United States District Court, N.D. California
November 3, 2014
JAVITCH CANFIELD GROUP, et al., Defendants
NovelPoster, a California General Partnership, Plaintiff:
David Nied, LEAD ATTORNEY, Keenan W. Ng, Katy Marie Young,
Michael Stephen Dorsi, Ad Astra Law Group, LLP, San
Daniel Canfield, an individual, Mark Javitch, an individual,
Defendants, Counters-Claimants: Carlton John Willey, LEAD
ATTORNEY, Willey & Bentaleb LLP, San Francisco, CA.
Mark Javitch, an individual, Daniel Canfield, an individual,
3rd party Plaintiffs: Carlton John Willey, LEAD ATTORNEY,
Willey & Bentaleb LLP, San Francisco, CA; Katy Marie Young,
LEAD ATTORNEY, Ad Astra Law Group, LLP, San Francisco, CA.
NovelPoster, a California General Partnership,
Counter-Defendant: Keenan W. Ng, LEAD ATTORNEY, Katy Marie
Young, Michael Stephen Dorsi, Ad Astra Law Group, LLP, San
Alex Yancher, Counter-Defendant: Katy Marie Young, LEAD
ATTORNEY, Michael Stephen Dorsi, Ad Astra Law Group, LLP, San
DENYING DEFENDANTS' SECOND MOTION FOR JUDGMENT ON THE
PLEADINGS Re: Dkt. No. 111
H. ORRICK, United States District Judge.
order concerns the second motion for judgment on the
pleadings filed by defendants in this case. I granted the
first motion with respect to plaintiff NovelPoster's
claims under the Computer Fraud and Abuse Act ("
CFAA" ) and California's Comprehensive Computer Data
Access and Fraud Act (" CDAFA" ) on the ground that
NovelPoster had failed to adequately plead damage or loss
within the meaning of either statute. NovelPoster has since
filed an amended complaint (" First Amended
Complaint" ) with additional details concerning the
damage and loss NovelPoster allegedly sustained as a result
of defendant's conduct. Defendants contend that the First
Amended Complaint still fails to adequately plead damage or
loss under the CFAA and CDAFA, and that it fails to properly
allege that defendants accessed or used a computer "
without permission," as required to state a claim under
the CDAFA. For the reasons discussed below, the motion is
following facts are alleged in the First Amended Complaint
and are presumed true for the purposes of this motion. Except
where otherwise indicated, most of the facts are also alleged
in NovelPoster's initial complaint and are set out in the
Court's August 4, 2014 order granting defendants'
first motion for judgment on the pleadings. See Dkt.
Nos. 1, 93. I repeat them here for ease of reference.
Failed business arrangement between the
is an online retailer that designs, sells, and distributes
" text-based poster products." FAC ¶ 3.
NovelPoster has no physical presence and is accessible only
through its website, www.NovelPoster.com, and other online
shopping portals. FAC ¶ 11. The business was founded by
Matt Grinberg and Alex Yancher in 2011. FAC ¶ 10.
operations are conducted exclusively online through a number
of software programs and websites, including Google and
Google Adwords, Goodsie, Etsy, Storenvy, Facebook and
Facebook Ads, Twitter, MailChimp, Stripe, and PayPal. FAC
¶ 12. NovelPoster uses several email accounts hosted by
Google. FAC ¶ 12. These include Contact@NovelPoster.com,
Matt@NovelPoster.com, and Alex@NovelPoster.com. FAC ¶
12. Contact@NovelPoster.com is the administrative account for
all of NovelPoster's Google email accounts, and access to
Contact@NovelPoster.com allows the user to access and control
both Matt@NovelPoster.com and Alex@NovelPoster.com, which are
the individual email accounts for Grinberg and Yancher,
respectively. FAC ¶ 12. Grinberg and Yancher used
Contact@NovelPoster.com and their individual email accounts
to communicate with customers and to store contact
information for designers, marketers, and other entities
" essential to the growth and operation of
NovelPoster." FAC ¶ 14.
first came into contact with defendants through Yancher, who
met defendant Daniel Canfield at a social event in San
Francisco, California in March 2013. FAC ¶ 16. Yancher
and Canfield agreed to pursue a potential business
arrangement by which Canfield's company, defendant
Javitch Canfield Group, would assume responsibility for
running NovelPoster " until it could be sold." FAC
¶ 16. Grinberg and Yancher met with Canfield and his
business partner, defendant Mark Javitch, several times
between March 2013 and May 2013 to discuss and negotiate the
details of the arrangement. FAC ¶ 17.
around May 3, 2013, optimistic that an agreement with
defendants would soon be reached, NovelPoster provided
defendants with the passwords to a number of its online
accounts, including Contact@NovelPoster.com and
NovelPoster's accounts with Google Adwords, Goodsie,
Facebook, Twitter, MailChimp, Stripe, and PayPal. FAC ¶
18. Grinberg and Yancher did not authorize defendants to
change the passwords to any of the accounts. FAC ¶ 18.
Nevertheless, on or around May 8, 2013, defendants changed
the passwords to each of the accounts without providing the
new passwords to NovelPoster. FAC ¶ 19. Grinberg emailed
defendants to inform them that while changing the passwords
was " totally fine for now," Grinberg and Yancher
" would need access to NovelPoster's accounts going
forward." FAC ¶ 21. In the same email, Grinberg
proposed final contract terms between the parties, including
the following points:
(i) Javitch Canfield Group would " take over all aspects
of operations except for poster design," while
NovelPoster would " continu[e] to be responsible for
additional poster design at a rate of one poster per
(ii) NovelPoster would maintain " ownership of all
NovelPoster related accounts."
