Lvrc Holdings Lcc v. Brekka

• Decision Date: 15 September 2009
• Docket Number: No. 07-17116.,07-17116.
• Citation: 581 F.3d 1127
• Parties: LVRC HOLDINGS LLC, Plaintiff-Appellant, v. Christopher BREKKA; Employee Business Solutions Inc.; Carolyn Quain; Stuart Smith; Brad Greenstein; Frank Szabo, Defendants-Appellees.
• Court: U.S. Court of Appeals — Ninth Circuit

581 F.3d 1127

LVRC HOLDINGS LLC, Plaintiff-Appellant, v. Christopher BREKKA; Employee Business Solutions Inc.; Carolyn Quain; Stuart Smith; Brad Greenstein; Frank Szabo, Defendants-Appellees.

No. 07-17116.

United States Court of Appeals, Ninth Circuit.

Argued and Submitted March 13, 2009.

Filed September 15, 2009.

Thomas G. Grace, Las Vegas, NV, for the plaintiff-appellant.

Norman H. Kirshman, Las Vegas, NV, for the defendant-appellees.

Appeal from the United States District Court for the District of Nevada, Kent J. Dawson, District Judge, Presiding. D.C. No. CV-05-01026-KJD.

Before: M. MARGARET McKEOWN and SANDRA S. IKUTA, Circuit Judges, and JAMES V. SELNA,^* District Judge.

IKUTA, Circuit Judge:

LVRC Holdings, LLC (LVRC) filed this lawsuit in federal district court against its former employee, Christopher Brekka, his wife, Carolyn Quain, and the couple's two consulting businesses, Employee Business Solutions, Inc., a Nevada corporation (EBSN), and Employee Business Solutions, Inc., a Florida corporation (EBSF). LVRC alleged that Brekka violated the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030, by accessing LVRC's computer "without authorization," both while Brekka was employed at LVRC and after he left the company. See 18 U.S.C. § 1030(a)(2), (4). The district court granted summary judgment in favor of the defendants. We affirm. Because Brekka was authorized to use LVRC's computers while he was employed at LVRC, he did not access a computer "without authorization" in violation of § 1030(a)(2) or § 1030(a)(4) when he emailed documents to himself and to his wife prior to leaving LVRC. Nor did emailing the documents "exceed authorized access," because Brekka was entitled to obtain the documents. Further, LVRC failed to establish the existence of a genuine issue of material fact as to whether Brekka accessed the LVRC website without authorization after he left the company.

I

LVRC operates Fountain Ridge, a residential treatment center for addicted persons, in Nevada.¹ As part of its marketing efforts, LVRC retained LOAD, Inc. to provide email, website, and related services for the facility. Among other duties, LOAD monitored internet traffic to LVRC's website and compiled statistics about that traffic.

In April 2003, LVRC hired Brekka to oversee a number of aspects of the facility. Part of his duties included conducting internet marketing programs and interacting with LOAD. At the time Brekka was hired, Brekka owned and operated EBSN and EBSF, two consulting businesses that obtained referrals for addiction rehabilitation services and provided referrals of potential patients to rehabilitation facilities through the use of internet sites and advertisements. Stuart Smith, the owner and operator of LVRC, was aware of Brekka's businesses, although he states he was not aware of the full nature of their operations.

While Brekka worked for LVRC, he commuted between Florida, where his home and one of his businesses were located, and Nevada, where Fountain Ridge and his second business were located. Brekka was assigned a computer at LVRC, but while commuting back and forth between Florida and Nevada, he emailed documents he obtained or created in connection with his work for LVRC to his personal computer. LVRC and Brekka did not have a written employment agreement, nor did LVRC promulgate employee guidelines that would prohibit employees from emailing LVRC documents to personal computers.

In June 2003, Brekka sent an email to LOAD's administrator, Nick Jones, requesting an administrative log-in for LVRC's website. Jones sent an email with the administrative user name, "cbrekka@fountainridge.com," and password, "cbrekka," to Brekka's work email, which Brekka downloaded onto his LVRC computer. By using the administrative log-in, Brekka gained access to information about LVRC's website, including the usage statistics gathered by LOAD. Brekka used those statistics in managing LVRC's internet marketing.

In August 2003, Brekka and LVRC entered into discussions regarding the possibility of Brekka purchasing an ownership interest in LVRC. At the end of August 2003, Brekka emailed a number of LVRC documents to his personal email account and his wife's personal email account. These documents included a financial statement for the company, LVRC's marketing budget, admissions reports for patients at Fountain Ridge, and notes Brekka took from a meeting with another Nevada mental health provider. On September 4, 2003, Brekka emailed a master admissions report, which included the names of past and current patients at Fountain Ridge, to his personal email account.

