Vaquero Energy, Inc. v. Herda et al, No. 1:2015cv00967 - Document 43 (E.D. Cal. 2015)
Court Description: ORDER GRANTING IN PART 27 Defendant's Motion to Dismiss, signed by Magistrate Judge Jennifer L. Thurston on 9/21/2015. (Hall, S)
Download PDF
<![CDATA[
Vaquero Energy, Inc. v. Herda et al Doc. 43 1 2 3 4 5 6 7 8 UNITED STATES DISTRICT COURT 9 EASTERN DISTRICT OF CALIFORNIA 10 11 12 13 14 15 16 VAQUERO ENERGY, INC., ) ) Plaintiff, ) ) v. ) ) JEFF HERDA, et al., ) ) Defendants. ) ________________________________ ) 17 Case No.: 1:15-cv-0967 - AWI - JLT ORDER GRANTING IN PART DEFENDANTS’ MOTION TO DISMISS (Doc. 27) Plaintiff Vaquero Energy, Inc., operates oil and gas collection and installations in California, 18 Texas, Colorado, and Wyoming. Plaintiff contracted with Defendants to provide “[i]nformation 19 technology maintenance, updates, upgrades and coordination services for oil and gas collection facility 20 software, hardware and/or firmware.” (Doc. 16 at 3-4) On August 20, 2015, Defendants filed a motion 21 to dismiss Plaintiff’s claims under the Computer Fraud and Abuse Act and the Stored Communications 22 Act pursuant to Rule 12(b)(6) of the Federal Rules of Civil Procedure. (Doc. 27) Plaintiff filed its 23 opposition to the motion on September 3, 2015 (Doc. 40), to which Defendants filed a reply on 24 September 14, 2015 (Doc. 41). 25 The Court heard the oral arguments of the parties at a hearing held on September 21, 2015. For 26 the following reasons, Defendants’ motion is GRANTED IN PART. 27 I. 28 Background and Plaintiff’s Allegations Vaquero hired Jeff Herda in 2008 to provide the following services: “Information technology 1 Dockets.Justia.com 1 maintenance, updates, upgrades and coordination services for oil and gas collection facility software, 2 hardware and/or firmware (combination of hardware and embedded software; e.g., mobile phones or 3 digital cameras) including but not limited to Vaquero finance, operational and administrative software 4 and systems, programmable logic controllers [PLC’s] and a related centralized supervisory control and 5 data acquisition [SCADA] system.” (Doc. 16 at 3-4, ¶ 10) Plaintiff alleges the services involved “the 6 translation of instructions received from plaintiff Vaquero’s employees into a so-called ladder logic, 7 whereby Defendants utilized third-party software… to select from a drop-down menu a series of 8 instructions to establish a desired sequence to control and instruct effectively the PLC devices 9 connected to oil and gas collection facilities.” (Id. at 4, ¶ 11) 10 Plaintiff asserts that in 2014, Vaquero “initiated a restructuring of its information technology 11 requirements, staffing and strategy.” (Doc. 16 at 5, ¶ 15) Plaintiff alleges that prior to the restructuring, 12 Defendants used a single password … for certain steam generators that was provided to, and known by, 13 plaintiff Vaquero employees.” (Id.) However, after the restructuring, Vaquero discovered the 14 password “was no longer valid.” (Id.) Plaintiff alleges, that unknown to Vaquero “and without 15 permission or authorization, Defendants accessed [the] computer system and imposed new passwords 16 and access control limitations on key or critical PLC devices, SCADA system, and central Vaquero 17 operations and administrative software, hardware, firmware and systems.” (Id.) 18 Plaintiff alleges that in December 2014, Plaintiff requested Herda provide all “logins and 19 passwords to the various server, firewalls, and any other devices.” (Doc. 16 at 6, ¶ 15(A)) In response, 20 Herda provided “an Excel® spreadsheet which did not include or identify all requested information, or 21 the information was inaccurate and did not allow access to various systems.” (Id.) According to 22 Plaintiff, on March 31, 2015, “Herda met with plaintiff Vaquero employees to discuss Vaquero’s needs 23 and strategy for information technology.” (Doc. 16 at 6, ¶15(B)) Plaintiff asserts that at the meeting, 24 the Vaquero employees again requested Herda provide “documentation files for the PLC ladder logic 25 and all user names, passwords and access controls for all Vaquero, PLC’s SCADA, and other software 26 and systems.” (Id.) 27 28 Vaquero asserts the information was not provided, and Seth Hunter (the Operations Manager) made another request for “passwords and documentation files” during a telephone conversation with 2 1 Herda in May 2015. (Doc. 16 at 6, ¶15(C)) Plaintiff contends that Herda refused to disclose the 2 information, and “demanded … a license agreement by which plaintiff Vaquero would be required to 3 pay to defendant Herda an unspecified license fee.” (Id.) Further, Plaintiff asserts that Defendants 4 “without authority deleted and modified the Passwords, ladder logic and/or data previously installed 5 and activated on those PLC’s … for the purpose of preventing plaintiff Vaquero’s use and access to its 6 own systems, computers and files.” (Id. at 9, ¶ 18) Plaintiff alleges Defendants stopped providing 7 services to Vaquero in May 