Opinion
Case No. 5:13-cv-00034-PSG
05-28-2014
FLEXTRONICS INTERNATIONAL, LTD. and FLEXTRONICS INTERNATIONAL USA, INC. Plaintiffs, v. PARAMETRIC TECHNOLOGY CORPORATION Defendant.
ORDER GRANTING-IN-PART
DEFENDANT'S MOTION TO
DISMISS
(Re: Docket No. 168)
Defendant Parametric Technology Corporation once again moves to dismiss Plaintiff Flextronics International's claims under the Computer Fraud and Abuse Act, Flextronics' claims under the California Computer Data Access And Fraud Act, and Flextronics' common law claims for trespass to chattels and conversion. This court previously granted PTC's motion to dismiss Flextronics' original complaint. The parties appeared for a hearing. Having considered the parties' respective arguments, the court GRANTS PTC's motion, but only IN-PART.
See Docket No. 152.
I. BACKGROUND
In 1998, Flextronics and PTC executed an "Enterprise Agreement," which granted Flextronics a license to use PTC's software on its computers. It did so, and for over a decade, the two companies lived in harmony. Then, on July 26, 2012, PTC informed Flextronics that it had become aware of numerous unauthorized copies of the software in use on Flextronics' machines and was gravely concerned about these "cracked copies" being used in violation of the license agreement. Flextronics began investigating these claims, and in the course of doing so, discovered that PTC had "concealed certain embedded technology in the PTC software" that it was using to access, obtain and transmit information in, from and about Flextronics' system back to PTC. Less than a month after this discovery, Flextronics filed suit against PTC for various computer crimes, as well as for a declaratory judgment of non-infringement of copyright and performance on the Enterprise Agreement. PTC denied Flextronics' allegations and countered with its own claims for copyright infringement and breach of contract.
See Docket No. 161-4 at ¶ 47.
See id. at ¶¶ 25-46, 48-52.
See Docket No. 1.
See Docket No. 17.
After an extended hearing on the matter, the court granted PTC's motion for a preliminary injunction, as well as its first motion to dismiss. In granting PTC's motion to dismiss, the court held that two sentences of conclusory allegations were insufficient to sustain a six-count complaint. Consistent with the court's order, on February 4, 2014, Flextronics filed an amended complaint that is the subject of the present motion.
See Docket No. 125.
See Docket No. 158.
See Docket No. 158.
II. LEGAL STANDARDS
A. Article III Standing
To satisfy Article III, a plaintiff "must show that (1) it has suffered an 'injury in fact' that is (a) concrete and particularized and (b) actual or imminent, not conjectural or hypothetical; (2) the injury is fairly traceable to the challenged action of the defendant; and (3) it is likely, as opposed to merely speculative, that the injury will be redressed by a favorable decision." A suit brought by a plaintiff without Article III standing is not a "case or controversy," and an Article III court lacks subject matter jurisdiction over the suit. In that event, the suit should be dismissed under Fed. R. Civ. Pro. 12(b)(1).
See Friends of the Earth, Inc. v. Laidlaw Envtl. Sys. (TOC), Inc., 528 U.S. 167, 180-181 (2000).
Steel Co. v. Citizens for a Better Environment, 523 U.S. 83, 101 (1998).
See Steel Co., 523 U.S. at 109-110; White v. Lee, 227 F.3d 1214, 1242 (9th Cir. 2000).
The injury required by Article III may exist by virtue of "statutes creating legal rights, the invasion of which creates standing." In such cases, the "standing question . . . is whether the constitutional or standing provision on which the claim rests properly can be understood as granting persons in the plaintiff's position a right to judicial relief." At all times the threshold question of standing "is distinct from the merits of [a] claim" and does not require "analysis of the merits." The Supreme Court also has instructed that the "standing inquiry requires careful judicial examination of a complaint's allegations to ascertain whether the particular plaintiff is entitled to an adjudication of the particular claims asserted."
