, supra.
He went on to point out that
SunPower's assertion that subsequent
cases have interpreted Brekka to allow violations of
employer-placed non-technical restrictions to form the basis of `unauthorized
access’ ignores the important differences between those cases and its own. . .
. SunPower relies on two cases involving former employees who exceeded their
authorized access by accessing information after their employment ended. See
NetApp, Inc. v. Nimble Storage, Inc,. 41 F.Supp.3d 816 (U.S. District
Court for the Northern District of California 2014); Weingand v.
Harland Fin. Solutions, Inc., 2012 WL 2327660 (U.S. District Court for
the Northern District of California 2012). The key to both courts' analyses was
timing -- the employees had gained accessed to their previous employers'
networks after their access to those networks had been
revoked. NetApp, Inc. v. Nimble Storage, Inc., supra (holding
that the Ninth Circuit has not precluded applying CFAA to situations where an
individual access a former employer's network); Weingand v. Harland
Fin. Solutions, Inc., supra (same).
Because Messer and Fong were current employees at the time of the alleged
access, their access was not unauthorized in the same manner as the plaintiffs
in NetApp and Weingand.
SunPower Corporation
v. SunEdison, Inc, supra.
Next, the judge began the process of applying the applicable
law to the facts in this case, noting, initially, that SunPower's argument that
Messer and Fond violated
`technological barriers’ by
physically plugging in USB drives or other non-SunPower equipment into
SunPower's computer is similarly unpersuasive. SunPower cites to an inapposite
example given by the Ninth Circuit in U.S. v. Nosal, supra. An
employer keeps information in a separate database that can be viewed on a
computer screen but not copied or downloaded. If the employee circumvents the
employer's security measures, copies information on to a USB drive and takes it
out of the building, that would have exceeded her authorization in violation of
the CFAA. U.S. v. Nosal, supra. But that is not the situation here. SunPower
has not alleged that either Messer or Fong circumvented any security measures
or accessed unauthorized information; instead, they allegedly misappropriated
information to which they had access in violation of SunPower's policies.
A more apt comparison would be to
another example that the Ninth Circuit discussed in U.S. v. Nosal, supra.
The government argued that the CFAA should apply to an employee who is `authorized
to access customer lists in order to do his job but not to send them to a
competitor,’ but nevertheless sends the competitor lists to a competitor. U.S.
v. Nosal, supra. The court disagreed, observing that applying CFAA to any
unauthorized use of information obtained from a computer would `make criminals
of large groups of people who would have little reason to suspect they are
committing a federal crime.’ U.S. v. Nosal, supra. Punishing this
type of behavior would be incongruent with the statute's focus on prohibiting
hacking and other high technology related crimes. That is true here as well.
SunPower Corporation
v. SunEdison, Inc, supra.
The judge then addressed a related argument SunPower made,
noting that it relied on
American Furukawa, Inc. v. Hossain,
2015 WL 2124794 (U.S. District Court for the Eastern District of Michigan 2015) to
argue that other cases have followed Nosal’s
approach while holding that downloading files to removable media constitutes a
violation under CFAA. Opp. at 7. In American Furukawa, a
company sued a former employee alleging that the employee emailed and
downloaded the company's files in violation of the CFAA both while he was
employed and during a leave of absence. American Furukawa, Inc. v.
Hossain, supra. The court held that the company properly alleged that the
employee took some files `without authorization’ during his leave of absence. American
Furukawa, Inc. v. Hossain, Additionally,
because the company's computer use policy specified that an employee needs
permission from a manager before accessing files with removable media, the
court also held that the employee exceeded authorized access because he did not
seek permission and therefore violated this access restriction. American
Furukawa, Inc. v. Hossain, supra.
SunPower Corporation
v. SunEdison, Inc, supra.
The judge then outlined his holding in the case, noting,
first, that
American Furukawa does not
help SunPower. Fundamentally, it comes from a district court in Michigan that
appropriately followed its [U.S. Court of Appeals for the 6th Circuit] precedent. It explicitly discussed and disagreed with the approach of
the Ninth Circuit in Nosal, which binds me. American
Furukawa, Inc. v. Hossain, supra. Moreover,
the decision is consistent with this one in that the court rejected the
employer's argument that the employee's misappropriation of its files while he
was actively employed was a violation of the CFAA because he breached the
employer's Secrecy Agreement; the court found the CFAA violation only for the
period when the employee was out on leave and violated a condition of his
leave—that he could not do any work during that time. American Furukawa,
Inc. v. Hossain, supra. All of the alleged behavior here occurred while
Messer and Fong were current employees. Restrictions related to an employee's
leave of absence are not at play in this case.
In sum, SunPower's allegations describe
misappropriation of its confidential information. They do not constitute a
violation of the CFAA. While it is not clear to me how it can successfully
plead a plausible CFAA cause of action in light of the allegations it has
already made, if it wishes it may amend its complaint within 20 days. If it
chooses not to do so, I will remand this case to the California Superior Court
for further proceedings since no other basis for federal jurisdiction is
alleged.
SunPower Corporation
v. SunEdison, Inc, supra.
No comments:
Post a Comment