NetApp, Inc. v. Nimble Storage, Inc.

U.S. District Court5/12/2014
View on CourtListener

AI Case Brief

Generate an AI-powered case brief with:

📋Key Facts
⚖Legal Issues
📚Court Holding
💡Reasoning
🎯Significance

Estimated cost: $0.001 - $0.003 per brief

Full Opinion

ORDER GRANTING IN PART AND DENYING IN PART DEFENDANTS’ MOTIONS TO DISMISS

LUCY H. KOH, United States District Judge ‱

Plaintiff NetApp, Inc. filed this suit against Defendants Nimble Storage, Inc. (“Nimble”), Michael Reynolds, and former NetApp employees Daniel Weber, Sandhya Klute, Timothy Binning, Neil Glick, and Christopher Alduino (collectively, “employees”). See ECF Nos. 1 (Compl.), 34 (First Am. Compl.). Nimble, Reynolds, and the group of employees have each moved to dismiss all claims against them on multiple grounds. See ECF Nos. 40, 41, 42. NetApp has opposed all motions and requested jurisdictional discovery in connection with Reynolds. The Court held a hearing on the motions on May 8, 2014. The Court addresses all four motions together. Having considered the briefing, the oral arguments, the record in this case, and applicable law, the Court GRANTS IN PART AND DENIES IN PART the motions for the reasons stated below.

I. BACKGROUND

A. NetApp’s Lawsuit

NetApp and Nimble are competing companies in the data storage industry. First Am. Compl. ¶ 31. Defendants Weber, Klute, Binning, Glick, and Alduino are former NetApp employees who now work for Nimble. Id. ¶¶ 7-11. Defendant Reynolds is an Australian citizen and resident who works at Nimble Storage Australia Pty Limited, an entity related to Defendant Nimble (discussed below). Id. ¶ 6. This lawsuit stems from NetApp’s belief that “Nimble targeted NetApp talent and proprietary and confidential information to compete unfairly in the marketplace.” Id. ¶36. NetApp alleges that “Nimble has achieved rapid growth and customer adoption” by “rely[ing] heavily on foundational information as to the internal working of NetApp’s products and its proprietary business processes.” Id. ¶ 31.

According to NetApp, Reynolds previously worked at Thomas Duryea Consulting (“TDC”), an “IT infrastructure consultancy business” in Australia. Id. ¶ 39. NetApp contracted with TDC for certain services, provided Reynolds with access to NetApp’s computer systems, and offered Reynolds training courses available to NetApp employees, all subject to NetApp’s restrictions on unauthorized access and use of its systems. See id. ¶¶ 41-46. Reynolds left TDC in April 2013 and took a job with Nimble where — NetApp alleges — he accessed NetApp databases repeatedly from June through August 2013 and used confidential, proprietary information to solicit business for Nimble. See id. ¶¶ 47-54.

Regarding its former employees sued here, NetApp claims that each person worked at NetApp until early to mid-2013, *821before departing the company for Nimble. NetApp accuses each former employee of breaching a common “Proprietary Information and Inventions Agreement” by taking, copying, or destroying volumes of confidential NetApp data before leaving. See, e.g., id. ¶¶ 62 (alleging that Weber took “sales material; pricing models; sales strategies; and detailed customer information”), 80 (alleging that “two days before his departure from NetApp, Glick took steps to delete and/or render unrecoverable, inaccessible, and/or unavailable NetApp Company Documents and Materials stored on his NetApp computer.”).

B. Procedural History

On October 29, 2013, NetApp filed this lawsuit, alleging a variety of claims against Nimble and individual defendants Reynolds, Weber, Klute, and other unnamed “Doe” defendants, based on alleged unauthorized access to NetApp’s computer systems and theft of proprietary information.1 Compl. ¶¶ 59-123. On December 20, 2013, the named Defendants collectively filed three motions to dismiss, arguing that NetApp failed to plead sufficient facts to support various claims and challenging subject matter jurisdiction, supplemental jurisdiction, and personal jurisdiction as to Reynolds. See ECF Nos. 22-24.

