Opinion
21-cv-04895-JST
07-12-2023
VOLKSWAGEN GROUP OF AMERICA, INC., Plaintiff, v. SMARTCAR, INC., Defendant.
ORDER GRANTING IN PART AND DENYING IN PART MOTION TO DISMISS
Re: ECF No. 58
JON S. TIGAR United States District Judge
Before the Court is a motion to dismiss brought by Defendant Smartcar, Inc. (“Smartcar”). ECF No. 58. For the reasons set forth below, the Court will grant the motion in part and deny it in part, with leave to amend.
The unredacted version of the motion to dismiss was filed as ECF number 57-3.
I. BACKGROUND
For purposes of resolving this motion, the Court accepts as true the following allegations from the First Amended Complaint (“FAC”), ECF No. 54. In re Splunk Inc. Sec. Litig., 592 F.Supp.3d 919, 926 (N.D. Cal. 2022).
Plaintiff Volkswagen Group of America, Inc. (“VW” or “VWGoA”) is a wholly-owned subsidiary of the German company Volkswagen AG. ECF No. 54 ¶ 7. It manages the American operations of Volkswagen AG car brands, which include Volkswagen and Audi. Id. VW is responsible for protecting the trademarks of Volkswagen AG and Audi AG in the United States (“Trademarks”). Id. ¶ 8.
VW offers drivers of Volkswagen and Audi vehicles optional connectivity services, including Car-Net, Audi connect, and myAudi (collectively, the “Services”), which allow drivers to connect to and control their vehicles using their smartphones and computers. Id. ¶ 10. “The Services are designed to provide enhanced access, as well as increased security, safety, and important vehicle status information to Volkswagen and Audi drivers.” Id. In connection with the Services, VW has engaged and executed agreements with third-party providers and app developers. Id. ¶ 11. VW evaluates these providers to ensure that any provider service or third-party app that has access to the Car-Net and Audi connect networks (collectively, the “Networks”) meets VW's high standards for compatibility, interoperability, functionality, security, and safety. Id. This approval process further assists VW in monitoring access to its Networks to ensure there is no unauthorized access. Id. To maintain the security and integrity of its Networks, VW will suspend or terminate accounts if it identifies bad actors accessing the Networks. Id.
Defendant Smartcar develops and offers application programming interfaces (“APIs”), which allow third-party apps to communicate with connected vehicles to exchange information in order to enable control over the vehicle, such as to lock and unlock the vehicle, manage electrical charging, and issue digital car keys. Id. ¶ 12. Smartcar promotes and sells its APIs on its website. Id. ¶ 12. VW has not authorized Smartcar to access the Services or the Networks. Id. ¶ 14. Nevertheless, Smartcar's APIs allegedly provide third-party apps with access to the Services and Networks, thereby circumventing VW's selection and approval process for authorized third-party providers and app developers. Id. ¶ 15. VW does not have the capability to know which apps are accessing the Systems and Networks with Smartcar's APIs, or to prevent such apps from accessing the Systems and Networks. Id. Thus, VW's customers are exposed to risk to the extent that the third-party apps lack sufficient security safeguards or sufficient interoperability with the Systems and Networks. Id.
VW has not authorized Smartcar to use the Trademarks in connection with Smartcar or its APIs. Id. ¶ 14. Smartcar's website allegedly makes gratuitous use of the Trademarks in connection with Smartcar's APIs in a manner that gives the false impression that Smartcar's APIs have been approved by, sponsored by, or are affiliated with VW. Id. ¶¶ 13-14, 16, 29. Smartcar also claims on its website that its APIs are compatible with all Volkswagen and Audi car models supporting the Services, and that it is “the best way to build apps” for Volkswagen and Audi vehicles. Id. ¶ 13.
In May 2016, Smartcar and VW entered into a mutual non-disclosure agreement (“NDA”) in connection with the parties' discussions as to a potential business relationship for app development and other developer platform work. Id. ¶ 17. As part of the NDA, VW provided Smartcar with user login credentials to access the Networks, which VW alleges could be used only for the limited business purpose identified in the NDA, namely “discussing a potential business relationship for cloud services, app development or developer platform work around embedded telematics for vehicles.” Id. As part of the NDA, Smartcar built an adapter that allows vehicles connected to the Networks to leverage Smartcar's API protocols. Id. In May 2017, VW elected not to proceed with a business relationship and notified Smartcar of this decision. Id.
In August 2019, VW learned that Smartcar had nonetheless proceeded to develop APIs that enabled access to the Networks. Id. ¶ 18. Upon learning this, in August 2019, VW put Smartcar's CEO, Sahas Katta, on notice that Smartcar's activities were not permitted and any access to the Networks was unauthorized. Id. As of that moment, any perceived authorization to access the Networks was explicitly rescinded. Id. ¶ 50. VW reiterated this position in a November 2020 cease-and-desist letter to Smartcar. Id. ¶ 18. Despite VW's notices, Smartcar continued to knowingly access the Networks without VW's authorization. Id.
Smartcar achieved compatibility of its APIs with the Services and Networks by accessing the Networks without authorization by (1) misusing the user credentials and other confidential information that VW provided to Smartcar pursuant to the NDA; (2) requiring users of third-party apps that use Smartcar's APIs to enter their confidential login credentials for accessing the Services and Networks into the third-party apps so that Smartcar could then use those credentials to gain unauthorized access to the Services and Networks; and (3) using a headless browser to appear as a legitimate VW customer to covertly access portions of the Networks not normally accessible to VW customers. Id. ¶¶ 19-20, 48-49.
VW avers that Smartcar's unauthorized access of the Services and Networks has caused it various types of harm, see id. ¶¶ 21-23, and that Smartcar's conduct breached the terms of service for the Services, id. ¶ 24.
On June 25, 2021, VW filed the initial iteration of the complaint, in which it asserted against Smartcar claims (1) for false association in violation of the Lanham Act, 15 U.S.C. § 1125(a); (2) under California's Unfair Competition Law (“UCL”), Cal. Bus. & Prof. Code § 17200, et seq.; (3) under the Computer Fraud and Abuse Act (“CFAA”), 18 U.S.C. § 1030; (4) under California's Comprehensive Data Access and Fraud Act (“CDAFA”), Cal. Penal Code § 502; (5) for breach of contract based on breach of the terms of service for the Services; (6) for breach of contract based on breach of the NDA; (7) for trespass to chattels; and (8) for tortious interference with the terms of service for the Services. ECF No. 1.
On August 19, 2021, Smartcar moved to dismiss those claims under Rules 12(b)(6) and 12(b)(1). ECF No. 19. On July 7, 2022, the Court (1) denied the motion with respect to VW's claim for false association in violation of the Lanham Act, 15 U.S.C. § 1125(a), and its claim under the CDAFA; and (2) granted the motion, with leave to amend, with respect to all other claims. See ECF No. 51.
On August 4, 2022, VW filed the FAC, in which it asserts the same claims as in the original complaint, except that VW no longer asserts claims for trespass to chattels and tortious interference with the terms of service for the Services. ECF No. 54.
Now before the Court is Smartcar's motion under Rule 12(b)(6) to dismiss all claims in the FAC, except for the two claims that survived its prior motion to dismiss, namely the claims for false association in violation of the Lanham Act and the claim under the CDAFA. ECF No. 57-3. VW opposes the motion. ECF No. 63.
II. JURISDICTION
The Court has subject matter jurisdiction under 28 U.S.C. § 1331.
