MEMORANDUM AND ORDER RE: MOTION TO DISMISS
Plaintiff AtPac, Inc. ("AtPac") filed this action against defendants Aptitude Solutions, Inc. ("Aptitude"), County of Nevada, and Gregory J. Diaz alleging breach of contract, misappropriation of trade secrets, copyright infringement, and violation of the Computer Fraud and Abuse Act ("CFAA"), 18 U.S.C. § 1030 et seq. Defendants move to dismiss plaintiff's fourth cause of action pursuant to Federal Rule of Civil Procedure 12(b)(6) for failure to state a claim upon which relief can be granted.
I. Factual and Procedural Background
The facts of this case have been thoroughly discussed in the court's prior order granting defendants' motion to dismiss (Docket No. 21.) AtPac subsequently amended its Complaint to add additional factual allegations regarding the server on which it alleges its source code was stored and regarding defendants' deceptive and allegedly illegal actions. This Order details only those facts that are newly alleged.
Specifically, plaintiff's First Amended Complaint ("FAC") alleges that AtPac was the exclusive system administrator for the ER-Recorder server which was housed with Nevada County. (FAC (Docket No. 22) ¶ 24.) As system administrator, AtPac alleges that it created all user accounts and passwords for the server and was custodian of its master system administrator/root account. (Id. ¶ 25.) The ER-Recorder server was allegedly segregated such that the CRiis application and customer data was stored in one set of directories, and proprietary AtPac files--including the source code---were stored in another set of directories. (Id. ¶ 26.) Plaintiff allegedly created all login accounts for Nevada County personnel such that they were restricted from accessing the AtPac directories. (Id.) Nevada County personnel, therefore, could access parts of the server in order to execute the CRiis software--referred to as "CRiis access rights"---but lacked access to sensitive AtPac data and files stored on the server---referred to as "AtPac access rights." (Id.) AtPac allegedly gave Nevada County the root account password---which enabled Nevada County full AtPac access rights---only so that Nevada County could power down the server in the event of an emergency. (Id.)
Plaintiff quotes from an additional provision of the License Agreement, which allegedly provides that:
[AtPac] shall continue to deposit and maintain in an escrow with [AtPac's] escrow agent the source code and de-encryption code for the Application Software and any relevant and necessary documentation in magnetic tape form. . . . In the event that [AtPac] shall cease to do business, become insolvent, or declare bankruptcy, except for reorganization[,] [Nevada County] shall have the right to request a copy of the source code from the escrow agent. Should [Nevada County] ever exercise the option to obtain the source code, [Nevada County] shall only use it for purposes of continuing operation of the System and shall not transfer, sell, loan or otherwise disclose source-code to any person not a county employee subject to this agreement.
(FAC ¶ 20 (substitutions in FAC).) The parties allegedly understood and agreed that Nevada County was authorized to access the ER-Recorder server only to run the CRiis software and was prohibited from granting any third parties access to the server whatsoever. (Id.) Plaintiff alleges that Nevada County was not authorized to access the AtPac directories other than in the event of emergency. (Id. ¶ 27.)
On November 4, 2008, Nevada County employees allegedly e-mailed each other regarding the transition from AtPac to Aptitude as the County's clerk-recorder software provider. (Id. ¶ 28.) One e-mail allegedly stated that*fn1 "we have a person/vendor coming in who needs inquiry only access to the Atpac data" and that one employee responded that he would "do what I can to facilitate access to the AtPac system." (Id.) Diaz allegedly authorized the creation of a user account for the ER-Recorder server for Aptitude, and the County employee creating the account was allegedly directed via e-mail to "obfuscate the login so that AtPac doesn't know that we are working in the system." (Id.) A user account by the name of "isphydoux" and corresponding password were allegedly created for Aptitude with full AtPac access rights to the entire ER-Recorder server. (Id. ¶ 29.) Plaintiff alleges that this was done by using the root account password--given to Nevada County for emergency server shut-down only---to access the AtPac directories. (Id.)
