Friday, February 21, 2014

The Former Employee, Hacking and Computer Fraud

This post examines an opinion a U.S. District Court Judge recently issued in a civil case:  Enki Corporation v. Freedman, 2014 WL 261798 (U.S. District Court for the Northern District of California 2014).  This is how the judge described the suit and the issue he addressed in the opinion:

When a former employee uses a customer's working log-in credentials to access his former employer's scripts, are he and the customer hackers?

Plaintiff Enki Corporation says yes; Defendant Keith Freedman, along with his current employer and co-defendant, Zuora, Inc., say no. Freedman and Zuora now move to dismiss Enki's claims under the Computer Fraud and Abuse Act and the California Computer Data Access And Fraud Act for failure to state a claim upon which relief may be granted and the remainder of Enki's claims for lack of subject matter jurisdiction. 

Enki Corporation v. Freedman, supra.

As Wikipedia explains, a motion to dismiss a suit for failing to state a cause of action upon which relief can be granted under Rule 12(b)(6) of the Federal Rules of Civil Procedure is how civil suits with

insufficient legal theories underlying their cause of action are dismissed from court. For example, assault requires intent, so if the plaintiff has failed to plead intent, the defense can seek dismissal by filing a 12(b)(6) motion. `While a complaint attacked by a Rule 12(b)(6) motion to dismiss does not need detailed factual allegations, a plaintiff's obligation to provide the grounds of his entitlement to relief requires more than labels and conclusions, and a formulaic recitation of the elements of a cause of action will not do.

Factual allegations must be enough to raise a right to relief above the speculative level, on the assumption that all the allegations in the complaint are true (even if doubtful in fact).’ Bell Atlantic Corp. v. Twombly, 550 U.S. 544 (2007). . . .

The judge then explains, in some detail, how the case arose:

From 2006–2011, Freedman was a 12% interest holding member of Enki.  Enki's business is to acquire, manage, develop, improve, and operate cloud computing and other IT services for enterprises. In May of 2011, Freedman resigned. Under the terms of Freedman's separation agreement with Enki, Enki bought out Freedman's interest, neither party was to disparage the other in any way, and Freedman was barred from soliciting Enki's clients or competing with Enki for a year.

Shortly after Freedman's departure, Enki entered into a master service agreement with Zuora under which Enki was to provide consulting, cloud computing services, and other IT services. As part of these services, and as set forth in various statements of work, Enki installed `Nimsoft’ on Zuora's network.

Nimsoft is a `software based system monitor’ used to monitor computer resources and performance. Although the software was installed on Zuora's network, under the terms of the agreement Enki was the sole administrator of the software and the only one allowed to `write’ Nimsoft scripts.

In order to fulfill this contract, Enki hired Freedman and retained his new company, Freeform, as a contractor to provide certain services to Zuora.  Even though the separation agreement remained in effect, Freedman proceeded to spread negative stories about Enki and its work product throughout Zuora for several months, leading to the termination of his contract with Enki. Zuora then hired Freedman and retained Freeform's services directly. 

In February 2013, Zuora terminated its contract with Enki `for convenience.’ Before this termination, however, Freedman and Zuora accessed the Nimsoft servers on Zuora's network without authorization. 

Freedman and Zuora then copied Enki's proprietary information, including Enki's Nimsoft scripts, in order to terminate the contract and receive the benefits of Enki's enterprise and technology without continuing to pay for Enki's services.  

Enki brings this action to recover for various breaches of contract, as well as violations of state and federal antihacking statutes.

Enki Corporation v. Freedman, supra (notes omitted).

The judge began his analysis of the issues raised by the motion to dismiss with the Computer Fraud and Abuse Act claims, which asserted that the defendants had engaged in conduct that violated the Act in either or both of two ways:

46. Defendants have violated the Computer Fraud and Abuse Act (`CFAA’), 18 U.S. Code § 1030(a)(2)(C), by intentionally accessing a computer used for interstate or foreign commerce or communication, without ENKI's authorization, and by obtaining information from such a protected computer.

47. Defendants have violated the CFAA, 18 U.S. Code § 1030(a)(4), by knowingly, and with intent to defraud ENKI, accessing a protected computer, without authorization or by exceeding authorized access to such a computer, and by means of such conduct furthered the intended fraud and obtained one or more things of value, including content from the Nimsoft server.

Enki Corporation v. Freedman, Complaint (May 14, 2013), 2013 WL 2296051. 

The judge noted that the defendants

put forth two main theories as to why Enki's claim under the CFAA should be dismissed: 1) the complaint fails to allege loss or damage within the meaning of the statute; and 2) the complaint fails to allege unauthorized access within the Ninth Circuit's interpretation of the statute.

Enki Corporation v. Freedman, supra.

He began with the first theory, explaining that

although the Ninth Circuit has not yet ruled on whether costs of investigation may be included in the calculation of loss under the CFAA, this district and others within the circuit have long accepted that theory. The statutory definition of loss includes `the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense.’ 

