holding that loss under the CDAFA includes both the reasonable costs incurred by the victim as well as lost revenue or other damages incurred as a result of the defendants' conductSummary of this case from Oracle USA, Inc. v. Rimini St., Inc.
NO. CIV. 2:10-294 WBS KJM.
August 4, 2010
MEMORANDUM AND ORDER RE: MOTION TO DISMISS
Plaintiff AtPac, Inc. ("AtPac") filed this action against defendants Aptitude Solutions, Inc. ("Aptitude"), County of Nevada, and Gregory J. Diaz alleging breach of contract, misappropriation of trade secrets, copyright infringement, and violation of the Computer Fraud and Abuse Act ("CFAA"), 18 U.S.C. § 1030 et seq. Defendants move to dismiss plaintiff's fourth cause of action pursuant to Federal Rule of Civil Procedure 12(b)(6) for failure to state a claim upon which relief can be granted.
I. Factual and Procedural Background
The facts of this case have been thoroughly discussed in the court's prior order granting defendants' motion to dismiss (Docket No. 21.) AtPac subsequently amended its Complaint to add additional factual allegations regarding the server on which it alleges its source code was stored and regarding defendants' deceptive and allegedly illegal actions. This Order details only those facts that are newly alleged.
Specifically, plaintiff's First Amended Complaint ("FAC") alleges that AtPac was the exclusive system administrator for the ER-Recorder server which was housed with Nevada County. (FAC (Docket No. 22) ¶ 24.) As system administrator, AtPac alleges that it created all user accounts and passwords for the server and was custodian of its master system administrator/root account. (Id. ¶ 25.) The ER-Recorder server was allegedly segregated such that the CRiis application and customer data was stored in one set of directories, and proprietary AtPac files — including the source code — were stored in another set of directories. (Id. ¶ 26.) Plaintiff allegedly created all login accounts for Nevada County personnel such that they were restricted from accessing the AtPac directories. (Id.) Nevada County personnel, therefore, could access parts of the server in order to execute the CRiis software — referred to as "CRiis access rights" — but lacked access to sensitive AtPac data and files stored on the server — referred to as "AtPac access rights." (Id.) AtPac allegedly gave Nevada County the root account password — which enabled Nevada County full AtPac access rights — only so that Nevada County could power down the server in the event of an emergency. (Id.)
Plaintiff quotes from an additional provision of the License Agreement, which allegedly provides that:
[AtPac] shall continue to deposit and maintain in an escrow with [AtPac's] escrow agent the source code and de-encryption code for the Application Software and any relevant and necessary documentation in magnetic tape form. . . . In the event that [AtPac] shall cease to do business, become insolvent, or declare bankruptcy, except for reorganization[,] [Nevada County] shall have the right to request a copy of the source code from the escrow agent. Should [Nevada County] ever exercise the option to obtain the source code, [Nevada County] shall only use it for purposes of continuing operation of the System and shall not transfer, sell, loan or otherwise disclose source-code to any person not a county employee subject to this agreement.
(FAC ¶ 20 (substitutions in FAC).) The parties allegedly understood and agreed that Nevada County was authorized to access the ER-Recorder server only to run the CRiis software and was prohibited from granting any third parties access to the server whatsoever. (Id.) Plaintiff alleges that Nevada County was not authorized to access the AtPac directories other than in the event of emergency. (Id. ¶ 27.)
On November 4, 2008, Nevada County employees allegedly e-mailed each other regarding the transition from AtPac to Aptitude as the County's clerk-recorder software provider. (Id. ¶ 28.) One e-mail allegedly stated that "we have a person/vendor coming in who needs inquiry only access to the Atpac data" and that one employee responded that he would "do what I can to facilitate access to the AtPac system." (Id.) Diaz allegedly authorized the creation of a user account for the ER-Recorder server for Aptitude, and the County employee creating the account was allegedly directed via e-mail to "obfuscate the login so that AtPac doesn't know that we are working in the system." (Id.) A user account by the name of "isphydoux" and corresponding password were allegedly created for Aptitude with full AtPac access rights to the entire ER-Recorder server. (Id. ¶ 29.) Plaintiff alleges that this was done by using the root account password — given to Nevada County for emergency server shut-down only — to access the AtPac directories. (Id.)