On December 23, 2013, NetApp filed a motion for leave to conduct jurisdictional discovery in connection with Reynolds’s challenge to personal jurisdiction, along with a motion to expedite a hearing on its motion for leave. See ECF Nos. 26, 25. On January 6, 2014, Nimble and Reynolds each filed an opposition to NetApp’s motion for jurisdictional discovery. See ECF Nos. 29, 30. 3 On January 13, 2014, NetApp filed a reply in support of its discovery motion. See ECF No. 36. On January 7, 2014, Court denied NetApp’s motion to expedite. See Order, ECF No. 33. On January 17, 2014, the Court entered an order by- stipulation in which NetApp agreed to withdraw its motion for jurisdictional discovery without prejudice, subject to renewal after amending its complaint. See Order, ECF No. 39. The parties have since renewed their dispute over jurisdictional discovery. See Discovery Dispute Joint Report # 1, ECF No. 43; Order, ECF No. 64.

On January 10, 2014, NetApp filed a First Amended Complaint, adding individual defendants Binning, Glick, and Alduino. See First Am. Compl. ¶¶ 74-82. NetApp pleaded claims against the various defendants for violations of the Computer Fraud and Abuse Act (18 U.S.C. § 1030, “CFAA”), trespass, to chattel, trade secret misappropriation, breach of contract, intentional interference with contract and contractual relations, and unfair competition. See id. ¶¶ 83-176.

On February 18, 2014, Defendants filed new motions to dismiss all claims in the First Amended Complaint, again challenging the sufficiency of NetApp’s pleadings as to various claims and jurisdictional issues. Nimble sought to dismiss NetApp’s state law claims due to lack of supplemental jurisdiction, and moved to dismiss all claims for failure to state a claim or — in the alternative — for a more definite statement under Rule 12(e). See ECF No. 40 (“Nimble Mot.”). Reynolds moved to dismiss for lack of personal jurisdiction and for failure to state any claim against him, and further sought to join and incorporate by reference the motions filed by Nimble and the individual Defendants. See ECF *822No. 41 (“Reynolds Mot.”). All of the former employee Defendants (Weber, Klute, Binning, Glick, and Alduino) collectively moved to dismiss for lack of supplemental jurisdiction and failure to state any claims, and also sought to join and incorporate by reference the motions filed by Nimble and Reynolds. See ECF No. 42 (“Employees Mot”).

On March 27, 2014, NetApp filed an opposition to each motion to dismiss, along with supporting declarations and a request for judicial notice of certain facts related to Nimble’s operations. See ECF Nos. 45 (“NetApp Reynolds Opp’n”), 50 (“NetApp Employees Opp’n”), 51 (“NetApp Nimble Opp’n”), 49 (NetApp Request for Judicial Notice). On April 10, 2014, all Defendants filed replies. See ECF Nos. 58 (“Nimble Reply”), 59 (“Employees Reply”), 60 (“Reynolds Reply”). The Court held a hearing on May 8, 2014.'

II. LEGAL STANDARDS

A. Motion to Dismiss Under Rule 12(b)(6)

A complaint must contain “a short and plain statement of the claim showing that the pleader is entitled to relief.” Fed. R.Civ.P. 8(a)(2). If a plaintiff fails to plead “enough facts to state a claim to relief that is plausible on its face,” the complaint may be dismissed for failure to state a claim upon which relief may be granted. Bell Atl. Corp. v. Twombly, 550 U.S. 544, 570, 127 S.Ct. 1955, 167 L.Ed.2d 929 (2007); Fed.R.Civ.P. 12(b)(6). “A claim has facial plausibility when the plaintiff pleads factual content that allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged.” Ashcroft v. Iqbal, 556 U.S. 662, 678, 129 S.Ct. 1937, 173 L.Ed.2d 868 (2009). “The plausibility standard is not akin to a probability requirement, but it asks for more than a sheer possibility that a defendant has acted unlawfully.” Id (internal quotation marks omitted). For purposes of ruling on a Rule 12(b)(6) motion, a court “accept[s] factual allegations in the complaint as true and construe[s] the pleadings in the light most favorable to the nonmoving party.” Manzarek v. St Paul Fire & Marine Ins. Co., 519 F.3d 1025, 1031 (9th Cir.2008).

