allowing a § 502(c) claim based on access gained through using valid passwords and not hackingSummary of this case from Satmodo, LLC v. Whenever Commc'ns, LLC
Case No. 13–cv–05186–WHO
David Nied, Keenan W. Ng, Katy Marie Young, Ad Astra Law Group, LLP, San Francisco, CA, for Plaintiff. Carlton John Willey, Willey & Bentaleb LLP, San Francisco, CA, for Defendants.
David Nied, Keenan W. Ng, Katy Marie Young, Ad Astra Law Group, LLP, San Francisco, CA, for Plaintiff.
Carlton John Willey, Willey & Bentaleb LLP, San Francisco, CA, for Defendants.
ORDER DENYING DEFENDANTS' SECOND MOTION FOR JUDGMENT ON THE PLEADINGS
Re: Dkt. No. 111
WILLIAM H. ORRICK, United States District Judge
This order concerns the second motion for judgment on the pleadings filed by defendants in this case. I granted the first motion with respect to plaintiff NovelPoster's claims under the Computer Fraud and Abuse Act (“CFAA”) and California's Comprehensive Computer Data Access and Fraud Act (“CDAFA”) on the ground that NovelPoster had failed to adequately plead damage or loss within the meaning of either statute. NovelPoster has since filed an amended complaint (“First Amended Complaint”) with additional details concerning the damage and loss NovelPoster allegedly sustained as a result of defendant's conduct. Defendants contend that the First Amended Complaint still fails to adequately plead damage or loss under the CFAA and CDAFA, and that it fails to properly allege that defendants accessed or used a computer “without permission,” as required to state a claim under the CDAFA. For the reasons discussed below, the motion is DENIED.
I. FACTUAL BACKGROUND
The following facts are alleged in the First Amended Complaint and are presumed true for the purposes of this motion. Except where otherwise indicated, most of the facts are also alleged in NovelPoster's initial complaint and are set out in the Court's August 4, 2014 order granting defendants' first motion for judgment on the pleadings. See Dkt. Nos. 1, 93. I repeat them here for ease of reference.
A. Failed business arrangement between the parties
NovelPoster is an online retailer that designs, sells, and distributes “text-based poster products.” FAC ¶ 3. NovelPoster has no physical presence and is accessible only through its website, www.NovelPoster.com, and other online shopping portals. FAC ¶ 11. The business was founded by Matt Grinberg and Alex Yancher in 2011. FAC ¶ 10.
NovelPoster's operations are conducted exclusively online through a number of software programs and websites, including Google and Google Adwords, Goodsie, Etsy, Storenvy, Facebook and Facebook Ads, Twitter, MailChimp, Stripe, and PayPal. FAC ¶ 12. NovelPoster uses several email accounts hosted by Google. FAC ¶ 12. These include Contact@NovelPoster.com, Matt@NovelPoster.com, and Alex@NovelPoster.com. FAC ¶ 12. Contact@NovelPoster.com is the administrative account for all of NovelPoster's Google email accounts, and access to Contact @NovelPoster.com allows the user to access and control both Matt @NovelPoster.com and Alex@NovelPoster.com, which are the individual email accounts for Grinberg and Yancher, respectively. FAC ¶ 12. Grinberg and Yancher used Contact@NovelPoster.com and their individual email accounts to communicate with customers and to store contact information for designers, marketers, and other entities “essential to the growth and operation of NovelPoster.” FAC ¶ 14.
NovelPoster first came into contact with defendants through Yancher, who met defendant Daniel Canfield at a social event in San Francisco, California in March 2013. FAC ¶ 16. Yancher and Canfield agreed to pursue a potential business arrangement by which Canfield's company, defendant Javitch Canfield Group, would assume responsibility for running NovelPoster “until it could be sold.” FAC ¶ 16. Grinberg and Yancher met with Canfield and his business partner, defendant Mark Javitch, several times between March 2013 and May 2013 to discuss and negotiate the details of the arrangement. FAC ¶ 17.
On or around May 3, 2013, optimistic that an agreement with defendants would soon be reached, NovelPoster provided defendants with the passwords to a number of its online accounts, including Contact@NovelPoster.com and NovelPoster's accounts with Google Adwords, Goodsie, Facebook, Twitter, MailChimp, Stripe, and PayPal. FAC ¶ 18. Grinberg and Yancher did not authorize defendants to change the passwords to any of the accounts. FAC ¶ 18. Nevertheless, on or around May 8, 2013, defendants changed the passwords to each of the accounts without providing the new passwords to NovelPoster. FAC ¶ 19. Grinberg emailed defendants to inform them that while changing the passwords was “totally fine for now,” Grinberg and Yancher “would need access to NovelPoster's accounts going forward.” FAC ¶ 21. In the same email, Grinberg proposed final contract terms between the parties, including the following points:
(i) Javitch Canfield Group would “take over all aspects of operations except for poster design,” while NovelPoster would “continu[e] to be responsible for additional poster design at a rate of one poster per month.”
