UNITED STATES DISTRICT COURT EASTERN DISTRICT OF CALIFORNIA
April 28, 2010
ATPAC, INC., A CALIFORNIA CORPORATION, PLAINTIFF,
APTITUDE SOLUTIONS, INC., A FLORIDA CORPORATION, COUNTY OF NEVADA, A CALIFORNIA COUNTY, AND GREGORY J. DIAZ, AN INDIVIDUAL, DEFENDANTS.
MEMORANDUM AND ORDER RE: MOTION TO DISMISS, MOTION FOR JUDGMENT ON THE PLEADINGS, AND MOTION TO STRIKE
Plaintiff AtPac, Inc. ("AtPac") filed this action against defendants Aptitude Solutions, Inc. ("Aptitude"), County of Nevada, and Gregory J. Diaz alleging breach of contract, misappropriation of trade secrets, copyright infringement, and violation of the Computer Fraud and Abuse Act ("CFAA"), 18 U.S.C. § 1030 et seq. Defendants move to dismiss and move for judgment on the pleadings on plaintiff's fourth cause of action pursuant to Federal Rules of Civil Procedure 12(b)(6) and 12(c) for failure to state a claim upon which relief can be granted, and to strike plaintiff's prayer for statutory damages for its third cause of action for copyright infringement pursuant to Rule 12(f) because plaintiff is not entitled to statutory damages as a matter of law.
I. Factual and Procedural Background
AtPac provides software and consulting services related to county clerk-recorder information imaging systems. (Compl. ¶ 3.) These systems are computer-based and designed to, inter alia, electronically receive, store, and organize information that is within the purview of a county clerk-recorder and store images of relevant documents associated with this information. (Id.) AtPac's clerk-recorder imaging information software is distributed under the mark "CRiis." (Id.) In 1999, AtPac allegedly entered into a License Agreement with County of Nevada for the CRiis software and related services to help County of Nevada electronically maintain and organize public information. (Id. ¶ 12.) The License Agreement was allegedly amended between 2001 and 2006, the most recent of which extended the term of the License Agreement until June 30, 2010. (Id. ¶ 13.)
The License Agreement allegedly provides, inter alia, that AtPac retains title to the software, that the software is trade secrets and that County of Nevada will not release or disclose the information to third parties (Id. ¶ 14), that County of Nevada will notify AtPac immediately of any known or suspected unauthorized use or access of the CRiis software (Id. ¶ 16), and that all documents provided to County of Nevada may not be reproduced by County of Nevada (Id. ¶ 17). California law governs the License Agreement. (Id. ¶ 22.)
In November 2008, Diaz, the Clerk-Recorder of County of Nevada, allegedly notified AtPac that County of Nevada intended to terminate the License Agreement and obtain the services of Aptitude, one of AtPac's competitors. (Id. ¶ 23.) Diaz allegedly rejected AtPac's offer to help County of Nevada extract the data from AtPac's files and convert it to a form usable by Aptitude. (Id.) Diaz allegedly represented in a January 8, 2008 letter that County of Nevada would extract the data from the AtPac files on its own, and that County of Nevada would not provide AtPac's trade secret information to Aptitude or save the trade secret and proprietary information. (Id. ¶¶ 24-25.) On January 13, 2009, County of Nevada allegedly ratified an indemnification agreement between Aptitude and County of Nevada, indemnifying Aptitude for claims related to "extraction and migration of County data for the system conversion." (Id. ¶ 26.)
AtPac alleges that County of Nevada did not perform the data extraction itself, and that it instead provided Aptitude with AtPac's trade secret and copyright-protected information. (Id. ¶¶ 28-30.) Specifically, AtPac alleges that Diaz and County of Nevada copied and provided this information through e-mail communications and through a public, non-secure file transfer protocol ("FTP") site entitled "Aptitude FTP" without AtPac's authorization. (Id. ¶¶ 29-33.) Diaz and County of Nevada allegedly provided Aptitude with "full and unfettered access" to the server located in County of Nevada's offices on which AtPac trade secret information and the CRiis source code are stored without AtPac's authorization. (Id. ¶ 34.)