III. LEGAL STANDARD
A complaint must contain “a short and plain statement of the claim showing that the pleader is entitled to relief.” Fed.R.Civ.P. 8(a)(2). A complaint need not contain detailed factual allegations, but facts pleaded by a plaintiff must be “enough to raise a right to relief above the speculative level.” Bell Atl. Corp. v. Twombly, 550 U.S. 544, 555 (2007). To survive a Rule 12(b)(6) motion to dismiss, a complaint must contain sufficient factual matter that, when accepted as true, states a claim that is plausible on its face. Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009). “A claim has facial plausibility when the plaintiff pleads factual content that allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged.” Id. The Court must “accept all factual allegations in the complaint as true and construe the pleadings in the light most favorable to the nonmoving party.” Knievel v. ESPN, 393 F.3d 1068, 1072 (9th Cir. 2005).
IV. DISCUSSION
A. UCL
“The UCL prohibits, and provides civil remedies for, unfair competition, which it defines as ‘any unlawful, unfair or fraudulent business act or practice.'” Kwikset Corp. v. Superior Ct., 51 Cal.4th 310, 320 (2011) (quoting Cal. Bus. & Prof. Code § 17200). “Each prong of the UCL is a separate and distinct theory of liability[.]” Kearns v. Ford Motor Co., 567 F.3d 1120, 1127 (9th Cir. 2009) (citation omitted). “A claim that sufficiently pleads any one of these prongs survives a motion to dismiss.” MacDonald v. Ford Motor Co., 37 F.Supp.3d 1087, 1097 (N.D. Cal. 2014) (citation omitted). A plaintiff must establish that it has standing to bring a claim under the UCL by showing that it “has suffered injury in fact and has lost money or property” as a result of the alleged unfair competition that gives rise to the claim. See Cal. Bus. & Prof. Code § 17204.
VW brings a claim under the UCL based on two theories of liability. The first theory is based on its claim for false association in violation of the Lanham Act, 15 U.S.C. § 1125(a)(1)(A). VW alleges that Smartcar uses the Trademarks on its website gratuitously and in a manner that gives the false impression that VW is associated with Smartcar's APIs and third-party apps that use Smartcar's APIs, even though that is not the case. See FAC ¶¶ 25-35. The second theory is based on allegations that Smartcar “has used unfair, deceptive, untrue, or misleading advertising” in violation of the UCL by promoting its APIs on its website in a manner that gives the false impression that VW has approved Smartcar's APIs and any third-party apps using the APIs, even though VW has not done so. See id. ¶¶ 36-38.
In the section of the FAC that sets forth VW's UCL claim, VW incorporates by reference its allegations in support of its claim for false association in violation of the Lanham Act. See FAC ¶ 35.
In its prior motion to dismiss, Smartcar argued that VW's UCL claim was subject to dismissal for two independent reasons: (1) that the UCL claim failed to the extent it was predicated on VW's claim for false association in violation of the Lanham Act because, according to Smartcar, the Lanham Act claim was “meritless”; and (2) that the UCL claim failed because VW did not allege sufficient facts to demonstrate that it suffered the requisite economic injury for UCL standing. See ECF No. 19 at 14-15.
In its order of July 7, 2022, the Court rejected Smartcar's first argument and held that, because the Court denied Smartcar's motion to dismiss the claim for false association in violation of the Lanham Act, VW's UCL claim was not subject to dismissal on the basis that VW's Lanham Act claim was not viable. ECF No. 51 at 5-6. However, the Court accepted Smartcar's second argument that VW had not alleged sufficient facts to establish UCL standing, and it dismissed the claim on that basis, with leave to amend. Id. The Court reasoned that VW did not plausibly allege that it had suffered the type of economic injury required for UCL standing because its allegations were limited to conclusory statements that it had been “damaged” by the alleged “false association,” and because VW did not “say anything about diminution in value or loss of consumer goodwill” in the complaint. Id. at 6.
Smartcar moves to dismiss VW's UCL claim once again. First, Smartcar argues that, because the UCL claim is premised on allegations of “unfair, deceptive, untrue, or misleading advertising,” the UCL claim sounds in fraud and VW must, therefore, satisfy the requirements of Rule 9(b) and plead consumer reliance on Smartcar's alleged misrepresentations, which VW has not done. Second, Smartcar contends that VW has not shown that it has UCL standing, because it has not plausibly alleged that it suffered an economic injury caused by Smartcar's allegedly misleading advertising.
VW responds that it brings its UCL claim under the unlawful prong only, with the predicate violation being its claim for false association in violation of the Lanham Act, which is not based on any alleged fraudulent conduct by Smartcar. ECF No. 63 at 10-11. VW argues that, because its unlawful-prong claim is predicated exclusively on an alleged unlawful business practice that does not involve fraud, the claim is not subject to Rule 9(b) and VW is not required to plead consumer reliance on any alleged misrepresentations. VW further argues that it has established that it has UCL standing because it alleges that it has suffered economic injury in the form loss of goodwill, reputational harm, loss of quality control over the Trademarks, loss of reliable and monetizable data, and loss of revenue. Id. at 13-14.
The Court interprets this argument as a concession by VW that it does not wish to proceed with the second theory of UCL liability alleged in the FAC, which is premised on averments that Smartcar's promotion of its APIs on its website constitutes “unfair, deceptive, untrue, or misleading advertising” in violation of the UCL. See, e.g., FAC ¶¶ 36-38.
The Court agrees with VW. First, VW can rely on its claim for false association in violation of the Lanham Act to plead a claim under the unlawful prong of the UCL. The UCL “borrows violations of other laws and treats them as unlawful practices that the unfair competition law makes independently actionable.” Davis v. HSBC Bank Nevada, N.A., 691 F.3d 1152, 1168 (9th Cir. 2012) (citations omitted). “Accordingly, to state a claim under the unlawful prong of the UCL, a plaintiff must sufficiently plead a predicate violation.” MacDonald, 37 F.Supp.3d at 1097. VW has done so here. VW's claim for false association in violation of the Lanham Act survived Smartcar's previous motion to dismiss, and that claim can, therefore, serve as a predicate violation for VW's claim under the UCL's unlawful prong. See 6th St. Partners, LLC v. Bd., No. CV 21-6595-RSWL-JPRX, 2022 WL 1570630, at *5 (C.D. Cal. Mar. 17, 2022) (denying motion to dismiss unlawful-prong claim on the ground that the plaintiff “sufficiently pleaded its first cause of action” for false association in violation of the Lanham Act).
Smartcar does not distinguish or otherwise address 6th Street Partners in its reply even though VW cited that case for the proposition that its unlawful-prong UCL claim is sufficiently pleaded to the extent that its predicate is its claim for false association in violation of the Lanham Act.
Smartcar argues that VW cannot rely on the alleged violation of the Lanham Act as the predicate for its unlawful-prong claim unless VW supports the claim with allegations that consumers relied on Smartcar's alleged misrepresentations. See ECF No. 67 at 15-16. The Court disagrees. A plaintiff must allege consumer reliance to establish the requisite causation between the plaintiff's economic injury and the defendant's conduct (i.e., to establish UCL standing) where the UCL claim is “based on a fraud theory involving false advertising and misrepresentations to consumers.” See Kwikset, 51 Cal.4th at 326 (citation and internal quotation marks omitted). This is because “reliance is the causal mechanism of fraud[.]” See id. (citation and internal quotation marks omitted). But this is not a fraud claim. VW is not required to allege consumer reliance because its unlawful-prong claim is predicated only on its claim for false association in violation of the Lanham Act. A claim for false association in violation of the Lanham Act turns on whether the defendant's use of the plaintiff's mark is likely to cause confusion, and it does not require allegations of fraudulent conduct. Where, as here, a UCL claim is based on an unlawful business practice that is not based on a theory of fraud, Kwikset's consumer reliance requirement is irrelevant. See 6th St. Partners, 2022 WL 1570630, at *3 (“Courts require an additional showing of actual reliance only where the plaintiff's claim is based on a defendant's misrepresentations or fraudulent conduct.... Here, Plaintiff's [unlawful-prong] claim is not rooted in fraudulent conduct but rather in Defendants' ‘unlawful and unfair trade practices' in using the Mark and causing consumer confusion” in violation of the Lanham Act).
