Friday, January 08, 2016

The Computer Fraud and Abuse Act, the Solar Panel Company and Copying Files

This post examines an opinion a U.S. District Court Judge who sits in the U.S. District Court for the Northern District of California recently issued in a civil case:  SunPower Corporation v. SunEdison, Inc, 2015 WL 5316333 (2015).  The judge begins his opinion by explaining that the
central issue in defendants SunEdison, Inc., Shane Messer, Kendall Fong, and Vikas Desai's motion to dismiss is whether current employees violate the Computer Fraud and Abuse Act (`CFAA’)18 U.S. Code § 1030, if they breach their employer's computer use policies while accessing files that they were authorized to use. 
SunPower Corporation v. SunEdison, Inc, supra.
He goes on to begin the substantive part of his opinion by explaining that
I accept the allegations pleaded in the complaint as true for purposes of SunEdison's motion to dismiss. SunPower is an energy services provider that manufactures, installs, and distributes solar panel systems for residential and commercial markets. Messer and Fong were once employed by SunPower as Area Sales Manager and Senior Director of Global Brand, respectively.
SunPower Corporation v. SunEdison, Inc, supra.
The judge then outlines the facts involved in the lawsuit:
SunPower asserts that Messer and Fong, prior to leaving SunPower, accessed thousands of its files and likely copied them onto one or more devices such as a personal Universal Serial Bus (`USB’) drive or other non-SunPower owned device. After their departures from SunPower, they began to work for SunEdison.

SunPower identifies two specific instances of illegal copying. It contends that Messer accessed and copied over 4,300 files from a SunPower computer or server during a fifteen-minute span on July 30, 2011. In the weeks preceding his departure, Fong allegedly accessed over 9,500 SunPower files over an 80–minute span. The accessed files purportedly contained SunPower's highly confidential information and trade secrets.

SunPower also alleges that Desai, a former Vice President at SunPower, encouraged Fong and Messer to leave SunPower and to share SunPower's confidential information with SunEdison, where Desai was employed as the company's Chief Executive Officer. SunPower believes that SunEdison has used and continues to use SunPower's proprietary information for its own benefit and to the detriment of SunPower.

SunPower contends that Messer and Fong's actions violated SunPower's computer use policies that prohibited its employees from connecting any non-SunPower devices to SunPower's network or from using personal USB drives for file storage or transfer. It also claims that Messer and Fong violated their employment confidentiality agreement by transferring the allegedly stolen SunPower files to SunEdison. These agreements obliged Messer and Fong to keep SunPower's information confidential and to protect it from outside disclosures or use for others' benefit.
SunPower Corporation v. SunEdison, Inc, supra.
The Judge then outlines the “fourteen causes of action” SunPower asserts in the Complaint it filed to initiate the suit:
(1) violation of the CFAA; (2) trade secret misappropriation under the California Uniform Trade Secrets Act (`CUTSA’); (3) breach of contract; (4) breach of confidence; (5) conversion; (6) trespassto chattels; (7) interference with prospective business advantage; (8) breach of implied covenant of good faith and fair dealing; (9) tortious interferencewith contractual relationship; (10) induced breach of contract; (11) conspiracy to breach contract; (12) breach of duty of loyalty; (13) unfair competition, and (14) statutory unfair competition. Thirteen of SunPower's fourteen causes of action arise under state law. Its only federal cause of action is based on the purported violation of the CFAA. Defendants move to dismiss the first, fourth, fifth, sixth, seventh, ninth, tenth, eleventh, twelfth, thirteenth, and fourteenth causes of action for failure to state a claim upon which relief may be granted under Federal Rule of Civil Procedure 12(b)(6).  I heard argument on September 9, 2015.
SunPower Corporation v. SunEdison, Inc, supra.
The opinion then goes on to explain the “legal standard” that applies to the “analysis of the extent to which the defendants’ Rule 12(b)(6) motion raises arguments that warrant dismissing one or more of the plaintiff’s causes of action.”  SunPower Corporation v. SunEdison, Inc, supra.  Specifically, the judge explains that
[u]nder Federal Rule of Civil Procedure 12(b)(6), a district court must dismiss a complaint if it fails to state a claim upon which relief can be granted. To survive a Rule 12(b)(6) motion to dismiss, the plaintiff must allege `enough facts to state a claim to relief that is plausible on its face.’ See Bell Atlantic Corp. v. Twombly, 550 U.S. 544 (2007). A claim is facially plausible when the plaintiff pleads facts that `allow the court to draw the reasonable inference that the defendant is liable for the misconduct alleged.’ Ashcroft v. Iqbal, 556U.S. 662 (2009). . . . There must be `more than a sheer possibility that a defendant has acted unlawfully.’ Ashcroft v. Iqbal, supra. While courts do not require `heightened fact pleading of specifics,” a plaintiff must allege facts sufficient to “raise a right to relief above the speculative level.’ Bell Atlantic Corp. v. Twombly, supra