Plaintiff filed its Complaint on February 3, 2010, (Docket No. 1) and Aptitude and Diaz filed their Answer on March 19, 2010. (Docket No. 10.) Presently before the court are County of Nevada's motion to dismiss plaintiff's fourth cause of action for violation of the CFAA (Docket No. 13) and Aptitude and Diaz's motion for judgment on the pleadings on plaintiff's fourth cause of action for violation of the CFAA, as well as each defendant's motion to strike plaintiff's prayer for statutory damages.
On a motion to dismiss, the court must accept the allegations in the complaint as true and draw all reasonable inferences in favor of the plaintiff. Scheuer v. Rhodes, 416 U.S. 232, 236 (1974), overruled on other grounds by Davis v. Scherer, 468 U.S. 183 (1984); Cruz v. Beto, 405 U.S. 319, 322 (1972). To survive a motion to dismiss, a plaintiff needs to plead "only enough facts to state a claim to relief that is plausible on its face." Bell Atl. Corp. v. Twombly, 127 S.Ct. 1955, 1974 (2007). This "plausibility standard," however, "asks for more than a sheer possibility that a defendant has acted unlawfully," and where a complaint pleads facts that are "merely consistent with" a defendant's liability, it "stops short of the line between possibility and plausibility." Ashcroft v. Iqbal, 129 S.Ct. 1937, 1949 (2009) (quoting Twombly, 550 U.S. at 556-57).
Judgment on the pleadings is appropriate after the pleadings have closed when, on the face of those pleadings, accepting the allegations of the non-moving party as true, no material issue of fact remains to be resolved. See Fed. R. Civ. P. 12(c); Hal Roach Studios, Inc. v. Richard Feiner & Co., Inc., 896 F.2d 1542, 1550 (9th Cir. 1990). Under such circumstances, the moving party can obtain judgment as a matter of law. Hal Roach Studios, 896 F.2d at 1550. "Generally, district courts have been unwilling to grant a Rule 12(c) dismissal 'unless the movant clearly establishes that no material issue of fact remains to be resolved and that he is entitled to judgment as a matter of law.'" Doleman v. Meiji Mut. Life Ins. Co., 727 F.2d 1480, 1482 (9th Cir. 1984) (quoting 5A C. Wright & A. Miller, Federal Practice and Procedure: Civil, § 1368 at 690 (1969)).
On a motion for judgment on the pleadings, the factual allegations of the non-moving party are taken as true. Doleman, 727 F.2d at 1482 (citing Austad v. United States, 386 F.2d 147, 149 (9th Cir. 1967)). A Rule 12(c) motion is therefore essentially equivalent to a Rule 12(b)(6) motion to dismiss and consequently, a district court may "dispos[e] of the motion by dismissal rather than judgment."*fn1 Sprint Telephony PCS, L.P. v. County of San Diego, 311 F. Supp. 2d 898, 902-03 (S.D. Cal. 2004). "[D]ismissal can be based on either the lack of a cognizable legal theory or the absence of sufficient facts alleged under a cognizable legal theory." Sprint Telephony, 311 F. Supp. 2d at 902-03; see also Balistreri v. Pacifica Police Dep't, 901 F.2d 696, 699 (9th Cir. 1988). The court will therefore evaluate defendants' motions together.
In general a court may not consider items outside the pleadings upon deciding a motion to dismiss or motion for judgment on the pleadings, but may consider items of which it can take judicial notice. Heliotrope Gen., Inc. v. Ford Motor Co., 189 F.3d 971, 981 n.18 (9th Cir. 1999) (internal citations omitted); Barron v. Reich, 13 F.3d 1370, 1377 (9th Cir. 1994). A court may take judicial notice of facts "not subject to reasonable dispute" because they are either "(1) generally known within the territorial jurisdiction of the trial court or (2) capable of accurate and ready determination by resort to sources whose accuracy cannot reasonably be questioned." Fed. R. Evid. 201. County of Nevada has submitted a Request for Judicial Notice ("RJN") (Docket No. 15) that contains a copy of the U.S. Copyright Office's web page showing that AtPac registered its CRiis software for copyright on January 26, 2010. (RJN Ex. A.) The court will take judicial notice of this exhibit because the record is generated by an official government website such that its accuracy is not reasonably in dispute. See, e.g., Edejer v. DHI Mortg. Co., No. 09-1302, 2009 WL 1684714, at *4 (N.D. Cal. June 12, 2009); Piazza v. EMPI, Inc., No. 07-954, 2009 WL 590494, at *4 (E.D. Cal. Feb. 29, 2008); see also Denius v. Dunlap, 330 F.3d 919, 926-27 (7th Cir. 2003) (taking judicial notice of information on official government website).
