THERESA L. SPRINGMANN, District Judge.
This matter comes before the Court on Defendant Linfield Media, LLC's Motion for Judgment on the Pleadings [ECF No. 119], filed on October 13, 2016. For the reasons stated below, the Court denies the Motion for Judgment on the Pleadings
Plaintiff CouponCabin LLC filed a Complaint [ECF No. 1] against Defendants Linfield Media, LLC, Savings.Com, Inc., Cox Target Media, Inc., Internet Brands, Inc., d/b/a DealsPlus, and Does 1 through 10 (collectively "the Defendants") that was amended on November 2, 2015. The Amended Complaint [ECF No. 28] alleged that the Defendants "scraped" the Plaintiff's websites, which means to "electronically copy, retrieve or otherwise acquire data and information from the websites of others with little or no human interaction." (Am. Compl. ¶ 4, ECF No. 28.) This "scraping" allegedly violated the federal Computer Fraud and Abuse Act (CFAA) and the Digital Millennium Copyright Act (DMCA) (Id. ¶¶ 56-67), and was also a breach of contract, trespass, and interference with prospective business advantage (Id. ¶¶ 68-92). The facts surrounding this dispute are laid out in greater detail in the Court's Order [ECF No. 87] of June 8, 2016.
The Defendants moved to dismiss the Amended Complaint, and on June 8, 2016, the Court granted the Motion as to the DMCA claim but denied it as to all other claims. Thereafter, Linfield Media filed a separate Motion for Judgment on the Pleadings. The Plaintiff filed its Opposition [ECF No. 123] on October 27, 2016, and Linfield Media's Reply [ECF No. 124] was entered on November 7, 2016.
A motion for judgment on the pleadings, pursuant to Federal Rule of Civil Procedure 12(c), permits a party to move for judgment after the complaint and answer have been filed by the parties. When reviewing Rule 12(c) motions, a court must review the pleadings under the same standard that applies when reviewing motions to dismiss for failure to state a claim under Rule 12(b)(6). Pisciotta v. Old Nat'l Bancorp, 499 F.3d 629, 633 (7th Cir. 2007). When reviewing a complaint attacked by a Rule 12(b)(6) motion, a court must accept all of the factual allegations as true and draw all reasonable inferences in favor of the plaintiff. Erickson v. Pardus, 551 U.S. 89, 93 (2007). The complaint need not contain detailed facts, but surviving a Rule 12(b)(6) motion "requires more than labels and conclusions. . . . Factual allegations must be enough to raise a right to relief above the speculative level." Bell Atl. Corp. v. Twombly, 550 U.S. 544, 555 (2007). "A claim has facial plausibility when the pleaded factual content allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged." Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009) (citing Twombly, 550 U.S. at 556).
The Court has jurisdiction over the CFAA claim pursuant to 28 U.S.C. § 1331 and supplemental jurisdiction over the remaining state law claims pursuant to 28 U.S.C. § 1367. As the Court recently ruled on a Motion to Dismiss filed by all Defendants, the present Motion is in essence a request that the Court reconsider its past ruling as to just Linfield Media. In the Motion, Linfield Media requests judgment on the pleadings on all the Plaintiff's remaining claims.
The CFAA imposes both civil and criminal liability for the unauthorized access of electronic data. 18 U.S.C. § 1030(a)(1)-(7). Of relevance here, an individual violates the CFAA if he "intentionally accesses a computer without authorization or exceeds authorized access and thereby obtains . . . information from any protected computer." § 1030(a)(2); see Motorola, Inc. v. Lemko Corp., 609 F.Supp.2d 760, 766 (N.D. Ill. 2009) ("The elements of a section 1030(a)(2) violation . . . include (1) intentional access of a computer, (2) without or in excess of authorization, (3) whereby the defendant obtains information from the protected computer."). The CFAA does not define "without authorization"; although it does define "exceeds authorized access," as "to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter." 18 U.S.C. § 1030(e)(6).
Liability under § 1030(a)(2) is triggered by the unauthorized access of electronic data— not by the unauthorized use of such data. Bittman v. Fox, 107 F.Supp.3d 896, 900-01 (N.D. Ill. 2015) ("The statutory purpose of the CFAA is to punish trespassers and hackers."); CollegeSource, Inc. v. AcademyOne, Inc., No. 10-3542, 2012 WL 5269213, at *14 (E.D. Pa. Oct. 25, 2012) ("The CFAA protects against unauthorized access rather than unauthorized use."); Koch Indus., Inc. v. Does, No. 2:10CV1275, 2011 WL 1775765, at *8 (D. Utah May 9, 2011) (noting that "[a] majority of courts have concluded" that claims of unauthorized use "lie outside the scope of the CFAA"). Because the CFAA does not define "authorization," the Court must give the term its "`ordinary and plain meaning.'" United States v. Patel, 778 F.3d 607, 613 (7th Cir. 2015) (quoting Sanders v. Jackson, 209 F.3d 998, 1000 (7th Cir. 2000) (noting that "[w]e frequently look to dictionaries to determine the plain meaning of words, and in particular we look at how a phrase was defined at the time the statute was drafted and enacted.")). The Oxford English Dictionary defines "Authorization" as "[t]he action of authorizing a person or thing" or "formal permission or approval." Authorization, oed.com, http://www.oed.com/view/Entry/13351 (last visited Jan. 5, 2017). As a verb, "authorize" ordinarily means "to give official permission for or formal approval to (an action, undertaking, etc.)" or "to approve, sanction." Authorize, oed.com, http://www.oed.com/view/ Entry/13352 (last visited Jan. 5, 2017). Therefore, based on the ordinary and plain meaning of "authorization," to act "without authorization" is to act without formal permission or approval.
A review of case law shows that several district courts have adopted a similar interpretation of "without authorization" when confronting nearly identical facts. For example, in Craigslist Inc. v. 3Taps Inc., 964 F.Supp.2d 1178 (N.D. Cal. 2013), a defendant accessed the plaintiff's public website even after the plaintiff sent cease-and-desist letters and blocked the defendant's IP addresses. Id. at 1180-81. In finding that the defendant acted "without authorization" under the CFAA, the court explained that although the plaintiff "gave the world permission (i.e., `authorization') to access the public information on its public website . . . it rescinded that permission for [the defendant]. Further access by [the defendant] after that rescission was `without authorization.'" Id. at 1184; see also Facebook, Inc. v. Grunin, 77 F.Supp.3d 965, 973 (N.D. Cal. 2015) (finding that a defendant acted "without authorization" under the CFAA when he continued to access Facebook's site, even after Facebook "implemented a complete access restriction by sending [the defendant] two cease-and-desist letters and by taking technical measures to block his access."); Sw. Airlines v. Farechase, 318 F.Supp.2d 435, 439-40 (N.D. Tex. 2004) (finding that a plaintiff plausibly alleged a CFAA claim when Southwest "directly informed" the defendant that its scraping activity violated the Use Agreement on Southwest's website, which was "accessible from all pages on the website," as well as via "direct repeated warnings and requests to stop scraping.") (internal quotation marks and citation omitted); cf. QVC, Inc. v. Resultly, LLC, 159 F.Supp.3d 576, 596-97 (E.D. Pa. 2016) (noting that, in determining whether the defendant acted "without authorization," the "relevant question is not whether [the defendant] was granted permission to access the information on [website], but whether that authorization was ever rescinded or limited in a way that would put [the defendant] on notice that it was not authorized to access information it was otherwise entitled to access.").
Guidance as to the meaning of "without authorization" is also found in CFAA cases involving employer-employee relationships. Notably, in International Airport Centers, LLC v. Citrin, 440 F.3d 418 (7th Cir. 2006), the Seventh Circuit found that an employee acted "without authorization" to access his work computer the moment he engaged in misconduct and decided to quit his job. Id. at 420. This was so even though there was an absence of any "hacking" or other techniques aimed at penetrating a secure computer or network on the employee's part. Id.; cf. LVRC Holdings LLC v. Brekka, 581 F.3d 1127, 1133-34 (9th Cir. 2009) ("[A] person uses a computer `without authorization' . . . when the person has not received permission to use the computer for any purpose (such as when a hacker accesses someone's computer without any permission), or when the employer has rescinded permission to access someone's computer and the defendant uses the computer anyway.") Thus, given the ordinary and plain meaning of "authorization," coupled with the case law described above, the Court is persuaded that CFAA liability may exist in certain situations where a party's authorization to access electronic data— including publicly accessible electronic data—has been affirmatively rescinded or revoked.
In its present Motion, Linfield Media focuses on the allegation in the Amended Complaint that states, "CouponCabin has in the past contacted or communicated with each of the Defendants, other than Linfield Media, LLC, to demand that they cease and desist their data scraping." (Am. Compl. ¶ 74 (emphasis added).) Even though the Plaintiff alleged that all the Defendants knowingly and intentionally circumvented the Plaintiff's security measures after it blocked their access from certain cloud computing/internet service providers, Linfield Media argues that this one allegation shows that it had no notice that its alleged activities were unauthorized. Without notice from the Plaintiff, Linfield Media argues that it could not have violated the CFAA because it could not have acted "without authorization." (Mot. J. Pleadings 6, ECF No. 119.)
Such an argument is unpersuasive. The Court must accept all factual allegations in a complaint, not cherry pick among them. See Erickson, 551 U.S. at 93. Considering the allegations as a whole, the Court's reasoning regarding the CFAA claim remains the same as in its Order of June 8, 2016. Even if the Plaintiff did not directly communicate to Linfield Media its demand to cease and desist scraping-related activities, the Plaintiff alleged that it revoked all of the Defendants' access, including Linfield Media's. Revocation of website access would have been sufficient to give the Defendants constructive notice that they were without authorization to act as they allegedly did. See Brekka, 581 F.3d at 1133; Resultly, LLC, 159 F. Supp. 3d at 596-97. Accordingly, the Court denies Linfield Media's Motion for Judgment on the Pleadings as it relates to the CFAA claim.
The above reasoning applies equally to the trespass claim. In Indiana, liability for trespass
The Plaintiff also asserts breach of contract, alleging that the Defendants violated its Terms and Conditions, which appear on its website and prohibit the "systematic retrieval (including by use or data mining, robots, or other extraction tools) of data or other content from the [Plaintiff's] website." (Am. Compl. ¶ 5 (quoting Ex. A., Pl.'s Terms and Conditions).) Users of the Plaintiff's website "signify their acceptance of the [Plaintiff's] Terms and Conditions by virtue of their access and use of the Site." (Id. at ¶ 28 ("The Terms and Conditions state that, `[b]y using the Site, you signify your agreement to these terms and conditions and [the Plaintiff's] Privacy Policy.'").)
Under the familiar rule of Erie Railroad Co. v. Tompkins, 304 U.S. 64 (1938)—which is applicable to state law claims that are brought through supplemental jurisdiction, Houben v. Telular Corp., 309 F.3d 1028, 1032 (7th Cir. 2012)—a federal court sitting in diversity applies the substantive law of the state in which it sits. "The law concerning contracts is well settled in Indiana. An offer, acceptance, plus consideration make up the basis for a contract." Dimizio v. Romo, 756 N.E.2d 1018, 1022 (Ind. Ct. App. 2001). "A mutual assent or a meeting of the minds on all essential elements or terms must exist in order to form a binding contract." Homer v. Burman, 743 N.E.2d 1144, 1146-47 (Ind. Ct. App. 2001) ("Assent to th[e] terms of a contract may be expressed by acts which manifest acceptance.") (internal quotation marks and citation omitted). But as far as the Court can tell, Indiana courts have not weighed in on the validity of so-called "browsewrap agreements," which is the type of agreement at issue here. See Sgouros v. TransUnion Corp, No. 14 C 1850, 2015 WL 507584, at *6 (N.D. Ill. Feb. 5, 2015) (noting that browsewrap agreements "do not require users to sign a document or click an `accept' or `I agree' button, so users are considered to give assent simply by using the website.") (internal quotation marks and citation omitted).
However, several district courts in this Circuit have found browsewrap agreements to be enforceable when a user has actual or constructive knowledge of the website's terms and conditions. See, e.g., id. at *6; Hussein v. Coinabul, LLC, No. 14 C 5735, 2014 WL 7261240, at *2-3 (N.D. Ill. Dec. 19, 2014); Van Tassell v. United Mktg. Grp., LLC, 795 F.Supp.2d 770, 790-91 (N.D. Ill. 2011); see also Nguyen v. Barnes & Noble, 763 F.3d 1171, 1176 (9th Cir. 2014). Thus, "[w]hen there is no evidence that users had actual knowledge of terms at issue, the validity of a browsewrap contract hinges on whether a website provided reasonable notice of the terms of the contract, i.e., whether users could have completed their purchases without ever having notice that their purchases are bound by the terms." Sgouros, 2015 WL 507584, at *6 (internal quotation marks and citation omitted).
Linfield Media argues that the Plaintiff has failed to allege the existence of an enforceable browsewrap agreement; namely, by failing to show that the Defendant had actual or constructive notice of the Terms and Conditions. In its June 8, 2016, Order the Court found that
(Opinion & Order 15-16, ECF No. 87.) Nevertheless, Linfield Media argues that the Plaintiff did not allege that it ever directly communicated with Linfield Media to "demand that they cease and desist their data scraping, misappropriation of Coupon Content or data from the [Plaintiff's] website." (Am. Compl. ¶ 74.) However, it is reasonable to infer from the allegations that Linfield Media had constructive notice as to the website's Terms and Conditions given that it is a business entity in direct competition with the Plaintiff. Based on the pleadings, whether Linfield Media had sufficient notice of the Terms and Conditions is more appropriately answered at a later point in the litigation.
In Indiana, a claim for tortious interference with prospective business advantage requires: (1) the existence of a valid relationship; (2) the defendant's knowledge of the existence of the relationship; (3) the defendant's intentional interference with that relationship; (4) the absence of justification; (5) damages; and (6) illegal conduct. Levee v. Beeching, 729 N.E.2d 215, 222 (Ind. Ct. App. 2000). Linfield Media moves for judgment on the pleadings on the grounds that the Plaintiff has alleged neither illegal conduct nor facts showing that it acted with intent to injure the Plaintiff.
The first argument is moot because the Court has permitted the claims for violation of the CFAA, trespass, and breach of contract to go forward, which means illegal conduct is alleged. The second argument rephrases the fourth element based on Indiana case law. See Morgan Asset Holding Corp. v. CoBank, 736 N.E.2d 1268, 1272 (Ind. Ct. App. 2000). The Indiana Supreme Court enumerates certain factors for a court to consider as to the absence of justification,
For the foregoing reasons, the Court DENIES the Defendant's Motion for Judgment on the Pleadings.
SO ORDERED.