(iii) Javitch Canfield Group would receive 80 percent of all
NovelPoster sales, as well as a ten percent equity share to
vest in two years.
(iv) Javitch Canfield Group would not compete with
NovelPoster " by creating their own text-based poster
accepted the terms via email on May 9, 2013. FAC ¶ 24.
around May 13, 2013, in line with the contract provision that
NovelPoster would maintain " ownership of all
NovelPoster related accounts," Canfield provided
NovelPoster with the new passwords the defendants had
created. FAC ¶ 27. On or around June 6, 2013, however,
defendants reversed course and again changed the passwords
for Contact@NovelPoster.com, Google Adwords, Goodsie,
Facebook, Twitter, MailChimp, Stripe, and PayPal, again
without providing the new passwords to NovelPoster. FAC
¶ 29. On the same date, defendants also accessed and
changed the passwords to Grinberg and Yancher's
individual email accounts, Matt@NovelPoster.com and
Alex@NovelPoster.com. FAC ¶ 30. Neither Grinberg nor
Yancher had authorized defendants to access the individual
email accounts or to change the accounts' passwords. FAC
¶ 30. The First Amended Complaint alleges that by
changing the various online account passwords, defendants
exceeded their authority " to operate, but not own,
NovelPoster" and " prevented [NovelPoster] from
restoring and reasserting the technical access barriers that
defendants had just overcome." FAC ¶ 29-30, 92.
10, 2013, Yancher emailed Canfield and Javitch, alerting them
that he knew they had accessed the individual email accounts
and read emails therein without permission. FAC ¶ 31.
Javitch replied and suggested a meeting to discuss the
situation. FAC ¶ 32. Yancher agreed to meet but
reiterated that defendants were not authorized to access the
individual email accounts or to change the accounts'
passwords. FAC ¶ 32.
parties met on June 13, 2013. FAC ¶ 33. Grinberg and
Yancher told defendants that " their business
relationship was not working" and that they wished to
terminate the agreement. FAC ¶ 33. Defendants refused,
insisting they would relinquish control of NovelPoster only
for a $10,000 fee. FAC ¶ 33. The next day, Grinberg sent
Canfield an email terminating the agreement and demanding
that defendants return all of NovelPoster's business
operations, including the passwords to NovelPoster's
online accounts. FAC ¶ 34. In a reply email sent the
same day, Javitch " refused to acknowledge the
termination of the agreement, reasoning . . . there was no
clause in the contract that addressed termination and
therefore the termination was not valid." FAC ¶ 36.
June 2013 and January 2014, defendants maintained control of
all aspects of NovelPoster's business and routinely
accessed, without authorization from Grinberg or Yancher,
NovelPoster's online accounts. FAC ¶ 41. Throughout
that period, defendants " cross-marketed NovelPoster
with other brands [they] promote" and misrepresented to
vendors and other business contacts that defendants were
authorized to enter binding agreements on NovelPoster's
behalf. FAC ¶ ¶ 39-40. In early December 2013,
NovelPoster discovered that defendants had shut down
Novelposter's website. FAC ¶ 43. This was "
right at the apex of the holiday season and the most
profitable part of the year for NovelPoster." FAC ¶
43. NovelPoster asserts that in 2012, it earned thirty
percent of its revenues in December; because its website was
shut down in December 2013, NovelPoster " could not
conduct sales, interact with customers, or generally operate,
and lost significant revenue as a result." FAC ¶
not until January 10, 2014 that defendants finally turned
over the passwords to all but one of NovelPoster's online
accounts. FAC ¶ 44. Prior to returning access,
defendants deleted the email accounts Mark@NovelPoster.com
and Becky@NovelPoster.com, along with all data and
communications stored within those accounts. FAC ¶
45-46. Defendants also withheld from
NovelPoster all emails and other communications that had been
sent or received through any of NovelPoster's online
accounts during the approximately seven months that
defendants controlled the business. FAC ¶ 48. On
February 10, 2014, I ordered defendants to provide those
emails and communications to NovelPoster within seven days.
Dkt. No. 38.
NovelPoster's allegations concerning damage and
respect to NovelPoster's CFAA and CDAFA causes of action,
the damage and loss allegations in the initial complaint were
limited to a single boilerplate sentence: " As a result
of defendants' conduct, NovelPoster has suffered damages
and/or loss in excess of $5,000 in the year preceding the
date of this filing, but the damages grow each day that
defendants refuse to acknowledge [the] termination of the
agreement." Order at 14; Dkt. No. 1 ¶
damage and loss allegations in the First Amended Complaint
are substantially more detailed. They can be grouped into
three categories. First, NovelPoster alleges "
impairment of data" damage caused by defendants'
extended period of exclusive control over NovelPoster's
online accounts. See FAC ¶ 42 (" Because
plaintiff was locked out of its own accounts, it had no way
to . . . investigate what had been done with its . . .
accounts, what data had been deleted, what false information
had been created, or how its accounts had been used while
they were hijacked by defendants." ).