See 6th St. Partners, 2022 WL 1570630, at *3 (“To prevail on Plaintiff's first cause of action for trademark infringement under 15 U.S.C. § 1125(a), Plaintiff must show that: (1) it has a valid, protectible trademark; and (2) Defendants' use of the mark is likely to cause confusion.”).
Second, VW has alleged sufficient facts to show that it has UCL standing. To establish UCL standing, a plaintiff must “(1) establish a loss or deprivation of money or property sufficient to qualify as injury in fact, i.e., economic injury, and (2) show that that economic injury was the result of, i.e., caused by, the unfair business practice or false advertising that is the gravamen of the claim.” Kwikset, 51 Cal.4th at 321 (emphasis added). Alleged damage to goodwill is a cognizable economic injury under the UCL, because it constitutes harm to a property interest. See Kwikset, 51 Cal.4th at 323 (holding that “[t]here are innumerable ways in which economic injury from unfair competition may be shown” and they include “a present or future property interest diminished”); Obesity Rsch. Inst., LLC v. Fiber Rsch. Int'l, LLC, 165 F.Supp.3d 937, 948 n.1 (S.D. Cal. 2016) (holding that “[g]oodwill is a protected property interest and harm to goodwill is a cognizable injury” under the UCL); Soranno's Gasco, Inc. v. Morgan, 874 F.2d 1310, 1316 (9th Cir. 1989) (“California recognizes business goodwill as a property interest.”).
Here, VW avers that it has spent considerable resources identifying trusted vendors that adhere to its overall brand and security standards and has thereby developed goodwill in the industry. FAC ¶ 38. VW further alleges that the likelihood of confusion and false association caused by Smartcar's use of the Trademarks is damaging its goodwill, because it is likely to lure consumers into a false sense of security that VW is associated with and has vetted Smartcar's APIs and third-party apps that employ those API, even though VW neither is associated with them nor has vetted them. See id. ¶¶ 8, 28, 31, 33, 38-39. These allegations plausibly suggest that the likelihood of confusion and false association created by Smartcar's alleged misuse of the Trademarks is negatively impacting VW's ability to control its own goodwill in the industry, as well as the capacity of the Trademarks to indicate a single source of services. That sufficiently pleads an injury to VW's property interest in the form of its goodwill. See 5 J. Thomas McCarthy, McCarthy on Trademarks and Unfair Competition § 30:2.50 (5th ed.) (“[I]nfringement is a nofault commercial tort with injury presumed to flow from a likelihood of confusion over source, sponsorship, affiliation or connection.... Injury is presumed because if confusion is likely, it is also probable that the senior user's reputation is placed in the hands of another[.] . . . This probable loss of control over reputation and goodwill is presumed by the law to be an injury”) (citations omitted).
VW's averments, which raise the inference of a causal relationship between the likelihood of consumer confusion and false association resulting from Smartcar's alleged use of the Trademarks (i.e., the gravamen of VW's unlawful-prong claim) and the alleged damage to VW's goodwill, are sufficient to confer UCL standing. See Rise Basketball Skill Dev., LLC v. K Mart Corp., No. 16-CV-04895-WHO, 2017 WL 2775030, at *5 (N.D. Cal. June 27, 2017) (holding that plaintiff “met § 17200's injury requirement” by alleging that the defendant's alleged use of a logo was likely to cause consumer confusion under the Lanham Act's standard and that this “w[ould] cause injury to [the plaintiff's] property interest” in the form of its “customer goodwill and brand strength”); Lauren Moshi, LLC v. Fuentes, No. CV186725DMGJPRX, 2020 WL 2303081, at *5 (C.D. Cal. Jan. 17, 2020) (holding that “alleged injury in the form of harm to the LA Logo, goodwill, and reputation in the marketplace” caused by the counter-defendant's alleged use of a logo was sufficient to confer UCL standing) (citation and internal quotation marks omitted).
The parties dispute whether other economic injuries alleged by VW, such as lost revenues, are sufficient to confer UCL standing. The Court need not reach those disputes, given that VW's allegations of damage to its goodwill are sufficient to confer UCL standing.
Smartcar argues that VW's allegations regarding damage to its goodwill are speculative and insufficient to plausibly allege an injury in fact. ECF No. 57-3 at 14-15. The Court is not persuaded. The authorities that Smartcar cites to support that argument are distinguishable.Smartcar has cited no case in which allegations of damage to goodwill arising out of the defendant's alleged use of the plaintiff's mark or logo were held to be insufficient to confer UCL standing.
In Foyer v. Wells Fargo Bank, N.A., No. 320CV00591GPCAHG, 2020 WL 3893031, at *13 (S.D. Cal. July 10, 2020), the UCL claim was predicated on violations of California statutes governing residential foreclosures and related loan proceedings. The court held that the plaintiffs' allegations of economic injury in the form of reputational harm and loss of goodwill were “conclusory” and insufficient to confer UCL standing because the plaintiffs did “not explain what they mean[t] by harm to their reputation or ‘goodwill,' or articulate how such harm can be traced to Defendant's conduct.” See id. Here, VW's allegations, discussed in detail above, do not suffer from the deficiencies identified in Foyer. In Marco Bicego S.P.A. v. Kantis, No. 17-CV-00927-SI, 2017 WL 2651985, at *4 (N.D. Cal. June 20, 2017), the UCL claim was premised on a cease-and-desist letter sent by the defendants to the plaintiffs stating that the plaintiffs were committing copyright and trademark infringement. The plaintiffs alleged that the letter constituted unfair competition in violation of the UCL because the letter had a “tendency to deceive the public in believing Plaintiffs are bad actors” and the letter could, therefore, damage their reputation. See id. (internal quotation marks omitted). The court held that UCL standing was lacking because the plaintiffs did not show that injury to their reputation caused by the cease-and-desist letter was a cognizable economic injury under the UCL. Here, by contrast, the alleged damage to VW's goodwill resulting from Smartcar's alleged use of the Trademarks is a type of economic injury that courts have recognized as cognizable for the purpose of UCL standing, as discussed above. In Birdsong v. Apple, Inc., 590 F.3d 955, 960 (9th Cir. 2009), the UCL claim was brought by purchasers of the Apple iPod based on the theory that the iPod was defective because it posed an unreasonable risk of noise-induced hearing loss. The Ninth Circuit held that the plaintiffs lacked UCL standing because the risk of hearing loss (i.e., the alleged injury) was conjectural and hypothetical as opposed to actual or imminent, as the plaintiffs did “not claim that they, or anyone else, have suffered or are substantially certain to suffer hearing loss from using an iPod.” See Id. at 960-61. Here, VW's allegations raise the inference that the alleged damage to its goodwill caused by Smartcar's use of the Trademarks is actual or imminent, and not conjectural or hypothetical as in Birdsong.
In light of the foregoing, VW plausibly pleads a claim under the UCL's unlawful prong predicated on its claim for false association in violation of the Lanham Act. The Court denies Smartcar's motion to dismiss as to that claim.
