JAMES WARE, District Judge.
Presently before the Court are Defendants and Counterclaimants Cisco Systems,
Cisco Systems, Inc. is a leading provider of networking equipment (primarily switches and routers) and related services.
On or about March 2, 2005, Adekeye incorporated Multiven. (Answer ¶ 48.) Multiven is a Delaware Corporation that purports to provide service and maintenance support for router and networking systems, including those placed in the market by Cisco.
On December 1, 2008, Multiven filed this action against Cisco alleging, inter alia, monopolization and attempted monopolization of the market for provision and maintenance of Cisco network software in violation of the Sherman Act, 15 U.S.C. § 2. (Complaint ¶¶ 17-61.) On November 20, 2009, Cisco filed a First Amended Answer and Second Amended Counterclaims alleging, inter alia, violation of the Computer Fraud and Abuse Act ("CFAA"), 18 U.S.C. § 1030, violation of the California Penal Code § 502, and violation of the California Unfair Competition Law ("UCL"), Cal. Bus. & Prof.Code § 17200 et seq. (hereafter, "SAC," Docket Item No. 59.)
Presently before the Court are the parties' Motions for Partial Summary Judgment.
Although motions for partial summary judgment are common, Rule 56 of the Federal
The purpose of summary judgment "is to isolate and dispose of factually unsupported claims or defenses." Celotex v. Catrett, 477 U.S. 317, 323-24, 106 S.Ct. 2548, 91 L.Ed.2d 265 (1986). Thus, partial summary judgment may be used to dispose of a factually unsupported claim or affirmative defense.
As with a motion on the entire claim, under Rule 56(c), partial summary judgment is proper "if the pleadings, depositions, answers to interrogatories, and admissions on file, together with the affidavits, if any, show that there is no genuine issue as to any material fact and that the moving party is entitled to judgment [on a part of the claim or an affirmative defense] as a matter of law." Fed.R.Civ.P. 56(c). The moving party "always bears the initial responsibility of informing the district court of the basis for its motion, and identifying the evidence which it believes demonstrates the absence of a genuine issue of material fact." Celotex, 477 U.S. at 323, 106 S.Ct. 2548. The non-moving party must then identify specific facts "showing a genuine issue for trial." Fed.R.Civ.P. 56(e).
When evaluating a motion for partial or full summary judgment, the court views the evidence through the prism of the evidentiary standard of proof that would pertain at trial. Anderson v. Liberty Lobby Inc., 477 U.S. 242, 255, 106 S.Ct. 2505, 91 L.Ed.2d 202 (1986). The court draws all reasonable inferences in favor of the nonmoving party, including questions of credibility and of the weight that particular evidence is accorded. See, e.g., Masson v. New Yorker Magazine, Inc., 501 U.S. 496, 520, 111 S.Ct. 2419, 115 L.Ed.2d 447 (1991). The court determines whether the non-moving party's "specific facts," coupled with disputed background or contextual facts, are such that a reasonable jury might return a verdict for the non-moving party. T.W. Elec. Serv. v. Pac. Elect. Contractors, 809 F.2d 626, 631 (9th Cir.1987). In such a case, partial summary judgment is inappropriate. Anderson, 477 U.S. at 248, 106 S.Ct. 2505, However, where a rational trier of fact could not find for the non-moving party based on the record as a whole, there is no "genuine issue for trial." Matsushita Elec. Indus. Co. v. Zenith Radio, 475 U.S. 574, 587, 106 S.Ct. 1348, 89 L.Ed.2d 538 (1986).
Cisco move for summary judgment on their CFAA claim on the ground that on multiple occasions and without authorization, Adekeye used a Cisco employee's password to gain access to Cisco's computer systems and download Cisco's proprietary and copyrighted software. (Cisco's Motion at 2.) Multiven respond that Adekeye only used a Cisco employee's password to access Cisco's computer systems once, and on that occasion he had the employee's permission to do so.
