United States District Court, N.D. California, San Jose Division
May 28, 2014
FLEXTRONICS INTERNATIONAL, LTD. and FLEXTRONICS INTERNATIONAL USA, INC. Plaintiffs,
PARAMETRIC TECHNOLOGY CORPORATION, Defendant.
ORDER GRANTING-IN-PART DEFENDANT'S MOTION TO DISMISS
(RE: DOCKET NO. 168)
PAUL S. GREWAL, Magistrate Judge.
Defendant Parametric Technology Corporation once again moves to dismiss Plaintiff Flextronics International's claims under the Computer Fraud and Abuse Act,  Flextronics' claims under the California Computer Data Access And Fraud Act,  and Flextronics' common law claims for trespass to chattels and conversion. This court previously granted PTC's motion to dismiss Flextronics' original complaint. The parties appeared for a hearing. Having considered the parties' respective arguments, the court GRANTS PTC's motion, but only IN-PART.
In 1998, Flextronics and PTC executed an "Enterprise Agreement, " which granted Flextronics a license to use PTC's software on its computers. It did so, and for over a decade, the two companies lived in harmony. Then, on July 26, 2012, PTC informed Flextronics that it had become aware of numerous unauthorized copies of the software in use on Flextronics' machines and was gravely concerned about these "cracked copies" being used in violation of the license agreement. Flextronics began investigating these claims, and in the course of doing so, discovered that PTC had "concealed certain embedded technology in the PTC software" that it was using to access, obtain and transmit information in, from and about Flextronics' system back to PTC. Less than a month after this discovery, Flextronics filed suit against PTC for various computer crimes, as well as for a declaratory judgment of non-infringement of copyright and performance on the Enterprise Agreement. PTC denied Flextronics' allegations and countered with its own claims for copyright infringement and breach of contract.
After an extended hearing on the matter, the court granted PTC's motion for a preliminary injunction,  as well as its first motion to dismiss. In granting PTC's motion to dismiss, the court held that two sentences of conclusory allegations were insufficient to sustain a six-count complaint. Consistent with the court's order, on February 4, 2014, Flextronics filed an amended complaint that is the subject of the present motion.
II. LEGAL STANDARDS
A. Article III Standing
To satisfy Article III, a plaintiff "must show that (1) it has suffered an injury in fact' that is (a) concrete and particularized and (b) actual or imminent, not conjectural or hypothetical; (2) the injury is fairly traceable to the challenged action of the defendant; and (3) it is likely, as opposed to merely speculative, that the injury will be redressed by a favorable decision." A suit brought by a plaintiff without Article III standing is not a "case or controversy, " and an Article III court lacks subject matter jurisdiction over the suit. In that event, the suit should be dismissed under Fed. R. Civ. Pro. 12(b)(1).
The injury required by Article III may exist by virtue of "statutes creating legal rights, the invasion of which creates standing." In such cases, the "standing question... is whether the constitutional or standing provision on which the claim rests properly can be understood as granting persons in the plaintiff's position a right to judicial relief." At all times the threshold question of standing "is distinct from the merits of [a] claim" and does not require "analysis of the merits." The Supreme Court also has instructed that the "standing inquiry requires careful judicial examination of a complaint's allegations to ascertain whether the particular plaintiff is entitled to an adjudication of the particular claims asserted."
B. Rule 12(b)(6)
A complaint must contain "a short and plain statement of the claim showing that the pleader is entitled to relief." If a plaintiff fails to proffer "enough facts to state a claim to relief that is plausible on its face, " the complaint may be dismissed for failure to state a claim upon which relief may be granted. A claim is facially plausible "when the pleaded factual content allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged." Accordingly, under Fed.R.Civ.P. 12(b)(6), which tests the legal sufficiency of the claims alleged in the complaint, "[d]ismissal can be based on the lack of a cognizable legal theory or the absence of sufficient facts alleged under a cognizable legal theory." "A formulaic recitation of the elements of a cause of action will not do."
On a motion to dismiss, the court must accept all material allegations in the complaint as true and construe them in the light most favorable to the non-moving party. The court's review is limited to the face of the complaint, materials incorporated into the complaint by reference, and matters of which the court may take judicial notice. However, the court need not accept as true allegations that are conclusory, unwarranted deductions of fact, or unreasonable inferences.