B. CFAA
“The CFAA prohibits acts of computer trespass by those who are not authorized users or who exceed authorized use.” Facebook, Inc. v. Power Ventures, Inc., 844 F.3d 1058, 1065-66 (9th Cir. 2016). “It creates criminal and civil liability for whoever ‘intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains . . . information from any protected computer.” Id. (quoting 18 U.S.C. § 1030(a)(2)). “The CFAA provides a private right of action for ‘[a]ny person who suffers damage or loss by reason of a violation of this section.'” Id. (quoting 18 U.S.C. § 1030(g)).
VW brings claims under both the “without authorization” and “exceeds authorized access” clauses of the CFAA. VW avers that Smartcar accessed the Networks “without authorization” because it did so after VW revoked Smartcar's authorization to access the Networks. See FAC ¶¶ 18, 48-52. In the alternative, VW alleges that, to the extent that Smartcar had authorization to access the Networks, Smartcar exceeded that authorization by using a headless browser to access and obtain data from the back-end of the Networks. Id. ¶ 52.
In its order of July 7, 2022, the Court granted Smartcar's motion to dismiss this claim with leave to amend on the grounds that (1) VW had not plausibly alleged that Smartcar accessed the Networks “without authorization,” as VW alleged three methods via which Smartcar allegedly accessed the Networks but only one of them was allegedly revoked by VW (i.e., the access granted pursuant to the NDA), suggesting that the other two methods (i.e., access via login credentials that were provided to Smartcar by VW customers, and access via login credentials that Smartcar obtained when its CEO allegedly purchased certain Volkswagen or Audi vehicles) remained authorized methods for accessing the Networks; and (2) VW had failed to allege that Smartcar exceeded any authorization it may have had to access the Networks, because VW's allegations suggested that Smartcar had used its authorization to access the Networks in violation of VW's terms of service, but accessing a protected computer in violation of terms of service does not give rise to a violation of the “exceeds authorized access” clause as a matter of law. ECF No. 51 at 7-9.
Smartcar moves to dismiss VW's CFAA claims once again, arguing that (1) VW fails to allege a cognizable loss under the CFAA, which is a requirement for filing a civil lawsuit for violations of the CFAA; and (2) VW fails to plausibly plead that Smartcar accessed the Networks without authorization or that Smartcar exceeded any authorization it had to access the Networks. The Court rejects these arguments.
1. Loss
Smartcar argues that VW has not plausibly alleged that it suffered the requisite loss to bring a civil claim for violations of the CFAA and that VW's claims under the “without authorization” and “exceeds authorized access” clauses fail on that basis.
As relevant here, a person who suffers “damage” or “loss” as a result of a CFAA violation may maintain a civil action for money damages and equitable relief if the violator's conduct involves one of five circumstances enumerated in 18 U.S.C. § 1030(c)(4)(A)(i). See 18 U.S.C. § 1030(g). The circumstance relevant here requires that the alleged CFAA violation have caused “loss to 1 or more persons during any 1-year period . . . aggregating at least $5,000 in value.” See 18 U.S.C. § 1030(c)(4)(A)(i)(I). The CFAA defines “loss” as any “reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service[.]” 18 U.S.C. § 1030(e)(11). “This is a narrow conception of loss” as it “clearly limits its focus to harms caused by computer intrusions, not general injuries unrelated to the hacking itself.” Andrews v. Sirius XM Radio Inc., 932 F.3d 1253, 1262 (9th Cir. 2019) (citations and internal quotation marks omitted). “Accordingly, any theory of loss must conform to the limited parameters of the CFAA's definition.” Id.
Here, VW alleges that it has incurred expenses in excess of $5,000 in one year as a result of “Smartcar's unauthorized access” to its Networks. See FAC ¶¶ 54-55. VW avers that these expenses qualify as a “loss” under 18 U.S.C. § 1030(e)(11) because they were incurred on “investigating,” “analyzing, and responding to Smartcar's unauthorized access” to its Networks. See id. ¶ 54.
Smartcar argues that these allegations are insufficient to raise the inference that VW suffered a “loss” of more than $5,000 in one year for two reasons, neither of which is persuasive.
First, Smartcar argues that, for VW's expenses to qualify as a cognizable a “loss,” VW must (but has failed to) allege facts showing that its expenses arise out of technological harms of the type that unauthorized access causes to computer systems and data. See NovelPoster v. Javitch Canfield Grp., 140 F.Supp.3d 954, 963 (N.D. Cal. 2014) (“[T]he plaintiff's costs are only cognizable where they arise from the investigation or repair of a damaged computer system or data, or from an ‘interruption of service.'”); hiQ Labs, Inc. v. LinkedIn Corp., 31 F.4th 1180, 1195 n.12 (9th Cir. 2022) (noting that the “civil remedies provision [of the CFAA] requires a showing of ‘technological harms-such as the corruption of files-of the type unauthorized users cause to computer systems and data”). Smartcar contends that VW has not satisfied this requirement because it “does not claim actual impairment of data or computer systems, only that it wishes it could monitor or control better the use of those systems.” ECF No. 57-3 at 25 (emphasis in the original). The Court disagrees. VW avers that Smartcar's purported violations of the CFAA decreased the accuracy of the data that VW collects from users, and removed VW's ability to monitor and control access to its own Networks, among other technological harms. See FAC ¶¶ 23, 54-55. These averments raise the inference that Smartcar's alleged violations of the CFAA caused actual impairment to the integrity or availability of VW's data and systems, which is a cognizable technological harm or “damage” under the CFAA. See 18 U.S.C. § 1030(e)(8) (defining “damage” as “any impairment to the integrity or availability of data, a program, a system, or information”). The expenses that VW allegedly incurred in investigating, analyzing, and responding to Smartcar's alleged CFAA violations plausibly arise out of these alleged technological harms.
Second, Smartcar contends that VW's allegations as to the expenses it allegedly incurred are conclusory and insufficient because VW does not “allege what type of investigation [VW] is claiming as a loss, including any details about any such investigation,” and because VW does not plead “how much it actually lost even in approximation.” ECF No. 57-3 at 24. Smartcar, however, cites no authority showing that a plaintiff is required to plead more detail than what VW has alleged as to the nature and magnitude of the costs it allegedly incurred. The non-binding authorities that Smartcar cites for the proposition that VW's allegations are inadequate are distinguishable. In those cases, the plaintiffs alleged facts that suggested that their alleged expenses either did not fall within the definition of “loss” under § 1030(e)(11) or could not be traced to the defendant's CFAA violations. VW's allegations do not suffer from those defects. The expenses that VW allegedly incurred, which VW alleges were caused by Smartcar's unauthorized access to the Networks, fall within the definition of “loss” under § 1030(e)(11) because they are associated with investigating, analyzing, and responding to an unauthorized intrusion into a computer network. See Mintz v. Mark Bartelstein & Assocs. Inc., 906 F.Supp.2d 1017, 1029 (C.D. Cal. 2012) (“[C]osts associated with investigating intrusions into a computer network and taking subsequent remedial measures are losses within the meaning of the [CFAA].”) (citation and internal quotation marks omitted); see also Facebook, 844 F.3d at 1066 (holding that plaintiff “suffered a loss under the CFAA” because its “employees spent many hours, totaling more than $5,000 in costs, analyzing, investigating, and responding to [the defendant's] actions”).