“Generally, the scope of review on a motion to dismiss for failure to state a claim is limited to the contents of the complaint.” Marder v. Lopez, 450 F.3d 445, 448 (9th Cir.2006). However, a court need not accept as true allegations contradicted by judicially noticeable facts, Shwarz v. United States, 234 F.3d 428, 435 (9th Cir.2000), and the “[Cjourt may look beyond the plaintiffs complaint to matters of public record” without converting the Rule 12(b)(6) motion into one for summary judgment, Shaw v. Hahn, 56 F.3d 1128, 1129 n. 1 (9th Cir.1995). Nor is the court required to “ ‘assume the truth of legal conclusions merely because they are cast in the form of factual allegations.’ ” Fayer v. Vaughn, 649 F.3d 1061, 1064 (9th Cir.2011) (per curiam) (quoting W. Mining Council v. Watt, 643 F.2d 618, 624 (9th Cir.1981)). Mere “conclusory allegations of law and unwarranted inferences are insufficient to defeat a motion to dismiss.” Adams v. Johnson, 355 F.3d 1179, 1183 (9th Cir.2004); accord Iqbal, 556 U.S. at 678, 129 S.Ct. 1937. Furthermore, “a plaintiff may plead herself out of court” if she “plead[s] facts which establish that [s]he cannot prevail on h[er] ... claim.” Weisbuch v. Cnty. of Los Angeles, 119 F.3d 778, 783 n. 1 (9th Cir.1997) (internal quotation marks omitted).

B. Motion to Dismiss ÍJnder Rule 12(b)(2) for Lack of Personal Jurisdiction

In a motion challenging personal jurisdiction under Rule 12(b)(2), the plain*823tiff, as the party seeking to invoke the jurisdiction of the federal court, has the burden of establishing that jurisdiction exists. See Schwarzenegger v. Fred Martin Motor Co., 374 F.3d 797, 800 (9th Cir.2004). When the motion to dismiss constitutes a defendant’s initial response to the complaint, the plaintiff need only make a prima facie showing that personal jurisdiction exists. See Data Disc, Inc. v. Sys. Tech. Assocs., Inc., 557 F.2d 1280, 1285 (9th Cir.1977). While a plaintiff cannot “ ‘simply rest on the bare allegations of its complaint,’ uncontroverted allegations in the complaint must be taken as true [and] [conflicts between parties over statements contained in affidavits must be resolved in the plaintiffs favor.” Schwarzenegger, 374 F.3d at 800 (quoting Amba Mktg. Sys., Inc. v. Jobar Int’l, Inc., 551 F.2d 784, 787 (9th Cir.1977), and citing AT & T v. Compagnie Bruxelles Lambert, 94 F.3d 586, 588 (9th Cir.1996)).

C. Supplemental Jurisdiction

While a federal court may exercise supplemental jurisdiction over state-law claims “that are so related to claims in the action within [the court’s] original jurisdiction that they form part of the same case or controversy under Article III of the United States Constitution,” 28 U.S.C. § 1367(a), a court may decline to exercise supplemental jurisdiction where a state claim “substantially predominates over the claim or claims over which the district court has . original jurisdiction,” id. § 1367(c)(2); see also Albingia Versicherungs A.G. v. Schenker Int’l Inc., 344 F.3d 931, 937-38 (9th Cir.2003) (§ 1367(c) grants federal courts the discretion to dismiss state law claims when all federal claims have been dismissed). A court, in considering whether to retain supplemental jurisdiction, should consider factors such as “economy, convenience, fairness, and comity.” Acri v. Varian Assocs., 114 F.3d 999, 1001 (9th Cir.1997) (en banc) (internal quotation marks omitted).