A. Motions to Dismiss Plaintiff's Fourth Cause of Action for Violation of the CFAA
As a preliminary matter the court notes that the motions are substantively identical, and will therefore only refer to and cite County of Nevada's motion to dismiss when discussing the motions.
The CFAA prohibits any person from "intentionally access[ing] a computer without authorization or exceed[ing] authorized access, and thereby obtain . . . information from any protected computer . . . ." 18 U.S.C. § 1030(a)(2)(C). It also prohibits any person from "knowingly, and with intent to defraud, access[ing] a protected computer without authorization, or exceed[ing] authorized access, and by means of such conduct further[ing] the intended fraud and obtain[ing] anything of value . . . ." Id. § 1030(a)(4). The CFAA also prohibits any person from "intentionally access[ing] a protected computer without authorization, and as a result of such conduct recklessly caus[ing] damage; or  intentionally access[ing] a protected computer without authorization, and as a result of such conduct, caus[ing] damage and loss." Id. § 1030(a)(5)(B)-(C). The CFAA does not define "authorization" or "authorized access," but does define "[e]xceeds authorized access" as "to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled to so obtain or alter." Id. § 1030(e)(6); see also LVRC Holdings LLC v. Brekka, 581 F.3d 1127, 1132-33 (9th Cir. 2009) (discussing "authorization" under the CFAA). The CFAA is a criminal statute that also allows "any person who suffers damage or loss" under the statute to bring a civil action. Id. § 1030(g); see generally LVRC Holdings, 581 F.3d at 1130-33.
Plaintiff's fourth cause of action alleges that Aptitude, County of Nevada, and Diaz all violated these sections of the CFAA by accessing "the computer network (including computers and servers)" on which AtPac's trade secret and copyright-protected information reside without authorization or in excess of any authorization granted to them by AtPac. (FAC ¶ 73.) Plaintiff alleges that these computers and servers are located in County of Nevada's offices. (Id. ¶ 34.)
1. County of Nevada and Diaz's Liability
With respect to County of Nevada and Diaz, plaintiff fails to allege that they lacked any authority or authorization to use the computers. See LVRC Holdings, 581 F.3d at 1132-33 (explaining the distinction between the terms "without authorization" and "exceeds authorized access"). Plaintiff does not allege that plaintiffs were absolutely prohibited from using them. To the contrary, it is clear from the License Agreement that plaintiff granted those defendants the right to use plaintiff's software in conjunction with County of Nevada's computer system. (Compl. ¶ 12.) Counsel for plaintiff also conceded at oral argument that County of Nevada was authorized to use the computer at issue for at least some purposes. For this reason alone defendant's motion to dismiss should be granted with respect to County of Nevada and Diaz for the alleged § 1030(a)(5)(B)-(C) violations, as it only provides for liability for "intentionally access[ing] a protected computer without authorization" and does not provide for liability for exceeding authorized access.
Plaintiff instead argues in its Opposition that County of Nevada and Diaz exceeded their authorization to access the computers by accessing the CRiis software source code in violation of the License Agreement. (Opp'n at 7, 9.) While the Complaint excerpts provisions of the alleged License Agreement that cover disclosures to third parties, copies, notification of unauthorized use, periodic audits, and reproduction of the software, it fails to contain any allegation that the License Agreement prohibited the County of Nevada from accessing, obtaining, or altering plaintiff's software or source code. Indeed, the complaint fails to allege any facts that would indicate what constitutes an unauthorized access of the software by County of Nevada; the complaint merely states there were limits on how County of Nevada could use it by making copies of it or disclosing it to third parties. (See Compl. ¶¶ 14-15.) Rather, plaintiff's fourth cause of action makes only the conclusory allegation that defendants violated the CFAA. (Compl. ¶¶ 73-75.) Such conclusory allegations are "mere labels and conclusions" that are prohibited by Federal Rule of Civil Procedure 8(a)(2). Twombly, 550 U.S. at 555.
