IKUTA, Circuit Judge:
LVRC Holdings, LLC (LVRC) filed this lawsuit in federal district court against its former employee, Christopher Brekka, his wife, Carolyn Quain, and the couple's two consulting businesses, Employee Business Solutions, Inc., a Nevada corporation
LVRC operates Fountain Ridge, a residential treatment center for addicted persons, in Nevada.
In April 2003, LVRC hired Brekka to oversee a number of aspects of the facility. Part of his duties included conducting internet marketing programs and interacting with LOAD. At the time Brekka was hired, Brekka owned and operated EBSN and EBSF, two consulting businesses that obtained referrals for addiction rehabilitation services and provided referrals of potential patients to rehabilitation facilities through the use of internet sites and advertisements. Stuart Smith, the owner and operator of LVRC, was aware of Brekka's businesses, although he states he was not aware of the full nature of their operations.
While Brekka worked for LVRC, he commuted between Florida, where his home and one of his businesses were located, and Nevada, where Fountain Ridge and his second business were located. Brekka was assigned a computer at LVRC, but while commuting back and forth between Florida and Nevada, he emailed documents he obtained or created in connection with his work for LVRC to his personal computer. LVRC and Brekka did not have a written employment agreement, nor did LVRC promulgate employee guidelines that would prohibit employees from emailing LVRC documents to personal computers.
In June 2003, Brekka sent an email to LOAD's administrator, Nick Jones, requesting an administrative log-in for LVRC's website. Jones sent an email with the administrative user name, "firstname.lastname@example.org," and password, "cbrekka," to Brekka's work email, which Brekka downloaded onto his LVRC computer. By using the administrative log-in, Brekka gained access to information about LVRC's website, including the usage statistics gathered by LOAD. Brekka used those statistics in managing LVRC's internet marketing.
In August 2003, Brekka and LVRC entered into discussions regarding the possibility of Brekka purchasing an ownership interest in LVRC. At the end of August 2003, Brekka emailed a number of LVRC documents to his personal
In mid-September 2003, negotiations regarding Brekka's purchase of an ownership interest in LVRC broke down, and Brekka ceased working for LVRC. Brekka left his LVRC computer at the company and did not delete any emails from the computer, so the June 2003 email from Nick Jones, which included the administrative user name and password, remained on his computer.
After Brekka left the company, other LVRC employees had access to Brekka's former computer, including Brad Greenstein, a consultant who was hired shortly before Brekka left and who assumed many of Brekka's responsibilities. At some point after Brekka left, the email with the administrative log-in information was deleted from his LVRC computer.
On November 19, 2004, while performing routine monitoring of the LOAD website, Jones noticed that someone was logged into the LVRC website using the user name "email@example.com" and was accessing LVRC's LOAD statistics. Jones contacted Greenstein about the use of the "cbrekka" log-in. Jones also provided the IP address of the log-in and the location of the Internet Service Provider (ISP) associated with that IP address, namely, Redwood City, California. Greenstein instructed Jones to deactivate the "cbrekka" log-in, and Jones did so the same day. Shortly thereafter, LVRC filed a report with the FBI, alleging that Brekka had unlawfully logged into LVRC's website.
LVRC then brought an action in federal court, alleging that Brekka violated the CFAA when he emailed LVRC documents to himself in September 2003 and when he continued to access the LOAD website after he left LVRC. In addition, LVRC brought a number of state tort actions. In response, Brekka filed a third-party complaint against Smith, Greenstein, and Frank Szabo, alleging that they defamed him by making statements that Brekka had stolen information from LVRC.
The district court granted summary judgment in favor of Brekka. After dismissing the federal law claims, the district court declined to exercise supplemental jurisdiction over the remaining state law claims and dismissed the case. LVRC filed a motion to reconsider. Before the district court ruled on the motion, LVRC filed this appeal. We review the district court's grant of a motion for summary judgment de novo. SDV/ACCI, Inc. v. AT & T Corp., 522 F.3d 955, 958 (9th Cir. 2008).