See United Fed'n of Churches, LLC v. Johnson, 598 F.Supp.3d 1084, 1097 (W.D. Wash. 2022) (holding that the plaintiff did not plead a cognizable “loss” because it alleged litigation expenses and losses arising out of a “lost ability to communicate” with users of a hacked webpage, which do not fall within the definition of “loss” under § 1030(e)(11)); Fish v. Tesla, Inc., No. SACV21060PSGJDEX, 2022 WL 1552137, at *8 (C.D. Cal. May 12, 2022) (holding that the plaintiff did not plead a cognizable “loss” because it alleged the loss of the value of hacked batteries, which does not fall within the definition of “loss” under § 1030(e)(11)).
See Reis, Inc. v. Lennar Corp., No. 15 CIV. 7905 (GBD), 2016 WL 3702736, at *6 (S.D.N.Y. July 5, 2016) (holding that alleged expenses related to the plaintiffs' investigation and damages assessment were not cognizable losses because the plaintiffs alleged facts suggesting that some of those expenses were incurred before the defendant's alleged unauthorized access and may not have been caused by the defendant's unauthorized access).
Accordingly, VW's CFAA claims are not subject to dismissal for failure to plead a “loss” of more than $5,000 in one year.
2. “Without authorization” clause
Smartcar argues that VW's CFAA claim under the “without authorization” clause must be dismissed because VW does not plausibly allege that Smartcar accessed the Networks without authorization.
A violation of the CFAA under the “without authorization” clause occurs when a person intentionally accesses a protected computer and obtains information from it “without authorization.” 18 U.S.C. § 1030(a)(2)(C). As relevant here, the Ninth Circuit has held that “a defendant can run afoul of the [“without authorization” clause] when he or she has no permission to access a computer or when such permission has been revoked explicitly.” Facebook, 844 F.3d at 1067 (emphasis added). “Once permission has been revoked, technological gamesmanship or the enlisting of a third party to aid in access will not excuse liability.” Id.
Here, VW alleges that Smartcar violated the “without authorization” clause because Smartcar accessed the Networks to obtain data after VW revoked Smartcar's authorization to access them via two separate notices. See FAC ¶¶ 18, 50-51. First, in August 2019, VW “put Smartcar's CEO Sahas Katta on notice that Smartcar's activities were not permitted and any access to [VW's] Networks was unauthorized and violated [VW's] rights.” Id. ¶ 18 (emphasis added). VW avers that this notice was sufficient to revoke “any perceived authorization” that Smartcar may have had to access the Networks. See id. ¶ 50. Second, in a November 2020 cease-and-desist letter sent by VW to Smartcar, VW “specifically demanded that Smartcar ‘[c]ease and desist offering [its] API in connection with Volkswagen or Audi vehicles . . .[and] cease and desist from using any data associated with [VWGoA's] services, including without limitation any login or password information of Volkswagen or Audi customers.'” Id. (ellipses and alterations in the original).
Smartcar argues that VW has not alleged a violation of the “without authorization” clause because VW has not plausibly averred that the November 2020 cease-and-desist letter revoked Smartcar's authorization to access the Networks. See ECF No. 57-3 at 25-30 (“This November 2020 Letter is insufficient for multiple reasons.”).
Because VW's “without authorization” claim is premised on Smartcar allegedly accessing the Networks after VW revoked its authorization via two separate notices, to obtain dismissal of the “without authorization” claim, Smartcar must show that neither of the two alleged notices revoked its authorization to access the Networks. In its motion, Smartcar attempts to show that the November 2020 notice was insufficient to revoke its authorization but it says nothing about the August 2019 notice. As noted, VW avers that the August 2019 notice was sufficient to rescind “any perceived authorization” Smartcar may have had to access the Networks, because it notified Smartcar's CEO that “any access” to the Networks was unauthorized. See FAC ¶¶ 18, 50. Because Smartcar has not shown that the August 2019 notice was insufficient to revoke Smartcar's authorization to access the Networks, VW's unchallenged allegations raise the inference that VW explicitly revoked Smartcar's access to the Networks via the August 2019 notice and that Smartcar's alleged access to the Networks after receiving that notice, via any means, was “without authorization.” See Facebook, 844 F.3d at 1067 (“Once permission has been revoked, technological gamesmanship or the enlisting of a third party to aid in access will not excuse liability.”); see also United States v. Nosal, 844 F.3d 1024, 1028 (9th Cir. 2016) (“[O]nce authorization to access a computer has been affirmatively revoked, the user cannot sidestep the statute by going through the back door and accessing the computer through a third party. Unequivocal revocation of computer access closes both the front door and the back door.”). This is sufficient to permit VW's “without authorization” claim to proceed past the pleading stage.
In the prior iteration of the complaint, VW did not allege that it notified Smartcar in August 2019 that “any access” by Smartcar to the Networks was unauthorized. See generally ECF No. 1. For that reason, when resolving Smartcar's prior motion to dismiss, the Court inferred that the August 2019 notice revoked only one of the three forms of authorized access to the Networks that Smartcar allegedly had (i.e., the access that VW granted to Smartcar under the NDA). See ECF No. 51 at 7.
For the sake of completeness, the Court briefly addresses Smartcar's arguments with respect to the alleged November 2020 cease-and-desist letter.
First, Smartcar argues that the letter and allegations in the FAC in support of VW's non-CFAA claims contain references to alleged violations of VW's terms of service by both VW customers who provided their login credentials to Smartcar, and by Smartcar itself. ECF No. 57-3 at 26. Smartcar contends that this means that VW's “without authorization” claim is premised on violations of the terms of service, which in turn means that the claim fails as a matter of law because terms-of-service violations cannot give rise to a claim under the “without authorization” clause. Id. Smartcar is correct that violating terms of service “without more. . . cannot establish liability under the CFAA.” See Facebook, 844 F.3d at 1067 (emphasis added). However, VW's “without authorization” claim is not premised on alleged violations of terms of service, but rather on Smartcar's unauthorized access to the Networks after VW allegedly revoked Smartcar's authorization, as discussed above. See FAC ¶¶ 18, 45-51. Accordingly, the claim is not subject to dismissal on the ground that it is premised on alleged violations of terms of service.
Second, Smartcar argues that, to the extent the “without authorization” claim is premised on a revocation theory, the claim fails because the November 2020 letter did not unequivocally revoke Smartcar's authorization to access the Networks. ECF No. 57-3 at 27. Smartcar relies on Ticketmaster L.L.C. v. Prestige Ent., Inc., 306 F.Supp.3d 1164, 1175 (C.D. Cal. 2018). Ticketmaster is distinguishable. There, the plaintiff's CFAA claim was premised on the theory that “Defendants lacked or exceeded their authorization [to access a website] by violating [the plaintiff's] TOU [terms of use], even after [the plaintiff] sent Defendants a cease-and-desist letter outlining the alleged violations” of the TOU. See id. The Court held that the cease-and-desist letter could not be construed as a revocation of the defendants' access to the website because the letter demanded that they “cease and desist from any further violations of [the plaintiff's] rights” under the TOU, and it implied that “Defendants could continue to use [the plaintiff's] website so long as they abide by the TOU.” Id. Here, unlike in Ticketmaster, VW's claim is not premised on the theory that Smartcar violated terms of service, as discussed above. Further, VW's allegations about the November 2020 letter, which the Court must construe as true at this juncture, do not raise the inference that the letter implied that Smartcar could continue to access the Networks so long as it abided by VW's terms of service. Instead, they plausibly suggest that VW “undeniably revoked any Network access by Smartcar through any login credentials[.]” See FAC ¶ 51.
Third, Smartcar argues that, “in order to show a CFAA violation, a plaintiff should not be able to simply allege that it revoked the defendant's access. Instead, it should also be required to plead facts demonstrating that it has the right and authority to revoke such access.” ECF No. 57-3 at 28. Smartcar cites no authority for this proposition, and the Court declines to create a new pleading requirement from whole cloth.