(ii) NovelPoster would maintain “ownership of all NovelPoster related accounts.”
(iii) Javitch Canfield Group would receive 80 percent of all NovelPoster sales, as well as a ten percent equity share to vest in two years.
(iv) Javitch Canfield Group would not compete with NovelPoster “by creating their own text-based poster product.”
FAC ¶ 21.
Defendants accepted the terms via email on May 9, 2013. FAC ¶ 24.
On or around May 13, 2013, in line with the contract provision that NovelPoster would maintain “ownership of all NovelPoster related accounts,” Canfield provided NovelPoster with the new passwords the defendants had created. FAC ¶ 27. On or around June 6, 2013, however, defendants reversed course and again changed the passwords for Contact@NovelPoster.com, Google Adwords, Goodsie, Facebook, Twitter, Mai lChimp, Stripe, and PayPal, again without providing the new passwords to NovelPoster. FAC ¶ 29. On the same date, defendants also accessed and changed the passwords to Grinberg and Yancher's individual email accounts, Matt@NovelPoster.com and Alex @NovelPoster.com. FAC ¶ 30. Neither Grinberg nor Yancher had authorized defendants to access the individual email accounts or to change the accounts' passwords. FAC ¶ 30. The First Amended Complaint alleges that by changing the various online account passwords, defendants exceeded their authority “to operate, but not own, NovelPoster” and “prevented [NovelPoster] from restoring and reasserting the technical access barriers that defendants had just overcome.” FAC ¶ 29–30, 92.
On June 10, 2013, Yancher emailed Canfield and Javitch, alerting them that he knew they had accessed the individual email accounts and read emails therein without permission. FAC ¶ 31. Javitch replied and suggested a meeting to discuss the situation. FAC ¶ 32. Yancher agreed to meet but reiterated that defendants were not authorized to access the individual email accounts or to change the accounts' passwords. FAC ¶ 32.
The parties met on June 13, 2013. FAC ¶ 33. Grinberg and Yancher told defendants that “their business relationship was not working” and that they wished to terminate the agreement. FAC ¶ 33. Defendants refused, insisting they would relinquish control of NovelPoster only for a $10,000 fee. FAC ¶ 33. The next day, Grinberg sent Canfield an email terminating the agreement and demanding that defendants return all of NovelPoster's business operations, including the passwords to NovelPoster's online accounts. FAC ¶ 34. In a reply email sent the same day, Javitch “refused to acknowledge the termination of the agreement, reasoning ... there was no clause in the contract that addressed termination and therefore the termination was not valid.” FAC ¶ 36.
Between June 2013 and January 2014, defendants maintained control of all aspects of NovelPoster's business and routinely accessed, without authorization from Grinberg or Yancher, NovelPoster's online accounts. FAC ¶ 41. Throughout that period, defendants “cross-marketed NovelPoster with other brands [they] promote” and misrepresented to vendors and other business contacts that defendants were authorized to enter binding agreements on NovelPoster's behalf. FAC ¶¶ 39–40. In early December 2013, NovelPoster discovered that defendants had shut down Novelposter's website. FAC ¶ 43. This was “right at the apex of the holiday season and the most profitable part of the year for NovelPoster.” FAC ¶ 43. NovelPoster asserts that in 2012, it earned thirty percent of its revenues in December; because its website was shut down in December 2013, NovelPoster “could not conduct sales, interact with customers, or generally operate, and lost significant revenue as a result.” FAC ¶ 43.
It was not until January 10, 2014 that defendants finally turned over the passwords to all but one of NovelPoster's online accounts. FAC ¶ 44. Prior to returning access, defendants deleted the email accounts Mark@NovelPoster.com and Becky@NovelPoster.com, along with all data and communications stored within those accounts. FAC ¶ 45–46. Defendants also withheld from NovelPoster all emails and other communications that had been sent or received through any of NovelPoster's online accounts during the approximately seven months that defendants controlled the business. FAC ¶ 48. On February 10, 2014, I ordered defendants to provide those emails and communications to NovelPoster within seven days. Dkt. No. 38.
NovelPoster alleges that defendants still have not turned over the password to NovelPoster's Stripe account. FAC ¶ 44.
NovelPoster does not state who created these email accounts or who was licensed to use them. See FAC ¶¶ 45–46. Defendants assert, and NovelPoster appears to concede, that the accounts were created either by defendants or by persons associated with defendants. Mot. 10; Opp. 9.
B. NovelPoster's allegations concerning damage and loss
With respect to NovelPoster's CFAA and CDAFA causes of action, the damage and loss allegations in the initial complaint were limited to a single boilerplate sentence: “As a result of defendants' conduct, NovelPoster has suffered damages and/or loss in excess of $5,000 in the year preceding the date of this filing, but the damages grow each day that defendants refuse to acknowledge [the] termination of the agreement.” Order at 14; Dkt. No. 1 ¶ 44.