The Ninth Circuit has explained the purpose of the CFAA as follows:
LVRC Holdings LLC v. Brekka, 581 F.3d 1127, 1130-31 (9th Cir.2009) (internal quotation omitted).
Although Cisco's Counterclaim only alleges violation generally of 18 U.S.C. § 1030, and does not specify which subsections cover Adekeye's alleged actions,
To successfully bring an action under § 1030(a)(4), a plaintiff must show that the defendant: (1) accessed a "protected computer," (2) without authorization or exceeding such authorization that was granted, (3) "knowingly" and with "intent to defraud," and thereby (4) "further[ed] the intended fraud and obtain[ed] anything of value," causing (5) a loss to one or more persons during any one-year period aggregating at least $5000 in value. See 18 U.S.C. § 1030(a)(4); LVRC Holdings, 581 F.3d at 1132.
To successfully bring an action under § 1030(a)(5)(A)(iii), a plaintiff must show that the defendant: (1) accessed a "protected computer," (2) without authorization,
The Court addresses the elements necessary to establish liability under the CFAA in turn.
At issue is whether Adekeye accessed a "protected computer," as that term is defined under the statute.
The CFAA defines a "protected computer" as one "which is used in interstate or foreign commerce or communication." 18 U.S.C. § 1030(e)(2)(B). The Ninth Circuit has found that "[a]s both the means to engage in commerce and the method by which transactions occur, the Internet is an instrumentality and channel of interstate commerce." United States v. Sutcliffe, 505 F.3d 944, 953 (9th Cir.2007).
Here, the parties do not dispute that Cisco's network is connected to the internet. (See Cisco's Motion at 12-13; Multiven's Opposition.) Thus, the Court
At issue is whether Adekeye accessed secure areas of Cisco's network without authorization.
In the context of the CFAA, the Ninth Circuit has held that "a person uses a computer `without authorization' ... when the person has not received permission to use the computer for any purpose ... or when the employer has rescinded permission to access the computer and the defendant uses the computer anyway." LVRC Holdings, 581 F.3d at 1135.
Here, Adekeye is a former employee of Cisco, however, there is no evidence that any privileges he had as an employee to access secure areas of the Cisco website extended beyond his employment. Cisco, however, has presented unrebutted evidence that upon leaving Cisco's employ, neither Adekeye nor Multiven had Cisco's permission or authorization to access Cisco's network. (Bouja Decl. ¶ 3.) Thus, the Court finds that any access by Adekeye to secure areas of the Cisco network was without authorization.
Multiven admit that on one occasion Adekeye accessed secure areas of the Cisco network. They contend however, that a Cisco employee, Wes Olson, supplied Adekeye with his login and password, thus authorizing Adekeye to access the restricted website. (Multiven's Opposition at 7-12.) It is undisputed that Wes Olson provided Adekeye with his login and "external" password. Olsen declares that the password was given to Adekeye "to give him access to Cisco's network on one occasion, for a specific purpose."
Accordingly, the Court finds that there is no genuine issue of material fact that Adekeye accessed secure areas of the Cisco server without authorization.
Cisco contend that Adekeye, without authorization, accessed Cisco's network "knowingly" and with "intent to defraud" within the meaning of the CFAA. (Cisco's Motion at 14-16.)
Neither "knowingly" or "intentionally" are specifically defined by the CFAA. Thus, the court applies the "fundamental canon of statutory construction ... that, unless otherwise defined, words will be interpreted as taking their ordinary, contemporary, common meaning." Perrin v. United States, 444 U.S. 37, 42, 100 S.Ct. 311, 62 L.Ed.2d 199 (1979). For purposes of the CFAA, "[t]he term `defraud' ... simply means wrongdoing and does not require proof of common law fraud." Hanger Prosthetics & Orthotics, Inc. v. Capstone Orthopedic, Inc., 556 F.Supp.2d 1122, 1131 (E.D.Cal.2008); see also eBay, Inc. v. Digital Point Solutions, Inc., 608 F.Supp.2d 1156, 1164 (N.D.Cal.2009). However, a plaintiff cannot prove "intent to defraud" by merely showing that an unauthorized access has taken place. P.C. Yonkers, Inc. v. Celebrations The Party and Seasonal Superstore, LLC, 428 F.3d 504, 509 (3d Cir.2005). "Without a showing of some taking, or use, of information, it is difficult to prove intent to defraud." Id. As the Ninth Circuit has recognized on numerous occasions, "[c]ases where intent is a primary issue generally are inappropriate for summary judgment unless all reasonable inferences that could be drawn
Here, Cisco present evidence that on multiple occasions, a person accessed the Cisco secure computer server from an IP address tied to Adekeye. (Bouja Decl. ¶¶ 4, 10.) Cisco further present evidence that Olson, a current Cisco employee who had an investment and business relationship with Adekeye, gave Adekeye his unique Cisco-issued user ID and external password.