To the extent that plaintiff alleges that County of Nevada or Diaz are liable under the CFAA for providing Aptitude access to plaintiff's software, State Analysis, Inc. v. American Financial Services Assoc., 621 F. Supp. 2d 309 (E.D. Va. 2009), is instructive. In State Analysis, the court confronted a similar factual situation where a licensee defendant provided a third party with the means to access the plaintiff's protected materials. That court noted that the licensee was not guilty of unauthorized access or access exceeding authorization under the CFAA, but guilty only of unauthorized use or misappropriation of its access under the license agreement. 621 F. Supp. 2d at 317 ("[R]ather, the allegation is that [licensee defendant] used the information in an inappropriate way.") As the court has explained above, plaintiff's Complaint is devoid of any allegations that County of Nevada or Diaz exceeded their authorized access or accessed, obtained, or altered prohibited materials. Accordingly, the court will dismiss plaintiff's fourth cause of action as against County of Nevada and Diaz.
2. Aptitude's Liability
Courts have differed as to how broadly or narrowly to construe 18 U.S.C. § 1030(a)(2) and the concepts of "authorization" and "authorized access." Several cases exploring the potential liability of employees or former employees, for example, have determined that employees may go beyond their authorized access when they act as agents for others or act contrary to their employee's interest. See, e.g., LVRC Holdings, 581 F.3d at 1133 (clarifying that employee's "authorization" to use a computer does not cease when employee uses computer in violation of employer's limitations, but rather that employee has merely "exceeded authorized access"); EF Cultural Travel BV v. Explorica, Inc., 274 F.3d 577 (1st Cir. 2001) (former employee exceeded authorized access when he passed along information to a third party in violation of a broad confidentiality agreement); Shurgard Storage Centers, Inc. v. Safeguard Self Storage, Inc., 119 F. Supp. 2d 1121 (W.D. Wash. 2000) (plaintiff's employees were defendant's agents when they had accepted job offers with defendant and used work computers to send trade secrets to defendant; employees therefore lacked authorization to access work computers). The Ninth Circuit has clarified that a plaintiff can bring a cause of action under the CFAA for unauthorized access to information stored on a third party's computer. Theofel v. Farey-Jones, 359 F.3d 1066, 1078 (9th Cir. 2004) (no ownership or control of computer required for CFAA action alleging harm by unauthorized access).
Two cases from the United States District Court for the Eastern District of Virginia address the specific question of whether third-party defendants can be liable under the CFAA where their access to plaintiff's software is made possible by another party violating its license agreement with the plaintiff. While of course neither case is binding authority, the court finds their juxtaposition instructive. In SecureInfo Corp. v. Telos Corp., 387 F. Supp. 2d 593 (E.D. Va. 2005), SecureInfo granted a software license to defendant Berman, a consultant for one of SecureInfo's competitors, which allowed him narrowly restricted access to the SecureInfo's materials. Berman---who was not sued under the CFAA--then allowed the other defendants access to SecureInfo's materials and his server on which they were located, in violation of the license agreement. Id. at 608. The court explained that Berman gave the other defendants "permission and authorization to use the  server and view what was contained therein" and that "[e]ven if Mr. Berman allowed the defendants access to the  server and SecureInfo's materials in violation of the license agreements, under his grant of authority to the defendants, they were entitled to obtain the information on the server." Id. at 609.
Naturally, plaintiff relies on State Analysis and argues not only that Aptitude cannot hide behind County of Nevada's "authorization" because it knew it violated the license agreement, but that the authorization was void ab initio because County of Nevada contracted away its right to authorize third-party access. In contrast, defendants rely on SecureInfo for the proposition that Aptitude did not exceed the "unfettered" access granted it by County of Nevada and Diaz. Plaintiff notes that SecureInfo distinguished its fact pattern from that in EF Cultural Travel, stating in dicta that had the plaintiff sued licensee Berman rather than the third parties, the rule in EF Cultural Travel "may have applied." 387 F. Supp. 2d at 609. All this means, however, is that the licensee may have exceeded his authorization and been subject to CFAA liability had he been sued, not that the third party defendants would become liable solely due to the presence of an additional defendant.