NovelPoster alleges " investigation and recovery"
losses. Opp. 2-3. NovelPoster states that between June 14,
2013 (the date NovelPoster terminated its agreement with
defendants) and February 17, 2014 (the date by which
defendants were ordered to turn over all emails and other
communications that had been sent or received through
NovelPoster's online accounts during defendants'
period of exclusive control), Grinberg and Yancher each spent
approximately ten hours per week " on their efforts to
secure the restoration of NovelPoster and its data and
information" to the condition they were in " prior
to when defendants took control of NovelPoster." FAC
¶ 70. These efforts included restoring the data and
information to their prior condition, as well as responding
to and conducting a damage assessment of defendants'
alleged CFAA and CDAFA violations. FAC ¶ 50. NovelPoster
states that Grinberg and Yancher have previously received
$150 per hour for computer work, and that, based on that
figure, the value of the time and services they expended in
their restorative efforts is approximately $105,000.
Id. NovelPoster also hired attorneys in its efforts
to restore its data and information. FAC ¶ 71. The
attorneys " charge in excess of $300/hour and spent in
or around in excess of 100 hours securing the return of
NovelPoster's data and information." Id.
NovelPoster alleges " interruption of service"
losses. Opp. 3, 7-8. NovelPoster states that as a result of
defendants' control of NovelPoster's website and
online accounts, NovelPoster suffered lost revenue in the
form of: (i) approximately $13,000 in NovelPoster sales that
occurred while the website was under defendants' control
and that was " unjustly retained" by defendants;
(ii) " unrealized revenues," including those due to
defendants' shutdown of the NovelPoster website in
December 2013 during the height of the holiday shopping
season; and (iii) " damaged relationships with
wholesalers due to the subpar product and customer service
[defendants] offered while operating NovelPoster." FAC
¶ ¶ 74-75.
filed its initial complaint on November 16, 2013, alleging
nine causes of action against defendants: (1) violation of
the CFAA, 18 U.S.C. § § 1030(a)(2)(C) and
1030(a)(5)(C); (2) violation of the Wiretap Act, 18 U.S.C.
§ 2511 et seq.; (3) violation of the CDAFA,
Cal. Penal Code § § 502(c)(1)-(5), (7); (4)
violation of the California Invasion of Privacy Act, Cal.
Penal Code § 630 et seq.; (5) conversion; (6)
breach of contract; (7) breach of the implied covenant of
good faith and fair dealing; (8) violation of
California's Unfair Competition Law; and (9) unjust
enrichment. Dkt. No. 1.
6, 2014, defendants filed a motion for judgment on the
pleadings on the first through fourth causes of action. Dkt.
No. 60. On August 8, 2014, I granted the motion on the CFAA
cause of action, reasoning that while NovelPoster had
adequately alleged improper conduct under the
Act, NovelPoster's barebones loss and
damage allegation was too conclusory to support a claim for
relief against defendants. Dkt. No. 93 at 6-15. I also
granted judgment on the pleadings for defendants on
NovelPoster's CDAFA cause of action, also on the ground
that NovelPoster had failed to adequately allege loss or
damage within the meaning of that statute. Id. at
16-17. I gave NovelPoster leave to amend both
causes of action. Id. at 22.
filed the First Amended Complaint on August 19, 2014,
alleging the same causes of action as in the initial
complaint, minus the Wiretap Act and California Invasion of
Privacy Act claims. Defendants filed the instant motion on
September 10, 2014, and I heard argument from the parties on
October 15, 2014.
Federal Rule of Civil Procedure 12(c) provides that "
[a]fter the pleadings are closed -- but early enough not to
delay trial -- a party may move for judgment on the
pleadings." Fed.R.Civ.P. 12(c). " Analysis under
Rule 12(c) is substantially identical to analysis under Rule
12(b)(6) because, under both rules, a court must determine
whether the facts alleged in the complaint, taken as true,
entitle the plaintiff to a legal remedy." Chavez v.
United States, 683 F.3d 1102, 1108 (9th Cir. 2012)
(internal quotation marks omitted). As with a motion to
dismiss under Rule 12(b)(6), when deciding a motion for
judgment on the pleadings, the court " must accept all
factual allegations in the complaint as true and construe
them in the light most favorable to the nonmoving
party." Fleming v. Pickard, 581 F.3d 922, 925
(9th Cir. 2009). " Judgment on the pleadings is properly
granted when there is no issue of material fact in dispute,
and the moving party is entitled to judgment as a matter of
law." Id. (footnote and citation omitted).
DAMAGE AND LOSS UNDER THE CFAA
contend that the First Amended Complaint still fails to
adequately plead either damage or loss as defined by the
CFAA. Defendants are wrong.
maintain a civil action under the CFAA, the plaintiff must
show that he or she " suffer[ed] damage or loss by
reason of [the defendant's] violation" of the Act,
and that one of five enumerated circumstances is present. 18
U.S.C. § 1030(g). NovelPoster claims that defendants
violated two provisions of the CFAA, 18 U.S.C. §
1030(a)(2)(C) and 18 U.S.C. § 1030(a)(5)(C). Section
1030(a)(2)(C) makes liable anyone who " intentionally
access a computer without authorization or exceeds authorized
access, and thereby obtains . . . information from any
protected computer." 18 U.S.C. § 1030(a)(2)(C).
