Shamrock Foods Co. v. Gast, CV-08-0219-PHX-ROS.

• Citation: 535 F.Supp.2d 962
• Decision Date: 20 February 2008
• Docket Number: No. CV-08-0219-PHX-ROS.,CV-08-0219-PHX-ROS.
• Parties: SHAMROCK FOODS COMPANY, Plaintiff, v. Jeff GAST; and Sysco Food Services of Arizona, Inc., Defendants.
• Court: U.S. District Court — District of Arizona

Page 962

535 F.Supp.2d 962

SHAMROCK FOODS COMPANY, Plaintiff, v. Jeff GAST; and Sysco Food Services of Arizona, Inc., Defendants.

No. CV-08-0219-PHX-ROS.

United States District Court, D. Arizona.

February 20, 2008.

Kara M. Maciel, Krupin Obrien LLC, Washington, DC, for Plaintiff.

ORDER

ROSLYN O. SILVER, District Judge.

Pending is Defendants' Motion to Dismiss. (Doc. 17.) This motion requires the Court to interpret the meaning of the terms "without authorization" and "exceeds authorized access" in the Computer Fraud and Abuse Act ("CFAA"), 18 "U.S.C. § 1030. The Court concludes that a violation for accessing a protected computer "without authorization" occurs only when initial access is not permitted. And, an "exceeds authorized access" violation occurs only when initial access to a protected computer is permitted but the access of certain information is not permitted. Thus, Defendants' Motion to Dismiss will be granted.

BACKGROUND

Plaintiff Shamrock Foods Company ("Shamrock") alleges that Defendant Jeff Gast began working for Shamrock in September 2000. (Compl. ¶ 19.) As an employee of Shamrock, Gast signed a Confidentiality Agreement, agreeing not to use or disclose "any trade secrets, confidential information, knowledge or data relating or belonging to" Shamrock. (Id.) On December 20, 2007, Gast was promoted to Regional Sales Manager of Southern Arizona. (Id. ¶ 28.) Around this time, Gast began employment negotiations with Defendant Sysco Food Services of Arizona, Inc. ("Sysco"), a competitor of Shamrock. (Id. ¶ 31.) On January 4 and 7, 2008, Gast emailed numerous documents containing Shamrock's confidential and proprietary information to his personal email account. (Id. ¶¶ 32, 36.) The next day, Gast informed his manager that he was considering leaving Shamrock. (Id. ¶ 40.) On January 14, 2008, Gast told his manager that he was going to work for Sysco, and, on January 15, 2008, submitted a written resignation. (Id. ¶ 42-45.) Gast began employment with Sysco on January 18, 2008. (Id. ¶ 55.)

After Gast left Shamrock on January 15, 2008, Shamrock performed a forensic analysis of Gast's computer at a cost exceeding $5,000.00 and discovered the emails that Gast sent to himself. (Id. ¶ 49.) Shamrock alleges that Gast was acting as an agent of Sysco when he assessed and mailed the confidential information. (Id. ¶¶ 50-52.) Further, Shamrock alleges that Gast provided this confidential information to Sysco and that Sysco is using this information to Shamrock's detriment. (Id. ¶¶ 52-53.)

On February 3, 2008, Shamrock filed a complaint and motion for temporary restraining order. The complaint asserts that this Court has federal-question jurisdiction under the CFAA. Specifically, Shamrock brings CFAA claims under § 1030(a)(2), (4), and (5)(A)(iii). In addition to the CFAA claims, Shamrock brings a host of state common law and statutory claims. Defendants moved to dismiss the CFAA claims for failure to state a claim and the remaining state law claims for lack of subject matter jurisdiction.

STANDARD

"A Rule 12(b)(6) motion tests the legal sufficiency of a claim." Navarro v. Block, 250 F.3d 729, 732 (9th Cir.2001). When reviewing a motion to dismiss, the Court "must determine whether, assuming all facts and inferences in favor of the nonmoving party, it appears beyond doubt that [Plaintiffs] can prove no set of facts to support [their] claims." Marder v. Lopez, 450 F.3d 445, 448 (9th Cir.2006) (internal quotations omitted).

DISCUSSION

I. Computer Fraud and Abuse Act

The CFAA makes it a federal criminal offense to engage in any one of seven prohibited activities. 18 U.S.C. § 1030(a). While the CFAA is primarily a criminal statute, it also provides a civil cause of action under § 1030(g):

Any person who suffers damage or loss by reason of a violation of this section may maintain a civil action against the violator to obtain compensatory damages and injunctive relief or other equitable relief. A civil action for a violation of this section ma be brought only if the conduct involves 1 of the factors set forth in clause (i), (iii), (iv), or (v) of subsection (a)(5)(B).