See Edwards v. First Am. Corp., 610 F.3d 514, 517 (9th Cir. 2010) (quoting Warth v. Seldin, 422 U.S. 490, 500 (1975)).
See id. (quoting Warth, 422 U.S. at 500).
Maya v. Centex Corp., 658 F.3d 1060, 1068 (9th Cir. 2011).
DaimlerChrysler, 547 U.S. at 352 (quoting Allen v. Wright, 468 U.S. 737, 752 (1984)); see also Chandler v. State Farm Mut. Auto. Ins. Co., 598 F.3d 1115, 1121-22 (9th Cir. 2010).
B. Rule 12(b)(6)
A complaint must contain "a short and plain statement of the claim showing that the pleader is entitled to relief." If a plaintiff fails to proffer "enough facts to state a claim to relief that is plausible on its face," the complaint may be dismissed for failure to state a claim upon which relief may be granted. A claim is facially plausible "when the pleaded factual content allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged." Accordingly, under Fed. R. Civ. P. 12(b)(6), which tests the legal sufficiency of the claims alleged in the complaint, "[d]ismissal can be based on the lack of a cognizable legal theory or the absence of sufficient facts alleged under a cognizable legal theory." "A formulaic recitation of the elements of a cause of action will not do."
Bell Atlantic Corp. v. Twombly, 550 U.S. 544, 570 (2007).
Ashcroft v. Iqbal, 556 U.S. 662, 663 (2009).
Balistreri v. Pacifica Police Dep't, 901 F.2d 696, 699 (9th Cir. 1990).
Bell Atl. Corp. v. Twombly, 550 U.S. 544, 555 (2007).
On a motion to dismiss, the court must accept all material allegations in the complaint as true and construe them in the light most favorable to the non-moving party. The court's review is limited to the face of the complaint, materials incorporated into the complaint by reference, and matters of which the court may take judicial notice. However, the court need not accept as true allegations that are conclusory, unwarranted deductions of fact, or unreasonable inferences.
See Metzler Inv. GMBH v. Corinthian Colls., Inc., 540 F.3d 1049, 1061 (9th Cir. 2008).
See id. at 1061.
See Sprewell v. Golden State Warriors, 266 F.3d 979, 988 (9th Cir. 2001); see also Twombly, 550 U.S. at 561 ("a wholly conclusory statement of [a] claim" will not survive a motion to dismiss).
"Dismissal with prejudice and without leave to amend is not appropriate unless it is clear . . . that the complaint could not be saved by amendment."
Eminence Capital, LLC v. Asopeon, Inc., 316 F.3d 1048, 1052 (9th Cir. 2003).
III. DISCUSSION
PTC advances two arguments for dismissing Flextronics' complaint. First, it focuses on the CFAA and CDAFA claims and argues that Flextronics has not alleged sufficient injury to establish Article III standing. Second, it argues that even if standing exists, Flextronics has failed to plead critical elements to sustain each of its claims. Neither argument is persuasive.
A. Flextronics Has Suffered Sufficient "Injury-In-Fact" To Establish Article III Standing
The Ninth Circuit has made it clear that Article III standing can be established by virtue of the violation of statutory rights. Where a statue "can be understood as granting persons in the plaintiff's position a right to judicial relief," a right giving rise to standing has been created. The CFAA prohibits "a number of different computer crimes, the majority of which involve accessing computers without authorization or in excess of authorization, and then taking specified forbidden actions, ranging from obtaining information to damaging a computer or computer data." The CFAA further recognizes a private right of action for anyone who has suffered "loss" through a violation of its provisions. Although the Ninth Circuit has not yet ruled on whether costs of investigation may be included in the calculation of loss under the CFAA, in cases of an alleged security breach, this court has accepted that theory. Similarly, the CDAFA authorizes a civil suit for the victim of a computer crime to recover "any expenditure reasonably and necessarily incurred by the owner or lessee to verify that a computer system, computer network, computer program, or data was or was not altered, damaged, or deleted" by the alleged unauthorized access.