"Dismissal with prejudice and without leave to amend is not appropriate unless it is clear... that the complaint could not be saved by amendment."
PTC advances two arguments for dismissing Flextronics' complaint. First, it focuses on the CFAA and CDAFA claims and argues that Flextronics has not alleged sufficient injury to establish Article III standing. Second, it argues that even if standing exists, Flextronics has failed to plead critical elements to sustain each of its claims. Neither argument is persuasive.
A. Flextronics Has Suffered Sufficient "Injury-In-Fact" To Establish Article III Standing
The Ninth Circuit has made it clear that Article III standing can be established by virtue of the violation of statutory rights. Where a statue "can be understood as granting persons in the plaintiff's position a right to judicial relief, " a right giving rise to standing has been created. The CFAA prohibits "a number of different computer crimes, the majority of which involve accessing computers without authorization or in excess of authorization, and then taking specified forbidden actions, ranging from obtaining information to damaging a computer or computer data." The CFAA further recognizes a private right of action for anyone who has suffered "loss" through a violation of its provisions. Although the Ninth Circuit has not yet ruled on whether costs of investigation may be included in the calculation of loss under the CFAA, in cases of an alleged security breach, this court has accepted that theory. Similarly, the CDAFA authorizes a civil suit for the victim of a computer crime to recover "any expenditure reasonably and necessarily incurred by the owner or lessee to verify that a computer system, computer network, computer program, or data was or was not altered, damaged, or deleted" by the alleged unauthorized access.
Here, Flextronics has alleged that "the investigation into and response to PTC's unlawful conduct has imposed costs and expenses to Flextronics aggregating more than $5, 000 in at least one single year period, " and thus sufficiently alleged a cognizable injury under the CFAA. Because the CFAA and the CDAFA clearly intended to grant persons in such a position a right to judicial relief, Flextronics has met the threshold for Article III standing on those claims.
B. Flextronics Has Alleged Sufficient Facts To State Claims Under Rule 12(b)(6)
1. Flextronics Alleges Use Of Its Systems "In A Manner That Exceeds Authorized Access" Under The CFAA
PTC challenges Flextronics' CFAA claim on two grounds: (1) the complaint does not show that Flextronics suffered a "loss" of at least $5, 000, and (2) Flextronics fails to allege facts indicating that PTC accessed its system "without authorization" or "in a manner that exceeds authorized access." Having considered and rejected the first argument above, the court moves directly to the second.
Presented with an explicit allegation that "[w]ithout notice to or authorization from Flextronics, PTC has concealed certain embedded technology in the PTC software provided to Flextronics [and] used that hidden technology to access, obtain, and transmit information in Flextronics' computers that PTC is not entitled to access, obtain, or transmit, " followed by almost five pages of details about how it does so, PTC nonetheless argues that it cannot be held to have hacked Flextronics' computers because Flextronics voluntarily installed the software. This might be a sufficient defense if the standard were limited to access "without authorization, " but the CFAA also reaches one "who's authorized to access only certain data or files but accesses unauthorized data or files." Flextronics alleges that PTC did exactly that in paragraphs twenty-nine through thirty-one of the operative complaint. These paragraphs list the types of information to which PTC gained access, and specifically state that "PTC is not entitled to access, obtain, alter, or transmit" that information. This is precisely the type of detail required by Iqbal and Twombly, and the type of excess access contemplated by Nosal.  Whether or not Flextronics will be able to prove up these claims remains to be seen, but at this stage, when all allegations are accepted as true, they suffice.
2. Flextronics Successfully Pleads A Claim Under Section 502(c)(8)
The CDAFA imposes liability where an alleged hacker "knowingly" takes one or more actions related to computers; 8 of the 9 subsections also require that these actions be taken "without permission." This district has interpreted the phrase "without permission" to require that the defendant have accessed the computer system "in a manner that overcomes technical or code-based barriers."