Section 1030(a)(5)(C) similarly creates a cause of action
against anyone who " intentionally accesses a protected
computer without authorization, and as a result of such
conduct, causes damage and loss." 18 U.S.C. §
1030(a)(5)(C). The circumstance relevant to NovelPoster's
claims is whether defendants' alleged CFAA violations
caused " loss to 1 or more persons during any 1-year
period . . . aggregating at least $5,000 in value." 18
U.S.C. § 1030(c)(4)(A)(i)(I). The upshot is that
NovelPoster must show that defendants' violation of each
of the alleged CFAA provisions caused loss of at least
$5,000, and, further, that defendants' violation of
section 1030(a)(5)(C) caused both " damage and
loss." 18 U.S.C. § § 1030(a)(5)(C),
1030(c)(4)(A)(i)(I); see also, Network Cargo
Sys. Int'l, Inc. v. Pappas, No. 13-cv-09171, 2014 WL
1674650, at *2 (N.D.Ill. Apr. 25, 2014) (noting that a
plaintiff bringing a claim under 18 U.S.C. 1030(a)(5)(C) must
show both " damage" and " loss" ).
CFAA defines " damage" as " any impairment to
the integrity or availability of data, a program, a system,
or information." 18 U.S.C. § 1030(e)(8). "
Loss" is defined as " any reasonable cost to any
victim, including the cost of responding to an offense,
conducting a damage assessment, and restoring the data,
program, system, or information to its condition prior to the
offense, and any revenue lost, cost incurred, or other
consequential damages incurred because of interruption of
service." Id. § 1030(e)(11). Thus, while
" damage" covers harm to data and information,
" loss" refers to monetary harms sustained by the
plaintiff. See Phillips v. Ex'r of Estate of
Arnold, 13-cv-00444, 2013 WL 4458790, at *4 (W.D. Wash.
Aug. 16, 2013).
First Amended Complaint adequately alleges damage because it
alleges that throughout the approximately seven months that
defendants maintained unauthorized control of
NovelPoster's online accounts, NovelPoster was prohibited
from accessing the data and communications stored within
them. See FAC ¶ 42. This qualifies as an "
impairment to the . . . availability of data," as
required to show damage under the CFAA. See 18
U.S.C. § 1030(e)(8); see also, Cassetica
Software, Inc. v. Computer Sciences Corp., No.
09-cv-00003, 2009 WL 1703015, at *3 (N.D.Ill. June 18, 2009)
(holding that a plaintiff alleges damage under the CFAA where
he alleges that defendant's conduct " caused a
diminution in the completeness or usability" or "
affected the availability" of data).
contend that CFAA-qualifying damage only occurs where data is
destroyed or where the underlying computer system is harmed.
See Reply at 5 (" Plaintiff does not plead any
damage to computers or computer systems." ). Defendants
cite several cases in support of this proposition.
See NetApp, Inc. v. Nimble Storage, Inc.,
No. 13-cv-05058-LHK, 41 F.Supp.3d 816, 2014 WL 1903639, at
*12-13 (N.D. Cal. May 12, 2014) (" damage" means
" harm to computers or networks" ); Doyle v.
Taylor, 09-cv-00158, 2010 WL 2163521, at *2-3 (E.D.
Wash. May 24, 2010) (to show " damage" or "
loss" under the CFAA, " plaintiffs must identify
impairment of or damage to the computer system that was
accessed without authorization" ); Del Monte Fresh
Produce, N.A., Inc. v. Chiquita Brands Int'l Inc.,
616 F.Supp.2d 805, 810 (N.D.Ill. 2009) (a person causes
" damage" under the CFAA when she " destroys .
. . data" ).
the cases cited by defendants, however, involve a situation
where the alleged CFAA violation caused the extended
unavailability of the data at issue. Rather, all of the cases
involve the mere copying of data. See, e.g.,
NetApp, Inc, 2014 WL 1903639, at *13 ("
[Plaintiff] alleges only that [defendant] accessed its
databases without permission, not that he damaged any systems
or destroyed any data." ); Doyle, 2010 WL
2163521, at *1 (plaintiff alleged that defendant violated the
CFAA by copying and distributing the contents of
plaintiff's thumb drive); Del Monte, 616
F.Supp.2d at 811 (N.D.Ill. 2009) (" copying electronic
files from a computer database . . . is not enough to satisfy
the damage requirement of the CFAA" ). These cases
appear to have used language suggesting a destruction or
harm-to-computer-system requirement as a means of emphasizing
that the mere copying of data is not enough, not as a means
of excluding the extended unavailability of data from the
CFAA's definition of " damage." Given their
factual differences with the instant case, the decisions
cited by defendants are not persuasive here.
district courts in the Ninth Circuit have expressly held
that, under the CFAA, " it is not necessary for data to
be physically changed or erased to constitute damage to that
data." Multiven, Inc. v. Cisco Sys., Inc., 725
F.Supp.2d 887, 894-95 (N.D. Cal. 2010); see also,
T-Mobile USA, Inc. v. Terry, 862 F.Supp.2d 1121,
1131 (W.D. Wash. 2012) (noting that data need not be "
physically changed or erased" to be damaged under the
also point to B.U.S.A. Corp. v. Ecogloves, Inc., No.
05-cv-09988, 2009 WL 3076042 (S.D.N.Y. Sept. 28, 2009), but
the case is plainly distinguishable. The court in
B.U.S.A. held that the plaintiffs could not prove
" loss" under the CFAA where " [t]he credible
evidence in the record does not show that [defendant's]
actions caused an 'interruption of service' -- at
most, plaintiffs were unable to access some of
[defendant's] past emails for an unspecified period of
time." Id. at *9. As the preceding sentence
indicates, B.U.S.A. was concerned with "
loss" under the CFAA, not " damage."