Plaintiff alleges to have obtained Nevada County e-mails through public record requests.
Nevada County asked AtPac for permission to grant Aptitude remote access to the ER-Recorder server on November 18, 2008, which was immediately denied. (Id. ¶ 30.) Plaintiff alleges that Nevada County concealed from it the fact that it already given Aptitude access to the server and that Aptitude had already inspected AtPac's trade secrets. (Id. ¶¶ 30-31.) On November 19, 2008, Nevada County allegedly informed Aptitude via e-mail that AtPac rejected its request. (Id. ¶ 30.)
In addition to alleging that defendants violated §§ 1030(a)(2)(c), (a)(4) and (a)(5) of the CFAA as alleged in its original Complaint, plaintiff's fourth cause of action in its FAC alleges that defendants trafficked in an illicit and unauthorized password in violation of § 1030(a)(6). (FAC ¶ 86); see 18 U.S.C. §§ 1030(a)(2)(c), (a)(4)-(6). Presently before the court is defendants' motion to dismiss plaintiff's fourth cause of action for violation of the CFAA. (Docket No. 23.)
On a motion to dismiss, the court must accept the allegations in the complaint as true and draw all reasonable inferences in favor of the plaintiff. Scheuer v. Rhodes, 416 U.S. 232, 236 (1974), overruled on other grounds by Davis v. Scherer, 468 U.S. 183 (1984); Cruz v. Beto, 405 U.S. 319, 322 (1972). To survive a motion to dismiss, a plaintiff needs to plead "only enough facts to state a claim to relief that is plausible on its face." Bell Atl. Corp. v. Twombly, 127 S. Ct. 1955, 1974 (2007). This "plausibility standard," however, "asks for more than a sheer possibility that a defendant has acted unlawfully," and where a complaint pleads facts that are "merely consistent with" a defendant's liability, it "stops short of the line between possibility and plausibility." Ashcroft v. Iqbal, 522 U.S. ___ at ___, 129 S. Ct. 1937, 1949 (2009) (quoting Twombly, 550 U.S. at 556-57).
In general a court may not consider items outside the pleadings upon deciding a motion to dismiss, but may consider items of which it can take judicial notice. Heliotrope Gen., Inc. v. Ford Motor Co., 189 F.3d 971, 981 n. 18 (9th Cir. 1999) (internal citations omitted); Barron v. Reich, 13 F.3d 1370, 1377 (9th Cir. 1994). A court may take judicial notice of facts "not subject to reasonable dispute" because they are either "(1) generally known within the territorial jurisdiction of the trial court or (2) capable of accurate and ready determination by resort to sources whose accuracy cannot reasonably be questioned." Fed.R.Evid. 201. Furthermore, courts may consider documents outside the complaint without converting the motion to dismiss into a motion for summary judgment if (1) the documents' authenticity is not contested; and (2) the plaintiff's complaint necessarily relief on the documents. Lee v. City of Los Angeles, 250 F.3d 668, 688 (9th Cir. 2001).
Defendants have submitted a Request for Judicial Notice ("RJN") (Docket No. 24) that contains a copy of the July 19, 2004 License Agreement (Ex. 1) and a transcript from the court's April 26, 2010 hearing on defendants' first motion to dismiss (Ex. 2). The court will take judicial notice of the second exhibit because it is a matter of public record. Fed.R.Evid. 201. Plaintiff objects to the court taking judicial notice of defendants' first exhibit, arguing that defendants failed to provide a declaration attesting to its authenticity. (Opp'n to Mot. to Dismiss (Docket No. 25) at 16.) As defendants have not attempted to authenticate the document, the court must decline to take judicial notice of it.
A. Scope of the CFAA's Prohibitions
The parties renew their arguments regarding whether the CFAA prohibits — and makes the defendants potentially criminally liable for — breaching the License Agreement by accessing and giving Aptitude access to the Atpac drives on the ER-Recorder server. The relevant provisions of the CFAA make liable:
(a) Whoever —
. . .