The CFAA was enacted in 1984 to enhance the government's ability to prosecute computer crimes. The act was originally designed to target hackers who accessed computers to steal information or to disrupt or destroy computer functionality, as well as criminals who possessed the capacity to "access and control high technology processes vital to our everyday lives...." H.R. Rep. 98-894,
LVRC's complaint alleged that Brekka committed two of the crimes established by the CFAA, 18 U.S.C. §§ 1030(a)(2) and (a)(4). Section 1030(a)(2) provides for criminal penalties to be imposed on a person who:
18 U.S.C. § 1030(a)(2). Section 1030(a)(4) provides for criminal penalties to be imposed on a person who:
18 U.S.C. § 1030(a)(4).
LVRC brought suit under the provision of the statute that creates a right of action for private persons injured by such crimes. Section 1030(g) provides in pertinent part:
18 U.S.C. § 1030(g). Thus, a private plaintiff must prove that the defendant violated one of the provisions of § 1030(a)(1)-(7), and that the violation involved one of the factors listed in § 1030(a)(5)(B).
Therefore, to bring an action successfully under 18 U.S.C. § 1030(g) based on a violation of 18 U.S.C. § 1030(a)(2), LVRC must show that Brekka: (1) intentionally accessed a computer, (2) without authorization or exceeding authorized access, and that he (3) thereby obtained information (4) from any protected computer (if the conduct involved an interstate or foreign communication), and that (5) there was loss to one or more persons during any one-year period aggregating at least $5,000 in value. To bring an action successfully under § 1030(g) based on a violation of § 1030(a)(4), LVRC must show that Brekka: (1) accessed a "protected computer," (2) without authorization or exceeding such authorization that was granted, (3) "knowingly" and with "intent to defraud," and thereby (4) "further[ed] the intended fraud and obtain[ed] anything of value," causing (5) a loss to one or more persons during any one-year period aggregating at least $5,000 in value. See 18 U.S.C. § 1030(a); see also P.C. Yonkers, Inc. v. Celebrations the Party and Seasonal Superstore, LLC, 428 F.3d 504, 508 (3d Cir. 2005); Theofel v. Farey-Jones, 359 F.3d 1066, 1078 (9th Cir.2004).
In granting Brekka's summary judgment motion, the district court held that LVRC had failed to establish a violation of either § 1030(a)(2) or (4). First, the district court stated that "[i]t is undisputed that when Brekka was employed by Plaintiff that he had authority and authorization to access the documents and emails that were found on his home computer and laptop." According to the district court, LVRC adduced no evidence demonstrating that Brekka accessed an LVRC computer or any of the documents on the computer "without authorization" (an element of both §§ 1030(a)(2) and (4)) when he emailed documents to himself and to his wife before he left the company. The district court based this ruling on its conclusion that Brekka had "authorization" to access the LVRC computers for purposes of §§ 1030(a)(2) and (4) because he was employed by LVRC at the time he emailed documents to himself and his wife, and there was no evidence that Brekka had agreed to keep the emailed documents confidential or to return or destroy those documents upon the conclusion of his employment. Second, the district court held that LVRC had not put forth evidence from which a reasonable jury could find that Brekka logged into the LVRC website after leaving LVRC's employ. Because of the lack of evidence that Brekka violated § 1030(a)(2) or (4), the district court dismissed LVRC's claim under § 1030(g).
LVRC disputes both of these determinations, and we address each in turn.
We first consider LVRC's argument that the district court erred in assuming that if Brekka's access occurred during the term of his employment, it must have been authorized for purposes of the CFAA. LVRC argues that because Brekka accessed the company computer and obtained LVRC's confidential information to further his own personal interests, rather than the interests of LVRC, such access was "without authorization" for purposes of §§ 1030(a)(2) and (4).