See Edwards v. First Am. Corp., 610 F.3d 514, 517 (9th Cir. 2010) (quoting Warth v. Seldin, 422 U.S. 490, 500 (1975)); see also In re Zynga Privacy Litig., Case No. 12-cv-15619, 2014 WL 1814029, at *5 n.5 (9th Cir. May 8, 2014) ("Because the plaintiffs allege that Facebook and Zynga are violating statutes that grant persons in the plaintiffs' position the right to judicial relief, we conclude they have standing to bring this claim.").
See Cantrell v. City of Long Beach, 241 F.3d 674, 684 (9th Cir. 2001).
LVRC Holdings LLC v. Brekka, 581 F.3d 1127, 1131 (9th Cir. 2009).
See Enki Corp. v. Freedman, Case No. 5:13-cv-02201-PSG, 2014 WL 261798, at *2 (N.D. Cal. Jan. 23, 2014) (citing Facebook, Inc. v. Power Ventures, Inc., 844 F. Supp. 2d 1025, 1039 (N.D. Cal. 2012) ("Costs associated with investigating intrusions into a computer network and taking subsequent remedial measures are losses within the meaning of the statute."); Multiven, Inc. v. Cisco Sys., Inc., 725 F. Supp. 2d 887, 895 (N.D. Cal. 2010); SuccessFactors, Inc. v. Softscape, Inc., 544 F. Supp. 2d 975, 981 (N.D. Cal. 2008) (holding that "where the offender has actually accessed protected information, discovering who has that information and what information he or she has is essential to remedying the harm" and therefore qualifies as loss under the CFAA)).
Here, Flextronics has alleged that "the investigation into and response to PTC's unlawful conduct has imposed costs and expenses to Flextronics aggregating more than $5,000 in at least one single year period," and thus sufficiently alleged a cognizable injury under the CFAA. Because the CFAA and the CDAFA clearly intended to grant persons in such a position a right to judicial relief, Flextronics has met the threshold for Article III standing on those claims.
PTC argues that this allegation is too conclusory to demonstrate loss, but as this court explained in Enki, it is sufficient that a plaintiff allege that its computer system and the information it contains is no longer secure as a result of the defendant's actions. See id.
B. Flextronics Has Alleged Sufficient Facts To State Claims Under Rule 12(b)(6)
1. Flextronics Alleges Use Of Its Systems "In A Manner That Exceeds Authorized Access" Under The CFAA
PTC challenges Flextronics' CFAA claim on two grounds: (1) the complaint does not show that Flextronics suffered a "loss" of at least $5,000, and (2) Flextronics fails to allege facts indicating that PTC accessed its system "without authorization" or "in a manner that exceeds authorized access." Having considered and rejected the first argument above, the court moves directly to the second.
Id.
Presented with an explicit allegation that "[w]ithout notice to or authorization from Flextronics, PTC has concealed certain embedded technology in the PTC software provided to Flextronics [and] used that hidden technology to access, obtain, and transmit information in Flextronics' computers that PTC is not entitled to access, obtain, or transmit," followed by almost five pages of details about how it does so, PTC nonetheless argues that it cannot be held to have hacked Flextronics' computers because Flextronics voluntarily installed the software. This might be a sufficient defense if the standard were limited to access "without authorization," but the CFAA also reaches one "who's authorized to access only certain data or files but accesses unauthorized data or files." Flextronics alleges that PTC did exactly that in paragraphs twenty-nine through thirty-one of the operative complaint. These paragraphs list the types of information to which PTC gained access, and specifically state that "PTC is not entitled to access, obtain, alter, or transmit" that information. This is precisely the type of detail required by Iqbal and Twombly, and the type of excess access contemplated by Nosal. Whether or not Flextronics will be able to prove up these claims remains to be seen, but at this stage, when all allegations are accepted as true, they suffice.
See Docket No. 168 at 12 ("Having voluntarily installed PTC software on its computers, Flextronics cannot argue that PTC has 'accessed' its system 'without authorization.'").
See Nosal, 676 F.3d at 857.
See Docket No. 169 at ¶¶ 29-31.