(2) intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains —
. . .
. . .
(C) information from any protected computer;
. . .
(4) knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computer and the value of such use is not more than $5,000 in any 1-year period;
. . .
. . .
(C) intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage and loss.
(6) knowingly and with intent to defraud traffics (as defined in section 1029) in any password or similar information through which a computer may be accessed without authorization, if —
(A) such trafficking affects interstate or foreign commerce; or
. . . [irrelevant]18 U.S.C. § 1030(a). "Traffic" is defined as to "transfer, or otherwise dispose of, to another, or obtain control of with intent to transfer or dispose of." 18 U.S.C. § 1029(e)(5).
As a preliminary matter, the court notes that plaintiffs allege that all three defendants are liable under each subsection of 18 U.S.C. § 1030(a) quoted above without making any distinctions among Diaz, Nevada County, or Aptitude for purposes of liability. The court previously determined that because Diaz and Nevada County were authorized to access the computer that housed plaintiff's CRiis software — now referred-to as the ER-Recorder server — that they could not have "accessed a protected computer without authorization" as required to be liable under § 1030(a)(5)(C). (Order of April 29, 2010 (Docket No. 21).) As the facts alleged in the FAC do not change this conclusion, the court will construe plaintiff's fourth cause of action accordingly.
1. Without Authorization and Exceeding Authorized Access
While the CFAA itself does not define the terms "authorization" or "without authorization," the Ninth Circuit has interpreted the term "without authorization" to mean "without any permission at all." LVRC Holdings LLC v. Brekka, 581 F.3d 1127, 1133 (9th Cir. 2009) ("[A]n employer gives an employee `authorization' to access a company computer when the employer gives the employee permission to use it.") The CFAA defines "[e]xceeds authorized access" as "to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled to so obtain or alter." 18 U.S.C. § 1030(e)(6); see also LVRC, 581 F.3d at 1133.
a. Diaz and Nevada County's Liability
Plaintiff alleges that Diaz and the County of Nevada exceeded their authorized access to the ER-Recorder server in violation of § 1030(a)(2)(C) and (a)(4) when the County's employees accessed the AtPac directories on the ER-Recorder server in order to provide Aptitude with the "isphydoux" password and provide Aptitude with the source code on the server.
To remedy the defects the court identified in its prior Order, plaintiff now alleges that the License Agreement includes a provision — quoted in full in Part I, supra — that AtPac shall keep a copy of its source code in escrow that Nevada County could access — but not disclose to third-parties — only if AtPac went out of business. (FAC ¶ 20.) Plaintiff argues that this contractual provision reflects the parties' understanding that Nevada County was not authorized to access the source code stored on the ER-Recorder server. However, this one paragraph, taken out of its context as part of the broader License Agreement, discusses only the source code stored in magnetic tape form and held in escrow; it is silent with respect to the AtPac directories on the ER-Recorder server and the CRiis source code stored therein. Even drawing all reasonable inferences in favor of the plaintiff, this contractual term has nothing to say about how the parties contracted for Nevada County's access and use rights to the ER-Recorder server.
Plaintiff also asserts that, in addition to the written terms of the License Agreement, the parties agreed to additional informal and unwritten contract terms regarding the ER-Recorder server. Specifically, plaintiff alleges that the parties agreed that Nevada County was authorized to access the ER-Recorder server only to run the CRiis software, and that indeed no Nevada County employee was given a login account that provided AtPac access rights. (FAC ¶¶ 20, 26.) For purposes of the present motion to dismiss the court will assume these allegations are true. Yet AtPac also allegedly gave Nevada County a "root account password" that provided full AtPac access rights and full access to the AtPac directories on the ER-Recorder server, but was only supposed to be used to shut-off the server in the event of an emergency. (Id. ¶ 26.)