In interpreting the phrase "without authorization," we start with the plain language of the statute. See United States v. Blixt, 548 F.3d 882, 887 (9th Cir.2008). The CFAA does not define "authorization," and it is a "fundamental canon of statutory construction ... that, unless otherwise defined, words will be interpreted as taking their ordinary, contemporary, common meaning." Perrin v. United States, 444 U.S. 37, 42, 100 S.Ct. 311, 62 L.Ed.2d 199
No language in the CFAA supports LVRC's argument that authorization to use a computer ceases when an employee resolves to use the computer contrary to the employer's interest. Rather, the definition of "exceeds authorized access" in § 1030(e)(6) indicates that Congress did not intend to include such an implicit limitation in the word "authorization." Section 1030(e)(6) provides: "the term 'exceeds authorized access' means to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter." 18 U.S.C. § 1030(e)(6). As this definition makes clear, an individual who is authorized to use a computer for certain purposes but goes beyond those limitations is considered by the CFAA as someone who has "exceed[ed] authorized access." On the other hand, a person who uses a computer "without authorization" has no rights, limited or otherwise, to access the computer in question. In other words, for purposes of the CFAA, when an employer authorizes an employee to use a company computer subject to certain limitations, the employee remains authorized to use the computer even if the employee violates those limitations. It is the employer's decision to allow or to terminate an employee's authorization to access a computer that determines whether the employee is with or "without authorization."
This leads to a sensible interpretation of §§ 1030(a)(2) and (4), which gives effect to both the phrase "without authorization" and the phrase "exceeds authorized access": a person who "intentionally accesses a computer without authorization," §§ 1030(a)(2) and (4), accesses a computer without any permission at all, while a person who "exceeds authorized access," id., has permission to access the computer, but accesses information on the computer that the person is not entitled to access.
In this case, there is no dispute that Brekka had permission to access the computer; indeed, his job required him to use the computer. Cf. Theofel, 359 F.3d at 1072-73 (holding that defendants had accessed a computer "without authorization" for purposes of the Stored Communications Act, 18 U.S.C. § 2701 et seq., when they procured the access by fraud). Moreover, there is no dispute that Brekka was still employed by LVRC when he emailed the documents to himself and to his wife. The most straightforward interpretation of §§ 1030(a)(2) and (4) is that Brekka had authorization to use the computer.
LVRC attempts to counter this conclusion by pointing to a Seventh Circuit decision, International Airport Centers, LLC v. Citrin, 440 F.3d 418 (7th Cir.2006). According to LVRC, Citrin supports its argument that the CFAA incorporates an additional limitation in the word "authorization,"
If we applied the reasoning in Citrin to this case, Brekka would have breached his duty of loyalty to LVRC when he allegedly resolved to transfer key LVRC documents and information to his personal computer to further his own competing business, and at that point his authorization to access the computer would have ended. Applying this reasoning, Brekka would have acted "without authorization" for purposes of §§ 1030(a)(2) and (4) once his mental state changed from loyal employee to disloyal competitor.
We are unpersuaded by this interpretation. First, and most important, § 1030 is primarily a criminal statute, and §§ 1030(a)(2) and (4) create criminal liability for violators of the statute. Although this case arises in a civil context, our interpretation of §§ 1030(a)(2) and (4) is equally applicable in the criminal context. See Leocal v. Ashcroft, 543 U.S. 1, 11 n. 8, 125 S.Ct. 377, 160 L.Ed.2d 271 (2004) (holding that where a statute "has both criminal and noncriminal applications," courts should interpret the statute consistently in both criminal and noncriminal contexts). It is well established that "ambiguity concerning the ambit of criminal statutes should be resolved in favor of lenity." United States v. Carr, 513 F.3d 1164, 1168 (9th Cir.2008) (quoting Rewis v. United States, 401 U.S. 808, 812, 91 S.Ct. 1056, 28 L.Ed.2d 493 (1971)). The Supreme Court has long warned against interpreting criminal statutes in surprising and novel ways that impose unexpected burdens on defendants. See United States v. Santos, ___ U.S. ___, 128 S.Ct. 2020, 2025, 170 L.Ed.2d 912 (2008) (J. Scalia) (plurality opinion) (citing United States v. Bass, 404 U.S. 336, 347-49, 92 S.Ct. 515, 30 L.Ed.2d 488 (1971); McBoyle v. United States, 283 U.S. 25, 27, 51 S.Ct. 340, 75 L.Ed. 816 (1931); United States v. Gradwell, 243 U.S. 476, 485, 37 S.Ct. 407, 61 L.Ed. 857 (1917)). "This venerable rule ... vindicates
In this case, as noted above, "authorization" means "permission or power granted by an authority." RANDOM HOUSE UNABRIDGED DICTIONARY, 139. The definition of the term "exceeds authorized access" from § 1030(e)(6) implies that an employee can violate employer-placed limits on accessing information stored on the computer and still have authorization to access that computer. The plain language of the statute therefore indicates that "authorization" depends on actions taken by the employer. Nothing in the CFAA suggests that a defendant's liability for accessing a computer without authorization turns on whether the defendant breached a state law duty of loyalty to an employer. If the employer has not rescinded the defendant's right to use the computer, the defendant would have no reason to know that making personal use of the company computer in breach of a state law fiduciary duty to an employer would constitute a criminal violation of the CFAA. It would be improper to interpret a criminal statute in such an unexpected manner. See Carr, 513 F.3d at 1168.