Id.
See Nosal, 676 F.3d at 857 (holding that an employee authorized to access certain files on a computer violates the CFAA when he accesses files not explicitly authorized). This portion of the complaint has been filed under seal, so the court will not recount the details here.
2. Flextronics Successfully Pleads A Claim Under Section 502(c)(8)
The CDAFA imposes liability where an alleged hacker "knowingly" takes one or more actions related to computers; 8 of the 9 subsections also require that these actions be taken "without permission." This district has interpreted the phrase "without permission" to require that the defendant have accessed the computer system "in a manner that overcomes technical or code-based barriers."
In re iPhone Application Litig., Case No. 5:11-md-02250-LHK, 2011 WL 4403963, at (N.D. Cal. Sept. 20, 2011) (citing Facebook, Inc. v. Power Ventures, Inc., Case No. 4:08-cv-05870-JW, 2010 WL 3291750, at *11 (N.D.Cal. July 20, 2010)).
In this iteration of the complaint, Flextronics argues that PTC violated Sections 502(c)(2), (3), (6), (7) and (8). PTC advances three arguments for the dismissal of Flextronics' CDAFA claims. First, it argues that because the software at issue was installed alongside other, authorized software, Flextronics has failed to allege that PTC acted "without permission," as required by subsections (2), (3), (6) and (7). Second, it argues that because PTC's software does not "usurp the normal operation" of Flextronics' computer systems, it does not constitute a "computer contaminant" under subsection (8)A. Third, PTC argues that Flextronics has not suffered the necessary "loss or damages" to support a CDAFA claim. Again, because the court has already rejected the "loss or damages" theory, it will not rehash the discussion here; suffice to say PTC's arguments are no more compelling in this context than in others.
See Docket No. 168 at 17-18.
a) Because Flextronics Acknowledges That It Installed Some Portion Of PTC's Software Voluntarily, The Embedded Technology That Accompanied Was Not Installed "Without Permission"
This court has previously held that in order to take an action "without permission" under the CDAFA, a defendant must overcome some technical or code barrier to do so. On its face, the operative complaint would appear to meet this requirement, as Flextronics repeatedly alleges that the software "evades and circumvents the firewalls and other security measures put in place by Flextronics to secure its confidential and proprietary data." However, PTC contends that here, whether or not the software overcame a technical barrier is irrelevant. Instead, it argues that because Flextronics voluntarily gave permission to install some portion of PTC's software on its computers, any additional code installed at the same time was also installed with permission. This argument has been adopted in many other cases in this district. These cases hold that when software containing "surreptitious code" is installed voluntarily by a plaintiff, a defendant has not accessed the plaintiff's computer "without permission," even if the plaintiff was unaware of the "surreptitious code" when he or she installed the software.
See Enki, 2014 WL 261798, at *2 (citing Facebook, Inc. v. Power Ventures, Inc., 844 F. Supp. 2d 1025, 1039 (N.D. Cal. 2012)).
See Docket No. 161-4 at ¶¶ 4, 26, 32, 39.
See Docket No. 168 at 17.
See, e.g., Opperman v. Path, Inc., 4:13-cv-00453-JST, 2014 WL 1973378, at *20 (N.D. Cal. May 14, 2014); In re Google Android Consumer Privacy Litig., 4:11-md-02264 JSW, 2013 WL 1283236, at *12 (N.D. Cal. Mar. 26, 2013); In re iPhone Application Litig., Case No. 5:11-md-02250-LHK, 2011 WL 4403963, at *12 (N.D. Cal. Sept. 20, 2011).
In re iPhone Application Litig., 2011 WL 4403953 at *12.