On a motion to dismiss, the court looks to the pleadings on file, not to extrinsic evidence, unless it converts the motion to dismiss into a motion for summary judgment and provides the opportunity for discovery. See Inlandboatmens Union Pac. v. Dutra Group, 279 F.3d 1075, 1083 (9th Cir. 2002). Because the court would have to consider extrinsic evidence in order to determine whether the License Agreement is a fully integrated document such that additional oral terms are or are not validly pled, the court must defer ruling on the propriety of this theory of breach.
While the CFAA defines the term "exceeds authorized access" as "to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled to so obtain or alter," 18 U.S.C. § 1030(e)(6), the Ninth Circuit's opinion in LVRC provides additional guidance that counsels the statute should be read narrowly. The LVRC court refused to adopt an expansive interpretation of the CFAA's reach, holding that the rule of lenity required the term "authority" be construed such that employees did not automatically lose "authority" to access a computer when they violate their duty of loyalty to their employer by accessing the computer with an improper purpose. 581 F.3d at 1133-34. In that case the computer owner's conduct — not the accessor's state of mind — determined whether access was "authorized." Id. at 1135. Simply put, a person cannot access a computer "without authorization" if the gatekeeper has given them permission to use it.
The same logic applies to the term "exceeding authorized access." The LVRC court interpreted that term in dicta, stating that "[a] person who `exceeds authorized access,' has permission to access the computer, but accesses information on the computer that the person is not entitled to access." 581 F.3d at 1133 (citations omitted). As with the term "without authorization," the intent of the individual accessing the computer is irrelevant; if she has authority to access information on a computer then she cannot violate the CFAA by accessing it. See United States v. Nosal, No. 08-0237, 2010 WL 934257, at *6 (N.D. Cal. Jan. 6, 2010) ("If a person is authorized to access the `F' drive on a computer or network but is not authorized to access the `G' drive of that same computer or network, the individual would `exceed authorized access' if he obtained or altered anything on the `G' drive."). Indeed, theLVRC court wrote in dicta that, had the issue been before it, it would have also found that Brekka had not exceeded authorized access when he downloaded files from his employer's computer and sent them to his wife during his employment and continued to access his employer's website with his administrative log-in after his employment ended. 581 F.3d at 1135 n. 7.
In interpreting the term "exceeds authorized access" in this manner, the court is counseled by Supreme Court's warning against interpreting criminal statutes in surprising and novel ways that impose unexpected burdens on defendants. See United States v. Carr, 513 F.3d 1164, 1168 (9th Cir. 2008) ("[A]mbiguity concerning the ambit of criminal statutes should be resolved in favor of lenity.") (quoting Rewis v. United States, 401 U.S. 808, 812 (1971)); see also United States v. Santos, 553 U.S. 507, ___, 128 S. Ct. 2020, 2025 (Scalia, J.) (plurality opinion). It seems incongruous to this court that the alleged "hacker's" mental state should be irrelevant when determining whether she had any access to a computer at all and relevant when determining whether she had access to specific information on a computer she was authorized to access. Rather, the court believes that the plainest and common-sense understanding of the definition of the term "exceeds authorized access" is one that simply examines whether the accessor was entitled to access the information for any purpose.
Plaintiff admits that it gave Nevada County the keys to its most sensitive trade secrets and source code. Nevada County had permission to access the AtPac directories and source code in order to shut-down the server in the event of an emergency. Nevada County could not violate the CFAA and "exceed authorized access" by accessing or obtaining the AtPac directories or source code. See LVRC, 581 F.3d at 1135. What Nevada County chose to do once it accessed the AtPac directories — what its intent in accessing those portions of the ER-Recorder server was — is irrelevant. The CFAA simply does not apply to those who have authority to access specific parts of a computer but do so with an improper purpose. While Nevada County and Diaz's actions may have violated the terms of the License Agreement or other contract with AtPac and may have constituted an inappropriate use of the information, they did not violate the CFAA. See State Analysis, Inc. v. American Financial Services Assoc., 621 F. Supp. 2d 309 (E.D. Va. 2009).
b. Aptitude's Liability
The parties again rehash their arguments regarding whether Nevada County and Diaz could "authorize" Aptitude to access the ER-Recorder server. The court's prior Order stated that, "State Analysis does not establish — and the court is not willing to so rule — that third parties can ordinarily be liable under the CFAA for exploiting a licensee's violation of its license agreement. Rather, State Analysis is perhaps best applied in situations where the third-party defendant uses subterfuge — like using user names and passwords that do not belong to it — to gain access to plaintiff's protected materials on plaintiff's own website, computers, or servers." (Docket No. 21.) Plaintiff has now amended its Complaint with the intent of alleging the sort of "subterfuge" that could impose CFAA liability on a third-party defendant.