In deciding whether the plaintiff has stated a claim upon which relief can be granted, the Court accepts the plaintiff's allegations as true and draws all reasonable inferences in favor of the plaintiff. See Usher v. City of Los Angeles, 828 F.2d 556 (U.S.Court of Appeals for the 9th Circuit 1987) However, the court is not required to accept as true `allegations that are merely conclusory, unwarranted deductions of fact, or unreasonable inferences.’ In re Gilead Sciences Securities Litigation, 536 F.3d 1049 (U.S. Court of Appeals for the 9th Circuit 2008).
SunPower Corporation v. SunEdison, Inc, supra.  He also noted that
[i]f the court dismisses the complaint, it `should grant leave to amend even if no request to amend the pleading was made, unless it determines that the pleading could not possibly be cured by the allegation of other facts.’ Lopez v. Smith, 203 F.3d 1122 (U.S. Court of Appeals for the 9th Circuit 2000).
SunPower Corporation v. SunEdison, Inc, supra. 
The District Court Judge then begins his analysis of the arguments the defendants raised in their motion to dismiss, noting that they made
three arguments in their motion to dismiss: (i) SunPower fails to state a claim under CFAA; (ii) CUTSA preempts all non-contractual claims based on misappropriation of confidential information; and (iii) SunPower fails to state a claim for interference with business advantage. Because I find that SunPower's complaint fails to state a claim under CFAA, its only federal cause of action, I will not address the state law claims. If there is no federal claim, I will not exercise supplemental jurisdiction.
SunPower Corporation v. SunEdison, Inc, supra. 
For a U.S. District Court to have jurisdiction to hear and decide a civil suit, the suit must either (i) involve claims that arise under federal law (“federal question jurisdiction”) or (ii) citizens of different U.S. states (“diversity jurisdiction”).  Since the citizens involved in this suit are not from different states, the only basis for federal jurisdiction is federal question jurisdiction.  If the federal claim – the Computer Fraud and Abuse Act claim – fails, there will be no jurisdiction and the case would have to be dismissed.
The Judge began his analysis of the defendants’ motion to dismiss the claim brought under the Computer Fraud and Abuse Act by explaining that the CFAA
prohibits various computer-related crimes, including accessing a computer without authorization or exceeding authorized access. 18 U.S. Code § 1030(a)(1).  It was enacted in 1984 to `target hackers who accessed computers to steal information or to disrupt or destroy computer functionality, as well as criminals who possessed the capacity to access and control high technology processes vital to our everyday lives.’ See LVRC Holdings LLC v. Brekka, 581 F.3d 1127 (U.S. Court of Appeals for the 9th Circuit 2009). The CFAA prohibits a number of different computer crimes, the majority of which involve accessing computers without authorization or in excess of authorization, and then taking specified forbidden actions, ranging from obtaining information to damaging a computer or computer data.’ LVRC Holdings LLC v. Brekka, supra.

SunPower alleges that the defendants' behavior violated 18 U.S. Code § 1030(a)(2)(c), (a)(4) and (g). Compl. ¶ 1. . . . Section 1030(a)(2)(c) provides for criminal penalties when a person `[i]ntentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains . . . information from any protected computer.’ Section 1030(a)(4) provides for penalties if a person:

`knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computer and the value of such use is not more than $5,000 in any 1-year period.’

18 U.S. Code § 1030(a)(4).
SunPower Corporation v. SunEdison, Inc, supra. 
Next, he pointed out that,
[i]n addition to criminal penalties, the CFAA creates a private right of action for `[a]ny person who suffers damage or loss by reason of a violation’ of the statute. 18 U.S Code § 1030(g). However, a claim may only be brought if the conduct involves the factors delineated in subclause (I), (II), (III), (IV), or (V) of subsection (c)(4)(A)(i). 18 U.S Code § 1030(g). Therefore, to bring a successful CFAA claim based on this subjection, a plaintiff must show:

`(I) loss to 1 or more persons during any 1-year period (and, for purposes of an investigation, prosecution, or other proceeding brought by the United States only, loss resulting from a related course of conduct affecting 1 or more other protected computers) aggregating at least $5,000 in value;
(II) the modification or impairment, or potential modification or impairment, of the medical examination, diagnosis, treatment, or care of 1 or more individuals;
(III) physical injury to any person;
(IV) a threat to public health or safety;
(V) damage affecting a computer used by or for an entity of the United States Government in furtherance of the administration of justice, national defense, or national security.’