NovelPoster filed its initial complaint on November 6, 2013, when, according to NovelPoster's allegations, the business was still under defendants' control and it was conceivable that NovelPoster's damages were still “grow[ing] each day.” See Dkt. No. 1.
The damage and loss allegations in the First Amended Complaint are substantially more detailed. They can be grouped into three categories. First, NovelPoster alleges “impairment of data” damage caused by defendants' extended period of exclusive control over NovelPoster's online accounts. See FAC ¶ 42 (“Because plaintiff was locked out of its own accounts, it had no way to ... investigate what had been done with its ... accounts, what data had been deleted, what false information had been created, or how its accounts had been used while they were hijacked by defendants.”).
NovelPoster also alleges “impairment of data” damage caused by defendants' alleged deletion of theMark@NovelPoster.com and Becky @NovelPoster.com email accounts. See FAC ¶¶ 45–46; Opp. 9. However, as noted above, NovelPoster does not allege who created the accounts or who was licensed to use them. Damage or loss is only relevant to NovelPoster's CFAA and CDAFA claims if it was caused by defendants' violation of one or both of the statutes. See 18 U.S.C. § 1030(g) (“Any person who suffers damage or loss by reason of a violation of [the CFAA] may maintain a civil action against the violator.”) (emphasis added); Cal. Penal Code § 502(e)(1) (“[T]he owner or lessee of the computer ... or data who suffers damage or loss by reason of a violation of [the CDAFA] may bring a civil action against the violator.”) (emphasis added). Because NovelPoster has not alleged to whom Mark@NovelPoster.com and Becky@NovelPoster. com belonged, it is not clear that defendants' access, use, and deletion of those accounts was in violation of the CFAA or CDAFA. Accordingly, I will not consider defendants' alleged conduct in connection with those accounts for the purposes of this motion.
Second, NovelPoster alleges “investigation and recovery” losses. Opp. 2–3. NovelPoster states that between June 14, 2013 (the date NovelPoster terminated its agreement with defendants) and February 17, 2014 (the date by which defendants were ordered to turn over all emails and other communications that had been sent or received through NovelPoster's online accounts during defendants' period of exclusive control), Grinberg and Yancher each spent approximately ten hours per week “on their efforts to secure the restoration of NovelPoster and its data and information” to the condition they were in “prior to when defendants took control of NovelPoster.” FAC ¶ 70. These efforts included restoring the data and information to their prior condition, as well as responding to and conducting a damage assessment of defendants' alleged CFAA and CDAFA violations. FAC ¶ 50. NovelPoster states that Grinberg and Yancher have previously received $150 per hour for computer work, and that, based on that figure, the value of the time and services they expended in their restorative efforts is approximately $105,000. Id. NovelPoster also hired attorneys in its efforts to restore its data and information. FAC ¶ 71. The attorneys “charge in excess of $300/hour and spent in or around in excess of 100 hours securing the return of NovelPoster's data and information.” Id.
Finally, NovelPoster alleges “interruption of service” losses. Opp. 3, 7–8. NovelPoster states that as a result of defendants' control of NovelPoster's website and online accounts, NovelPoster suffered lost revenue in the form of: (i) approximately $13,000 in NovelPoster sales that occurred while the website was under defendants' control and that was “unjustly retained” by defendants; (ii) “unrealized revenues,” including those due to defendants' shutdown of the NovelPoster website in December 2013 during the height of the holiday shopping season; and (iii) “damaged relationships with wholesalers due to the subpar product and customer service [defendants] offered while operating NovelPoster.” FAC ¶¶ 74–75.
II. PROCEDURAL BACKGROUND
NovelPoster filed its initial complaint on November 16, 2013, alleging nine causes of action against defendants: (1) violation of the CFAA, 18 U.S.C. §§ 1030(a)(2)(C) and 1030(a)(5)(c); (2) violation of the Wiretap Act, 18 U.S.C. § 2511 et seq.; (3) violation of the CDAFA, Cal. Penal Code §§ 502(c)(1)–(5), (7); (4) violation of the California Invasion of Privacy Act, Cal. Penal Code § 630 et seq.; (5) conversion; (6) breach of contract; (7) breach of the implied covenant of good faith and fair dealing; (8) violation of California's Unfair Competition Law; and (9) unjust enrichment. Dkt. No. 1.
On June 6, 2014, defendants filed a motion for judgment on the pleadings on the first through fourth causes of action. Dkt. No. 60. On August 8, 2014, I granted the motion on the CFAA cause of action, reasoning that while NovelPoster had adequately alleged improper conduct under the Act, NovelPoster's barebones loss and damage allegation was too conclusory to support a claim for relief against defendants. Dkt. No. 93 at 6–15. I also granted judgment on the pleadings for defendants on NovelPoster's CDAFA cause of action, also on the ground that NovelPoster had failed to adequately allege loss or damage within the meaning of that statute. Id. at 16–17. I gave NovelPoster leave to amend both causes of action. Id. at 22.