Specifically, plaintiff alleges that Nevada County staff e-mailed each other regarding granting Aptitude access to the AtPac directories, and that once this was done Nevada County staff e-mailed Aptitude notifying it that they had created a login for Aptitude. (FAC ¶¶ 28-29.) Plaintiff does not allege that Aptitude had any knowledge of the actions Nevada County employees took to create the "isphydoux" login or of the fact that Nevada County was not entitled to create logins at this point. On November 19, 2008, Nevada County informed Aptitude that AtPac had denied its request to enable Aptitude remote access to the AtPac directories, and that as a result Aptitude then knew that access provided via the "isphydoux" login had been created in excess of Nevada County's authority to access the ER-Recorder server. (Id. ¶ 30.) Aptitude subsequently obtained indemnification from Nevada County for the data migration and thereafter extracted the data from the server, via e-mail, and from a file transfer protocol ("FTP") site. (FAC ¶¶ 36, 39-41.)
Simply put, plaintiff alleges that it gave Nevada County permission to access the AtPac directories on the ER-Recorder server, that Nevada County created a log-in to the ER-Recorder server to which it had access, and gave this log-in to Aptitude which Aptitude then used. These facts are distinguishable fromState Analysis in multiple and significant ways such that any potential liability that could possibly apply under State Analysis's reasoning is inapplicable. For example, the plaintiffs in this case do not own the ER-Recorder server as was the case in State Analysis. Nor is Aptitude one of plaintiff's former clients such that it could be on notice as to the terms of plaintiff's License Agreement with Nevada County.
On a more fundamental level, the court is unwilling to stretch the scope of the CFAA to encompass Aptitude's alleged exploitation of Nevada County's violation of its license agreement with plaintiff. Aptitude did not access the ER-Recorder server "without authorization" because it accessed the server with its own password given it by Nevada County. Nor did Aptitude act covertly when it accessed the ER-Recorder server; it did so openly with its own log-in and with Nevada County's express permission. See Theofel, 359 F.3d at 1072-74, 1078 (stating that the Stored Communications Act — and presumably also the CFAA — "provides no refuge for a defendant who procures consent by exploiting a known mistake that relates to the essential nature of his access."). While plaintiff potentially has other claims against Aptitude for its conduct, Aptitude did not open itself to potential criminal liability under the CFAA.
2. Trafficking in a Password
The CFAA prohibits anyone from, knowingly and with the intent to defraud, trafficking in any password through which a computer may be accessed without authorization. 18 U.S.C. § 1030(a)(6). The CFAA defines "traffic" as to "transfer, or otherwise dispose of, to another, or obtain control of with intent to transfer or dispose of." 18 U.S.C. § 1029(e)(5). The court notes that, in the course of its own research, it has come across only a handful of federal cases that even mention § 1030(a)(6), of which only State Analysis, 621 F. Supp. 2d 309 (receiving a password is not "trafficking"), analyzes the scope and substance of the provision. In interpreting the provision, therefore, the court will look to the plain language of the statute. United States v. Blixt, 548 F.3d 882, 887 (9th Cir. 2008); see Perrin v. United States, 444 U.S. 37, 42 (1979) ("A fundamental canon of statutory construction is that, unless otherwise defined, words will be interpreted as taking their ordinary, contemporary, common meaning.").
