holding that the plain language of the CFAA, its legislative history, and principles of statutory construction support a narrow reading of "authorization"
Summary of this case from Dana Ltd. v. American Axle & Mfg. Holdings, Inc.
February 20, 2008
Pending is Defendants' Motion to Dismiss. (Doc. 17.) This motion requires the Court to interpret the meaning of the terms "without authorization" and "exceeds authorized access" in the Computer Fraud and Abuse Act ("CFAA"), 18 U.S.C. § 1030. The Court concludes that a violation for accessing a protected computer "without authorization" occurs only when initial access is not permitted. And, an "exceeds authorized access" violation occurs only when initial access to a protected computer is permitted but the access of certain information is not permitted. Thus, Defendants' Motion to Dismiss will be granted.
Plaintiff Shamrock Foods Company ("Shamrock") alleges that Defendant Jeff Gast began working for Shamrock in September 2000. (Compl. ¶ 19.) As an employee of Shamrock, Gast signed a Confidentiality Agreement, agreeing not to use or disclose "any trade secrets, confidential information, knowledge or data relating or belonging to" Shamrock. (Id.) On December 20, 2007, Gast was promoted to Regional Sales Manager of Southern Arizona. (Id. ¶ 28.) Around this time, Gast began employment negotiations with Defendant Sysco Food Services of Arizona, Inc. ("Sysco"), a competitor of Shamrock. (Id. ¶ 31.) On January 4 and 7, 2008, Gast emailed numerous documents containing Shamrock's confidential and proprietary information to his personal email account. (Id. ¶¶ 32, 36.) The next day, Gast informed his manager that he was considering leaving Shamrock. (Id. ¶ 40.) On January 14, 2008, Gast told his manager that he was going to work for Sysco, and, on January 15, 2008, submitted a written resignation. (Id. ¶¶ 42-45.) Gast began employment with Sysco on January 18, 2008. (Id. ¶ 55.)
After Gast left Shamrock on January 15, 2008, Shamrock performed a forensic analysis of Gast's computer at a cost exceeding $5,000.00 and discovered the emails that Gast sent to himself. (Id. ¶ 49.) Shamrock alleges that Gast was acting as an agent of Sysco when he accessed and emailed the confidential information. (Id. ¶¶ 50-52.) Further, Shamrock alleges that Gast provided this confidential information to Sysco and that Sysco is using this information to Shamrock's detriment. (Id. ¶¶ 52-53.)
On February 3, 2008, Shamrock filed a complaint and motion for temporary restraining order. The complaint asserts that this Court has federal-question jurisdiction under the CFAA. Specifically, Shamrock brings CFAA claims under § 1030(a)(2), (4), and (5)(iii). In addition to the CFAA claims, Shamrock brings a host of state common law and statutory claims. Defendants moved to dismiss the CFAA claims for failure to state a claim and the remaining state law claims for lack of subject matter jurisdiction.
"A Rule 12(b)(6) motion tests the legal sufficiency of a claim." Navarro v. Block, 250 F.3d 729, 732 (9th Cir. 2001). When reviewing a motion to dismiss, the Court "must determine whether, assuming all facts and inferences in favor of the nonmoving party, it appears beyond doubt that [Plaintiffs] can prove no set of facts to support [their] claims." Marder v. Lopez, 450 F.3d 445, 448 (9th Cir. 2006) (internal quotations omitted).
I. Computer Fraud and Abuse Act
The CFAA makes it a federal criminal offense to engage in any one of seven prohibited activities. 18 U.S.C. § 1030(a). While the CFAA is primarily a criminal statute, it also provides a civil cause of action under § 1030(g):
Any person who suffers damage or loss by reason of a violation of this section may maintain a civil action against the violator to obtain compensatory damages and injunctive relief or other equitable relief. A civil action for a violation of this section may be brought only if the conduct involves 1 of the factors set forth in clause (i), (ii), (iii), (iv), or (v) of subsection (a)(5)(B).
The Ninth Circuit has clarified that subsection (g) enables a party to bring a private cause of action for any violation under the CFAA. Theofel v. Farey-Jones, 359 F.3d 1066, 1078 n. 5 (9th Cir. 2004). While a civil cause of action "must involve one of the five factors in (a)(5)(B), it need not be one of the three offenses in (a)(5)(A)." Id. Here, the conduct alleged by Shamrock involves one of the five factors in (a)(5)(B) because it involves a loss aggregating at least $5,000 in value. See 18 U.S.C. § 1030(a)(5)(B)(i) and (e)(11) (defining "loss" to include the cost of conducting a damage assessment). Thus, Shamrock may bring a civil cause of action under § 1030(a)(2), (4), and (5)(a)(iii).