In holding that NovelPoster had adequately alleged improper conduct under the CFAA, I rejected defendants' contention that NovelPoster's allegations failed to show that defendants acted without authorization or in excess of authorization by accessing and maintaining exclusive control of NovelPoster's various online accounts. I reasoned that, “[b]ased on the pleadings, issues of fact remain concerning whether defendants truly had authorization to access NovelPoster's various accounts and to change the passwords during the business relationship and, if they did, to continue to access the accounts” after the relationship was supposedly terminated. Dkt. No. 93 at 9.
In addition, I granted judgment on the pleadings for defendants on NovelPoster's second and fourth causes of action, for violations of the Wiretap Act and the California Invasion of Privacy Act. Dkt. No. 93 at 17–22. NovelPoster does not bring those causes of action in the First Amended Complaint.
NovelPoster filed the First Amended Complaint on August 19, 2014, alleging the same causes of action as in the initial complaint, minus the Wiretap Act and California Invasion of Privacy Act claims. Defendants filed the instant motion on September 10, 2014, and I heard argument from the parties on October 15, 2014.
In conjunction with the motion, defendants requested judicial notice of various documents, including NovelPoster's ex parte application for a temporary restraining order in this case, Dkt. No. 35, and this Court's subsequent order, Dkt. No. 38. With the exception of the TRO application and order, I find that the documents submitted by defendants are not necessary to resolve this motion, and defendants' request for judicial notice of those documents is DENIED AS MOOT. Defendants' request for judicial notice of the TRO application and order is GRANTED, although defendants are advised for future reference that they need not seek judicial notice of documents previously filed in the same case. An accurate citation will suffice.
Federal Rule of Civil Procedure 12(c) provides that “[a]fter the pleadings are closed—but early enough not to delay trial—a party may move for judgment on the pleadings.” Fed. R. Civ. P. 12(c). “Analysis under Rule 12(c) is substantially identical to analysis under Rule 12(b)(6) because, under both rules, a court must determine whether the facts alleged in the complaint, taken as true, entitle the plaintiff to a legal remedy.” Chavez v. United States, 683 F.3d 1102, 1108 (9th Cir.2012) (internal quotation marks omitted). As with a motion to dismiss under Rule 12(b)(6), when deciding a motion for judgment on the pleadings, the court “must accept all factual allegations in the complaint as true and construe them in the light most favorable to the nonmoving party.” Fleming v. Pickard, 581 F.3d 922, 925 (9th Cir.2009). “Judgment on the pleadings is properly granted when there is no issue of material fact in dispute, and the moving party is entitled to judgment as a matter of law.” Id. (footnote and citation omitted).
I. DAMAGE AND LOSS UNDER THE CFAA
Defendants contend that the First Amended Complaint still fails to adequately plead either damage or loss as defined by the CFAA. Defendants are wrong.
To maintain a civil action under the CFAA, the plaintiff must show that he or she “suffer[ed] damage or loss by reason of [the defendant's] violation” of the Act, and that one of five enumerated circumstances is present. 18 U.S.C. § 1030(g). NovelPoster claims that defendants violated two provisions of the CFAA, 18 U.S.C. § 1030(a)(2)(C) and 18 U.S.C. § 1030(a)(5)(C). Section 1030(a)(2)(C) makes liable anyone who “intentionally access a computer without authorization or exceeds authorized access, and thereby obtains ... information from any protected computer.” 18 U.S.C. § 1030(a)(2)(C). Section 1030(a)(5)(C) similarly creates a cause of action against anyone who “intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage and loss.” 18 U.S.C. § 1030(a)(5)(C). The circumstance relevant to NovelPoster's claims is whether defendants' alleged CFAA violations caused “loss to 1 or more persons during any 1–year period ... aggregating at least $5,000 in value.” 18 U.S.C. § 1030(c)(4)(A)(i)(I). The upshot is that NovelPoster must show that defendants' violation of each of the alleged CFAA provisions caused loss of at least $5,000, and, further, that defendants' violation of section 1030(a)(5)(C) caused both “damage and loss.” 18 U.S.C. §§ 1030(a)(5)(C), 1030(c)(4)(A)(i)(I); see also, Network Cargo Sys. Int'l, Inc. v. Pappas, No. 13–cv–09171, 2014 WL 1674650, at *2 (N.D.Ill. Apr. 25, 2014) (noting that a plaintiff bringing a claim under 18 U.S.C. 1030(a)(5)(C) must show both “damage” and “loss”).
The CFAA defines “damage” as “any impairment to the integrity or availability of data, a program, a system, or information.” 18 U.S.C. § 1030(e)(8). “Loss” is defined as “any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service.” Id. § 1030(e)(11). Thus, while “damage” covers harm to data and information, “loss” refers to monetary harms sustained by the plaintiff. See Phillips v. Ex'r of Estate of Arnold, 13–cv–00444, 2013 WL 4458790, at *4 (W.D.Wash. Aug. 16, 2013).