D. Leave to Amend

“Dismissal with prejudice and without leave to amend is not appropriate unless it is clear ... that the complaint could not be saved by amendment.” Eminence Capital, LLC v. Aspeon, Inc., 316 F.3d 1048, 1052 (9th Cir.2003). When dismissing a complaint for failure to state a claim, “a district court should grant leave to amend even if no request to amend the pleading was made, unless it determines that the pleading could not possibly be cured by the allegation of other facts.” Lopez v. Smith, 203 F.3d 1122, 1130 (9th Cir.2000) (en banc) (quoting Doe v. United States, 58 F.3d 494, 497 (9th Cir.1995)). Nonetheless, a court “may exercise its discretion to deny leave to amend due to ... ‘futility of amendment.’ ” Carvalho v. Equifax Info. Servs., LLC, 629 F.3d 876, 892-93 (9th Cir.2010) (citation omitted).

III. DISCUSSION

Defendants present numerous legal theories that potentially dispose of various causes of action on multiple, interdependent grounds. Supplemental jurisdiction over NetApp’s state law claims depends in part on the viability of its CFAA claim, which is the only federal cause of action and is asserted against only Nimble and Reynolds. Both of those Defendants challenge the sufficiency of the CFAA claims under Rule 12(b)(6), while Reynolds also challenges personal jurisdiction. The Court first addresses Reynolds’s personal jurisdiction challenge, then the sufficiency of NetApp’s CFAA claims, followed by supplemental jurisdiction, and the sufficiency of NetApp’s remaining claims within the Court’s jurisdiction.

*824As an initial matter, the Court addresses NetApp’s Request for Judicial Notice. ECF No. 49. While a district court generally may not consider any material beyond the pleadings in ruling on a Rule 12(b)(6) motion, a court may take judicial notice of documents referenced in the complaint, as well as matters in the public record, without converting a motion to dismiss into one for summary judgment. See Lee v. City of Los Angeles, 250 F.3d 668, 688-89 (9th Cir.2001). A matter may be judicially noticed if it is either “generally known within the trial court’s territorial jurisdiction” or “can be accurately and readily determined from sources whose accuracy cannot reasonably be questioned.” Fed. R. Evid. 201(b). NetApp requests judicial notice of four Nimble webpages and excerpts from a Nimble filing with the Securities and Exchange Commission: Khachakourian Decl. Exs. L, O-R (ECF Nos. 45-13, -16 to -19). Defendants have not opposed, and the materials are either referenced in the First Amended Complaint or matters in the public record. Accordingly, the Court grants NetApp’s Request for Judicial Notice.

A. Personal Jurisdiction Over Reynolds

An Australian resident, Reynolds contends that this Court lacks personal jurisdiction over him. Reynolds Mot. at 6-14. NetApp argues primarily that the Court has specific personal jurisdiction based on Reynolds’s efforts to access NetApp’s computer systems in California, with only a cursory argument regarding general jurisdiction. NetApp Reynolds Opp’n at 6-14. The Court agrees with NetApp with respect to specific jurisdiction.

Where no applicable federal statute governs personal jurisdiction, the court applies the law of the state in which it sits. See Fed. R. Civ. P. 4(k)(1)(A); Panavision Int’l, L.P. v. Toeppen, 141 F.3d 1316, 1320 (9th Cir.1998). “Because California’s long-arm jurisdictional statute is coextensive with federal due process requirements, the jurisdictional analyses under state law and federal due process are the same.” Schwarzenegger, 374 F.3d at 800-01. “For a court to exercise personal jurisdiction over a nonresident defen-' dant, that defendant must have at least ‘minimum contacts’ with the relevant forum such that the exercise of jurisdiction ‘does not offend traditional notions of fair play and substantial justice.’ ” Id. at 801 (quoting Int’l Shoe Co. v. Washington, 326 U.S. 310, 316, 66 S.Ct. 154, 90 L.Ed. 95 (1945)).

To determine whether a defendant’s contacts with the forum state are sufficient to establish specific jurisdiction, the Ninth Circuit employs a three-part test:

(1) The non-resident defendant must purposefully direct his activities or consummate some transaction with the forum or resident thereof; or perform some act by which he purposefully avails himself of the privilege of conducting activities in the forum, thereby invoking the benefits and protections of its laws;
(2) the claim must be one which arises out of or relates to the defendant’s forum-related activities; and
(3) the exercise of jurisdiction must comport with fair play and substantial justice, i.e. it must be reasonable.