Adekeye admits that on one occasion, he used Olson's password to access Cisco's secure network.
In response to Cisco's evidence that an individual using an IP address associated with Adekeye used Olson's password to access Cisco's network on multiple occasions, Multiven present evidence that throughout the time period in which the alleged invasions were taking place, Olson was a daily visitor to Adekeye's home, which then also served as the Multiven office. (Adekeye Opposition Decl. ¶¶ 3, 4.) According to Adekeye, Olson had access to the computers in Adekeye's home, and used them to remotely access the Cisco network. (Id. ¶ 4.) However, Cisco's undisputed evidence shows that during the time period in which the unauthorized accesses occurred from the IP address associated with Adekeye, Olson was traveling extensively out of the area.
Given the number of times that Adekeye accessed the secure areas of the Cisco network, the Court finds that no reasonable juror could conclude that Adekeye actually believed that he had Cisco's authorization to do so. Even if Adekeye genuinely believed that Olson gave him authorization for a limited purpose on one occasion, there is no evidence that Adekeye had any reason to believe that having Olson's login and password gave him unlimited authorization to access Cisco's secure website at will. Furthermore, as a former Cisco employee, Adekeye cannot create a genuine issue of material fact as to his knowledge that he was entering areas of the Cisco network without authorization by merely claiming ignorance of Cisco's policy prohibiting such access for non-employees. (See Bouja Decl. ¶ 3.) Finally, Adekeye has admitted that his reason for accessing Cisco's secure website was to gather information about which Cisco employees have access to "bug fixes," referring to Olson as a "whistleblower."
Accordingly, the Court finds that there is no genuine issue of material fact that Adekeye acted with the requisite mental state for liability under the CFAA when he accessed Cisco's network.
At issue is whether Cisco have suffered damage or loss within the meaning of the statute.
The CFAA defines "damage" as "any impairment to the integrity or availability of data, a program, a system or information." 18 U.S.C. § 1030(e)(8). The CFAA defines "loss" as "any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service." Id. § 1030(e)(11). Although the Ninth Circuit has not explicitly addressed the issue, district courts in the Ninth Circuit have held that it is not necessary for data to be physically changed or erased to constitute damage to that data. Shurgard Storage Centers, Inc. v. Safeguard Self Storage, Inc., 119 F.Supp.2d 1121, 1126-27 (W.D.Wash.2000); see also, e.g., Therapeutic Research Faculty v. NBTY, Inc., 488 F.Supp.2d 991, 996
Here, Cisco present evidence that Cisco's operating software valued at over $14,000 was subject to unauthorized downloads, resulting from unauthorized intrusions into Cisco's secure website originating from the IP address associated with Adekeye. (Bouja Decl. ¶ 17.) Adekeye's only response to this evidence of unauthorized downloads was his testimony that he "never downloaded any software using Wesley Kent Olson's password(s) for use in [his] business." (Adekeye Decl. ¶ 6.) Adekeye did not deny using Olson's password to download software for purposes other than his business. Furthermore, Cisco present evidence that Cisco expended at least $75,000 investigating the intrusions into their network and "restoring the security and integrity of Cisco's proprietary systems." (Id.) Thus, the Court finds that there is no genuine issue of material fact that Adekeye's unauthorized access of Cisco's network caused Cisco damage and loss in excess of $5000.