Id. at *6-9. The court held that the temporary
unavailability of emails does not constitute an "
interruption of service" under the CFAA but said nothing
about what constitutes damage within the meaning of the Act.
have not presented any persuasive authority for excluding the
approximately seven-month unavailability of data from the
CFAA's definition of damage despite that definition's
plain inclusion of " impairment to the . . .
availability of data." 18 U.S.C. § 1030(e)(8).
NovelPoster has adequately alleged that defendants'
alleged CFAA violations caused damage within the meaning of
First Amended Complaint also includes sufficient allegations
of loss under the CFAA. As defined under section 1030(e)(11),
" loss" means two things: first, " any
reasonable cost to any victim," such as conducting a
damage assessment and restoring the damaged data or
information to its condition prior to the offense; and
second, lost revenue or other costs incurred as a result of
an " interruption of service." 18 U.S.C. §
1030(e)(11). NovelPoster may only sue defendants under the
CFAA if defendants' violations of the Act caused a loss
of at least $5,000 in value. See 18 U.S.C. §
§ 1030(c)(4)(A)(i)(I), 1030(g).
pleading purposes, NovelPoster has satisfied this requirement
by alleging that Grinberg and Yancher each spent substantial
time and energy " on their efforts to secure the
restoration of NovelPoster and its data and information"
to the condition they were in " prior to when defendants
took control of NovelPoster," efforts which included
restoring the data and information to their prior condition,
as well as responding to and conducting a damage assessment
of defendants' alleged CFAA and CDAFA violations. FAC
¶ ¶ 50, 70. These allegations fit within the
CFAA's definition of " loss" as " any
reasonable cost to any victim, including the cost of
responding to an offense, conducting a damage assessment, and
restoring the data, program, system, or information to its
condition prior to the offense." 18 U.S.C. §
1030(e)(11). By alleging the approximate number of hours that
Grinberg and Yancher spent on their restorative efforts, and
the approximate value of their services, NovelPoster has also
provided a basis for the plausible inference that
defendants' alleged CFAA violations caused losses of at
least $5,000. See FAC ¶ 50, 70.
argue that Grinberg and Yancher's efforts cannot qualify
as loss under the CFAA because it is not plausible that their
efforts were related to the damage of any computer system or
data. According to defendants, the allegations in the First
Amended Complaint demonstrate that " there was nothing
[for Grinberg and Yancher] to investigate." Mot. 8.
NovelPoster knew that it had transferred its passwords and
operations to defendants, and that defendants had changed the
passwords and continued to operate the business despite
NovelPoster's attempt to terminate the agreement between
the parties. Mot. 8. Defendants assert that " [t]his
situation is easily comprehensible for individuals of
ordinary intelligence and does not justify a 700-hour
argument is flawed for two reasons. First, it conflates
investigating the circumstances of defendants' alleged
misconduct with " conducting a damage assessment [and]
restoring the data . . . to its condition prior to the
offense." See 18 U.S.C. § 1030(e)(11).
Just because NovelPoster knew how defendants had violated the
CFAA does not mean NovelPoster knew which data had been made
unavailable or how to restore it. It is certainly plausible
that NovelPoster spent extensive time and energy determining
precisely what data was contained within the hijacked
accounts and attempting to restore that data, even after
ascertaining what defendants had done. See
SuccessFactors, Inc. v. Softscape, Inc., 544
F.Supp.2d 975, 981 (N.D. Cal. 2008) (holding that where
" the offender has actually accessed protected
information, discovering who has that information and
what information he or she has is essential to remedying
the harm" and therefore qualifies as loss under the
CFAA) (emphasis added).
second problem with defendants' argument is that it
requires a factual inquiry into the accuracy of
NovelPoster's claims that is not appropriate on a motion
for judgment on the pleadings. In deciding such a motion, the
court " must accept all factual allegations in the
complaint as true and construe them in the light most
favorable to the nonmoving party." Fleming, 581
F.3d at 925. Defendants are correct that under the CFAA, the
plaintiff's costs are only cognizable where they arise
from the investigation or repair of a damaged computer system
or data, or from an " interruption of service."
See, e.g., Mintz v. Mark Bartelstein &
Associates Inc., 906 F.Supp.2d 1017, 1029 (C.D. Cal.
2012) ( " Costs associated with investigating intrusions
into a computer network and taking subsequent remedial
measures are losses within the meaning of the [CFAA]."
); Mintel Int'l Grp., Ltd. v. Neergheen,
08-CV-3939, 2010 WL 145786, at *9-10 (N.D.Ill. Jan. 12, 2010)
(finding no CFAA-qualifying loss where the plaintiff's
expert " was not assessing whether [defendant] had
damaged [plaintiff's] computers or data...; rather, the
expert was hired for assistance in [this] lawsuit" )
(internal quotation marks omitted); Cassetica
Software, 2009 WL 1703015, at *4 ( to state a CFAA claim
based on loss, " the alleged loss must relate to the
investigation or repair of a computer system following a
violation that caused impairment or unavailability of
data" ). As explained above, however, NovelPoster has
alleged damage as defined by the CFAA. See FAC
¶ 42. NovelPoster has also alleged that Grinberg and
Yancher's restorative efforts were directly related to
that damage. See FAC ¶ ¶ 50, 70. Whether
these allegations are supported by the evidence is not a
matter to be determined at this point in the proceedings.
the majority of the cases cited by defendants in which the
court found an absence of CFAA-qualifying loss are summary
judgment cases or similarly fact-intensive decisions.