It is a violation of § 1030(a)(2) when a person "intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains . . . information from any protected computer if the conduct involved an interstate or foreign communication." Section 1030(a)(4) is violated when a person "knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value. . . ." Section (a)(5)(A)(iii) is violated when a person "intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage. . . ." Thus, to state a claim under (a)(2) and (a)(4), Shamrock must allege conduct showing that Gast accessed a protected computer without authorization or exceeded authorized access. Unlike (a)(2) and (a)(4), which also prohibit a person from exceeding authorized access, (a)(5)(A)(iii) only prohibits access without authorization. Thus, to state a claim under (a)(5)(A)(iii), Shamrock must allege conduct showing that Gast accessed a protected computer without authorization.
Defendants do not deny that Gast accessed a protected computer. Instead, they argue that Gast was authorized to access the computer and information at issue. Shamrock concedes that "Gast may very well be correct that he was entitled to access Shamrock's confidential and proprietary information while he was an employee." (Doc. 28 at 9.) Nevertheless, Shamrock argues that Gast was no longer authorized to access its confidential information once he acquired the improper purpose to use this information to benefit himself and Sysco.
The parties' dispute reflects two lines of cases interpreting the meaning of "authorization." Some courts have applied principles of agency law to the CFAA and have held that an employee accesses a computer "without authorization" whenever the employee, without knowledge of the employer, acquires an adverse interest or is guilty of a serious breach of loyalty. See, e.g., Int'l Airport Ctrs., L.L.C. v. Citrin, 440 F.3d 418, 420-421 (7th Cir. 2006); ViChip Corp. v. Lee, 438 F. Supp. 2d 1087, 1100 (N.D. Cal. 2006); Shurgard Storage Ctrs, Inc. v. Safeguard Self Storage, Inc., 119 F. Supp. 2d 1121, 1125 (W.D. Wash. 2000). In contrast, other courts "have opted for a less expansive view, holding that the phrase `without authorization' generally only reaches conduct by outsiders who do not have permission to access the plaintiff's computer in the first place." See, e.g., Diamond Power Intern., Inc. v. Davidson, Nos. 1:04-CV-0091-RWS-CCH and 1:04-CV-1708-RWS-CCH, 2007 WL 2904119, at *13 (N.D. Ga. Oct. 1, 2007); Brett Senior Assocs., P.C. v. Fitzgerald, No. 06-1412, 2007 WL 2043377, at *2-4 (E.D. Pa. July 13, 2007); Lockheed Martin Corp. v. Speed, No. 6:05-CV-1580-ORL-31, 2006 WL 2683058, at *5 (M.D. Fla. Aug. 1, 2006); Int'l Ass'n of Machinists and Aerospace Workers v. Werner-Masuda, 390 F. Supp. 2d 479, 495 (D. Md. 2005). The Court is persuaded by the narrower view of "authorization" embraced in the latter line of cases.
First, the plain language supports a narrow reading of the CFAA. The CFAA does not define the term "without authorization." Nevertheless, "`authorization' is commonly understood as `[t]he act of conferring authority; permission.'" Lockheed Martin Corp., 2006 WL 2683058, at *5 (quoting The American Heritage Dictionary 89 (1976)). Further, while the CFAA does not define "without authorization," it does define "exceeds authorized access." Subsection (e)(6) provides: "the term `exceeds authorized access' means to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter." The definition of this term obviates any need to revert to outside sources, including principles of agency law, to understand the conduct prohibited by the CFAA. The court in Diamond Power Intern., Inc. explained:
Section 1030(e)(6) contemplates that an "exceeds authorized access" violation occurs where the defendant first has initial "authorization" to access the computer. But, once the computer is permissibly accessed, the use of that access is improper because the defendant accesses information to which he is not entitled. Under Citrin and Shurgard, however, that distinction is overlooked. Under their reasoning, an employee who accesses a computer with initial authorization but later acquires (with an improper purpose) files to which he is not entitled — and in so doing, breaches his duty of loyalty — is "without authorization," despite the Act's contemplation that such a situation constitutes accessing "with authorization" but by "exceed[ing] authorized access." 18 U.S.C. § 1030(e)(6). The construction of Citrin and Shurgard thus conflates the meaning of those two distinct phrases and overlooks their application in § 1030(e)(6).
2007 WL 2904119, at *14 (alteration in original); see also Lockheed Martin Corp., 2006 WL 2683058, at *5-6 (disagreeing with Citrin's reliance on agency law). Thus, the plain language of § 1030(a)(2), (4), and (5)(a)(iii) targets "the unauthorized procurement or alteration of information, not its misuse or misappropriation." See Fitzgerald, 2007 WL 2043377, at *3.