Since there are no genuine issues of material fact remaining as to the elements for liability under the CFAA, the Court GRANTS Cisco's Motion for Summary Judgment as to their claim under the CFAA.
Cisco move for summary judgment as to their claim under California Penal Code § 502 on essentially the same grounds as their claim under the CFAA. (Cisco's Motion at 12.)
California Penal Code § 502(c), the California corollary to the CFAA, provides, in pertinent part:
Here, Cisco's Section 502 claim is based on the identical facts as their CFAA claim. Since the necessary elements of Section 502 do not differ materially from the necessary elements of the CFAA for purposes of this action, the Court finds that there are no genuine issues of material fact remaining as to Cisco Section 502 claim.
Multiven move for summary judgment as to Cisco's UCL claim on the ground that Cisco have suffered no injury in fact, and thus do not have standing to bring such a claim. (Multiven's Motion at 2.) Multiven contend that UCL standing is limited to individuals who suffer losses of money or property that are eligible for restitution.
The UCL prohibits "any unlawful, unfair or fraudulent business act or practice."
In a recent case, the Court found that standing under the UCL does not require a loss of money or property that is eligible for restitution.
As Multiven point out, the Ninth Circuit cited Buckland as authority for the proposition that UCL standing requires a showing of "lost money or property." Walker, 558 F.3d at 1027. In a parenthetical to the Buckland citation, the Ninth Circuit includes a quote from that case which states, "Because remedies for individuals under the UCL are restricted to injunctive relief and restitution, the import of the requirement is to limit standing to individuals who suffer losses of money or property that are eligible for restitution." Id. However, the
As previously discussed, Cisco present evidence that Cisco's operating software valued at over $14,000 was subject to unauthorized downloads, allegedly resulting from Adekeye's invasion into Cisco's network, and that Cisco expended at least $75,000 investigating the intrusions into their network and restoring the security of its systems. (Bouja Decl. ¶ 17.) The Court finds that Cisco have made a sufficient showing of a loss of money or property resulting from Adekeye's alleged invasions into Cisco's network to impart UCL standing. The loss of valuable software and the considerable expense of investigating security breaches and possible compromise of the integrity of the network constitute substantial economic loss. Moreover, prior to the alleged unauthorized download of Cisco's software, Cisco had possession of, and a vested legal interest in that software.
Accordingly, the Court DENIES Multiven's Motion for Partial Summary Judgment as to Cisco's UCL claim on the ground that Cisco have not adequately shown an injury in fact to impart standing.
On June 8, 2010, Multiven filed a Motion to Stay Counterclaims. (hereafter, "Motion to Stay," Docket Item No. 234.) Multiven contend that further litigation of the counterclaims will jeopardize Adekeye's Fifth Amendment privileges in parallel criminal proceedings arising out of the same factual circumstances. (Motion to Stay at 5-7.) Multiven further contend that the factors recognized by the Ninth Circuit in Keating v. Office of Thrift Supervision, 45 F.3d 322, 324 (9th Cir.1995), for determining whether a stay is appropriate weigh in favor of a stay here. (Id. at 8-10.)
Here, Adekeye has already voluntarily submitted declarations in support of Multiven's briefs regarding the parties' crossmotions for summary judgment and has been deposed extensively, including fourteen hours of deposition testimony that he voluntarily provided in Vancouver, Canada prior to his arrest. Without deciding whether Adekeye was sufficiently aware of the likelihood of criminal prosecution for his declarations and deposition testimony to effect a waiver of his Fifth Amendment rights,
Accordingly, the Court DENIES Multiven's Motion to Stay Counterclaims.
The Court GRANTS Cisco's Motion for Partial Summary Judgment as to Cisco's claims under the CFAA and California Penal Code § 502. The Court DENIES Multiven's Motion for Partial Summary Judgment as to Cisco's UCL claim.
The Court DENIES Multiven's Motion to Stay Counterclaims.