Flextronics presents no argument whatsoever as to how this case is distinguishable from that line. In each of the above cited cases, a plaintiff installed software with code that, unbeknownst to the plaintiff, secretly collected and transmitted personal data to third parties. That is precisely what Flextronics alleges happened here; it installed PTC software that, unbeknownst to Flextronics, secretly collected and transmitted data back to PTC. Absent any argument to the contrary, the undersigned joins his colleagues in holding that an unknown file or subroutine of otherwise voluntarily installed software cannot be said to have been installed on the computer "without permission" in violation of the CDAFA.
b) Flextronics' Successfully Alleges That PTC Introduced A Computer Contaminant To Its System Within The Meaning of Section 502(b)(10) and Section 502(c)(8)
Section 502(c) delineates the actions that may subject a "hacker" to civil and criminal liability under the CDAFA. With one exception, each of the 9 subsections require that the action be taken "knowingly and without permission." That one exception is subsection (c)(8), which requires only that the defendant "[k]nowingly introduce[] any computer contaminant into any computer." A computer contaminant is defined in Section 502(b)(10) as "any set of computer instructions that are designed to modify, damage, destroy, record, or transmit information within a computer, computer system, or computer network without the intent or permission of the owner of the information." PTC argues that the use of phrase "without the intent or permission of the owner" in Section 502(b)(10) means that courts must effectively apply Section 502(c)(8) as though it contained the same "and without permission" language as Section 502(c)(1-7) and (9). Under this theory, Flextronics' claim under Section 502(c)(8) would fail for the same reason that all its other CDAFA claims fail: Flextronics voluntarily installed at least some of the software.
See also In re Google Inc. Cookie Placement Consumer Privacy Litigation, Case No. 12-2358-SLR, 2013 WL 5582866, at *9 (D. Del. Oct. 9, 2013).
See Docket No. 168 at 18.
This court cannot agree. First and foremost, such a conclusion is at odds with the text of the statute. When read in conjunction with subsection (b)(10), subsection (c)(8) sets out two verb clauses: introduce and modify/damage/destroy/record/transmit. As a matter of plain language, the phrase "without the intent or permission of the owner" in subsection (b)(10) modifies the verb modify/damage/destroy/record/transmit, whereas the phrase "and without permission," as used throughout subsection (c), modifies the verb introduce. Under the other provisions of subsection (c), the phrase "and without permission" appears directly next to and modifies the first, operative verb of the subsection, which describes the human conduct prohibited by the statute. The legislature wrote Section 502(c)(8) differently, and that drafting choice must be given deference in interpreting the statute. As such, the placement of "without permission" in a different location in subsection (b)(10) and (c)(8) gives it a different meaning. The plain language of the statute leads the court to conclude that in order to state a claim for conduct in violation of Section 502(c)(8), a plaintiff need only allege that the actions of the contaminant (modify/damage/destroy/record/ transmit) were undertaken by overcoming a technical barrier without the permission of the owner; the introduction of the contaminant to the system need not surmount the same hurdle.
See BP Am. Prod. Co. v. Burton, 549 U.S. 84, 91 (2006) ("We start, of course, with the statutory text."); BedRoc Ltd., LLC v. United States, 541 U.S. 176, 183 (2004) ("[O]ur inquiry begins with the statutory text, and ends there as well if the text is unambiguous.").
It is important to note that any transmission, modification, etc. by the computer contaminant must overcome a technical barrier in order to create liability. If it does not overcome or bypass such a barrier, or if the plaintiff has tendered consent to do so, then the action would not be taken "without permission." If, for example, PTC's "hidden, embedded technology" obtained Flextronics' consent to transmit bug information, crash reports, etc., then liability would not attach here.
This conclusion is in line with legislature's aim in subsections (b)(10) and (c)(8). The drafters spelled out that they intended this provision to encompass things including, but not limited to, "a group of computer instructions commonly called viruses or worms." One common type of computer virus is the "Trojan Horse," which secures the permission of the system owner by claiming to do one thing, such as launch a game or stream of digital media, and then does something different or extra after it has been accepted. Under PTC's proposed interpretation, someone who introduced a Trojan Horse to a computer system would not be subject to liability under the CDAFA, even though the legislature specifically noted that it intended this subsection to capture individuals responsible for the spread of computer viruses. Where, as here, the plain language of the statute leads to an interpretation in line with the stated objective of a statute, that interpretation is the correct one.
