In a recent Northern District of California decision, Judge Saundra Brown Armstrong upheld the Ninth Circuit’s ruling in Nosal, and at the same time, held that fraudulent conduct claims under the Computer Fraud and Abuse Act are subject to the heightened pleading requirements of Rule 9 of the Federal Rules of Civil Procedure.
Plaintiff is a computer technology computer that supplies customers with enterprise hardware and software systems, and provides updates, including patches and fixes for its proprietary firmware and operating system software. Customers who purchase a technical support agreement are given access credentials that allow them to download support software from the plaintiff’s websites. Access to these websites is subject to the plaintiff’s terms of use, and customers are not permitted to share access credentials with unauthorized users.
In February 2011, DLT Federal Business Systems Corp (“DLT”) became a member of plaintiff’s membership program, which provides for third party companies interested in reselling plaintiff’s hardware and software. DLT allegedly fraudulently used its access to obtain plaintiff’s proprietary software patches and updates, which it then provided to customers, even though those customers lacked support agreements with plaintiff. In November 2011, plaintiff terminated DLT’s membership due to alleged violations of the agreement. Plaintiff alleged that DLT and Service Key LLC were engaged in a “gray market conspiracy” and allegedly took “vast quantities of software patches and updates for plaintiff’s proprietary operating system and other technical support files. In February 2012, plaintiff filed a complaint in the Northern District of California, alleging various causes of action. DLT subsequently filed a motion to dismiss plaintiff’s claims for violation of the CFAA, inducing breach of contract, fraudulent inducement, unfair competition, intentional interference with prospective economic relations, and an accounting.
In December 2012, Judge Armstrong dismissed plaintiff’s allegations that the defendants violated the Computer Fraud and Abuse Act (“CFAA”) via unauthorized access and induced breach of contract. According to Judge Armstrong, DLT’s conduct, “using legitimate access credentials to access websites and then distributing information obtained from such access to third parties who have no right to receive such information – is precisely the type of conduct that Nosal held was beyond the scope of the CFAA.” In Nosal, which we previously blogged about here, the Ninth Circuit held that the CFAA was intended to punish hacking, not the misappropriation of trade secrets or misuse of information.
Judge Armstrong allowed plaintiff to amend its claims against defendants for fraudulent conduct under the CFAA, finding that section 1030(a)(6) of the CFAA prohibits a party from fraudulently trafficking in “any password or similar information through which a computer may be accessed without authorization” where such trafficking affects interstate commerce. In amending the complaint, the court directed plaintiff to conform with Rule 9(b) of the Federal Rules of Civil Procedure and to “allege with specificity each incident of fraudulent conduct.” Judge Armstrong reasoned that CFAA claims are subject to the heightened pleading requirements of Rule 9(b) when the allegations are “grounded in fraud” or otherwise “sound in fraud.” Judge Armstrong cited Kearns v. Ford Motor Co, where the Ninth Circuit held that even when fraud is not a necessary element of a claim, Rule 9(b) applies where a unified course of fraudulent conduct is alleged.” Accordingly, Judge Armstrong found Kearns applicable to the instant case because plaintiff alleged that DLT had accessed plaintiff’s support websites and engaged in fraudulent trafficking of passwords to facilitate third party access.
Judge Armstrong’s ruling provides another case reaffirming the ruling in Nosal – that a person who is authorized to access a password protected website does not violate the CFAA by downloading and distributing the materials to unauthorized persons. More importantly, the ruling is notable because Judge Armstrong found that the heightened pleading requirements of Rule 9 apply to the CFAA. Companies would be wise to take this into account in asserting fraudulent conduct claims under the CFAA, and make sure their pleadings are sufficiently detailed and particularized to meet the heightened pleading standard.