The First Amended Complaint adequately alleges damage because it alleges that throughout the approximately seven months that defendants maintained unauthorized control of NovelPoster's online accounts, NovelPoster was prohibited from accessing the data and communications stored within them. See FAC ¶ 42. This qualifies as an “impairment to the ... availability of data,” as required to show damage under the CFAA. See 18 U.S.C. § 1030(e)(8); see also, Cassetica Software, Inc. v. Computer Sciences Corp., No. 09–cv–00003, 2009 WL 1703015, at *3 (N.D.Ill. June 18, 2009) (holding that a plaintiff alleges damage under the CFAA where he alleges that defendant's conduct “caused a diminution in the completeness or usability” or “affected the availability” of data).
Defendants contend that CFAA-qualifying damage only occurs where data is destroyed or where the underlying computer system is harmed. See Reply at 5 (“Plaintiff does not plead any damage to computers or computer systems.”). Defendants cite several cases in support of this proposition. See NetApp, Inc. v. Nimble Storage, Inc., 41 F.Supp.3d 816, 834 (N.D.Cal.2014) (“damage” means “harm to computers or networks”); Doyle v. Taylor, 09–cv–00158, 2010 WL 2163521, at *2–3 (E.D.Wash. May 24, 2010) (to show “damage” or “loss” under the CFAA, “plaintiffs must identify impairment of or damage to the computer system that was accessed without authorization”); Del Monte Fresh Produce, N.A., Inc. v. Chiquita Brands Int'l Inc., 616 F.Supp.2d 805, 810 (N.D.Ill.2009) (a person causes “damage” under the CFAA when she “destroys ... data”).
None of the cases cited by defendants, however, involve a situation where the alleged CFAA violation caused the extended unavailability of the data at issue. Rather, all of the cases involve the mere copying of data. See, e.g., NetApp, Inc, 41 F.Supp.3d at 834 (“[Plaintiff] alleges only that [defendant] accessed its databases without permission, not that he damaged any systems or destroyed any data.”); Doyle, 2010 WL 2163521, at *1 (plaintiff alleged that defendant violated the CFAA by copying and distributing the contents of plaintiff's thumb drive); Del Monte, 616 F.Supp.2d at 811 (N.D.Ill.2009) (“copying electronic files from a computer database ... is not enough to satisfy the damage requirement of the CFAA”). These cases appear to have used language suggesting a destruction or harm-to-computer-system requirement as a means of emphasizing that the mere copying of data is not enough, not as a means of excluding the extended unavailability of data from the CFAA's definition of “damage.” Given their factual differences with the instant case, the decisions cited by defendants are not persuasive here.
Moreover, district courts in the Ninth Circuit have expressly held that, under the CFAA, “it is not necessary for data to be physically changed or erased to constitute damage to that data.” Multiven, Inc. v. Cisco Sys., Inc., 725 F.Supp.2d 887, 894–95 (N.D.Cal.2010); see also, T–Mobile USA, Inc. v. Terry, 862 F.Supp.2d 1121, 1131 (W.D.Wash.2012) (noting that data need not be “physically changed or erased” to be damaged under the CFAA).
Defendants also point to B.U.S.A. Corp. v. Ecogloves, Inc., No. 05–cv–09988, 2009 WL 3076042 (S.D.N.Y. Sept. 28, 2009), but the case is plainly distinguishable. The court in B.U.S.A. held that the plaintiffs could not prove “loss” under the CFAA where “[t]he credible evidence in the record does not show that [defendant's] actions caused an ‘interruption of service’—at most, plaintiffs were unable to access some of [defendant's] past emails for an unspecified period of time.” Id. at *9. As the preceding sentence indicates, B.U.S.A. was concerned with “loss” under the CFAA, not “damage.” Id. at *6–9. The court held that the temporary unavailability of emails does not constitute an “interruption of service” under the CFAA but said nothing about what constitutes damage within the meaning of the Act. Id.
Defendants have not presented any persuasive authority for excluding the approximately seven-month unavailability of data from the CFAA's definition of damage despite that definition's plain inclusion of “impairment to the ... availability of data.” 18 U.S.C. § 1030(e)(8). NovelPoster has adequately alleged that defendants' alleged CFAA violations caused damage within the meaning of the Act.
The First Amended Complaint also includes sufficient allegations of loss under the CFAA. As defined under section 1030(e)(11), “loss” means two things: first, “any reasonable cost to any victim,” such as conducting a damage assessment and restoring the damaged data or information to its condition prior to the offense; and second, lost revenue or other costs incurred as a result of an “interruption of service.” 18 U.S.C. § 1030(e)(11). NovelPoster may only sue defendants under the CFAA if defendants' violations of the Act caused a loss of at least $5,000 in value. See 18 U.S.C. §§ 1030(c)(4)(A)(i)(I), 1030(g).