See, e.g., Mintz, 906 F.Supp.2d at 1029-31
(order on summary judgment); Mintel, 2010 WL 145786,
at *9-10 (ruling on bench trial); Del Monte, 616
F.Supp.2d at 812 (" This is not a motion to dismiss.
Therefore, the Court cannot blindly accept the allegation
that [plaintiff's consultant] conducted a 'damage
assessment' as true." ). Those cases cited by
defendants that do concern pleading motions involve
situations where the plaintiff failed to allege that the
defendant's conduct caused impairment of data or
interruption of service. See, e.g., AtPac, Inc.
v. Aptitude Solutions, Inc., 730 F.Supp.2d 1174, 1185
(E.D. Cal. 2010) (dismissing CFAA claims where
plaintiff's only loss allegation was that defendants,
through their unauthorized access, " obtained something
of value exceeding $5,000" ); Cassetica
Software, 2009 WL 1703015, at *3-4 (N.D.Ill. June 18,
2009) (plaintiff failed to allege loss under the CFAA where
plaintiff " did not allege any facts that would
plausibly suggest that [defendant's conduct] caused any
impairment of data or interruption of service" );
SKF USA, Inc. v. Bjerkness, 636 F.Supp.2d 696,
720-21 (N.D.Ill. 2009) (granting defendants' motion to
dismiss CFAA claims where plaintiff's only alleged loss
was due to defendants unauthorized transfer of data to
plaintiff's business competitor). Here, in contrast,
NovelPoster has alleged that defendants impaired the
availability of NovelPoster's data, thereby causing
damage within the meaning of the CFAA, and that Grinberg and
Yancher's restorative efforts were directly related to
it is unlikely that all $105,000 worth of Grinberg and
Yancher's alleged efforts can be provably linked to data
restoration or damage assessment or other recoverable losses,
at this juncture, NovelPoster's allegations are
sufficient to raise the plausible inference that NovelPoster
spent at least $5,000 responding to the unauthorized takeover
of its online accounts. Because I conclude that the
allegations concerning Grinberg and Yancher's restorative
efforts are sufficient to satisfy the CFAA's $5,000 loss
requirement, I do not consider NovelPoster's other
alleged losses -- i.e., the attorney's fees and "
interruption of service" losses. NovelPoster has stated
a prima facie claim for relief under sections 1030(a)(2)(C)
and 1030(a)(5)(C) of the CFAA, and that cause of action will
DAMAGE AND LOSS UNDER THE CDAFA
the CFAA, the CDAFA allows an individual who " suffers
damage or loss by reason of a violation" of the statute
to bring a private civil action. Cal. Penal Code §
502(e)(1). Unlike the CFAA, the CDAFA does not impose a
$5,000 loss minimum -- any amount of damage or loss caused by
the defendant's CDAFA violation is enough to sustain the
plaintiff's claims. Id. Accordingly, courts in
this circuit have found that a plaintiff's alleged damage
or loss may be sufficient to support a CDAFA claim even where
it is not enough to support a claim under the CFAA.
See Capitol Audio Access, Inc. v. Umemoto,
980 F.Supp.2d 1154, 1157-60 (E.D. Cal. 2013); Mintz,
906 F.Supp.2d at 1029-32. By adequately alleging damage or
loss under the CFAA, NovelPoster has done the same under the
CDAFA. NovelPoster's CDAFA claims will not be dismissed
on this ground.
" WITHOUT PERMISSION" UNDER THE CDAFA
also seek judgment on NovelPoster's CDAFA cause of action
on the ground that NovelPoster fails to allege that
defendants overcame a technical or code-based barrier in
their access and use of NovelPoster's online accounts.
asserts claims under six different CDAFA provisions, each of
which requires that the defendant acted " without
permission." See Cal. Penal Code § §
502(c)(1)-(5), (7). Five of the six provisions also
require that the defendant " access[ed]" or "
use[d]" a computer. The other provision, section
502(c)(5), applies where the defendant " [k]nowingly and
without permission disrupts or causes the disruption of
computer services or denies or causes the denial of computer
services to an authorized user of a computer, computer
system, or computer network." Id. §
contend that an individual only acts " without
permission" under the CDAFA where he or she "
access[es] or us[es] a computer . . . in a manner that
overcomes technical or code-based barriers."
Facebook, Inc. v. Power Ventures, Inc., No.
08-cv-05780-JW, 2010 WL 3291750, at *11 (N.D. Cal. July 20,
2010) . Defendants assert that NovelPoster cannot allege that
defendants overcame such a barrier, because defendants gained
access to NovelPoster's online accounts through the use
of valid passwords, not by " hacking" into them.
See Mot. 20-24. NovelPoster contests the existence
of a " technical or code-based barrier" requirement
and asserts that even if such a requirement exists,
NovelPoster has alleged facts sufficient to satisfy it here.
first case to construe the CDAFA to include a technical or
code-based barrier requirement was Facebook, Inc. v.