Id. at 802 (quoting Lake v. Lake, 817 F.2d 1416, 1421 (9th Cir.1987)). Plaintiff bears the burden of satisfying the first two prongs. Sher v. Johnson, 911 F.2d 1357, 1361 (9th Cir.1990). If Plaintiff does so, then the burden shifts to Defendant to “set forth a ‘compelling case’ that the exercise of jurisdiction would not be reasonable.” CollegeSource, Inc. v. AcademyOne, Inc., 653 F.3d 1066, 1076 (9th Cir.2011) (quoting Burger King Corp. v. Rudzewicz, 471 U.S. *825462, 476-78, 105 S.Ct. 2174, 85 L.Ed.2d 528 (1985)). The Court addresses each of the three prongs in turn.

1. Purposeful Direction and Availment

The standard under the first prong differs for claims sounding in tort and claims sounding in contract. Yahoo! Inc. v. La Ligue Contre Le Racisme Et L'Antisemitisme, 433 F.3d 1199, 1206 (9th Cir.2006). For tort claims, the “purposeful direction” standard generally applies, and for contract claims, the “purposeful availment” test generally applies. Id. Here, NetApp alleges both tort and contract claims against Reynolds based on the same underlying conduct — unauthorized access to NetApp’s computers (discussed below) — so both standards are relevant. See Action Embroidery Corp. v. Atl. Embroidery, Inc., 368 F.3d 1174, 1180 (9th Cir.2004) (“Personal jurisdiction must exist for each claim asserted against a defendant.”). The Court determines that the first prong is satisfied as to all claims against Reynolds, a. Purposeful Direction

To meet the “purposeful direction” standard for tort-related conduct, Reynolds’s activities must satisfy a three-part “effects test” under Calder v. Jones, 465 U.S. 783, 104 S.Ct. 1482, 79 L.Ed.2d 804 (1984): (1) commission of an intentional act, (2) expressly aimed at the forum state, (3) causing harm that Reynolds knew was likely to be suffered in the forum state. Schwarzenegger, 374 F.3d at 803. “In any personal jurisdiction case we must evaluate all of a defendant’s contacts with the forum state, whether or not those contacts involve wrongful activity by the defendant.” Yahoo!, 433 F.3d at 1207.

The first part of the effects test requires “an intent to perform an actual physical act in the real world, rather than an intent to accomplish a result or consequence of that act.” Schwarzenegger, 374 F.3d at 806. Here, NetApp alleges that Reynolds “intentionally” accessed computer systems and obtained secure information without permission. First Am. Compl. ¶¶ 16, 85, 87, 88. Additionally, NetApp submitted supporting declarations with exhibits. See ECF Nos. 46-48 (Bruce, Davied, and Sun Declarations). Those materials include records documenting Reynolds’s access to NetApp’s computers and notices shown to users of those computers, further indicating that Reynolds purposefully accessed systems in California after receiving notice of where those systems were located. E.g., ECF Nos. 47-3 (list of access dates for Reynolds), 48-2 (screenshot of Synergy Data Privacy Policy). These facts and allegations are sufficient to satisfy this part of the test because they demonstrate intentional activities.

The second part of the effects test turns on whether Reynolds “expressly aimed” his intentional acts at California. “The ‘express aiming’ analysis depends, to a significant degree, on the specific type of tort at issue.” Schwarzenegger, 374 F.3d at 807. As explained above, all of Reynolds’s alleged transgressions (under all pleaded causes of actions) involve improper access to NetApp’s computer systems in California. NetApp claims that Reynolds received password-protected access to its computer systems as part of his work for TDC (First Am. Compl. ¶¶ 41, 44); that the NetApp systems and databases at issue were located in California at all relevant times; (id. ¶¶ 41, 45); that Reynolds received multiple notices that NetApp and the computer systems were located in California (id. ¶¶ 16, 45, 51); that Reynolds repeatedly accessed multiple NetApp systems between June and August 2013 after leaving TDC (id. ¶49); and that Reynolds accepted a EULA (end user license agreement) that restricted access to certain databases, was deemed executed in Califor*826nia, and is governed by California law (id. ¶5 1). See also Yenkatesan Decl. (ECF No. 41-2) ¶3, Ex. A (purported NetApp EULA submitted by Reynolds; “This EULA shall be deemed to have been made in ... the State of California.”).