Despite its pernicious connotation, "trafficking" in a password is the simple and, this court believes, very common act of giving someone else your password. This is not a crime under the CFAA. "Trafficking" becomes illegal only where it is knowing, with the intent to defraud, and of the sort such that the password can enable the password recipient to access a computer without authorization. 18 U.S.C. § 1030(a)(6). AtPac was allegedly the system administrator for the ER-Recorder server, and created all login accounts for Nevada County employees such that they only had CRiis access rights. (FAC ¶ 26.) Nevada County is alleged to have illegally "trafficked" in the "isphydoux" password when one of its employees accessed the AtPac directories using the root account and created a user account — with full AtPac access rights — for Aptitude and gave it to Aptitude without plaintiff's knowledge. (Id. ¶¶ 28-29.)
In interpreting the related provisions of 18 U.S.C. § 1030(a)(4) the court in Multiven, Inc. v. Cisco Sys., Inc. ___ F. Supp. 2d ___, 2010 WL 2889262 (N.D. Cal. July 20, 2010) stated that "a plaintiff cannot prove `intent to defraud' by merely showing that an unauthorized access has taken place." WL 2889262, at *4. Just as the court in Multiven made clear that "intent to defraud" in the § 1030(a)(4) context requires a greater showing than simply an unauthorized access, "intent to defraud" in the § 1030(a)(6) context requires more than the intent to impermissibly give access to another.
Plaintiff's trafficking claim against Nevada County fails because plaintiff has alleged no facts to give rise to an inference of any "intent to defraud" when Nevada County gave Aptitude the "isphydoux" password. Nevada County had access to the server and to the AtPac directories from where it created the "isphydoux" password and on which plaintiff's source code was stored. While Nevada County may have breached some term of the License Agreement when it gave Aptitude a password to access the server, this is not the sort of fraud Congress envisioned when it made password trafficking subject to criminal penalties.
Furthermore, the CFAA does not criminalize password "trafficking" unless it enables the password recipient to access a computer without authorization. 18 U.S.C. § 1030(a)(6). Because the court has determined that plaintiff has not sufficiently alleged that Aptitude accessed the ER-Recorder server "without authorization," it follows that plaintiff has also failed to allege that Nevada County illegally "trafficked" in the "isphydoux" password that enabled Aptitude to access the ER-Recorder server. Because Nevada County could grant Aptitude access to the ER-Recorder server, the password did not allow Aptitude to access the server "without authorization" as required to support a trafficking claim under § 1030(a)(6). This court cannot conclude that Congress intended to impose criminal liability on third parties just because a computer licensee violates a license agreement.
Finally, to the extent that the FAC complains against Diaz individually for trafficking in the "isphydoux" password, plaintiff has failed to allege that Diaz "trafficked" in the password. While plaintiff alleges that Diaz signed the form used to create a new user account, plaintiff does not allege that Diaz personally transferred the "isphydoux" password to Aptitude or that he obtained control of the password with the intent to transfer it to Aptitude. (See FAC ¶¶ 28-29.)
B. Adequate Allegations of Loss
Plaintiff's failure to adequately plead "loss" under the CFAA provides an alternate ground for dismissal of plaintiff's CFAA claim. The CFAA is primarily a criminal statute that prohibits the intentional and knowing unauthorized accessing of computers to obtain information or anything of value or to cause damage. Under subsection (g), only persons harmed in certain ways by violations of the CFAA can bring a civil action. The CFAA provides that:
Any person who suffers damage or loss by reason of a violation of this section may maintain a civil action against the violator to obtain compensatory damages and injunctive relief or other equitable relief. A civil action for a violation of this section may be brought only if the conduct involves 1 of the factors set forth in subclauses (I), (II), (III), (IV), or (V) of subsection (c)(4)(A)(i). Damages for a violation involving only conduct described in subsection (c)(4)(A)(i)(I) are limited to economic damages. . . .18 U.S.C. § 1030(g). The relevant factors listed in subsection (c)(4)(A)(i) are:
(I) loss to 1 or more persons during any 1-year period (and, for purposes of an investigation, prosecution, or other proceeding brought by the United States only, loss resulting from a related course of conduct affecting 1 or more other protected computers) aggregating at least $5,000 in value;
(II) the modification or impairment, or potential modification or impairment, of the medical examination, diagnosis, treatment, or care of 1 or more individuals;
(III) physical injury to any person;
(IV) a threat to public health or safety;
(V) damage affecting a computer used by or for an entity of the United States Government in furtherance of the administration of justice, national defense, or national security; or
. . . [irrelevant]18 U.S.C. § 1030(c)(4)(A)(i). On the face of plaintiff's FAC, only the first factor could possibly apply. "Loss" is defined in the statute as:
any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service. . . .18 U.S.C. § 1030(e)(11). "Loss," therefore, means two things: "any reasonable cost to the victim" and lost revenue or other damages incurred as a result of an interruption of service.