Power Ventures, Inc. The issue in Power
Ventures was whether the defendant could be held liable
for accessing a website " without permission"
solely on the ground that the defendant had accessed or used
2010 WL 3291750, at *7. The particular CDAFA provisions at
issue were sections 502(c)(2), 502(c)(3), and 502(c)(7), all
of which require that the defendant " access[ed]"
or " use[d]" a computer. Id. at *6. After
analyzing the CDAFA's language and underlying purpose,
relevant case law, and potential problems with
unconstitutional vagueness, the court distinguished between
" access that violates a term of use" and "
access that circumvents technical or code-based
barriers," holding that only the latter constitutes
access " without permission" under the CDAFA, and
that an individual must " acces[s] or us[e] a computer .
. . in a manner that overcomes technical or code-based
barriers" to violate the statute. Id. at *11.
The court reasoned that this narrow construction eliminated
constitutional notice concerns because " a person
applying the technical skill necessary to overcome [a
technical or code-based] barrier will almost always
understand that any access gained through such action is
unauthorized." Id. Since Power
Ventures, most courts in this district have likewise
held that " individuals may only be subjected to
liability for acting 'without permission' under [the
CDAFA] if they access or use a computer . . . in a manner
that overcomes technical or code-based barriers." In
re iPhone Application Litig., No. 11-md-02250-LHK, 2011
WL 4403963, at *12 (N.D. Cal. Sept. 20, 2011); see
also, Opperman v. Path, Inc., No.
13-cv-00453-JST, 2014 WL 1973378, at *20 (N.D. Cal. May 14,
2014); Enki Corp. v. Freedman, No. 13-cv-02201-PSG,
2014 WL 261798, at *3 (N.D. Cal. Jan. 23, 2014); In re
Google Android Consumer Privacy Litig., No.
11-md-02264-JSW, 2013 WL 1283236, at *11-12 (N.D. Cal. Mar.
most courts have followed Power Ventures, "
there is a split of authority in this district concerning the
appropriate scope of the 'without permission'
language in the CDAFA." Opperman, 2014 WL
1973378, at *21 n.19. In Weingand v. Harland Fin.
Solutions, Inc., No. 11-cv-03109-EMC, 2012 WL 2327660
(N.D. Cal. June 19, 2012), the court granted the defendant
leave to assert a CDAFA counterclaim against the plaintiff,
who, after being terminated from the defendant's employ,
had allegedly used his still-operable log-in information to
access data on the defendant's computer system which he
was not permitted to access. Id. at *4-5. The court
considered Power Ventures but declined to follow it,
instead rejecting the plaintiff's argument that the CDAFA
counterclaim would be futile because the statute applies only
to " hacking." Id. Similarly, in
Synopsys, Inc. v. ATopTech, Inc., No.
13-cv-02965-SC, 2013 WL 5770542 (N.D. Cal. Oct. 24, 2013),
the court acknowledged Power Ventures but concluded
that it could not find, " as a matter of law, that
plaintiff does not state a claim under the CDAFA solely
because plaintiff relies on the alleged breach of a license
agreement instead of a technical breach." Id.
addition to Weingand and Synopsys, there is
also a recent California court of appeal case that appears to
conflict with -- or at least limit -- the holding in
Power Ventures. The court in People v.
Childs, 220 Cal.App.4th 1079, 164 Cal.Rptr.3d 287
(2013), affirmed a conviction under section 502(c)(5) for
" knowingly and without permission disrupt[ing] or . . .
den[ying] . . . computer services to an authorized
user," despite the fact that the defendant was
authorized to access and use the computer system in question.
The defendant was the system administrator of a large and
complex computer network who manipulated the network so that
he was only person with administrative access. Id.
at 1082-93. The court held that the scope of section
502(c)(5) was not constrained " to external hackers who
obtain unauthorized access to a computer system," and
that the provision " may properly be applied to an
employee who uses his or her authorized access to a computer
system to disrupt or deny computer services to another lawful
user." Id. at 1104. In reaching this holding,
the court emphasized that section 502(c)(5), unlike most
CDAFA provisions, does not contain an " access"
element. Id. at 1102 (" The Legislature's
requirement of unpermitted access in some section 502
offenses and its failure to require that element in other
parts of the same statute raise a strong inference that [the
offenses] that do not require unpermitted access were
intended to apply to persons who gain lawful access to a
computer but then abuse that access." ).
light of Childs, NovelPoster has alleged sufficient
facts to support its claims under section 502(c)(5). As noted
above, that provision makes liable anyone who "
[k]nowingly and without permission disrupts or causes the
disruption of computer services or denies or causes the
denial of computer services to an authorized user of a
computer, computer system, or computer network." Cal.
Penal Code § 502(c)(5). NovelPoster's allegation
that defendants locked NovelPoster out of its online accounts
for several months, despite NovelPoster's unambiguous
attempt to terminate the contract and regain access to those
accounts, appears to qualify as such an offense. Apart from
their damage/loss and technical-or-code-based-barrier
arguments, defendants do not contend otherwise. See
Mot. 20-24; Reply 13-15. Moreover, Childs highlights
that the holding in Power Ventures is best
understood as applying only to those CDAFA provisions which,
like the provisions specifically at issue in that case,
require a showing of unpermitted access or use, not to
section 502(c)(5). See Power Ventures, 2010
WL 3291750, at *11 (" [T]he Court finds that a user of
internet services does not access or use a computer,
computer network, or website without permission simply
because that user violated a contractual term of use." )
(emphasis added). NovelPoster's section 502(c) claims may
claims under sections 502(c)(1)-(4) and (7) may proceed as
well. Of the cases cited by the parties, Weingand is
the most factually similar. There, as here, the CDAFA claims
were based on allegations that an individual used
technically-operable log-in information to access portions of
a computer system which the individual knew he was not
permitted to access. See Weingand, 2012 WL
2327660, at *4. I agree with Weingand that, at least
at the pleading phase, such allegations may support a claim
under section 502 that a person " knowingly" and
" without permission" accessed or used a computer.