18 U.S. Code § 1030(c)(4)(A)(i).
SunPower Corporation v. SunEdison, Inc, supra. 
The judge then applied the standards outlined above to this case, noting that a
plausible claim under either 18 U.S. Code § 1030(a)(2)(c) or (a)(4) requires SunPower to allege that the defendants acted `without authorization’ or by `exceed[ing] authorized access.’ The [Computer Fraud and Abuse Act] defines `exceeds authorized access’ as `to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.’ 18 U.S. Code § 1030(e)(6). The term `without authorization’ is not defined within the statute.

The [U.S. Court of Appeals for the 9th Circuit] has determined that a person uses a computer `without authorization’ when `the person has not received permission to use the computer for any purpose (such as when a hacker accesses someone's computer without any permission), or when the employer has rescinded permission to access the computer and the defendant uses the computer anyway.’ LVRC Holdings LLC v Brekka, supra.  Specifically, the Ninth Circuit has articulated a “sensible interpretation of §§ 1030(a)(2) and (4), which gives effect to both the phrase ‘without authorization’ and the phrase ‘exceeds authorized access': a person who ‘intentionally accesses a computer without authorization’ accesses a computer without any permission at all, while a person who ‘exceeds authorized access' has permission to access the computer, but accesses information on the computer that the person is not entitled to access.” LVRC Holdings LLC v Brekka, supra.

The Ninth Circuit has held that the plain language of the [Computer Fraud and Abuse Act] targets `the unauthorized procurement or alteration of information, not its misuse or misappropriation.” U.S. v. Nosal, 676 F.3d 854 (U.S. Court of Appeals for the 9th Circuit 2012). . . . Specifically, `the phrase ‘exceeds authorized access' in the CFAA does not extend to violations of use restrictions.’ U.S. v. Nosal, supra.  The Ninth Circuit's narrow reading intentionally focused the statute's application to its purpose of punishing hackers and not misappropriating trade secrets. U.S. v. Nosal, supra. Subsequent cases have similarly limited their interpretation of the CFAA. See, e.g., Koninklijke Philips N.V. v. Elec–Tech In'l Co., 2015 WL 1289984 (U.S. District Court for the Northern District of California 2015) (following Ninth Circuit precedent in Nosal and dismissing plaintiff's CFAA claim based in part on the fact that the statute targets hacking, not trade secret misappropriation (U.S. District Court for the Eastern District of California 2014) (same); Synopsys, Inc. v. ATopTech, Inc., 2013 WL 5770542 (U.S. District Court for the Northern District of California 2013) (same).
SunPower Corporation v. SunEdison, Inc, supra. 
He then began the process of applying the above legal principles to the facts in this case, explaining that
[h]ere, SunPower does not allege that Fong and Messer were not authorized to access a computer or certain information. Instead, SunPower claims that Fong and Messer violated the CFAA by breaching SunPower's computer use policies when they connected USB drives or other non-SunPower owned equipment to SunPower's network, copied files onto these devices, and stored them on an unauthorized device. Comp. ¶¶ 30–45. To support its argument, SunPower relies on Brekka for the proposition that the phrase `exceeds authorized access’ includes violations of employer-placed limitations on use. Opp. at 6. (Dkt. No. 26).

I do not read Brekka in that manner. In Brekka, the employer alleged that one of its former employees, Christopher Brekka, violated the CFAA by accessing the employer's computer “without authorization” and in excess of authorization both while Brekka was employed and after he left. LVRC Holdings LLC v. Brekka, supra. The Ninth Circuit affirmed summary judgment in favor of Brekka and the other defendants. It found, in part, that Brekka was authorized to use his employer's computer while he was employed and therefore downloading his employer's files and emailing the documents to his personal email did not violate the CFAA. LVRC Holdings LLC v. Brekka, supra. The court explicitly held that `for purposes of the CFAA, when an employer authorizes an employee to use a computer subject to certain limitations, the employee remains authorized to use the computer even if the employee violates these limitations.’ LVRC Holdings LLC v. Brekka, supra.

