Searching over 5,500,000 cases.

Buy This Entire Record For $7.95

Official citation and/or docket number and footnotes (if any) for this case available with purchase.

Learn more about what you receive with purchase of this case.

Enki Corporation v. Freedman

United States District Court, Ninth Circuit

January 23, 2014

KEITH FREEDMAN et al., Defendants.


PAUL S. GREWAL, Magistrate Judge.

When a former employee uses a customer's working log-in credentials to access his former employer's scripts, are he and the customer hackers? Plaintiff Enki Corporation says yes; Defendant Keith Freedman, along with his current employer and co-defendant, Zuora, Inc., say no. Freedman and Zuora now move to dismiss Enki's claims under the Computer Fraud and Abuse Act[1] and the California Computer Data Access And Fraud Act[2] for failure to state a claim upon which relief may be granted and the remainder of Enki's claims for lack of subject matter jurisdiction. Having reviewed the papers and considered the arguments of counsel, the court GRANTS Defendants' motion.


The court draws the following facts, taken as true for the purposes of the motion to dismiss, from Enki's First Amended Complaint.

From 2006-2011, Freedman was a 12% interest holding member of Enki.[3] Enki's business is to acquire, manage, develop, improve, and operate cloud computing and other IT services for enterprises.[4] In May of 2011, Freedman resigned.[5] Under the terms of Freedman's separation agreement with Enki, Enki bought out Freedman's interest, neither party was to disparage the other in any way, and Freedman was barred from soliciting Enki's clients or competing with Enki for a year.[6]

Shortly after Freedman's departure, Enki entered into a master service agreement with Zuora under which Enki was to provide consulting, cloud computing services, and other IT services.[7] As part of these services, and as set forth in various statements of work, Enki installed "Nimsoft" on Zuora's network.[8] Nimsoft is a "software based system monitor" used to monitor computer resources and performance.[9] Although the software was installed on Zuora's network, under the terms of the agreement Enki was the sole administrator of the software and the only one allowed to "write" Nimsoft scripts.[10]

In order to fulfill this contract, Enki hired Freedman and retained his new company, Freeform, as a contractor to provide certain services to Zuora.[11] Even though the separation agreement remained in effect, Freedman proceeded to spread negative stories about Enki and its work product throughout Zuora for several months, leading to the termination of his contract with Enki.[12] Zuora then hired Freedman and retained Freeform's services directly.[13]

In February 2013, Zuora terminated its contract with Enki "for convenience."[14] Before this termination, however, Freedman and Zuora accessed the Nimsoft servers on Zuora's network without authorization.[15] Freedman and Zuora then copied Enki's proprietary information, including Enki's Nimsoft scripts, in order to terminate the contract and receive the benefits of Enki's enterprise and technology without continuing to pay for Enki's services.[16] Enki brings this action to recover for various breaches of contract, as well as violations of state and federal anti-hacking statutes.


A complaint must contain "a short and plain statement of the claim showing that the pleader is entitled to relief."[17] If a plaintiff fails to proffer "enough facts to state a claim to relief that is plausible on its face, " the complaint may be dismissed for failure to state a claim upon which relief may be granted.[18] A claim is facially plausible "when the pleaded factual content allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged."[19] Accordingly, under Fed.R.Civ.P. 12(b)(6), which tests the legal sufficiency of the claims alleged in the complaint, "[d]ismissal can be based on the lack of a cognizable legal theory or the absence of sufficient facts alleged under a cognizable legal theory."[20] "A formulaic recitation of the elements of a cause of action will not do."[21]

On a motion to dismiss, the court must accept all material allegations in the complaint as true and construe them in the light most favorable to the non-moving party.[22] The court's review is limited to the face of the complaint, materials incorporated into the complaint by reference, and matters of which the court may take judicial notice.[23] However, the court need not accept as true allegations that are conclusory, unwarranted deductions of fact, or unreasonable inferences.[24]

"Dismissal with prejudice and without leave to amend is not appropriate unless it is clear... that the complaint could not be saved by amendment."[25]


A. Enki's CFAA Claim Fails to Allege Sufficient "Unauthorized Access"

Zuora and Freedman put forth two main theories as to why Enki's claim under the CFAA should be dismissed: 1) the complaint fails to allege loss or damage within the meaning of the statute; and 2) the complaint fails to allege unauthorized access within the Ninth Circuit's interpretation of the statue.