To allege a loss under the CFAA, "plaintiffs must identify impairment of or damage to the computer system that was accessed without authorization." Doyle v. Taylor, No. 09-158, 2010 WL 2163521, at *2 (E.D. Wash. May 24, 2010) (citing cases and holding that where plaintiff alleged defendant accessed his USB thumb drive and retrieved a sealed document, "[p]laintiff would have to show that the thumb drive itself was somehow damaged or impaired by Defendant's act of accessing the drive"). Cognizable costs also include "the costs associated with assessing a hacked system for damage [and] upgrading a system's defenses to prevent future unauthorized access." Id. at *3; see SuccessFactors, Inc. v. Softscape, Inc., 544 F. Supp. 2d 975 (N.D. Cal. 2008) ("[W]here the offense involves unauthorized access and the use of protected information. . . . the cost of discovering the identity of the offender or the method by which the offender accessed the protected information [is] part of the loss for purposes of the CFAA.").
To allege a loss of revenue, the loss must result from the unauthorized server breach itself. See Therapeutic Res. Facility v. NBTY, Inc., 488 F. Supp. 2d 991 (E.D. Cal. 2007) (loss sufficiently alleged where defendant breached $100 single-user license agreement for plaintiff's medical publication subscription service by sharing username and passcode with employees, where corporate subscription would cost $40,000); SKF USA, Inc. v. Bjerkness, 636 F. Supp. 2d 696 (N.D. Ill. 2009) (holding that former employees' unauthorized transfer of confidential files and trade secrets to thumb drives which were brought to new employer and eventually resulted in lost business to plaintiff did not constitute a "loss" under the CFAA to support a civil action) ("Purely economic harm unrelated to the computer systems is not covered by this definition.").
Congress' restricting of civil actions to cases that cause the types of harm listed in 18 U.S.C. § 1030(c)(4)(A)(i) subsections (I) through (V) reemphasizes the court's conclusion that the sort of conduct alleged against Nevada County does not fall under the CFAA's prohibitions. "Loss" is grouped along with the harms of physical injury, threat to public health and safety, impairment of medical diagnosis or treatment, and damage to federal government computers that deal with national security and defense. It is no surprise that courts interpreting the definition of "loss" sufficient to bring a civil action have done so narrowly given the company that subsection (I) keeps. The definition of "loss" itself makes clear Congress's intent to restrict civil actions under subsection (I) to the traditional computer "hacker" scenario — where the hacker deletes information, infects computers, or crashes networks. See 18 U.S.C. § 1030(e)(11) (enumerating legitimate "costs" in terms of computer damage). While defendants raised this argument for the first time in their Reply brief, the court finds no reason to ignore the plain language of the statute.
Plaintiff does not allege any facts that indicate that it incurred costs to update its server security protocols or otherwise analyze the circumstances of the unauthorized server access. Rather, plaintiff's fourth cause of action alleges that defendants "obtained something of value exceeding $5,000 in a single calendar year," and contains the conclusory allegations that plaintiff has been damaged and that it has suffered immediate and irreparable harm. (FAC ¶¶ 84, 87-88.) Because plaintiff has not alleged that it incurred any costs or experienced lost revenue as a direct result of defendants' unauthorized server access, they have not alleged to have suffered a "loss" under the CFAA. Defendants' motion to dismiss will therefore be granted in its entirety.
IT IS THEREFORE ORDERED that defendants' motion to dismiss plaintiff's fourth cause of action be, and the same hereby is, GRANTED.
DATED: August 3, 2010