Before the incident at issue here, Enki's proprietary information was secured, and afterward, it evidentially was not. It therefore stands to reason that the cost of investigating the source of the breach and remedying it would qualify as `loss’ within that definition, as they would be required to return the system to its secured state. The undersigned therefore joins with his colleagues in holding that the costs of investigating a security breach may be included in the calculation of `loss’ under the CFAA.

Enki Corporation v. Freedman, supra (quoting 18 U.S. Code § 1030(e)(11)).

The judge then noted that the defendants’ second argument

carries more weight. The CFAA imposes liability where the defendant commits certain acts on a `protected computer’ either `without authorization’ or in `exce[ss of his] authorization.’ The Ninth Circuit has held that to access a protected computer `without authorization’ is to do so `without any permission at all,’ and to `exceed authorized access’ is to `access[ ] information on the computer that the person is not entitled to access.’

It has further held that an individual does not `exceed authorized access’ simply by misusing information that he or she was entitled to view for some other purpose; the CFAA regulates access to data, not its use by those entitled to access it.

Enki Corporation v. Freedman, supra (notes omitted).

He then explained that

[h]ere, Enki alleges that Freedman and Zuora violated the CFAA by `unlawfully access[ing] the Nimsoft servers and improperly cop[ying] Enki's Proprietary Information,’ and in particular Enki's Nimsoft scripts. However, the complaint does not allege that Defendants were unauthorized to access the scripts in question.

In fact, the Statement of Work submitted for the court's consideration specifically grants Zuora and its representatives `sudo access’ to `non-shell root commands’ that would include the scripts at issue.  Enki instead hangs its hat on its repeated refusals to grant Zuora or Freedman the authority to write or edit those scripts.

That argument, however, speaks to misuse of the scripts, not unauthorized access, which under Nosal does not run afoul of the CFAA. Because Enki's complaint fails to allege that Defendants had no access rights to Enki's scripts, and indeed the documents upon which it relies reveal that Defendants had certain access rights, their CFAA claim must be DISMISSED for failure to state a claim.

Enki Corporation v. Freedman, supra (notes omitted).

The judge then noted that the

only other claim that Freedman and Zuora substantively address in their motion is the CDAFA [California Computer Data Access And Fraud Act] claim. With respect to that claim, they argue that because Enki's complaint fails to allege that either Freedman or Zuora overcame any technical barrier in order to view and copy its proprietary information, the claim must be dismissed for failure to state a claim.

Enki, however, maintains that a violation of the established terms of use is sufficient to create liability under CDAFA, and because the complaint alleges that Freedman and Zuora copied the information when they were not permitted to do so, they have sufficiently pled their claim.

Enki Corporation v. Freedman, supra (notes omitted).

He then addressed the merits of Enki’s argument, finding that the

CDAFA imposes liability where an individual takes certain actions `without permission’ on another's computer, network, or website. [California Penal Code § 502.] Enki relies on a single case, Craigslist v. Naturemarket, Inc., [694 F. Supp. 2d. 1039 (U.S. District Court for the Northern District of California 2010)] to argue that a simple violation of the terms of use meets the requirement that the action be `without permission.’

Craigslist, however, appears to be an outlier. Just four months after Craigslist, in Facebook v. Power Ventures, Inc., [2010 WL 3291750 (U.S. District Court for the Northern District of California 2010)], this court held that to take an action `without permission’ under the CDAFA, a defendant must overcome some technical or code barrier.

This has been the governing standard in this district since that time, and it is the standard that applies here. As Enki itself does not even argue that the complaint alleges a technical obstacle, the court GRANTS Defendants' motion as to the CDAFA claim.

Enki Corporation v. Freedman, supra (notes omitted).

The judge therefore granted the defendants’ motion to dismiss these two causes of action, but retained the state law claims asserted in Enki’s Complaint under the court’s pendent jurisdiction. Enki Corporation v. Freedman, supra. As Wikipedia explains, pendent jurisdiction lets a federal district court hear related state law claims that are brought with “anchor” federal law claims.

As to how pendent jurisdiction applied here, the judge noted that

[b]ecause jurisdiction over state law claims under § 1367 generally requires a federal hook, a court may choose to decline jurisdiction over any lingering state law claims where all federal claims in the case have been dismissed before trial.  

Further, in the Ninth Circuit, `[i]t is usually appropriate to dismiss pendent state claims when federal claims are dismissed before trial,’ [McCarthy v. Mayo, 827 F.2d 1310 (U.S. Court of Appeals for the 9th Circuit 1987)] although in each case, a court must assess the values of `economy, convenience, fairness, and comity’ in deciding whether or not to retain jurisdiction. [Acri v. Varian Assocs, 114 F.3d 999 (U.S. Court of Appeals for the 9th Circuit 1994)].

Enki Corporation v. Freedman, supra.

As to why he retained these claims, he explained that

although the remaining claims are all grounded in state law, the parties are already eight months into litigation in this forum, and it would hardly serve the interests of economy or convenience to require the parties to begin anew in state court. In addition, because Enki has leave to amend its complaint to remedy the deficiencies identified in its pleadings, the federal claim may yet move forward in another version of the complaint.

The court therefore will retain jurisdiction over the lingering state law claims.

Enki Corporation v. Freedman, supra. 