The Ninth Circuit has clarified that subsection (g) enables a party to bring a private cause of action for any violation under the CFAA. Theofel v. Farey-Jones, 359 F.3d 1066, 1078 n. 5 (9th Cir.2004). While a civil cause of action "must involve one of the five factors in (a)(5)(B), it need not be one of the three offenses in (a)(5)(A)." Id. Here, the conduct alleged by Shamrock involves one of the five factors in (a)(5)(B) because it involves a loss aggregating at least $5,000 in value. See 18 U.S.C. § 1030(a)(5)(B)(i) and (e)(11) (defining "loss" to include the cost of conducting a damage assessment). Thus, Shamrock may bring a civil cause of action under § 1030(a)(2), (4), and (5)(A)(iii).

It is a violation of § 1030(a)(2) when a person "intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains ... information from any protected computer if the conduct involved an interstate or foreign communication." Section 1030(a)(4) is violated when a person "knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value...." Section (a)(5)(A)(iii) is violated when a person "intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage...." Thus, to state a claim under (a)(2) and (a)(4), Shamrock must allege conduct showing that Gast accessed a protected computer without authorization or exceeded authorized access. Unlike (a)(2) and (a)(4), which also prohibit a person from exceeding authorized access, (a)(5)(A)(iii) only prohibits access without authorization. Thus, to state a claim under (a)(5)(A)(iii), Shamrock must allege conduct showing that Gast accessed a protected computer without authorization.

Defendants do not deny that Gast accessed a protected computer. Instead, they argue that Gast was authorized to access the computer and information at issue. Shamrock concedes that "Gast may very well be correct that he was entitled to access Shamrock's confidential and proprietary information while he was an employee." (Doc. 28 at 9.) Nevertheless, Shamrock argues that Gast was no longer authorized to access its confidential information once he acquired the improper purpose to use this information to benefit himself and Sysco.

The parties' dispute reflect two lines of cases interpreting the meaning of "authorization." Some courts have applied principles of agency law to the CFAA and have held that an employee accesses a computer "without authorization" whenever the employee, without knowledge of the employer, acquires an adverse interest or is guilty of a serious breach of loyalty. See e.g., Int'l Airport Ctrs., L.L.C. v. Citrin, 440 F.3d 418, 420-421 (7th Cir.2006); ViChip Corp. v. Lee, 438 F.Supp.2d 1087, 1100 (N.D.Cal.2006); Shurgard Storage Ctrs., Inc. v. Safeguard Self Storage, Inc., 119 F.Supp.2d 1121, 1125 (W.D.Wash.2000). In contrast, other courts "have opted for a less expansive view, holding that the phrase `without authorization' generally only reaches conduct by outsiders who do not have permission to access the plaintiffs computer in the first place." See e.g., Diamond Power Intern., Inc. v. Davidson, Nos. 1:04-CV-0091-RWS-CCH and 1:04-CV-1708-RWS-CCH, 2007 WL 2904119, at *13 (N.D.Ga. Oct. 1, 2007); Brett Senior & Assocs., P.C. v. Fitzgerald, No. 06-1412, 2007 WL 2043377, at *2-4 (E.D.Pa. July 13, 2007); Lockheed Martin Corp. v. Speed, No. 6:05-CV-1580-ORL-31, 2006 WL 2683058, at *5 (M.D.Fla. Aug. 1, 2006); Int'l Ass'n of Machinists and Aerospace Workers v. Werner-Masuda, 390 F.Supp.2d 479, 495 (D.Md.2005). The Court is persuaded by the narrower view of "authorization" embraced in the latter line of cases.

First, the plain language supports a narrow reading of the CFAA. The CFAA does not define the term "without authorization." Nevertheless, "`authorization' is commonly understood as `[t]he act of conferring authority; permission." Lockheed Martin Corp., 2006 WL 2683058, at *5 (quoting The American Heritage Dictionary 89 (1976)). Further, while the CFAA does not define "without authorization," it does define "exceeds authorized access." Subsection (e)(6) provides: "the term `exceeds authorized access' means to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter." The definition of this term obviates any need to revert to outside sources, including principles of agency law, to understand the conduct prohibited by the CFAA. The court in Diamond Power Intern., Inc. explained:

Section 1030(e)(6) contemplates that an "exceeds authorized access" violation occurs where the defendant first has initial "authorization" to access the computer. But, once the computer is permissibly accessed, the use of that access is improper because the defendant accesses information to which he is not entitled. Under Citrin and Shurgard, however, that distinction is overlooked. Under their reasoning, an employee who accesses a computer with initial authorization but later acquires (with an improper purpose) files to which he is not entitled — and in so doing, breaches his duty of loyalty — is "without authorization," despite the Act's contemplation that such a situation constitutes accessing "with authorization" but by "exceed[ing] authorized access." 18 U.S.C. § 1030(e)(6). The construction of Citrin and Shurgard thus conflates the meaning of those two distinct phrases and overlooks their application in § 1030(e)(6).

2007 WL 2904119, at *14 (alteration in original); see also Lockheed Martin Corp., 2006 WL 2683058, at *5-6 (disagreeing with Citrin's reliance on agency law). Thus, the plain language of § 1030(a)...