Opinion Roundup: California District Courts and the Computer Fraud and Abuse Act, July 2014 through February 2015 – Part Two

Author: Scripta Ad Astra Staff

This is the second part of a two-part series on federal district court opinions in California regarding the CFAA. The first part of this series can be found here.

NetApp, Inc. v. Nimble Storage, Inc., 2015 U.S. Dist. LEXIS 11406 (N.D. Cal. January 29, 2015)(“NetApp II”)

Judge: Lucy H. Koh, United States District Judge

This case may sound familiar, as I discussed its predecessor opinion, NetApp, 2014 U.S. Dist. LEXIS 65818 (N.D. Cal. May 12, 2014) (“NetApp I”), in a previous blog post. NetApp I discussed authorization and damage with respect to defendant Michael Reynolds and vicarious liability with respect to defendant Nimble Storage, Inc. (“Nimble”).

As a factual recap, NetApp filed suit against (1) Nimble, a competitor of NetApp, (2) some former NetApp employees, and (3) Reynolds, who used to work at Thomas Duryea Consulting (“TDC”). NetApp alleges that when it contracted with TDC, it provided Reynolds with access to NetApp’s computer systems and other information. In April 2013, Reynolds left TDC, but continued to access NetApp’s databases from June 2013 through August 2013, using confidential, proprietary information to solicit business for Nimble.

NetApp I granted NetApp, Inc. (“NetApp”) leave to amend, which NetApp did. Nimble brought a motion to dismiss NetApp’s amended 18 U.S.C. § 1030(a)(5) claim, arguing that NetApp had still not properly pled damage under the CFAA.

In its amended complaint, NetApp alleged that Reynolds caused damage to NetApp’s computers, violating § 1030(a)(5), in three ways:

(1) Reynolds “cop[ied] certain information from NetApp’s protected computers and transferr[ed] it to a non-secure area or device”;

(2) Reynolds “diminish[ed] the value of NetApp’s data by compromising its exclusivity, for which it derives value because it is not available to competitors”; and

(3) Reynolds “alter[ed] or modif[ied] NetApp’s performance data contained on its protected computers.”

Nimble argued that NetApp failed to allege that Reynolds “impair[ed] the integrity or availability of any part of NetApp’s systems—he did not crash NetApp’s systems, delete data, or prevent any other user’s access” as required by 18 U.S.C. § 1030(e)(8). NetApp argued that “rendering a computer system less secure should be considered ‘damage’ under § 1030(a)(5)[], even when no data, program, or system is damaged or destroyed.”

Copying information, without more, does not constitute damage

NetApp II looked at cases in the Northern District that asked whether copying of information, without more, constitutes damage. It does not. NetApp II found these cases based their holdings on three main points:

(1) The CFAA “is not intended to expansively apply to all cases where a trade secret has been misappropriated by use of a computer”;

(2) To state a claim for damage, the CFAA requires “impairment to integrity . . . of data, a program, a system, or information.” 18 U.S.C. § 1030(e)(8). Typically, the mere copying of information does not, without more, impinge on that information’s “integrity”;

(3) There must be actual damage to data, information, a program, or system in order to state a claim under the relevant provision of the CFAA. Such damage occurs where there is “the destruction, corruption, or deletion of electronic files, the physical destruction of a hard drive, or any diminution in the completeness or usability of the data on a computer system.”

NetApp II did note that not all cases followed this line of reasoning, pointing to Shurgard Storage Centers, Inc. v. Safeguard Self Storage, Inc., 119 F. Supp. 2d 1121 (W.D. Wash. 2000), cited by NetApp, which held that copying of information, without more, can constitute “damage” under the CFAA. NetApp II found Shurgard unpersuasive because Senate reports accompanying the 1996 amendment said nothing about imposing liability for the taking of information, but gave specific examples of other conduct that “arguably” causes “no damage” but is nevertheless prohibited by the CFAA, namely password stealing.

Diminished value of NetApp’s data

NetApp II dismissed NetApp’s second argument: that Reynolds’ actions caused damage to NetApp because his actions “diminish[ed] the value of NetApp’s data by compromising its exclusivity, for which it derives value because it is not available to competitors.” The court noted that damage requires a showing of an “impairment to the integrity or availability of data” and that a diminution of data value is not equivalent.

Modification of NetApp’s performance data

Lastly, NetApp alleged that Reynolds caused damage by altering or modifying “NetApp’s performance data contained on its protected computers.” The court was not persuaded by this argument. It noted that, without more detail, this allegation did not demonstrate that an “impairment to the integrity or availability of data” occurred.