For pleading purposes, NovelPoster has satisfied this requirement by alleging that Grinberg and Yancher each spent substantial time and energy “on their efforts to secure the restoration of NovelPoster and its data and information” to the condition they were in “prior to when defendants took control of NovelPoster,” efforts which included restoring the data and information to their prior condition, as well as responding to and conducting a damage assessment of defendants' alleged CFAA and CDAFA violations. FAC ¶¶ 50, 70. These allegations fit within the CFAA's definition of “loss” as “any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense.” 18 U.S.C. § 1030(e)(11). By alleging the approximate number of hours that Grinberg and Yancher spent on their restorative efforts, and the approximate value of their services, NovelPoster has also provided a basis for the plausible inference that defendants' alleged CFAA violations caused losses of at least $5,000. See FAC ¶ 50, 70.
Defendants argue that Grinberg and Yancher's efforts cannot qualify as loss under the CFAA because it is not plausible that their efforts were related to the damage of any computer system or data. According to defendants, the allegations in the First Amended Complaint demonstrate that “there was nothing [for Grinberg and Yancher] to investigate.” Mot. 8. NovelPoster knew that it had transferred its passwords and operations to defendants, and that defendants had changed the passwords and continued to operate the business despite NovelPoster's attempt to terminate the agreement between the parties. Mot. 8. Defendants assert that “[t]his situation is easily comprehensible for individuals of ordinary intelligence and does not justify a 700–hour ‘investigation.’ ” Id.
Defendants' argument is flawed for two reasons. First, it conflates investigating the circumstances of defendants' alleged misconduct with “conducting a damage assessment [and] restoring the data ... to its condition prior to the offense.” See 18 U.S.C. § 1030(e)(11). Just because NovelPoster knew how defendants had violated the CFAA does not mean NovelPoster knew which data had been made unavailable or how to restore it. It is certainly plausible that NovelPoster spent extensive time and energy determining precisely what data was contained within the hijacked accounts and attempting to restore that data, even after ascertaining what defendants had done. See SuccessFactors, Inc. v. Softscape, Inc., 544 F.Supp.2d 975, 981 (N.D.Cal.2008) (holding that where “the offender has actually accessed protected information, discovering who has that information and what information he or she has is essential to remedying the harm” and therefore qualifies as loss under the CFAA) (emphasis added).
The second problem with defendants' argument is that it requires a factual inquiry into the accuracy of NovelPoster's claims that is not appropriate on a motion for judgment on the pleadings. In deciding such a motion, the court “must accept all factual allegations in the complaint as true and construe them in the light most favorable to the nonmoving party.” Fleming, 581 F.3d at 925. Defendants are correct that under the CFAA, the plaintiff's costs are only cognizable where they arise from the investigation or repair of a damaged computer system or data, or from an “interruption of service.” See, e.g., Mintz v. Mark Bartelstein & Associates Inc., 906 F.Supp.2d 1017, 1029 (C.D.Cal.2012) (“Costs associated with investigating intrusions into a computer network and taking subsequent remedial measures are losses within the meaning of the [CFAA].”); Mintel Int'l Grp., Ltd. v. Neergheen, 08–CV–3939, 2010 WL 145786, at *9–10 (N.D.Ill. Jan. 12, 2010) (finding no CFAA-qualifying loss where the plaintiff's expert “was not assessing whether [defendant] had damaged [plaintiff's] computers or data ...; rather, the expert was hired for assistance in [this] lawsuit”) (internal quotation marks omitted); Cassetica Software, 2009 WL 1703015, at *4 (to state a CFAA claim based on loss, “the alleged loss must relate to the investigation or repair of a computer system following a violation that caused impairment or unavailability of data”). As explained above, however, NovelPoster has alleged damage as defined by the CFAA. See FAC ¶ 42. NovelPoster has also alleged that Grinberg and Yancher's restorative efforts were directly related to that damage. See FAC ¶¶ 50, 70. Whether these allegations are supported by the evidence is not a matter to be determined at this point in the proceedings.
Indeed, the majority of the cases cited by defendants in which the court found an absence of CFAA-qualifying loss are summary judgment cases or similarly fact-intensive decisions. See, e.g., Mintz, 906 F.Supp.2d at 1029–31 (order on summary judgment); Mintel, 2010 WL 145786, at *9–10 (ruling on bench trial); Del Monte, 616 F.Supp.2d at 812 (“This is not a motion to dismiss. Therefore, the Court cannot blindly accept the allegation that [plaintiff's consultant] conducted a ‘damage assessment’ as true.”). Those cases cited by defendants that do concern pleading motions involve situations where the plaintiff failed to allege that the defendant's conduct caused impairment of data or interruption of service. See, e.g., AtPac, Inc. v. Aptitude Solutions, Inc., 730 F.Supp.2d 1174, 1185 (E.D.Cal.2010) (dismissing CFAA claims where plaintiff's only loss allegation was that defendants, through their unauthorized access, “obtained something of value exceeding $5,000”); Cassetica Software, 2009 WL 1703015, at *3–4 (N.D.Ill. June 18, 2009) (plaintiff failed to allege loss under the CFAA where plaintiff “did not allege any facts that would plausibly suggest that [defendant's conduct] caused any impairment of data or interruption of service”); SKF USA, Inc. v. Bjerkness, 636 F.Supp.2d 696, 720–21 (N.D.Ill.2009) (granting defendants' motion to dismiss CFAA claims where plaintiff's only alleged loss was due to defendants unauthorized transfer of data to plaintiff's business competitor). Here, in contrast, NovelPoster has alleged that defendants impaired the availability of NovelPoster's data, thereby causing damage within the meaning of the CFAA, and that Grinberg and Yancher's restorative efforts were directly related to that impairment.