Finally, Smartcar contends that, to the extent that VW revoked Smartcar's authorization to access the Networks via the November 2020 letter, VW subsequently reinstated Smartcar's authorization (and thus rescinded its revocation of Smartcar's authorization via the letter) when Smartcar subsequently accessed the Networks and used VW's Services and allegedly became bound to VW's terms of service. ECF No. 57-3 at 29-30. Smartcar contends that, because VW's terms of service provide that they supersede any prior agreements and communications between the parties, the terms of service “superseded” the November 2020 revocation of Smartcar's access to the Networks. See id. The Court is not persuaded. Smartcar cites no authority involving a CFAA claim in which a court has held that the revocation of a person's authorization to access a protected computer can be “superseded” in the manner that Smartcar advances. The authorities that Smartcar cites are inapposite because they address contract claims, not CFAA claims. See ECF No. 57-3 at 30 (citing authorities for the proposition that “[a]court can dismiss a breach of contract claim on the basis that the asserted contract was superseded by a later contract”).
The Court denies Smartcar's motion to dismiss VW's CFAA claim under the “without authorization” clause.
3. “Exceeds authorized access” clause
As noted, VW also asserts, in the alternative, a claim under the CFAA's “exceeds authorized access” clause.
The CFAA “defines the term ‘exceeds authorized access' to mean ‘to access a computer with authorization and to use such access to obtain or alter information in the computer that the accessor is not entitled so to obtain or alter.'” Van Buren v. United States, 141 S.Ct. 1648, 1652 (2021) (quoting 18 U.S.C. § 1030(e)(6)). In other words, “an individual ‘exceeds authorized access' when he accesses a computer with authorization but then obtains information located in particular areas of the computer-such as files, folders, or databases-that are off limits to him.” Id.
Here, VW alleges that, to the extent that Smartcar had authorization to access the Networks, Smartcar exceeded its authorization when it used a headless browser (1) “to appear as a legitimate user to covertly access portions of the Networks not normally accessible to consumers”; (2) “to circumvent [VW's] ability to control and limit certain access to its Networks”; and (3) “to access back-end data from the Networks[.]” FAC ¶¶ 19, 52.
Without citing any supporting authority, Smartcar argues that these allegations are insufficient to raise the inference that Smartcar's alleged use of a headless browser to access VW's Networks and back-end data exceeded any authorization Smartcar may have had, because they do not suggest that Smartcar lacked authorization to access back-end data. ECF No. 57-3 at 30-31. The Court disagrees. VW alleges that the back-end portions of the Networks were not normally accessible to consumers, and that Smartcar's use of a headless browser allowed Smartcar to access them “covertly.” See FAC ¶ 19. Those averments, which the Court must construe in VW's favor at this stage, plausibly suggest that Smartcar did not have authorization to access the back-end portions of the Networks and data located therein even if it had authorization to access other portions of the Networks.
Accordingly, the Court denies Smartcar s motion to dismiss VW's CFAA claim under the “exceeds authorized access” clause.
C. Breach of Contract
Smartcar moves to dismiss VW's two claims for breach of contract. The first claim is premised on alleged breaches of the terms of service for the Services and the second claim is premised on alleged breaches of the NDA that Smartcar and Volkswagen allegedly signed in May 2016.
A plaintiff suing for breach of contract must allege (1) the existence of a contract, (2) her performance or excuse for nonperformance, (3) breach by the defendant, and (4) damages. See Oasis W. Realty, LLC v. Goldman, 51 Cal.4th 811, 821 (2011).
In their briefs, the parties assume that California law governs VW's breach of contract claims. See ECF No. 58 at 17; ECF No. 63 at 16. The Court therefore does likewise.
1. Terms of Service
VW asserts a claim for breach of the terms of service for the Services (Car-Net and myAudi), which VW avers prohibit (1) “tampering with any portion of the Services or otherwise exploiting the Services in any unauthorized way,” and (2) “commercial use” of the Services. FAC ¶¶ 71-73. VW alleges that Smartcar's CEO, Sahas Katta, “purchased or leased one or more Volkswagen and/or Audi vehicles in order to create customer login credentials for the Service and gain unauthorized access to [VW's] Networks as a means of integrating, interfacing, and/or making its APIs compatible with [VW's] Services.” Id. ¶ 69. VW further avers that, “[b]y accessing [VW's] Networks and Services, Smartcar . . . is bound” to the terms of service. Id. ¶ 70. Smartcar allegedly breached the terms of service “through its improper use of the login credential, access to the Services and Networks, and development, testing, marketing, distribution, and commercialization of Smartcar's API and services.” Id. ¶ 74. VW included hyperlinks in the FAC to certain versions of the terms of service for Car-Net and Audi connect, respectively. See id. ¶¶ 71-73. However, VW does not allege that those hyperlinked versions are the ones that Smartcar allegedly breached.
In its order of July 7, 2022, the Court granted Smartcar's motion to dismiss this claim, with leave to amend, on the basis that VW did not specifically allege the provisions of the terms of service that Smartcar allegedly breached. ECF No. 51 at 13.
Smartcar again moves to dismiss the claim, on two grounds. First, Smartcar contends that VW has not alleged facts that raise the inference that a contract was formed between VW and Smartcar, because VW does not allege that Smartcar assented to any version of the terms of service. Smartcar contends that VW's allegation that Smartcar is “bound” to the terms of service by accessing the Services is insufficient to raise the inference that a contract was formed because VW does not allege how Smartcar accepted the terms of service or that Smartcar had notice that accessing the Services would constitute assent to those terms. Second, Smartcar contends that VW has not alleged facts indicating that the versions of the terms of service hyperlinked in the FAC are the ones that Smartcar allegedly breached. Smartcar represents that there are different versions of the terms of service for different vehicle models and years, but VW does not specify which version or versions of the terms of service are the ones that give rise to its claim against Smartcar.
In its opposition, VW contends conclusorily and without citing any supporting authority that it has plausibly alleged that a valid contract was formed between itself and Smartcar because the FAC contains allegations that Smartcar is “bound” to the terms of service by virtue of having “access[ed]” the Networks and Services. ECF No. 63 at 17. VW does not meaningfully respond to Smartcar's argument that VW's allegation that Smartcar is “bound” to the terms of service is insufficient. See id. VW also does not respond to Smartcar's second argument regarding the absence of allegations specifying the version or versions of the terms of service that Smartcar allegedly breached. See id.
The Court finds that VW's claim for breach of the terms of service is subject to dismissal based on both grounds advanced by Smartcar.
First, because VW alleges that Smartcar became “bound” to the alleged terms of service by accessing the Services, FAC ¶ 70, the contract at issue appears to be a so-called “browsewrap” agreement. A browsewrap agreement is an electronic contract “in which a website [or electronic service] offers terms that are disclosed only through a hyperlink and the user supposedly manifests assent to those terms simply by continuing to use the website [or service].” Berman v. Freedom Fin. Network, LLC, 30 F.4th 849, 856 (9th Cir. 2022). “The defining feature of browsewrap agreements is that the user can continue to use the website or its services without visiting the page hosting the browsewrap agreement or even knowing that such a webpage exists.” See Be In, Inc. v. Google Inc., No. 12-CV-03373-LHK, 2013 WL 5568706, at *6 (N.D. Cal. Oct. 9, 2013). Relative to other types of electronic contracts, “[c]ourts are more reluctant to enforce browsewrap agreements because consumers are frequently left unaware that contractual terms were even offered, much less that continued use of the website will be deemed to manifest acceptance of those terms.” Berman, 30 F.4th at 856. Accordingly, “[t]o avoid the unfairness of enforcing contractual terms that consumers never intended to accept,” courts require a showing of “meaningful assent” by the user of the website or service, which can be established by showing that the user had either “actual knowledge of the agreement” or that the user was on “inquiry notice” of the terms of the agreement and of the fact that, by taking a certain action, the user would manifest assent to those terms. See id. at 856-57 (citations omitted).