See id.
Other courts have reached a different conclusion. See, e.g., Opperman, 2014 WL 1973378 at *20; In re Google Android Consumer Privacy Litig, 2013 WL 1283236 at *12; In re iPhone Application Litig., 2011 WL 4403953 at *12. However, those cases did not address the textual concerns raised above nor are their conclusions in line with the stated objective of the statute.
Flextronics has sufficiently plead just such a claim. Paragraphs twenty-five to forty-six describe the "hidden embedded technology" that PTC "caused to be installed" on Flextronics' computers. This technology undisputedly qualifies as a set of computer instructions for purposes of the CDAFA. PTC also does not contest that the technology is alleged to transmit information within the computer system, or that it does so "without the intent or permission" of the owners of the information. Flextronics thus has successfully plead the basic requirements for a CDAFA claim under Section 502(c)(8).
See Docket No. 161-4 at ¶¶ 25-46.
PTC attempts to argue that because the technology does not "usurp the normal operation of the computer," it does not qualify as a "contaminant." However, that argument misinterprets an illustrative phrase at the end of a list of possible ways things that a set of computer instructions might do to be considered a "contaminant." Earlier in that same sentence, the statute teaches that a set of instructions which "consume computer resources, modify, destroy, record, or transmit data" may also be considered a contaminant. Here, again, Flextronics clearly alleges that the embedded software transmitted data from its computers, bringing it squarely within the purview of the statutory definition.
See Docket No. 161-4 at ¶ 34.
Flextronics' claim under the CDAFA may thus proceed under Section 502(c)(8) alone.
3. Flextronics Has Reinforced Its Common Law Claims With Sufficient Factual Allegations To Proceed On Those Claims
In this court's prior order, it ruled that "[b]ecause Flextronics has not alleged that [its] data was in any way degraded by PTC's actions or that it was deprived of use of the data for any period of time," Flextronics' claim for trespass to chattels had to be dismissed. In the operative complaint, they have fixed that error in paragraphs thirty-nine through forty-two. These paragraphs provide far more than a conclusory statement that, "Flextronics' systems have been harmed," offering instead the specific harms that its data and its systems have suffered as a result of PTC's actions. What's more, after Flextronics pointed out these paragraphs in its opposition to the instant motion, PTC offered no argument in its reply that they were insufficient. PTC's motion as to the trespass to chattels claim is therefore denied. Flextronics does not, however, plead the requisite intentionality to also sustain a claim for conversion, the big brother of trespass to chattels, so that claim will be dismissed.
See id at ¶¶ 39-42.
5 Witkin, Summary Torts, § 710 (10th ed. 2005)
C. Flextronics Is Entitled To A Jury On All But The Contract Claims
PTC puts forth one final request in asking that the court strike Flextronics' jury demand in light of the jury waiver that was present in the original Enterprise Agreement between Flextronics and PTC. That waiver, however, only applied to disputes regarding the contract. In the operative complaint, Flextronics has alleged several causes of action that do not stem from the contractual relationship. In these circumstances, the Ninth Circuit has held that absent language in a jury waiver indicating that the parties contemplated that the waiver would apply beyond the contract, it will not bar a jury demand for statutory claims arising from only tangentially related actions. PTC's motion to strike is therefore denied.
See Docket No. 168 at 21.
See Tracer v. Nat'l Envtl. Servs. Co., 42 F.3d 1292, 1295 (9th Cir. 1994).
IV. CONCLUSION
PTC's motion to dismiss is GRANTED-IN-PART. Flextronics' claim for conversion is dismissed without prejudice and with leave to amend, but its claims under the CFAA, Section 502(c)(8) of the CDAFA, and for trespass to chattels have now cleared the bar set by Rule 12(b)(6). Flextronics' jury demand is also effective as to all but the contractual, declaratory judgment claim. Any further amended complaint shall filed by June 28, 2014.
IT IS SO ORDERED.
__________
PAUL S. GREWAL
United States Magistrate Judge