Reynolds disputes the adequacy of these allegations, pointing out that all of his relevant acts occurred in Australia while employed with Australian companies, and that he never knew that the systems he accessed were in California. See Reynolds Mot. at 10-12; Reynolds Reply at 5-8. Reynolds also submits a declaration in which he maintains: “Throughout my employment at TDC and to this day, I do not know, and have never known, where the information on these databases is located.” Reynolds Decl. (ECF No. 22-1) ¶ 10. However, these arguments do not defeat jurisdiction in this case. Based on NetApp’s factual allegations, Reynolds had, at minimum, reason to know that he was accessing NetApp’s computer systems in California. Moreover, courts have held that similar activities over the Internet can be sufficient to support personal jurisdiction. In Panavision, the Ninth Circuit affirmed personal jurisdiction over an individual defendant who allegedly registered as Internet domain names trademarks of a company with a principal place of business in California. 141 F.3d at 1321. The court rejected the defendant’s argument that “he has not directed any activity toward Panavision in California” because “the injury occurred in cyberspace,” holding that such activities satisfied the “effects test.” Id. at 1322. More recently, this district found personal jurisdiction over out-of-state parties who accessed the Facebook website because they specifically directed actions towards the website, even if those parties did not know Facebook’s physical location: “Here, there is no dispute that PNS and Williams were fully aware that Facebook existed, and that they specifically targeted their conduct against Facebook. That they were able to do so while remaining ignorant of Face-book’s precise location may render this case factually distinct from prior precedents finding jurisdiction for acts of express aiming, but not in a manner that warrants a different result.” Facebook, Inc. v. ConnectU LLC, No. C 07-01389, 2007 WL 2326090, at *6 (N.D.Cal. Aug. 13, 2007).

Reynolds’s counter-examples are distinguishable. Reynolds cites Jewish Defense Organization, Inc. v. Superior Court of Los Angeles County, in which a California court ruled that “defendants’ conduct in registering Rambam’s name as a domain name and posting passive Web sites on the Internet is not sufficient to subject them to jurisdiction in California.” 72 Cal.App.4th 1045, 1060, 85 Cal.Rptr.2d 611 (1999). However, the court distinguished Panavision because there was no basis to conclude that the company’s principal place of business was in California, and noted specifically that the defendant’s activities were “passive.” Id. at 1059, 1060 n. 4, 85 Cal.Rptr.2d 611. By contrast, Reynolds’s alleged violations did not involve “passive” activities or merely visiting a foreign website, but rather deliberately accessing NetApp’s proprietary databases to take information after performing work for NetApp and receiving repeated notices of access restrictions. As another, example, Reynolds relies on Pfister v. Selling Source, LLC, where the District of Nevada rejected the argument that running a “highly interactive website” would support personal jurisdiction, noting that “courts within this circuit have rejected the contention that server location within the forum can constitute a basis for the exercise of personal jurisdiction.” 931 F.Supp.2d 1109, 1116 (D.Nev.2013). However, that case specifically addressed general jurisdiction *827and noted that the location of a server did not support “continuous and systematic contacts.” Id. (emphasis added). Thus, Pfister does not foreclose specific jurisdiction based on Reynolds’s alleged conduct here. The Court finds sufficient allegations that Reynolds “expressly aimed” activities at California.