Smartcar cites a case from this district, which VW has not distinguished, that holds that allegations similar to those here are insufficient to plausibly plead assent in the context of a claim for breach of a browsewrap agreement. In Be In, Inc., 2013 WL 5568706, at *9, the plaintiff alleged that the defendants assented to a browsewrap agreement by using a website, but it did not allege facts indicating that the defendants “were put on notice that the mere use of the website would be interpreted as agreement to the Terms of Service.” Id. The court held that the plaintiff's allegations were, therefore, insufficient to raise the inference that the defendants had assented to the terms of service, and it dismissed the plaintiff's claim for breach of contract on the basis that the plaintiff failed to plead “allegations from which the Court can infer valid contract formation.” See id. Here, as in Be In, Inc., VW avers that Smartcar became bound to the terms of service by accessing the Services, see FAC ¶ 70, but it avers no facts that suggest that Smartcar had actual or constructive notice of the terms of service or of the fact that accessing the Services would be construed as manifesting assent to those terms. Accordingly, VW's allegations fail to raise the inference that a valid contract between the parties was formed. See Be In, Inc., 2013 WL 5568706, at *9. The Court grants Smartcar's motion to dismiss VW's claim for breach of the terms of service on that basis, with leave to amend.
Second, VW's claim for breach of the terms of service is subject to dismissal for the additional reason that VW failed to identify the version or versions of the terms of service that Smartcar allegedly breached. To the extent that VW files an amended complaint to cure the defects identified herein with respect to this claim, VW shall identify in that pleading the specific version or versions of the terms of service, as well as the specific provisions of each version of the terms of service, that VW allegedly breached.
2. NDA
VW asserts a claim for breach of the NDA that the parties allegedly executed in May 2016 in connection with their discussions as to a potential business relationship. FAC ¶ 17.
In its order of July 7, 2022, the Court granted Smartcar's motion to dismiss this claim, with leave to amend, on the grounds that (1) VW failed to identify the terms of the NDA that Smartcar allegedly violated; and (2) VW failed to plausibly plead that Smartcar breached the NDA by misusing the login credentials that VW allegedly provided to Smartcar pursuant to the NDA. ECF No. 51 at 13-14.
Smartcar moves to dismiss this claim once more on the grounds that (1) VW lacks standing to sue for breach of the NDA because it is neither a party nor a third-party beneficiary to the NDA; and (2) VW does not plausibly plead any breach of the NDA.
a. Whether VW has standing to sue for breach of the NDA
As a general matter, under California law, “a person who is not a party to a contract lacks standing to sue for breach.” 19 Tao Vega LLC v. Holo Ltd., No. C 19-5640 SBA, 2019 WL 9607733, at *7 (N.D. Cal. Dec. 17, 2019) (citations omitted). An exception to that general rule exists where a contract was made expressly for the benefit of a third person. Balsam v. Tucows Inc., 627 F.3d 1158, 1162 (9th Cir. 2010) (citing Cal. Civ. Code § 1559). In that circumstance, the contract can be enforced by the third-party beneficiary. See id. “The test for determining whether a contract was made for the benefit of a third person is whether an intent to benefit a third person appears from the terms of the contract.” Id. (quoting Spinks v. Equity Residential Briarwood Apartments, 171 Cal.App.4th 1004, 1022 (2009)). The alleged third-party beneficiary “bears the burden of proving” that the contract was intended to benefit them. Spinks, 171 Cal.App.4th at 1024 (citation and internal quotation marks omitted).
Smartcar contends that VW lacks standing to sue for breach of the NDA because, according to the contract's express terms, VW is neither a party nor a third-party beneficiary to the NDA. Smartcar attached to its motion to dismiss a copy of the NDA, which the Court considers for the purpose of resolving the present motion under the incorporation-by-reference doctrine. See Chatterjee Decl., Ex. C, ECF No. 57-4 (SEALED). As Smartcar points out, the NDA provides that it is a contract “between Audi of America, Inc. (‘AoA'), an operating unit of Volkswagen Group of America, Inc., and Smartcar, Inc (‘Company').” See id. at 2. The NDA defines “Party” as including only Audi of America, Inc. and Smartcar; VW is not included in that definition. See id. (“Each of AoA and the Company [Smartcar] may be referred to as a ‘Party,' and collectively as the ‘Parties.'”). Smartcar also points out that the NDA contains a “No Third Party Beneficiary” provision, which provides that the NDA “is not intended, nor shall it be construed, to create or convey any right in or upon any person or entity not a party to this Agreement.” See id. at 3.
The incorporation-by-reference doctrine “permits a court to consider a document if the plaintiff refers extensively to the document or the document forms the basis of the plaintiff's claim.” Steinle v. City & Cnty. of San Francisco, 919 F.3d 1154, 1162-63 (9th Cir. 2019) (citation and internal quotation marks omitted). Because the NDA is the basis of VW's claim for breach of contract, the Court may consider the copy of the NDA filed by Smartcar. VW does not object to Smartcar's request to incorporate by reference this copy of the NDA or question its authenticity. See Sourceprose Corp. v. RPX Corp., No. 16-CV-04089-LB, 2017 WL 1806496, at *6 (N.D. Cal. May 5, 2017) (holding that it was permissible to consider a copy of a non-disclosure agreement attached to a motion to dismiss under the incorporation-by-reference doctrine on the grounds that the plaintiff's “claim depends on the contents of the NDA and the parties do not dispute its authenticity”).
The Court granted Smartcar's motion to seal the copy of the NDA in its entirety. See ECF No. 62. Because this order quotes portions of the NDA, the order will be filed with restrictions.
VW does not dispute that it is not a signatory to the NDA and that the NDA contains a provision stating that the contract has no third-party beneficiaries. Nevertheless, VW argues that it has standing to sue for breach of the NDA both as a party and as a third-party beneficiary, but its arguments are unpersuasive.
First, VW contends that, because the NDA provides that Audi of America, Inc. (a signatory and party to the NDA) is an “operating unit” of VW, then the Court can infer that VW is a party to the NDA. ECF No. 63 at 17-18. But VW cites no authority for the proposition that a non-signatory can be deemed to be a party to a contract merely because the contract states, without more, that a party to the contract is an “operating unit” of the non-signatory. VW has not alleged any facts indicating what it means for Audi of America, Inc. to be an “operating unit” of VW; the FAC does not mention Audi of America, Inc. or describe VW's corporate structure. Accordingly, VW has not established that it has standing to sue for breach of the NDA on the basis that the NDA states that Audi of America, Inc. is VW's “operating unit.”