While the cases described above make clear that certain "insiders" can exceed their authorized access or even in some circumstances lose their authorization to access computers and computer networks, State Analysis does not establish---and the court is not willing to so rule--that third parties can ordinarily be liable under the CFAA for exploiting a licensee's violation of its license agreement. Rather, State Analysis is perhaps best applied in situations where the third-party defendant uses subterfuge---like using user names and passwords that do not belong to it--to gain access to plaintiff's protected materials on plaintiff's own website, computers, or servers.
This is consistent with the Ninth Circuit's decision in Theofel, which, in dicta referencing its prior analysis under the Stored Communications Act, 18 U.S.C. § 2701 et seq., implied that defendants who had issued a patently overbroad and illegal subpoena to Netgate for plaintiff's e-mails and subsequently viewed those e-mails on Netgate's website were not "authorized" under the CFAA by Netgate to view those e-mails. See 359 F.3d at 1072-74, 1078 (stating that the Stored Communications Act---and presumably also the CFAA--"provides no refuge for a defendant who procures consent by exploiting a known mistake that relates to the essential nature of his access."). While Theofel is silent with respect to the instant issue of whether a licensee can consent to give access to the licensed information to another, this court adopts the basic premise that a defendant's deceitful conduct can vitiate consent or authorization by a licensee. The door remains open for third-parties to be liable under the CFAA for accessing software programs held on a licensee's computers or servers where the defendant engages in the kind of fraudulent conduct that was present in State Analysis.
This case is more similar to SecureInfo where the licensee gives the third-party access to its own servers to access the protected information. Plaintiff does not allege that Aptitude accessed plaintiff's computers or servers, or that such access would require an access code or password that County of Nevada wrongfully provided Aptitude. Plaintiff instead alleges that County of Nevada gave Aptitude access to the servers located in its offices, and sent information by e-mail and via a public FTP site. (Compl. ¶¶ 28-34.) This does not allege the sort of subterfuge this court believes is necessary to find a defendant not party to a license agreement civilly liable under the CFAA where the licensee grants it authority to access information in violation of the license agreement.
B. Motions to Strike Plaintiff's Prayer for Statutory Damages
In their respective motions, the defendants each move to strike plaintiff's prayer for relief for statutory damages under the Copyright Act pursuant to Federal Rule of Civil Procedure 12(f). Section 412 of the Copyright Act prohibits an award of statutory damages unless a plaintiff has first registered its work prior to the "commencement of the infringement." 17 U.S.C. § 412. "[T]he first act of infringement in a series of ongoing infringements of the same kind marks the commencement of one continuing infringement under § 412." Derek Andrew, Inc. v. Poof Apparel Corp., 528 F.3d 696, 701 (9th Cir. 2008) (emphasis in original). According to County of Nevada's Request for Judicial Notice, plaintiff registered its copyright on January 26, 2010 (RJN Ex. A.), a mere eight days before filing its Complaint in this action. (See Docket No. 1.)
While the face of plaintiff's Complaint does not allege any legally different kind of copyright infringement occurred between January 26, 2010 and February 3, 2010, it does allege that County of Nevada and Diaz copied and disclosed plaintiff's protected information to Aptitude in January 2009 (Compl. ¶¶ 23-33), and that Nevada County continues to maintain copies of plaintiff's protected information to this day. (Id. ¶¶ 35-37.) The discovery process will properly determine if or in what ways defendants have continued to violate plaintiff's copyright, and after discovery defendants can renew their motion or raise the issue on summary judgment.
IT IS THEREFORE ORDERED that County of Nevada's motion to dismiss plaintiff's fourth cause of action be, and the same hereby is, GRANTED.
IT IS FURTHER ORDERED that Aptitude and Diaz's motion for judgment on the pleadings on plaintiff's fourth cause of action be, and the same hereby is, GRANTED.
IT IS FURTHER ORDERED that defendants' motions to strike be, and the same hereby are, DENIED.
Plaintiff is given twenty days from the date of this Order to file an amended complaint consistent with this Order.