The third part of the effects test examines whether Reynolds’s acts caused harm that Reynolds knew would likely occur in California. NetApp has alleged that Reynolds harmed NetApp by taking and disseminating confidential information. See First Am. Compl. ¶¶ 52-53. ‱ Reynolds does not deny that he knew that NetApp was located in California, and as explained above, if Reynolds did in fact repeatedly misappropriate sensitive information from NetApp’s computers, he would have known that he was injuring NetApp. Accordingly, this part of the effects test is met.

b. Purposeful Availment

All three parts of the effects test are satisfied, which demonstrates “purposeful direction” as to the tort-based claims. As to the contract-based claims, the parties dispute whether Reynolds’s acceptance and breach of the Synergy EULA {e.g., First Am. Compl. ¶¶ 51, 115) suffices to demonstrate “purposeful availment.” See Reynolds Mot. at 9-10. The Court need not resolve this dispute because “a court may assert pendent personal jurisdiction over a defendant with respect to a claim for which there is no independent basis of personal jurisdiction so long as it arises out of a common nucleus of operative facts with a claim in the same suit over which the court does have personal jurisdiction.” Action Embroidery, 368 F.3d at 1180-81 (adopting, doctrine of pendent personal jurisdiction); see also Wash. Shoe Co. v. A-Z Sporting Goods Inc., 704 F.3d 668, 673 (9th Cir.2012) (following Action Embroidery). Here, both the contract-based claims and the tort-based claims are based on common factual predicates: Reynolds’s unauthorized computer access.2 Therefore, under Ninth Circuit precedent, specific jurisdiction over the contract claims is appropriate in this circumstance.

2. Forum-Related Activities

Under the second prong of the Ninth Circuit’s analysis for specific jurisdiction, the court must determine whether NetApp’s claims arise from or are related to Reynolds’s forum-related activities. This inquiry turns on whether NetApp “would not have been injured ‘but for’” Reynolds’s alleged misconduct. Panavision, 141 F.3d at 1322. Here, there can be no dispute that Reynolds’s activities towards California relate directly to NetApp’s causes of action, which are all based on his unauthorized access to NetApp’s computers.

3. Reasonableness

Under the third prong, Reynolds bears the burden of presenting a “compelling case” that jurisdiction here would not comport with “fair play and substantial justice,” based on seven established factors: “(1) the extent of the defendants’ purposeful injection into the forum state’s’ affairs; (2) the burden on the defendant of defending in the forum; (3) the extent of the conflict with the sovereignty of the defendant’s state; (4) the forum state’s interest in adjudicating the dispute; (5) the most efficient judicial resolution of the controversy; (6) the importance of the forum to the plaintiffs interest in convenient and *828effective relief; and (7) the existence of an alternative forum.” CollegeSource, 653 F.3d at 1079. Here, Reynolds argues that subjecting him to jurisdiction in California would be burdensome because he lives in Australia and has otherwise minimal contacts with the state. See Reynolds Mot. at 13-14. While the Supreme Court has counseled that foreign defendants may face “unique burdens,” Asahi Metal Indus. Co. v. Superior Court of Cal., 480 U.S. 102, 114, 107 S.Ct. 1026, 94 L.Ed.2d 92 (1987), courts have appropriately exercised jurisdiction over foreign parties, e.g., Yahoo!, 433 F.3d at 1211 (personal jurisdiction over French defendants). See also Ajuba Int'l L.L.C. v. Saharia, 871 F.Supp.2d 671, 683-84 (E.D.Mich.2012) (personal jurisdiction over Indian defendant for trade secret misappropriation claims). Additionally, California’s interest in adjudicating any harm that occurred here favors jurisdiction, and Reynolds has not shown that any alternative forum exists.

Reynolds also contends that “NetApp’s assertion impermissibly broadens personal jurisdiction, as any person in the world receiving materials from a California corporation could be haled into California court.” Reynolds Mot. at 11. This concern is misleading. As explained above, Reynolds is not accused of passively “receiving materials” or simply setting up a website, but rather intentionally accessing a former client’s databases for financial gain. NetApp points out that the legislative history of the CFAA suggests that Congress intended to address foreign activity. See S.Rep. No. 104-357 (1996) (noting that prior version of CFAA omitted “computers used in foreign communications or commerce, despite the fact that hackers are often foreign-based”). Reynolds has not demonstrated that it would be unreasonable for this Court to assert jurisdiction over a person who purposefully intrudes on a secure computer system in California.