Nevada County asked AtPac for permission to grant Aptitude remote access to the ER-Recorder server on November 18, 2008, which was immediately denied. (Id. ¶ 30.) Plaintiff alleges that Nevada County concealed from it the fact that it already given Aptitude access to the server and that Aptitude had already inspected AtPac's trade secrets. (Id. ¶¶ 30-31.) On November 19, 2008, Nevada County allegedly informed Aptitude via e-mail that AtPac rejected its request. (Id. ¶ 30.)
In addition to alleging that defendants violated §§ 1030(a)(2)(c), (a)(4) and (a)(5) of the CFAA as alleged in its original Complaint, plaintiff's fourth cause of action in its FAC alleges that defendants trafficked in an illicit and unauthorized password in violation of § 1030(a)(6). (FAC ¶ 86); see 18 U.S.C. §§ 1030(a)(2)(c), (a)(4)-(6). Presently before the court is defendants' motion to dismiss plaintiff's fourth cause of action for violation of the CFAA. (Docket No. 23.)
On a motion to dismiss, the court must accept the allegations in the complaint as true and draw all reasonable inferences in favor of the plaintiff. Scheuer v. Rhodes, 416 U.S. 232, 236 (1974), overruled on other grounds by Davis v. Scherer, 468 U.S. 183 (1984); Cruz v. Beto, 405 U.S. 319, 322 (1972). To survive a motion to dismiss, a plaintiff needs to plead "only enough facts to state a claim to relief that is plausible on its face." Bell Atl. Corp. v. Twombly, 127 S.Ct. 1955, 1974 (2007). This "plausibility standard," however, "asks for more than a sheer possibility that a defendant has acted unlawfully," and where a complaint pleads facts that are "merely consistent with" a defendant's liability, it "stops short of the line between possibility and plausibility." Ashcroft v. Iqbal, 522 U.S. --- at ---, 129 S.Ct. 1937, 1949 (2009) (quoting Twombly, 550 U.S. at 556-57).
In general a court may not consider items outside the pleadings upon deciding a motion to dismiss, but may consider items of which it can take judicial notice. Heliotrope Gen., Inc. v. Ford Motor Co., 189 F.3d 971, 981 n.18 (9th Cir. 1999) (internal citations omitted); Barron v. Reich, 13 F.3d 1370, 1377 (9th Cir. 1994). A court may take judicial notice of facts "not subject to reasonable dispute" because they are either "(1) generally known within the territorial jurisdiction of the trial court or (2) capable of accurate and ready determination by resort to sources whose accuracy cannot reasonably be questioned." Fed. R. Evid. 201. Furthermore, courts may consider documents outside the complaint without converting the motion to dismiss into a motion for summary judgment if (1) the documents' authenticity is not contested; and (2) the plaintiff's complaint necessarily relief on the documents. Lee v. City of Los Angeles, 250 F.3d 668, 688 (9th Cir. 2001).
Defendants have submitted a Request for Judicial Notice ("RJN") (Docket No. 24) that contains a copy of the July 19, 2004 License Agreement (Ex. 1) and a transcript from the court's April 26, 2010 hearing on defendants' first motion to dismiss (Ex. 2). The court will take judicial notice of the second exhibit because it is a matter of public record. Fed. R. Evid. 201. Plaintiff objects to the court taking judicial notice of defendants' first exhibit, arguing that defendants failed to provide a declaration attesting to its authenticity. (Opp'n to Mot. to Dismiss (Docket No. 25) at 16.) As defendants have not attempted to authenticate the document, the court must decline to take judicial notice of it.
A. Scope of the CFAA's Prohibitions
The parties renew their arguments regarding whether the CFAA prohibits---and makes the defendants potentially criminally liable for---breaching the License Agreement by accessing and giving Aptitude access to the Atpac drives on the ER-Recorder server. The relevant provisions of the CFAA make liable:
(2) intentionally accesses a computer without authorization or exceeds authorized ...