Motion granted without leave to amend

Because the court was not persuaded by NetApp’s arguments, it granted Nimble’s motion with respect to the CFAA. Because this was the court’s second time dismissing the 18 U.S.C. § 1030(a)(5) claim, and NetApp’s third complaint, the court denied NetApp leave to amend with respect to that claim.

Facebook, Inc. v. Grunin, 2015 U.S. Dist. LEXIS 2075 (N.D. Cal. January 8, 2015)

Judge: William Alsup, United States District Judge

Facebook sued Martin Grunin under the CFAA (18 U.S.C. §§ 1030 (a)(2), (a)(4)) and other claims for opening up advertising accounts with Facebook under false pretenses and then not paying for the advertisements. The “complaint alleged … that after Grunin’s access was terminated and after he received two cease-and-desist letters, Grunin intentionally accessed Facebook’s computers and servers to obtain account credentials, Facebook credit lines, Facebook ads, and other information, causing more than $5,000 in losses to Facebook. Grunin intentionally circumvented Facebook’s technical measures by impersonating others to obtain Facebook accounts to run ads which were never paid for.”

Defendant represented himself and failed to file a timely responsive pleading. Facebook moved for a default judgment.

The court found that Defendant had violated the CFAA by violating a restriction on access. The court stated “Facebook implemented a complete access restriction by sending Grunin two cease-and-desist letters and by taking technical measures to block his access. Grunin nevertheless continued to access Facebook’s site and services without authorization and to impersonate others, resulting in alleged damages.” As such, Facebook was entitled to a default judgment on the CFAA claims.

 

Facebook, Inc. v. Grunin, 2015 U.S. Dist. LEXIS 20166 (N.D. Cal. February 19, 2015)

Judge: William Alsup, United States District Judge

In a follow-up to Facebook, Inc. v. Grunin, 2015 U.S. Dist. LEXIS 2075 (N.D. Cal. January 8, 2015), the court reviewed Facebook’s subsequent motion for damages, fees, and costs in light of its successful motion for default judgment. The court awarded partial damages and fees.

Facebook sought: Compensatory damages in the amount of $116,067.41 for fraud in connection with the Thinkmodo account and $300,032.49 for fraud in connection with the Imprezzio account.

Facebook awarded: $340,000.

Court’s reasoning: The “well-pled” complaint alleged that Defendant ran $40,000 in ads related to the Thinkmodo account and $300,000 in ads connected to Imprezzio.

 

Facebook sought: $500,000 in punitive damages.

Facebook awarded: $0.

Court’s reasoning: Facebook concedes that “it is hard to know how much will deter [Grunin] from doing it again” and that Facebook “does not know how much money Grunin made as a result of his unlawful activities.” The court found that a “permanent injunction has been entered and Grunin himself has stated that he ‘ceased any business with Facebook well before the lawsuit was filed.’” The court described Facebook’s punitive damages claims as a “grossly excessive, bald request.”

Facebook sought: $326,129.11 in attorney’s fees and costs. As the court described, “counsel only appended two one-page summary exhibits to their declaration. No timesheets, no invoices, and no details specifically identifying the amount of time incurred on each specific task were filed. Instead, counsel vaguely stated that they spent (1) $8,516.50 on pre-litigation investigations; (2) $58,908.50 on drafting the complaint; (3) $60,149 on ‘case management;’ (4) $80,751.50 on Facebook’s motion to strike Grunin’s improper filings and Grunin’s motion to set aside the default; and (5) $118,032.50 on Facebook’s motion for default judgment and damages… One partner, three associates, and a paralegal worked on this matter.”

Facebook awarded: $75,000.

Court’s reasoning: The court found that Facebook was entitled to “$75,000 in fees, which is the sum of $5,000 for the complaint and case management, $10,000 for Facebook’s motion to strike and Grunin’s motion to set aside the default, and $60,000 for Facebook’s motion for default judgment, damages, fees, and costs. These reductions account for inefficiency, overstaffing, and inadequate documentation.”

Facebook sought: $8,516.50 in loss pursuant to the CFAA.

Facebook awarded: $0.

Court’s reasoning: A showing of loss requires a showing that it occurred within a one-year period. Facebook stated that it incurred $8,516.50 in fees between March 2011 and January 2014. Thus, Facebook submitted no evidence of a loss of more than $5,000 in a one-year period.

Facebook sought: $8,287.61 in costs.

Facebook awarded: $0.

Court’s reasoning: Facebook’s documentation – a summary table – was inadequate.

In total, Facebook was awarded $340,000 in compensatory damages and $75,000 in attorneys’ fees.

That concludes this edition of the Ad Astra CFAA Round-Up! I hope you thought it was informative. I’ll do another Round Up in a couple of months, so check back in soon! Feel free to email me with any questions or comments.