Second, the legislative history supports a narrow view of the CFAA. The CFAA — originally called the Counterfeit Access Device and Computer Fraud and Abuse Act — was enacted in 1984. Pub.L. No. 98-473, § 2102(a), 98 Stat. 1937 (1984). The general purpose of the CFAA "was to create a cause of action against computer hackers (e.g., electronic trespassers)." Werner-Masuda, 390 F. Supp. 2d at 495-96 (citing S. Rep. No. 99-432, at 4 (1986), as reprinted in 1986 U.S.C.C.A.N. 2479, 2482 (explaining that the CFAA "is a consensus bill aimed at deterring and punishing certain `high-tech' crimes")). The 1984 House Committee emphasized that "Section 1030 deals with an `unauthorized access' concept of computer fraud rather than the mere use of a computer. Thus, the conduct prohibited is analogous to that of `breaking and entering' rather than using a computer . . . in committing the offense." H.R. Rep. No. 98-894, at 20 (1984), as reprinted in 1984 U.S.C.C.A.N. 3689, 3706. Consequently, the committee report emphasized concerns about "hackers" who "trespass into" computers and the inability of "password codes" to protect against this threat. H.R. Rep. No. 98-894, at 10-11, 1984 U.S.C.C.A.N. at 3695-97. Simply stated, the CFAA is a criminal statute focused on criminal conduct. The civil component is an afterthought.
In 1986, "Congress amended the CFAA to substitute the phrase `exceeds authorized access' for the phrase `or having accessed a computer with authorization, uses the opportunity such access provides for purposes to which such authorization does not extend.'" Werner-Masuda, 390 F. Supp. 2d at 499 n. 12 (quoting S. Rep. No. 99-432, at 9 (1986), as reprinted in 1986 U.S.C.C.A.N. 2479, 2486). The court in Werner-Masuda explained:
By enacting this amendment, and providing an express definition for "exceeds authorized access," the intent was to "eliminate coverage for authorized access that aims at `purposes to which such authorization does not extend,'" thereby "remov[ing] from the sweep of the statute one of the murkier grounds of liability, under which a [person's] access to computerized data might be legitimate in some circumstances, but criminal in other (not clearly distinguishable) circumstances that might be held to exceed his authorization."
Id. at 499 n. 12 (quoting S. Rep. No. 99-432, at 21, 1986 U.S.C.C.A.N. at 2494-95) (alterations in original). This core language, basing violation of the CFAA on access without authorization and access exceeding authorization, remains unchanged. Compare Pub.L. No. 99-474, 100 Stat. 1213 (1986), with 18 U.S.C. § 1030.
While courts have struggled to distinguish between the terms "without authorization" and "exceeds authorized access," see, e.g., Citrin, 440 F.3d at 420 ("The difference between `without authorization' and `exceeding authorized access' is paper thin. . . ."), "prohibitions against exceeding authorization appear to reflect concerns that users with some rights to access a computer network could otherwise use those limited rights as an absolute defense to further computer misuse." Orin S. Kerr, Cybercrime's Scope: Interpreting "Access" and "Authorization" in Computer Misuse Statutes, 78 N.Y.U. L. Rev. 1596, 1630 (2003). "Senate report[s have] suggested a difference between access without authorization and exceeding authorized access based on the difference between `insiders' and `outsiders.' Insiders were those with rights to access computers in some circumstances (such as employees), whereas outsiders had no rights to access computers at all (such as hackers)." Id. (citing S. Rep. No. 104-357, at 4 (1996) (explaining that § 1030(a)(3), which prohibits access without authorization to government computers, "only applies to outsiders who gain unauthorized access to Federal Government computers, and not to Government employees who abuse their computer access privileges to obtain Government information that may be sensitive and confidential") and S. Rep. 99-432, at 10 (1986), reprinted in 1986 U.S.C.C.A.N. 247, 2488 (explaining that § 1030(a)(3) is "aimed at `outsiders,' i.e., those lacking authorization to access any Federal interest computer")). Thus, the legislative history confirms that the CFAA was intended to prohibit electronic trespassing, not the subsequent use or misuse of information.