While it is unlikely that all $105,000 worth of Grinberg and Yancher's alleged efforts can be provably linked to data restoration or damage assessment or other recoverable losses, at this juncture, NovelPoster's allegations are sufficient to raise the plausible inference that NovelPoster spent at least $5,000 responding to the unauthorized takeover of its online accounts. Because I conclude that the allegations concerning Grinberg and Yancher's restorative efforts are sufficient to satisfy the CFAA's $5,000 loss requirement, I do not consider NovelPoster's other alleged losses—i.e., the attorney's fees and “interruption of service” losses. NovelPoster has stated a prima facie claim for relief under sections 1030(a)(2)(C) and 1030(a)(5)(C) of the CFAA, and that cause of action will proceed.
II. DAMAGE AND LOSS UNDER THE CDAFA
Like the CFAA, the CDAFA allows an individual who “suffers damage or loss by reason of a violation” of the statute to bring a private civil action. Cal. Penal Code § 502(e)(1). Unlike the CFAA, the CDAFA does not impose a $5,000 loss minimum—any amount of damage or loss caused by the defendant's CDAFA violation is enough to sustain the plaintiff's claims. Id. Accordingly, courts in this circuit have found that a plaintiff's alleged damage or loss may be sufficient to support a CDAFA claim even where it is not enough to support a claim under the CFAA. See Capitol Audio Access, Inc. v. Umemoto, 980 F.Supp.2d 1154, 1157–60 (E.D.Cal.2013); Mintz, 906 F.Supp.2d at 1029–32. By adequately alleging damage or loss under the CFAA, NovelPoster has done the same under the CDAFA. NovelPoster's CDAFA claims will not be dismissed on this ground.
III. “WITHOUT PERMISSION” UNDER THE CDAFA
Defendants also seek judgment on NovelPoster's CDAFA cause of action on the ground that NovelPoster fails to allege that defendants overcame a technical or code-based barrier in their access and use of NovelPoster's online accounts.
NovelPoster asserts claims under six different CDAFA provisions, each of which requires that the defendant acted “without permission.” See Cal. Penal Code §§ 502(c)(1)–(5), (7). Five of the six provisions also require that the defendant “access[ed]” or “use[d]” a computer. The other provision, section 502(c)(5), applies where the defendant “[k]nowingly and without permission disrupts or causes the disruption of computer services or denies or causes the denial of computer services to an authorized user of a computer, computer system, or computer network.” Id. § 502(c)(5).
The provisions make liable anyone who:
(1) Knowingly accesses and without permission alters, damages, deletes, destroys, or otherwise uses any data, computer, computer system, or computer network in order to either (A) devise or execute any scheme or artifice to defraud, deceive, or extort, or (B) wrongfully control or obtain money, property, or data.
(2) Knowingly accesses and without permission takes, copies, or makes use of any data from a computer, computer system, or computer network, or takes or copies any supporting documentation, whether existing or residing internal or external to a computer, computer system, or computer network.
(3) Knowingly and without permission uses or causes to be used computer services.
(4) Knowingly accesses and without permission adds, alters, damages, deletes, or destroys any data, computer software, or computer programs which reside or exist internal or external to a computer, computer system, or computer network.
(5) Knowingly and without permission disrupts or causes the disruption of computer services or denies or causes the denial of computer services to an authorized user of a computer, computer system, or computer network.
(7) Knowingly and without permission accesses or causes to be accessed any computer, computer system, or computer network.
Cal. Penal Code §§ 502(c)(1)–(5), (7).
Defendants contend that an individual only acts “without permission” under the CDAFA where he or she “access[es] or us[es] a computer ... in a manner that overcomes technical or code-based barriers.” Facebook, Inc. v. Power Ventures, Inc., No. 08–cv–05780–JW, 2010 WL 3291750, at *11 (N.D.Cal. July 20, 2010). Defendants assert that NovelPoster cannot allege that defendants overcame such a barrier, because defendants gained access to NovelPoster's online accounts through the use of valid passwords, not by “hacking” into them. See Mot. 20–24. NovelPoster contests the existence of a “technical or code-based barrier” requirement and asserts that even if such a requirement exists, NovelPoster has alleged facts sufficient to satisfy it here. Opp. 13–17.