In mid-September 2003, negotiations regarding Brekka's purchase of an ownership interest in LVRC broke down, and Brekka ceased working for LVRC. Brekka left his LVRC computer at the company and did not delete any emails from the computer, so the June 2003 email from Nick Jones, which included the administrative user name and password, remained on his computer.

After Brekka left the company, other LVRC employees had access to Brekka's former computer, including Brad Greenstein, a consultant who was hired shortly before Brekka left and who assumed many of Brekka's responsibilities. At some point after Brekka left, the email with the administrative log-in information was deleted from his LVRC computer.

On November 19, 2004, while performing routine monitoring of the LOAD website, Jones noticed that someone was logged into the LVRC website using the user name "cbrekka@fountainridge.com" and was accessing LVRC's LOAD statistics. Jones contacted Greenstein about the use of the "cbrekka" log-in. Jones also provided the IP address of the log-in and the location of the Internet Service Provider (ISP) associated with that IP address, namely, Redwood City, California. Greenstein instructed Jones to deactivate the "cbrekka" log-in, and Jones did so the same day. Shorting thereafter, LVRC filed a report with the FBI, alleging that Brekka had unlawfully logged into LVRC's website.

LVRC then brought an action in federal court, alleging that Brekka violated the CFAA when he emailed LVRC documents to himself in September 2003 and when he continued to access the LOAD website after he left LVRC. In addition, LVRC brought a number of state tort actions. In response, Brekka filed a third-party complaint against Smith, Greenstein, and Frank Szabo, alleging that they defamed him by making statements that Brekka had stolen information from LVRC.²

The district court granted summary judgment in favor of Brekka. After dismissing the federal law claims, the district court declined to exercise supplemental jurisdiction over the remaining state law claims and dismissed the case. LVRC filed a motion to reconsider. Before the district court ruled on the motion, LVRC filed this appeal. We review the district court's grant of a motion for summary judgment de novo. SDV/ACCI, Inc. v. AT & T Corp., 522 F.3d 955, 958 (9th Cir. 2008).

II

The CFAA was enacted in 1984 to enhance the government's ability to prosecute computer crimes. The act was originally designed to target hackers who accessed computers to steal information or to disrupt or destroy computer functionality, as well as criminals who possessed the capacity to "access and control high technology processes vital to our everyday lives...." H.R. Rep. 98-894 1984 U.S.C.C.A.N. 3689, 3694 (July 24, 1984). The CFAA prohibits a number of different computer crimes, the majority of which involve accessing computers without authorization or in excess of authorization, and then taking specified forbidden actions, ranging from obtaining information to damaging a computer or computer data. See 18 U.S.C. § 1030(a)(1)-(7) (2004).³

LVRC's complaint alleged that Brekka committed two of the crimes established by the CFAA, 18 U.S.C. §§ 1030(a)(2) and (a)(4). Section § 1030(a)(2) provides for criminal penalties to be imposed on a person who:

intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains—...

(C) information from any protected computer if the conduct involved an interstate or foreign communication....

18 U.S.C. § 1030(a)(2). Section 1030(a)(4) provides for criminal penalties to be imposed on a person who:

knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value....

18 U.S.C. § 1030(a)(4).⁴

LVRC brought suit under the provision of the statute that creates a right of action for private persons injured by such crimes. Section 1030(g) provides in pertinent part:

Any person who suffers damage or loss by reason of a violation of this section may maintain a civil action against the violator to obtain compensatory damages and injunctive relief or other equitable relief. A civil action for a violation of this section may be brought only if the conduct involves 1 of the factors set forth in clause (I), (ii), (iii), (iv), or (v) of subsection (a)(5)(B).

18 U.S.C. § 1030(g). Thus, a private plaintiff must prove that the defendant violated one of the provisions of § 1030(a)(1)-(7), and that the violation involved one of the factors listed in § 1030(a)(5)(B).⁵ LVRC claims that Brekka's conduct involved the factor described in subsection (a)(5)(B)(i), which proscribes conduct that causes "loss to 1 or more persons during any 1-year period ... aggregating at least $5,000 in value." 18 U.S.C. § 1030(a)(5)(B)(i).

Therefore, to bring an action successfully under 18 U.S.C. § 1030(g) based on a violation of 18 U.S.C. § 1030(a)(2), LVRC must show that Brekka: (1) intentionally accessed a computer, (2) without authorization or exceeding authorized access, and that he (3) thereby obtained information (4) from any protected computer (if the conduct involved an interstate or foreign communication), and that (5) there was loss to one or more persons during...