Under Brekka, a CFAA claim hinges not on the use of the information but on whether or not the employee is authorized to access the information in the first place. LVRC Holdings LLC v. Brekka, supra. See also U.S. v. Nosal, supra. (rejecting the government's suggestion that unauthorized access encompasses situations involving limitations on use when an employee has unrestricted physical access to the information). Accordingly, it held that Brekka did not violate the CFAA because `there is no dispute that Brekka was given permission to access [the defendant's] computer.’ LVRC Holdings LLC v. Brekka, supra.  Under Brekka, a prohibited action, such as copying or transferring the accessed files onto a USB, does not by itself transform an employee's access from authorized to unauthorized. SunPower's contention that Brekka holds otherwise is incorrect.
SunPower Corporation v. SunEdison, Inc, supra. 
He went on to point out that
SunPower's assertion that subsequent cases have interpreted Brekka to allow violations of employer-placed non-technical restrictions to form the basis of `unauthorized access’ ignores the important differences between those cases and its own. . . . SunPower relies on two cases involving former employees who exceeded their authorized access by accessing information after their employment ended. See NetApp, Inc. v. Nimble Storage, Inc,. 41 F.Supp.3d 816 (U.S. District Court for the Northern District of California 2014); Weingand v. Harland Fin. Solutions, Inc., 2012 WL 2327660 (U.S. District Court for the Northern District of California 2012). The key to both courts' analyses was timing -- the employees had gained accessed to their previous employers' networks after their access to those networks had been revoked. NetApp, Inc. v. Nimble Storage, Inc., supra (holding that the Ninth Circuit has not precluded applying CFAA to situations where an individual access a former employer's network); Weingand v. Harland Fin. Solutions, Inc., supra (same). Because Messer and Fong were current employees at the time of the alleged access, their access was not unauthorized in the same manner as the plaintiffs in NetApp and Weingand.
SunPower Corporation v. SunEdison, Inc, supra. 
Next, the judge began the process of applying the applicable law to the facts in this case, noting, initially, that SunPower's argument that Messer and Fond violated
`technological barriers’ by physically plugging in USB drives or other non-SunPower equipment into SunPower's computer is similarly unpersuasive. SunPower cites to an inapposite example given by the Ninth Circuit in U.S. v. Nosal, supra. An employer keeps information in a separate database that can be viewed on a computer screen but not copied or downloaded. If the employee circumvents the employer's security measures, copies information on to a USB drive and takes it out of the building, that would have exceeded her authorization in violation of the CFAA. U.S. v. Nosal, supra.  But that is not the situation here. SunPower has not alleged that either Messer or Fong circumvented any security measures or accessed unauthorized information; instead, they allegedly misappropriated information to which they had access in violation of SunPower's policies.

A more apt comparison would be to another example that the Ninth Circuit discussed in U.S. v. Nosal, supra. The government argued that the CFAA should apply to an employee who is `authorized to access customer lists in order to do his job but not to send them to a competitor,’ but nevertheless sends the competitor lists to a competitor. U.S. v. Nosal, supra. The court disagreed, observing that applying CFAA to any unauthorized use of information obtained from a computer would `make criminals of large groups of people who would have little reason to suspect they are committing a federal crime.’ U.S. v. Nosal, supra. Punishing this type of behavior would be incongruent with the statute's focus on prohibiting hacking and other high technology related crimes. That is true here as well.
SunPower Corporation v. SunEdison, Inc, supra. 
The judge then addressed a related argument SunPower made, noting that it relied on
American Furukawa, Inc. v. Hossain, 2015 WL 2124794 (U.S. District Court for the Eastern District of Michigan 2015) to argue that other cases have followed Nosal’s approach while holding that downloading files to removable media constitutes a violation under CFAA. Opp. at 7. In American Furukawa, a company sued a former employee alleging that the employee emailed and downloaded the company's files in violation of the CFAA both while he was employed and during a leave of absence. American Furukawa, Inc. v. Hossain, supra. The court held that the company properly alleged that the employee took some files `without authorization’ during his leave of absence.  American Furukawa, Inc. v. Hossain, Additionally, because the company's computer use policy specified that an employee needs permission from a manager before accessing files with removable media, the court also held that the employee exceeded authorized access because he did not seek permission and therefore violated this access restriction. American Furukawa, Inc. v. Hossain, supra.
SunPower Corporation v. SunEdison, Inc, supra. 
The judge then outlined his holding in the case, noting, first, that
American Furukawa does not help SunPower. Fundamentally, it comes from a district court in Michigan that appropriately followed its [U.S. Court of Appeals for the 6th Circuit] precedent. It explicitly discussed and disagreed with the approach of the Ninth Circuit in Nosal, which binds me. American Furukawa, Inc. v. Hossain, supra.  Moreover, the decision is consistent with this one in that the court rejected the employer's argument that the employee's misappropriation of its files while he was actively employed was a violation of the CFAA because he breached the employer's Secrecy Agreement; the court found the CFAA violation only for the period when the employee was out on leave and violated a condition of his leave—that he could not do any work during that time. American Furukawa, Inc. v. Hossain, supra. All of the alleged behavior here occurred while Messer and Fong were current employees. Restrictions related to an employee's leave of absence are not at play in this case.

In sum, SunPower's allegations describe misappropriation of its confidential information. They do not constitute a violation of the CFAA. While it is not clear to me how it can successfully plead a plausible CFAA cause of action in light of the allegations it has already made, if it wishes it may amend its complaint within 20 days. If it chooses not to do so, I will remand this case to the California Superior Court for further proceedings since no other basis for federal jurisdiction is alleged.
SunPower Corporation v. SunEdison, Inc, supra.  

No comments: