Speed of Light Ops, LLC v. Elliot

1

SPEED OF LIGHT OPS, LLC, a Utah limited liability company, Plaintiff, v. GREGORY ALEXANDER ELLIOT, an individual; JOHN HERRINGTON, an individual; and JESSIE REESE, an individual, Defendants.

No. 2:22-cv-00246-DAK-DBP

United States District Court, D. Utah

April 7, 2023

Dale A. Kimball District Judge

REPORT AND RECOMMENDATION

Dustin B. Pead Chief Magistrate Judge

This matter is before the court on Defendant Gregory Alexander Elliott's motion to dismiss all claims. (ECF No 23.)^[1]Defendant argues the First Amended Complaint fails to state a claim against him for a violation of the Computer Fraud and Abuse Act because “it has failed to plead the essential elements of ‘unauthorized access' or ‘loss.'” (ECF No. 23 p. 2.) For the reasons set forth herein, the undersigned recommends that Defendant's motion be DENIED.

BACKGROUND^[2]

Plaintiff Speed of Light Ops, LLC (Solo) is a software company that provides document management, computer-aided design, and engineering software products to a variety of industries and companies. (ECF No. 21 ¶ 9.) One such industry is the solar industry. Customers obtain licenses to use Solo's software, which “enables them to prepare and provide quick and personalized bids to potential customers interested in purchasing solar panels for their homes or businesses.” Id. ¶ 10. To help protect the software, Solo limits licenses to those who sign written agreements regarding access, use, and the disclosure of confidential or trade secret information. Each Licensee has login credentials that they use to access the software platform. The transfer of data is also protected by Google. Id. ¶ 11.

In the solar industry, Licensees use Solo's software to create access, and save proposals for new and existing customers. Licensees are limited from viewing and accessing proposals created by other Licensees. When a proposal is created and saved it is assigned an identification number. Defendants who are salespersons or agents for one or more licensees, were provided login credentials to the Solo platform. Defendants used these credentials to access, view, and edit proposals for customers that were saved under their employer license.

In October 2021, Solo learned that Defendants had also used their credentials to access portions of the Solo software platform they were unauthorized to access. Defendants took the identification numbers from their proposals and reverse engineered numbers to gain access to other proposals in the system. These proposals contained confidential information of customers created, or saved by, other Licensees. The confidential information included proposals, proposal information, and customer information such as names, addresses, phone numbers and in some instances, driver's license numbers. Defendants copied and exchanged the confidential information amongst themselves and competitors.

Solo notes this unauthorized access has “impaired the integrity of the Confidential Information on the Solo Software Platform” and necessitated it contacting other end-user customers to inform them that their data was improperly obtained. Id. ¶ 23-24. This has resulted in damaging business goodwill and the reputation of Solo. In addition, Solo “has also been forced to spend many thousands of dollars conducting a forensic investigation of Defendants' unauthorized access of the Solo Software Platform assessing the scope and harm of Defendants' unauthorized access, and mitigating the damages caused by Defendants' actions.” Id. ¶ 25.

LEGAL STANDARDS

To prevail on a motion to dismiss under Rule 12(b)(6), “a complaint must contain sufficient factual matter, accepted as true, to ‘state a claim to relief that is plausible on its face.'” Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009) (quoting Bell Atlantic Corp. v. Twombly, 550 U.S. 544, 570 (2007)). A claim is facially plausible “when the plaintiff pleads factual content that allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged.” Id. (citing Twombly, 550 U.S. at 556). When determining whether a complaint meets these standards, the court will “assume the factual allegations are true and ask whether it is plausible that the plaintiff is entitled to relief.” Gallagher v. Shelton, 587 F.3d 1063, 1068 (10th Cir. 2009). A “well-pleaded complaint may proceed even if it strikes a savvy judge that actual proof of [the alleged] facts is improbable, and ‘that a recovery is very remote and unlikely.'” Twombly, 550 U.S. at 556, 127 S.Ct. 1955 (citation omitted). As noted by the Tenth Circuit, “The court's function on a Rule 12(b)(6) motion is not to weigh potential evidence that the parties might present at trial, but to assess whether the plaintiff's complaint alone is legally sufficient to state a claim for which relief may be granted.” Miller v. Glanz, 948 F.2d 1562, 1565 (10th Cir. 1991). In this matter, the court looks to the Amended Complaint as it supersedes the original. Seeid.

ANALYSIS

The Computer Fraud and Abuse Act (CFAA) “subjects to criminal liability anyone who ‘intentionally accesses a computer without authorization or exceeds authorized access,' and thereby obtains computer information.” Van Buren v. United States, 210 L.Ed.2d 26, 141 S.Ct 1648, 1652 (2021) (quoting 18 U.S.C. § 1030(a)(2)). The CFAA is primarily a criminal statue, but it also provides a civil cause of action. “Any person who suffers damage or loss by reason of a violation of this section may maintain a civil action against the violator to obtain compensatory damages and injunctive relief or other equitable relief.” 18 U.S.C. § 1030(g). Thus, subsections (a)(2) and (a)(4) of the CFAA, each create civil liability either for “exceeding authorized access” or for accessing protected information “without authorization.” For ease of reference the court refers to these as the “exceeds authorized access element” and the “without authorization element.”

Helpful in applying the CFAA is a recent 2021 decision from the Supreme Court found in Van Buren v. Untied States, where the Court considered the applicability of the CFAA. In Van Buren a police officer was convicted under the CFAA after he was paid by an individual to use his access to a license plate database to locate records at their request. Van Buren, 141 S.Ct. at 1653. The government argued the police officer had “exceeded authorized access” under the CFAA because he used his authorized access to the license plate database for “an improper purpose.” id. The Supreme Court reversed the conviction, holding that the exceeds authorized access element does not apply to situations like Van Buren's, where someone with authorized access to a system uses that access in an unauthorized manner. Id. at 1655. In essence, the CFAA does not cover those who have improper motives for obtaining information that is otherwise available to them.

Defendant Gregory Elliott argues Solo's claim under the CFAA fails for two reasons. First, Solo fails to plead the required element of “unauthorized access” or “exceed authorized access” because Elliott had authorization to access Solo's platform. Second, Solo fails to adequately allege “loss” within the meaning of the CFAA. The court turns to these arguments.

i. Solo adequately pleads Elliott's access was without authorization

To plead a civil cause of action under the CFAA Plaintiff must allege that Defendant “intentionally accesses a computer without authorization or exceeds authorized access.” 18 U.S.C. § 1030(a)(2). Elliott argues Plaintiff fails to plead that he accessed Solo's platform without authorization or exceeded authorized access. Elliott primarily relies on Van Buren in support of his position. Elliott had authorized access and at most utilized it for an improper purpose. The court agrees with Elliott as to the applicability of Van Buren that precludes liability under the exceeds authorized access element for those who use authorized access to a computer for an unauthorized purpose. Yet, Plaintiff adequately alleges liability under the without authorization element.

Following Van Buren, many district courts have recognized that Van Buren's holding applies only to the exceeds authorized access element and did not equally limit the scope of the other provisions of the CFAA, including the without authorization element. For example, a Pennsylvania district court, interpreting the CFAA in a criminal case, noted the interplay and discussion in Van Buren between without authorization and exceeds authorized access. The court noted:

[E]ven where the Court in Van Buren discusses the interplay between liability for access “without authorization” and access that “exceeds authorization,” nothing in the analysis [precludes] the Government's theory of prosecution. In particular, the Supreme Court agreed with Van Buren that access “without authorization” “protects computers themselves by targeting so-called outside hackers-those who ‘acces[s] a computer without any permission at all.' ” The Court went on to state that “[u]nder Van Buren's reading, liability under both clauses stems from a gates-up-or-down inquiry-one either can or cannot access a computer system, and one either can or cannot access certain areas within the system.” ... Eddings argues that there can be no criminal liability under the access “without authorization” clause because Denis was not an “ ‘outside hacker' attempting to get ‘gates down' unauthorized access to the IFC server.” ... However, the Government's theory of the case is that Denis was akin to an “outside hacker”- someone “who acces[sed] a computer without any permission at all.” ... [T]he mere fact that [Defendant] retained possession of a password which allowed her to access the server post-employment does not,

...