Finally, principles of statutory construction persuade the Court to adopt a narrower view of the CFAA. The rule of lenity guides the Court's interpretation of the CFAA because it has both criminal and noncriminal applications. See Leocal v. Ashcroft, 543 U.S. 1, 12 n. 8 (2004); United States v. Thompson/Center Arms Co., 504 U.S. 505, 517-18 (1992). Such rule requires a court confronted with two rational readings of a criminal statute, one harsher than the other, to choose the harsher only when Congress has spoken in clear and definite language. Pasquantino v. United States, 544 U.S. 349, 383 (2005). The rule weighs in favor of adopting the narrower approach. The approach advanced by Shamrock would sweep broadly within the criminal statute breaches of contract involving a computer. See Fitzgerald, 2007 WL 2043377, at *4; see also Kerr, supra, at 1596, 1642 (criticizing courts which "have adopted broad approaches to authorization that in a criminal context would criminalize a remarkable swath of conduct involving computers"). Similarly, an interpretation of CFAA based upon agency principles would greatly expand federal jurisdiction by conferring a federal cause of action whenever an employee accesses "the company computer with `adverse interests' and such access causes a statutorily recognized injury." Lockheed Martin Corp., 2006 WL 2683058, at *7 (questioning whether the broad approach would grant a civil cause of action when an employee accesses a personal email account without permission and unintentionally causes damage). The Court declines the invitation to open the doorway to federal court so expansively when this reach is not apparent from the plain language of the CFAA. Id.; see also Whitman v. American Trucking Associations, 531 U.S. 457, 468 (2001) (Congress does not "hide elephants in mouseholes").
Given the plain language, legislative history, and principles of statutory construction, the restrictive view of "authorization" is adopted. "[A] violation for accessing `without authorization' occurs only where initial access is not permitted. And a violation for `exceeding authorized access' occurs where initial access is permitted but the access of certain information is not permitted." Davidson, 2007 WL 2904119, at *14; see also Lockheed Martin Corp., 2006 WL 2683058, at *5 (defining persons without authorization as "those below authorization, meaning those having no permission to access whatsoever-typically outsiders, as well as insiders that are not permitted any computer access" and defining persons exceeding authorization as "those exceeding authorization (or those above authorization, meaning those that go beyond the permitted access granted to them — typically insiders exceeding whatever access is permitted to them").
It should also be noted that Citrin, 440 F.3d 418, is legally and factually distinguishable. Citrin is legally distinguishable because it involved a different subsection of the CFAA. In Citrin, an employer brought a claim under § 1030(a)(5)(A)(i) against an employee who permanently deleted all the data on a laptop using an external program after resigning (including files for which the employer did not have duplicates and files which would have revealed improper conduct of the employee). 440 F.3d at 419, 421. Section 1030(a)(5)(A)(i) is violated when a person "knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer." However, unlike § 1030(a)(2), (4), and (5)(a)(iii), which define violation in terms of accessing a protected computer without authorization, § 1030(a)(5)(A)(i) is violated by causing damage without authorization. See also S. Rep. No. 99-432, at 4 (1986), as reprinted in 1986 U.S.C.C.A.N. 2479, 2488 (explaining that subsection 1030(a)(5) was "designed to penalize those who intentionally alter, damage, or destroy certain computerized data belonging to another").
This case is also factually distinguishable from Citrin. Here, the information accessed by Gast was not altered, damaged, or destroyed. Instead, it was allegedly used in an improper manner. Further, the employee in Citrin was not permitted to delete all the files on the laptop, only those containing confidential information. 440 F.3d at 421. Gast was permitted to access the files in question. Finally, the employee in Citrin loaded an external program to prevent recovery of the deleted files. Id. at 419. Gast did not use any external program or other method to bypass the normal security processes of the computer.
Here, Gast was authorized to initially access the computer he used at Shamrock. Further, Shamrock conceded that Gast was permitted to view the specific files he allegedly emailed to himself. Gast did not access the information at issue "without authorization" or in a manner that "exceed[ed] authorized access." See Davidson, 2007 WL 2904119, at *14. Shamrock has failed to state a claim under the CFAA.
II. State Law Claims
A district court may decline to exercise supplemental jurisdiction over state law claims if:
(1) the claim raises a novel or complex issue of State law,
(2) the claim substantially predominates over the claim or claims over which the district court has original jurisdiction,
(3) the district court has dismissed all claims over which it has original jurisdiction, or
(4) in exceptional circumstances, there are other compelling reasons for declining jurisdiction.
28 U.S.C. § 1367(c). This case raises a novel issue of state law regarding the inevitable disclosure doctrine; the state law claims substantially predominate over the CFAA claims; and the Court has dismissed all claims over which it has original jurisdiction. Therefore, the court will not exercise supplemental jurisdiction and will dismiss the state law claims for lack of subject matter jurisdiction.
IT IS ORDERED Defendants' Motion to Dismiss (Doc. 17) is GRANTED. IT IS FURTHER ORDERED Plaintiff's Amended Emergency Motion for Temporary Restraining Order and Preliminary Injunction (Doc. 11) is DENIED AS MOOT. IT IS FURTHER ORDERED the Clerk of Court shall close this case.