Accordingly, the Court denies Reynolds’s motion to dismiss for lack of personal jurisdiction. NetApp’s motion for leave to conduct jurisdictional discovery is denied as moot in light of the Court’s ruling on personal jurisdiction and the case schedule set at the May 8, 2014 Case Management Conference (ECF No. 65).

B. CFAA Claims

The Court next addresses the sufficiency of NetApp’s claims under Rule 12(b)(6). NetApp’s only cause of action based on federal law is its CFAA claim against Nimble and Reynolds. Because supplemental jurisdiction over' all other claims depends on the sufficiency of NetApp’s federal claims, the Court addresses the CFAA claims first.

The CFAA imposes civil liability on whoever:

intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains ... informa°tion from any protected computer (18 U.S.C. § 1030(a)(2)(C));
knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computer and the value of-such use is not more than $ 5,000 in any 1-year period (id. § 1030(a)(4));
(A) knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer;
*829(B) intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage; or
(C) intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage and loss (id. § 1030(a)(5)).

NetApp alleges that Nimble violated § 1030(a)(2)(C) vicariously by having Reynolds, as its agent,- intentionally and impermissibly access NetApp’s computers and obtain secret information; that Reynolds and Nimble violated § 1030(a)(4) by intending to defraud NetApp; and that Reynolds and Nimble violated all subsections of § 1030(a)(5) by damaging NetApp’s computer systems. First Am. Compl. ¶¶ 85-88. NetApp also contends that Nimble and Reynolds conspired to violate the CFAA. Id. ¶84; see also § 1030(b) (“Whoever conspires to commit or attempts to commit an offense under subsection (a) of this section shall be punished as provided in subsection (c) of this section.”).

The Defendants raise several challenges to the sufficiency of NetApp’s CFAA claims under Rule 12(b)(6), which the Court addresses in turn.

1. “Without Authorization or Exceeding Authorized Access”

First, Reynolds argues that NetApp failed to plead facts that could support an inference that he accessed any computers “without authorization” or by “exceeding authorized access,” which is required by all asserted CFAA provisions (§§ 1030(a)(2)(C), (a)(4), and (a)(5)). See Reynolds Mot. at 14-17. Reynolds argues that his access to NetApp’s systems-was never revoked, even after he stopped working for TDC, and therefore he did not breach any “technological barriers,” which Reynolds claims is a requirement to demonstrate lack of authorization under the CFAA. See Reynolds Reply at 9. In response, NetApp contends that CFAA liability does not require circumvention of any technological barriers, and that Reynolds lost his permission to access NetApp’s systems (and knew that he lost that permission) as soon as he left TDC and no longer performed services for NetApp. See NetApp Reynolds Opp’n at 15-19.

This Court agrees with NetApp that the scope of authorized computer access for purposes of the CFAA does not depend entirely on circumvention of a technological barrier. The Ninth Circuit and the Northern District of California have not squarely resolved whether computer access is unauthorized or exceeds authorization under the CFAA when a person has authorization under an employment arrangement, but then changes jobs, and the computer’s owner has not disabled that person’s access through technological controls. However, the weight of current authority supports NetApp’s interpretation.

In LVRC Holdings LLC v. Brekka, the Ninth Circuit confronted a similar case where a company accused a former employee of violating the CFAA by e-mailing himself sensitive documents while employed and by continuing to access the company’s private websitĂ© after his employment ended. 581 F.3d 1127 (9th Cir.2009). The court first addressed the definitions of “without authorization” and “exceeds authorized access,” concluding that “without authorization” in the CFAA refers only to access without any permissions at all: “we hold that a person uses a computer ‘without authorization’ under §§ 1030(a)(2) and (4) when the person has not received permission to use the computer for any purpose (such as when a hacker accesses someone’s computer without any permission), or when the employer has rescinded permission to access the com*830puter and the defendant uses the computer any

Additional Information

NetApp, Inc. v. Nimble Storage, Inc. | Law Study Group