Cal. Penal Code § 502(c). To the extent that the
Power Ventures construction of the CDAFA is
instructive in a case involving factual circumstances like
those at issue here, I also find that NovelPoster's
allegations that defendants without authorization changed the
passwords to NovelPoster's online accounts, thereby
preventing NovelPoster from accessing those accounts and
eliminating the very technical access barriers that
NovelPoster had set up to protect them, are sufficient at the
pleading phase to show that defendants overcame a technical
access barrier. As defendants do not point to other
deficiencies in NovelPoster's claims under sections
502(c)(1)-(4) and (7), the claims will not be dismissed.
foregoing reasons, defendants' second motion for judgment
on the pleadings is DENIED.
IS SO ORDERED.
NovelPoster alleges that defendants still
have not turned over the password to NovelPoster's Stripe
account. FAC ¶ 44.
NovelPoster does not state who created
these email accounts or who was licensed to use them.
See FAC ¶ ¶ 45-46. Defendants assert, and
NovelPoster appears to concede, that the accounts were
created either by defendants or by persons associated with
defendants. Mot. 10; Opp. 9.
NovelPoster filed its initial complaint on
November 6, 2013, when, according to NovelPoster's
allegations, the business was still under defendants'
control and it was conceivable that NovelPoster's damages
were still " grow[ing] each day." See Dkt.
NovelPoster also alleges " impairment
of data" damage caused by defendants' alleged
deletion of the Mark@NovelPoster.com and
Becky@NovelPoster.com email accounts. See FAC ¶
¶ 45-46; Opp. 9. However, as noted above, NovelPoster
does not allege who created the accounts or who was licensed
to use them. Damage or loss is only relevant to
NovelPoster's CFAA and CDAFA claims if it was caused by
defendants' violation of one or both of the statutes.
See 18 U.S.C. § 1030(g) (" Any person who
suffers damage or loss by reason of a violation of [the
CFAA] may maintain a civil action against the
violator." ) (emphasis added); Cal. Penal Code §
502(e)(1) (" [T]he owner or lessee of the computer . . .
or data who suffers damage or loss by reason of a
violation of [the CDAFA] may bring a civil action
against the violator." ) (emphasis added). Because
NovelPoster has not alleged to whom Mark@NovelPoster.com and
Becky@NovelPoster.com belonged, it is not clear that
defendants' access, use, and deletion of those accounts
was in violation of the CFAA or CDAFA. Accordingly, I will
not consider defendants' alleged conduct in connection
with those accounts for the purposes of this motion.
In holding that NovelPoster had adequately
alleged improper conduct under the CFAA, I rejected
defendants' contention that NovelPoster's allegations
failed to show that defendants acted without authorization or
in excess of authorization by accessing and maintaining
exclusive control of NovelPoster's various online
accounts. I reasoned that, " [b]ased on the pleadings,
issues of fact remain concerning whether defendants truly had
authorization to access NovelPoster's various accounts
and to change the passwords during the business relationship
and, if they did, to continue to access the accounts"
after the relationship was supposedly terminated. Dkt. No. 93
In addition, I granted judgment on the
pleadings for defendants on NovelPoster's second and
fourth causes of action, for violations of the Wiretap Act
and the California Invasion of Privacy Act. Dkt. No. 93 at
17-22. NovelPoster does not bring those causes of action in
the First Amended Complaint.
In conjunction with the motion, defendants
requested judicial notice of various documents, including
NovelPoster's ex parte application for a temporary
restraining order in this case, Dkt. No. 35, and this
Court's subsequent order, Dkt. No. 38. With the exception
of the TRO application and order, I find that the documents
submitted by defendants are not necessary to resolve this
motion, and defendants' request for judicial notice of
those documents is DENIED AS MOOT. Defendants' request
for judicial notice of the TRO application and order is
GRANTED, although defendants are advised for future reference
that they need not seek judicial notice of documents
previously filed in the same case. An accurate citation will
 The provisions make liable anyone
(1) Knowingly accesses and without permission
alters, damages, deletes, destroys, or otherwise uses any
data, computer, computer system, or computer network in
order to either (A) devise or execute any scheme or
artifice to defraud, deceive, or extort, or (B) wrongfully
control or obtain money, property, or data.
(2) Knowingly accesses and without permission takes,
copies, or makes use of any data from a computer, computer
system, or computer network, or takes or copies any
supporting documentation, whether existing or residing
internal or external to a computer, computer system, or
(3) Knowingly and without permission uses or causes
to be used computer services.
(4) Knowingly accesses and without permission adds,
alters, damages, deletes, or destroys any data, computer
software, or computer programs which reside or exist
internal or external to a computer, computer system, or
(5) Knowingly and without permission disrupts or
causes the disruption of computer services or denies or
causes the denial of computer services to an authorized
user of a computer, computer system, or computer
(7) Knowingly and without permission accesses or
causes to be accessed any computer, computer system, or
Cal. Penal Code § § 502(c)(1)-(5),