In this iteration of the complaint, Flextronics argues that PTC violated Sections 502(c)(2), (3), (6), (7) and (8). PTC advances three arguments for the dismissal of Flextronics' CDAFA claims. First, it argues that because the software at issue was installed alongside other, authorized software, Flextronics has failed to allege that PTC acted "without permission, " as required by subsections (2), (3), (6) and (7). Second, it argues that because PTC's software does not "usurp the normal operation" of Flextronics' computer systems, it does not constitute a "computer contaminant" under subsection (8)A. Third, PTC argues that Flextronics has not suffered the necessary "loss or damages" to support a CDAFA claim. Again, because the court has already rejected the "loss or damages" theory, it will not rehash the discussion here; suffice to say PTC's arguments are no more compelling in this context than in others.
a) Because Flextronics Acknowledges That It Installed Some Portion Of PTC's Software Voluntarily, The Embedded Technology That Accompanied Was Not Installed "Without Permission"
This court has previously held that in order to take an action "without permission" under the CDAFA, a defendant must overcome some technical or code barrier to do so. On its face, the operative complaint would appear to meet this requirement, as Flextronics repeatedly alleges that the software "evades and circumvents the firewalls and other security measures put in place by Flextronics to secure its confidential and proprietary data." However, PTC contends that here, whether or not the software overcame a technical barrier is irrelevant. Instead, it argues that because Flextronics voluntarily gave permission to install some portion of PTC's software on its computers, any additional code installed at the same time was also installed with permission. This argument has been adopted in many other cases in this district. These cases hold that when software containing "surreptitious code" is installed voluntarily by a plaintiff, a defendant has not accessed the plaintiff's computer "without permission, " even if the plaintiff was unaware of the "surreptitious code" when he or she installed the software.
Flextronics presents no argument whatsoever as to how this case is distinguishable from that line. In each of the above cited cases, a plaintiff installed software with code that, unbeknownst to the plaintiff, secretly collected and transmitted personal data to third parties. That is precisely what Flextronics alleges happened here; it installed PTC software that, unbeknownst to Flextronics, secretly collected and transmitted data back to PTC. Absent any argument to the contrary, the undersigned joins his colleagues in holding that an unknown file or subroutine of otherwise voluntarily installed software cannot be said to have been installed on the computer "without permission" in violation of the CDAFA.
b) Flextronics' Successfully Alleges That PTC Introduced A Computer Contaminant To Its System Within The Meaning of Section 502(b)(10) and Section 502(c)(8)
Section 502(c) delineates the actions that may subject a "hacker" to civil and criminal liability under the CDAFA. With one exception, each of the 9 subsections require that the action be taken "knowingly and without permission." That one exception is subsection (c)(8), which requires only that the defendant "[k]nowingly introduce any computer contaminant into any computer." A computer contaminant is defined in Section 502(b)(10) as "any set of computer instructions that are designed to modify, damage, destroy, record, or transmit information within a computer, computer system, or computer network without the intent or permission of the owner of the information." PTC argues that the use of phrase "without the intent or permission of the owner" in Section 502(b)(10) means that courts must effectively apply Section 502(c)(8) as though it contained the same "and without permission" language as Section 502(c)(1-7) and (9). Under this theory, Flextronics' claim under Section 502(c)(8) would fail for the same reason that all its other CDAFA claims fail: Flextronics voluntarily installed at least some of the software.
This court cannot agree. First and foremost, such a conclusion is at odds with the text of the statute. When read in conjunction with subsection (b)(10), subsection (c)(8) sets out two verb clauses: introduce and modify/damage/destroy/record/transmit. As a matter of plain language, the phrase "without the intent or permission of the owner" in subsection (b)(10) modifies the verb modify/damage/destroy/record/transmit, whereas the phrase "and without permission, " as used throughout subsection (c), modifies the verb introduce. Under the other provisions of subsection (c), the phrase "and without permission" appears directly next to and modifies the first, operative verb of the subsection, which describes the human conduct prohibited by the statute. The legislature wrote Section 502(c)(8) differently, and that drafting choice must be given deference in interpreting the statute. As such, the placement of "without permission" in a different location in subsection (b)(10) and (c)(8) gives it a different meaning. The plain language of the statute leads the court to conclude that in order to state a claim for conduct in violation of Section 502(c)(8), a plaintiff need only allege that the actions of the contaminant (modify/damage/destroy/record/transmit) were undertaken by overcoming a technical barrier without the permission of the owner; the introduction of the contaminant to the system need not surmount the same hurdle.