Because LVRC's proposed interpretation based on Citrin does not comport with the plain language of the CFAA, and given the care with which we must interpret criminal statutes to ensure that defendants are on notice as to which acts are criminal, we decline to adopt the interpretation of "without authorization" suggested by Citrin. Rather, we hold that a person uses a computer "without authorization" under §§ 1030(a)(2) and (4) when the person has not received permission to use the computer for any purpose (such as when a hacker accesses someone's computer without any permission), or when the employer has rescinded permission to access the computer and the defendant uses the computer anyway.
Based on this plain-language interpretation of the CFAA, we must consider whether Brekka acted "without authorization" when he emailed LVRC documents from his work computer to himself and to his wife. There is no dispute that Brekka was given permission to use LVRC's computer and that he accessed documents or information to which he was entitled by virtue of his employment with LVRC. Because Brekka had authorization to use the LVRC computer, he did not access a computer "without authorization." Therefore, the district court did not err in holding that LVRC failed to raise a genuine issue of material fact with respect to LVRC's claim that Brekka violated §§ 1030(a)(2) and (4) while he was still employed by LVRC.
We next consider whether the district court erred in holding that LVRC did not raise a genuine issue of material fact with respect to its claim that Brekka violated the CFAA by logging into the LOAD website after he left LVRC. There is no dispute that if Brekka accessed LVRC's information on the LOAD website after he left the company in September 2003, Brekka would have accessed a protected computer "without authorization" for purposes of the CFAA.
LVRC argues that there was sufficient evidence to create a genuine issue of material fact as to whether Brekka was responsible for the "cbrekka" log-in on November 19, 2004 to the LOAD website and also as to whether he accessed the website on numerous other occasions after he left LVRC. We disagree.
First, LVRC claims that no LVRC employee except Brekka had knowledge of the "cbrekka" log-in. Brekka, however, provided undisputed evidence that he left the email containing the administrative user name and password on his computer when he left LVRC, that at least two LVRC employees used the computer, and that others had access to the computer after Brekka left the company. Although LVRC points to evidence that the email with the log-in information was deleted from Brekka's LVRC computer, the district court correctly determined that the record does not indicate when the log-in information was deleted. While we must draw all reasonable inferences in favor of the non-moving party, we need not draw inferences that are based solely on speculation. See Lakeside-Scott v. Multnomah County, 556 F.3d 797, 802-03 (9th Cir. 2009); see also Lujan v. Nat'l Wildlife Fed'n, 497 U.S. 871, 888, 110 S.Ct. 3177, 111 L.Ed.2d 695 (1990) (holding that the summary judgment standard does not require that all ambiguities in the evidence be resolved in favor of the non-moving party). On appeal, LVRC relies on a declaration by its computer expert stating that the computer was reformatted before the other employees used it. However, this declaration was not part of the record before the district court on summary judgment, and therefore we do not consider it. See Forsberg v. Pac. Nw. Bell Tel. Co., 840 F.2d 1409, 1417-18 (9th Cir.1988).