Regarding Defendants' first argument, although the Ninth Circuit has not yet ruled on whether costs of investigation may be included in the calculation of loss under the CFAA, this district and others within the circuit have long accepted that theory.[26] The statutory definition of loss includes "the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense."[27] Before the incident at issue here, Enki's proprietary information was secured, and afterward, it evidentially was not. It therefore stands to reason that the cost of investigating the source of the breach and remedying it would qualify as "loss" within that definition, as they would be required to return the system to its secured state. The undersigned therefore joins with his colleagues in holding that the costs of investigating a security breach may be included in the calculation of "loss" under the CFAA.

Defendants' second argument, however, carries more weight. The CFAA imposes liability where the defendant commits certain acts on a "protected computer" either "without authorization" or in "exce[ss of his] authorization."[28] The Ninth Circuit has held that to access a protected computer "without authorization" is to do so "without any permission at all, " and to "exceed authorized access" is to "access[] information on the computer that the person is not entitled to access."[29] It has further held that an individual does not "exceed authorized access" simply by misusing information that he or she was entitled to view for some other purpose; the CFAA regulates access to data, not its use by those entitled to access it.[30]

Here, Enki alleges that Freedman and Zuora violated the CFAA by "unlawfully access[ing] the Nimsoft servers and improperly cop[ying] Enki's Proprietary Information, "[31] and in particular Enki's Nimsoft scripts. However, the complaint does not allege that Defendants were unauthorized to access the scripts in question. In fact, the Statement of Work submitted for the court's consideration specifically grants Zuora and its representatives "sudo access" to "non-shell root commands" that would include the scripts at issue.[32] Enki instead hangs its hat on its repeated refusals to grant Zuora or Freedman the authority to write or edit those scripts.[33] That argument, however, speaks to misuse of the scripts, not unauthorized access, which under Nosal does not run afoul of the CFAA. Because Enki's complaint fails to allege that Defendants had no access rights to Enki's scripts, and indeed the documents upon which it relies reveal that Defendants had certain access rights, [34] their CFAA claim must be DISMISSED for failure to state a claim.

B. Enki's CDAFA Claim Fails to Allege A Sufficient Technical Code or Barrier

The only other claim that Freedman and Zuora substantively address in their motion is the CDAFA claim. With respect to that claim, they argue that because Enki's complaint fails to allege that either Freedman or Zuora overcame any technical barrier in order to view and copy its proprietary information, the claim must be dismissed for failure to state a claim.[35] Enki, however, maintains that a violation of the established terms of use is sufficient to create liability under CDAFA, and because the complaint alleges that Freedman and Zuora copied the information when they were not permitted to do so, they have sufficiently pled their claim.

The CDAFA imposes liability where an individual takes certain actions "without permission" on another's computer, network, or website.[36] Enki relies on a single case, Craigslist v. Naturemarket, Inc., [37] to argue that a simple violation of the terms of use meets the requirement that the action be "without permission."[38] Craigslist, however, appears to be an outlier. Just four months after Craigslist, in Facebook v. Power Ventures, Inc ., [39] this court held that to take an action "without permission" under the CDAFA, a defendant must overcome some technical or code barrier.[40] This has been the governing standard in this district since that time, [41] and it is the standard that applies here. As Enki itself does not even argue that the complaint alleges a technical obstacle, the court GRANTS Defendants' motion as to the CDAFA claim.

C. The Court Will Retain Subject Matter Jurisdiction Over the Remaining State Law Claims

Because jurisdiction over state law claims under ยง 1367 generally requires a federal hook, a court may choose to decline jurisdiction over any lingering state law claims where all federal claims in the case have been dismissed before trial.[42] Further, in the Ninth Circuit, "[i]t is usually appropriate to dismiss pendent state claims when federal claims are dismissed before trial, "[43] although in each case, a court must assess the values of "economy, convenience, fairness, and comity" in deciding whether or not to retain jurisdiction.[44]

Here, although the remaining claims are all grounded in state law, the parties are already eight months into litigation in this forum, and it would hardly serve the interests of economy or convenience to require the parties to begin anew in state court. In addition, because Enki has leave to amend its complaint to remedy the deficiencies identified in its pleadings, the federal claim may yet move forward in another version of the complaint. The court therefore will retain jurisdiction over the lingering state law claims.


Defendants' motion to dismiss is GRANTED as to the CFAA and CDAFA claims, which are dismissed without prejudice and with leave to amend. Any amended pleading shall be filed by February 23, 2014.


Buy This Entire Record For $7.95

Official citation and/or docket number and footnotes (if any) for this case available with purchase.

Learn more about what you receive with purchase of this case.