Second, VW argues that it has standing to sue for breach of the NDA as a third-party beneficiary because “the circumstances surrounding the NDA clearly demonstrate that the signing parties intended for the benefit of any agreement to flow to” VW. ECF No. 63 at 17-18. VW points to allegations in the FAC that Smartcar contacted VW in 2016 seeking a possible business relationship and signed the NDA “shortly thereafter.” See id. (citing FAC ¶ 17). VW argues that those allegations indicate that the parties intended VW to be a third-party beneficiary of the NDA. Again, however, VW cites no authority to support the proposition that a non-party can be deemed to be a third-party beneficiary of a contract on the basis that a signatory to the contract contacted that non-party prior to entering into the contract. See ECF No. 63 at 17-18. The authorities that VW relies upon are inapposite and do not support a finding that VW has standing to sue as a third-party beneficiary of the NDA. In those cases, the alleged third-party beneficiary had standing to sue for breach of a contract because the third party pointed to express provisions in the agreement that could be construed as indicating an intent by the parties to the contract to benefit the third party. Here, VW points to no such provision in the NDA. Additionally, VW has not shown that it can be deemed to be a third-party beneficiary of the NDA despite the contract's “No Third Party Beneficiary” provision. Thus, the Court cannot infer that VW has standing to sue for breach of the NDA as a third-party beneficiary. See Balsam, 627 F.3d at 1161-63 (affirming dismissal of claim for breach of contract brought by a third party for lack of standing because the contract contained a “No Third Party Beneficiaries” clause and the third party failed to point to any provisions in the contract that plausibly indicated that the contract was intended to benefit it).
In Estrada v. Check into Cash of Cal., No. 20NWCV00203, 2020 Cal. Super. LEXIS 60129, at *5 (Cal. Super. Ct. Oct. 22, 2020), the contract expressly stated that disputes arising out of the agreement, including those involving a signatory's parent company, were to be resolved through arbitration. See id. Based on that express provision, the court found that the contract indicated that the parties intended for the parent company to benefit from the contract and, accordingly, held that the parent company had standing to enforce the contract as a third-party beneficiary. See id. In Marina Tenants Assn. v. Deauville Marina Dev. Co., 181 Cal.App.3d 122, 131-32 (1986), the California Court of Appeal held that a lower court had erred in dismissing a claim for breach of a lease agreement on the basis that third-party tenants (who were not signatories to the lease) had not adequately alleged that they had standing to sue for breach of the lease agreement as third-party beneficiaries. The Court of Appeal held that the lease agreement could be construed as intending to benefit the third-party tenants, because it contained a provision that limited the rents that the third-party tenants would have to pay. The Court of Appeal held that the third-party tenants could rely on that provision to allege third-party beneficiary standing to sue for breach of the lease agreement. Id.
Because VW has not shown that it has standing to sue for breach of the NDA, either as a party to the contract or as a third-party beneficiary of the contract, the Court grants Smartcar's motion to dismiss VW's claim for breach of the NDA, with leave to amend.
For the sake of completeness, the Court addresses Smartcar's other arguments in support of its motion to dismiss VW's claim for breach of the NDA, as doing so may provide guidance to VW in the event that it chooses to file an amended complaint to cure the deficiencies identified in this order.
b. Whether VW has alleged a breach of the NDA
As noted, Smartcar argues that VW's claim for breach of the NDA is subject to dismissal for failure to plausibly plead that Smartcar breached any term of the NDA.
Before turning to the parties' arguments, the Court first summarizes the relevant terms of the NDA. The NDA provides that, during the Confidentiality Period, which is defined as including a term of one year from the contract's effective date plus two years thereafter, the parties may use “Confidential Information” provided or disclosed by the other party only in connection with the Business Purpose, which is defined in the NDA as “discussing a potential business relationship[.]” See Chatterjee Decl., Ex. C, ECF No. 57-4 at 2, 5. The NDA defines “Confidential Information” as including:
(i) written information received from the other Party which is marked or identified as confidential, or information that the receiving Party should reasonably expect to be confidential and (ii) oral or visual information identified as confidential at the time of disclosure which is accurately summarized in writing and provided to the other Party in such written form promptly after such oral or visual disclosure and (iii) information provided orally, even if not reduced to writing, which the receiving Party reasonably should expect to be confidential or which, if disclosed, could provide a third party with any business advantage of any kind.Id. at 2.
VW alleges that Smartcar breached the NDA in two ways. First, during the Confidentiality Period, Smartcar allegedly breached the NDA by misusing “the login credentials provided pursuant to the NDA” and “other confidential information provided pursuant to the NDA” to gain unauthorized access to VW's Networks to exploit VW's data to develop its own commercial API. See FAC ¶¶ 83-84. VW avers that Smartcar's misuse of the login credentials in this manner was a breach of the NDA because the use of the login credentials, which VW allegedly provided to Smartcar pursuant to the NDA, was not within the scope of the Business Purpose. Id. ¶ 84. Second, after the Confidentiality Period ended, Smartcar allegedly breached the NDA by misusing the API adapter that Smartcar “created pursuant to the NDA” in order to further develop its own commercial API. Id. ¶ 85. VW avers that Smartcar's misuse of the API adapter in this manner was a breach of the NDA because it involved the use of “confidential information beyond the Confidentiality Period[.]” Id. ¶ 85.
Smartcar argues that VW's allegations are insufficient to plausibly allege a breach of the NDA. First, Smartcar argues VW does not allege a breach based on Smartcar's alleged misuse of the login credentials during the Confidentiality Period because VW fails to allege “how” Smartcar allegedly misused the credentials. ECF No. 57-3 at 20-21. The Court disagrees. VW does allege how Smartcar allegedly misused the login credentials: by allegedly using them in a manner that was not consistent with the Business Purpose, namely to gain unauthorized access to VW's Networks to develop an API for its own commercial benefit. See FAC ¶¶ 81-84.
Second, Smartcar argues VW does not allege a plausible breach based on Smartcar's alleged misuse of “other confidential information” during the Confidentiality Period because VW does not allege what the “other confidential information” is. ECF No. 57-3 at 22. VW does not respond to this argument in its opposition. See ECF No. 63 at 18. The Court agrees with Smartcar. VW has not identified the “other confidential information” (other than the login credentials) that Smartcar allegedly misused during the Confidentiality Period. Accordingly, VW's claim for breach of the NDA is subject to dismissal to the extent that it is premised on Smartcar's alleged misuse of unspecified “other confidential information” during the Confidentiality Period. See Herbalife Int'l of Am., Inc. v. E. Computer Exch. Inc., No. 222CV00347ODWAGRX, 2022 WL 2065592, at *3 (C.D. Cal. June 8, 2022) (dismissing counterclaim for breach of contract with leave to amend on the ground that “Defendants do not describe the type of confidential information Herbalife supplied to Defendants' competitor in violation of the NDA”).
Third, Smartcar argues that VW does not allege a plausible breach of the NDA based on Smartcar's alleged misuse of the API adapter after the Confidentiality Period ended because the API adapter is not “Confidential Information” under the NDA. ECF No. 57-3 at 21-22. Smartcar argues that the NDA defines “Confidential Information” as information that originates with one party and is provided to the other party in writing or orally, but the API adapter does not meet that criteria. In its opposition, VW does not respond to Smartcar's argument or point to any allegations in the FAC that raise the inference that Smartcar's API constitutes “Confidential Information” as defined in the NDA, such that its use after the Confidentiality Period ended would constitute a breach of the NDA. See ECF No. 63 at 18. Accordingly, the Court agrees with Smartcar that VW's allegations do not raise the inference that Smartcar breached the NDA by misusing the API adapter after the Confidentiality Period ended.
V. CONCLUSION
For the reasons set forth above, the Court grants Smartcar's motion to dismiss VW's claims for breach of the terms of service and for breach of the NDA, with leave to amend. The Court otherwise denies Smartcar's motion to dismiss. To the extent that VW can do so without contradicting the allegations in the FAC, it may file an amended complaint within 21 days of the date of this order solely to cure the deficiencies identified herein. A failure to cure those deficiencies will result in dismissal with prejudice of VW's claims for breach of contract.
IT IS SO ORDERED.