This conclusion is in line with legislature's aim in subsections (b)(10) and (c)(8). The drafters spelled out that they intended this provision to encompass things including, but not limited to, "a group of computer instructions commonly called viruses or worms." One common type of computer virus is the "Trojan Horse, " which secures the permission of the system owner by claiming to do one thing, such as launch a game or stream of digital media, and then does something different or extra after it has been accepted. Under PTC's proposed interpretation, someone who introduced a Trojan Horse to a computer system would not be subject to liability under the CDAFA, even though the legislature specifically noted that it intended this subsection to capture individuals responsible for the spread of computer viruses. Where, as here, the plain language of the statute leads to an interpretation in line with the stated objective of a statute, that interpretation is the correct one.
Flextronics has sufficiently plead just such a claim. Paragraphs twenty-five to forty-six describe the "hidden embedded technology" that PTC "caused to be installed" on Flextronics' computers. This technology undisputedly qualifies as a set of computer instructions for purposes of the CDAFA. PTC also does not contest that the technology is alleged to transmit information within the computer system, or that it does so "without the intent or permission" of the owners of the information. Flextronics thus has successfully plead the basic requirements for a CDAFA claim under Section 502(c)(8).
PTC attempts to argue that because the technology does not "usurp the normal operation of the computer, " it does not qualify as a "contaminant." However, that argument misinterprets an illustrative phrase at the end of a list of possible ways things that a set of computer instructions might do to be considered a "contaminant." Earlier in that same sentence, the statute teaches that a set of instructions which "consume computer resources, modify, destroy, record, or transmit data" may also be considered a contaminant. Here, again, Flextronics clearly alleges that the embedded software transmitted data from its computers, bringing it squarely within the purview of the statutory definition.
Flextronics' claim under the CDAFA may thus proceed under Section 502(c)(8) alone.
3. Flextronics Has Reinforced Its Common Law Claims With Sufficient Factual Allegations To Proceed On Those Claims
In this court's prior order, it ruled that "[b]ecause Flextronics has not alleged that [its] data was in any way degraded by PTC's actions or that it was deprived of use of the data for any period of time, " Flextronics' claim for trespass to chattels had to be dismissed. In the operative complaint, they have fixed that error in paragraphs thirty-nine through forty-two. These paragraphs provide far more than a conclusory statement that, "Flextronics' systems have been harmed, " offering instead the specific harms that its data and its systems have suffered as a result of PTC's actions. What's more, after Flextronics pointed out these paragraphs in its opposition to the instant motion, PTC offered no argument in its reply that they were insufficient. PTC's motion as to the trespass to chattels claim is therefore denied. Flextronics does not, however, plead the requisite intentionality to also sustain a claim for conversion, the big brother of trespass to chattels, so that claim will be dismissed.
C. Flextronics Is Entitled To A Jury On All But The Contract Claims
PTC puts forth one final request in asking that the court strike Flextronics' jury demand in light of the jury waiver that was present in the original Enterprise Agreement between Flextronics and PTC. That waiver, however, only applied to disputes regarding the contract. In the operative complaint, Flextronics has alleged several causes of action that do not stem from the contractual relationship. In these circumstances, the Ninth Circuit has held that absent language in a jury waiver indicating that the parties contemplated that the waiver would apply beyond the contract, it will not bar a jury demand for statutory claims arising from only tangentially related actions. PTC's motion to strike is therefore denied.
PTC's motion to dismiss is GRANTED-IN-PART. Flextronics' claim for conversion is dismissed without prejudice and with leave to amend, but its claims under the CFAA, Section 502(c)(8) of the CDAFA, and for trespass to chattels have now cleared the bar set by Rule 12(b)(6). Flextronics' jury demand is also effective as to all but the contractual, declaratory judgment claim. Any further amended complaint shall filed by June 28, 2014.
IT IS SO ORDERED.