Although most courts have followed Power Ventures, “there is a split of authority in this district concerning the appropriate scope of the ‘without permission’ language in the CDAFA.” Opperman, 87 F.Supp.3d at 1054 n. 19. In Weingand v. Harland Fin. Solutions, Inc., No. 11–cv–03109–EMC, 2012 WL 2327660 (N.D.Cal. June 19, 2012), the court granted the defendant leave to assert a CDAFA counterclaim against the plaintiff, who, after being terminated from the defendant's employ, had allegedly used his still-operable log-in information to access data on the defendant's computer system which he was not permitted to access. Id. at *4–5. The court considered Power Ventures but declined to follow it, instead rejecting the plaintiff's argument that the CDAFA counterclaim would be futile because the statute applies only to “hacking.” Id. Similarly, in Synopsys, Inc. v. ATopTech, Inc., No. 13–cv–02965–SC, 2013 WL 5770542 (N.D.Cal. Oct. 24, 2013), the court acknowledged Power Ventures but concluded that it could not find, “as a matter of law, that plaintiff does not state a claim under the CDAFA solely because plaintiff relies on the alleged breach of a license agreement instead of a technical breach.” Id. at *11.
In addition to Weingand and Synopsys, there is also a recent California court of appeal case that appears to conflict with—or at least limit—the holding in Power Ventures. The court in People v. Childs, 220 Cal.App.4th 1079, 164 Cal.Rptr.3d 287 (2013), affirmed a conviction under section 502(c)(5) for “knowingly and without permission disrupt[ing] or ... den[ying] ... computer services to an authorized user,” despite the fact that the defendant was authorized to access and use the computer system in question. The defendant was the system administrator of a large and complex computer network who manipulated the network so that he was only person with administrative access. Id. at 1082–93, 164 Cal.Rptr.3d 287. The court held that the scope of section 502(c)(5) was not constrained “to external hackers who obtain unauthorized access to a computer system,” and that the provision “may properly be applied to an employee who uses his or her authorized access to a computer system to disrupt or deny computer services to another lawful user.” Id. at 1104, 164 Cal.Rptr.3d 287. In reaching this holding, the court emphasized that section 502(c)(5), unlike most CDAFA provisions, does not contain an “access” element. Id. at 1102, 164 Cal.Rptr.3d 287 (“The Legislature's requirement of unpermitted access in some section 502 offenses and its failure to require that element in other parts of the same statute raise a strong inference that [the offenses] that do not require unpermitted access were intended to apply to persons who gain lawful access to a computer but then abuse that access.”).
In light of Childs, NovelPoster has alleged sufficient facts to support its claims under section 502(c)(5). As noted above, that provision makes liable anyone who “[k]nowingly and without permission disrupts or causes the disruption of computer services or denies or causes the denial of computer services to an authorized user of a computer, computer system, or computer network.” Cal. Penal Code § 502(c)(5). NovelPoster's allegation that defendants locked NovelPoster out of its online accounts for several months, despite NovelPoster's unambiguous attempt to terminate the contract and regain access to those accounts, appears to qualify as such an offense. Apart from their damage/loss and technical-or-code-based-barrier arguments, defendants do not contend otherwise. See Mot. 20–24; Reply 13–15. Moreover, Childs highlights that the holding in Power Ventures is best understood as applying only to those CDAFA provisions which, like the provisions specifically at issue in that case, require a showing of unpermitted access or use, not to section 502(c)(5). See Power Ventures, 2010 WL 3291750, at *11 (“[T]he Court finds that a user of internet services does not access or use a computer, computer network, or website without permission simply because that user violated a contractual term of use.”) (emphasis added). NovelPoster's section 502(c) claims may go forward.
NovelPoster's claims under sections 502(c)(1)–(4) and (7) may proceed as well. Of the cases cited by the parties, Weingand is the most factually similar. There, as here, the CDAFA claims were based on allegations that an individual used technically-operable log-in information to access portions of a computer system which the individual knew he was not permitted to access. See Weingand, 2012 WL 2327660, at *4. I agree with Weingand that, at least at the pleading phase, such allegations may support a claim under section 502 that a person “knowingly” and “without permission” accessed or used a computer. Cal. Penal Code § 502(c). To the extent that the Power Ventures construction of the CDAFA is instructive in a case involving factual circumstances like those at issue here, I also find that NovelPoster's allegations that defendants without authorization changed the passwords to NovelPoster's online accounts, thereby preventing NovelPoster from accessing those accounts and eliminating the very technical access barriers that NovelPoster had set up to protect them, are sufficient at the pleading phase to show that defendants overcame a technical access barrier. As defendants do not point to other deficiencies in NovelPoster's claims under sections 502(c)(1)–(4) and (7), the claims will not be dismissed.
For the foregoing reasons, defendants' second motion for judgment on the pleadings is DENIED.