Second, LVRC argues that because the computer that logged into the LVRC website on November 19 was connected to an ISP in Redwood City, a city located in Northern California, and Brekka was attending a meeting in San Francisco, which is also in Northern California, a reasonable juror could infer that Brekka was the person who accessed the website. But Brekka put forth an expert who stated that the information regarding Redwood City was related to the location of the ISP server, and did not indicate the location of the person using the "cbrekka" log-in. Jones, LVRC's witness, testified that he did not know where the person logging into the computer was located. No other evidence supported the inference that Brekka used the Redwood City ISP. Accordingly, evidence of the ISP's location is insufficient to create a genuine issue of material fact that Brekka was the person logging into the LVRC website. See Lujan, 497 U.S. at 888, 110 S.Ct. 3177 (refusing to draw inferences in favor of the non-moving party that were not supported with specific evidence).
Finally, in connection with its action against Brekka, LVRC retained a computer expert who examined Brekka's personal computers. The expert's report stated that Brekka's personal computer had been
This argument also fails. As the district court noted, the expert's evidence that Brekka logged into the site on September 17, 2005 was contradicted by Nick Jones's testimony that, upon Greenstein's request, he deactivated the "cbrekka" user name and password no later than November 19, 2004. In its response to the motion for summary judgment, LVRC did not provide any explanation, let alone supporting evidence, to show how the log-in could have been used nearly a year after LVRC's own witness testified that it had been deactivated. "If the factual context makes the non-moving party's claim of a disputed fact implausible, then that party must come forward with more persuasive evidence than otherwise would be necessary to show that there is a genuine issue for trial." Blue Ridge Ins. Co. v. Stanewich, 142 F.3d 1145, 1147 (9th Cir.1998). With no explanation or evidence as to how Brekka would have used the "cbrekka" log-in to access the LOAD website after the log-in was deactivated, we cannot say that there was a genuine issue of material fact regarding whether Brekka logged into the LOAD website after he left LVRC. The district court did not err when it refused to resolve the ambiguities in LVRC's own evidence in favor of LVRC.
On appeal, LVRC argues for the first time that it subsequently reactivated the "cbrekka" user name to help LVRC catch and identify the person who was misusing the log-in. LVRC points to an FBI report in the record that contains a statement from an unknown person to this effect. The FBI report was submitted as part of the summary judgment motion in Brekka's third-party suit, but LVRC did not draw the district court's attention to this statement regarding the reactivation of the "cbrekka" log-in in its response to the motion for summary judgment in this case, or even refer to the reactivation of the log-in in any of its filings. We will not reverse a district court's grant of summary judgment unless the party opposing the summary judgment motion has identified the evidence establishing a genuine issue of material fact in its opposition to summary judgment. See Carmen v. San Francisco Unified School District, 237 F.3d 1026, 1031 (9th Cir.2001). Because LVRC failed to do so in this case, we do not consider LVRC's proffered evidence that the "cbrekka" log-in was reactivated in November 2004.
Because LVRC did not meet its burden of producing "evidence that is significantly probative or more than 'merely colorable' that a genuine issue of material fact exists for trial," FTC v. Gill, 265 F.3d 944, 954 (9th Cir.2001) (quoting Anderson v. Liberty Lobby, Inc., 477 U.S. 242, 249-50, 106 S.Ct. 2505, 91 L.Ed.2d 202 (1986)), the district court did not err in granting summary judgment in favor of Brekka.
Brekka's use of LVRC's computers to email documents to his own personal computer did not violate § 1030(a)(2) or § 1030(a)(4) because Brekka was authorized to access the LVRC computers during his employment with LVRC. Moreover, construing the evidence in the record before the district court in the light most favorable to LVRC, there is not enough evidence upon which a reasonable jury could find that Brekka violated the CFAA after he left the company.
18 U.S.C. § 1030(a)(5)(B).