2015, by which time Vaquero paid Defendants more than $1.3 million for 8 the services rendered. (Id. ¶¶ 15, 16) According to Vaquero, if the company “does not receive user names, passwords, control access 9 10 information and documentation for all its PLC’s, SCADA, and other software and systems, it will be 11 unable to completely or effectively maintain, update, upgrade, add, remove and/or coordinate those 12 devices, software and systems.” (Doc. 16 at 8, ¶ 17) Consequently, Vaquero alleges that “the integrity, 13 safety and security of plaintiff Vaquero’s gas and oil collection installations, and all employees at those 14 installations, are in jeopardy of a singular (or cascade of) failure(s) of the device(s), software and 15 system(s) that may cause (a) mechanism(s) to malfunction – at a potentially catastrophic level.”1 (Id. at 16 8-9, ¶ 17) Based upon these facts, Plaintiff alleges Defendants are liable for violations of (1) the Computer 17 18 Fraud and Abuse Act, 18 U.S.C. § 1030; (2) the California Computer Data Access and Fraud Act, Cal. 19 Pen. Code §502; (3) the Stored Communications Act, 18 U.S.C. § 2701; and (4) California’s Unfair 20 Competition Law, Cal. Bus. & Prof. Code § 17200. (See generally Doc. 16) Here, Defendants seek 21 dismissal of the first and third causes of action. (Doc. 27 at 1-2) 22 III. Legal Standards for a Motion to Dismiss 23 A Rule 12(b)(6) motion “tests the legal sufficiency of a claim.” Navarro v. Block, 250 F.3d 24 729, 732 (9th Cir. 2001). Dismissal under Rule 12(b)(6) is appropriate when “the complaint lacks a 25 cognizable legal theory or sufficient facts to support a cognizable legal theory.” Mendiondo v. 26 27 28 1 Vaquero requested a preliminary injunction to compel Defendants to disclose “passwords, user-names, .dat files, and all related access controls for all Vaquero computers, servers, and/or firmware and related attached equipment and components,” and to enjoin Defendants from any further access of the PLCs and SCADA systems. (Doc. 15 at 2-3) The Court granted the preliminary injunction on August 28, 2015. (Docs. 34, 39) 3 1 Centinela Hosp. Med. Ctr., 521 F.3d 1097, 1104 (9th Cir. 2008). Thus, under Rule 12(b)(6), “review 2 is limited to the complaint alone.” Cervantes v. City of San Diego, 5 F.3d 1273, 1274 (9th Cir. 1993). Allegations of a complaint must be accepted as true when the Court considers a motion to 3 4 dismiss. Hospital Bldg. Co. v. Rex Hospital Trustees, 425 U.S. 738, 740 (1976). “To survive a 5 motion to dismiss, a complaint must contain sufficient factual matter, accepted as true, to ‘state a 6 claim to relief that is plausible on its face.’” Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009) (quoting Bell 7 Atl. Corp. v. Twombly, 550 U.S. 544, 570 (2007)). The Supreme Court explained, A claim has facial plausibility when the plaintiff pleads factual content that allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged. The plausibility standard is not akin to a “probability requirement,” but it asks for more than a sheer possibility that a defendant has acted unlawfully. Where a complaint pleads facts that are “merely consistent with” a defendant=s liability, it “stops short of the line between possibility and plausibility of ‘entitlement to relief.’” 8 9 10 11 12 Iqbal, 556 U.S. at 678 (internal citations, quotation marks omitted). A court must construe the pleading in the light most favorable to the plaintiff, and resolve all 13 14 doubts in favor of the plaintiff. Jenkins v. McKeithen, 395 U.S. 411, 421 (1969). “The issue is not 15 whether a plaintiff will ultimately prevail, but whether the claimant is entitled to officer evidence to 16 support the claims. Indeed it may appear on the face of the pleadings that a recovery is very remote and 17 unlikely but that is not the test.” Scheuer v. Rhodes, 416 U.S. 232, 236 (1974). However, the Court 18 “will dismiss any claim that, even when construed in the light most favorable to plaintiff, fails to plead 19 sufficiently all required elements of a cause of action.” Student Loan Marketing Assoc. v. Hanes, 181 20 F.R.D. 629, 634 (S.D. Cal. 1998). Leave to amend should not be granted if “it is clear that the 21 complaint could not be saved by an amendment.” Livid Holdings Ltd. v. Salomon Smith Barney, Inc., 22 416 F.3d 940, 946 (9th Cir. 2005). 23 IV. 24 Request for Judicial Notice In considering a motion to dismiss, the Court may consider material outside the pleadings when 25 it is properly the subject of judicial notice. See Lee v. City of Los Angeles, 250 F.3d 668, 689 (9th Cir. 26 2001); MGIC Indemnity Corp. v. Weisman, 803 F.2d 500, 504 (9th Cir. 1986). The Court may take 27 judicial notice of a fact that “is not subject to reasonable dispute because it (1) is generally known 28 within the trial court’s territorial jurisdiction; or (2) can be accurately and readily determined from 4 1 sources whose accuracy cannot reasonably be questioned.” Fed. R. Evid. 201. 2 Here, Defendants request that the Court take judicial notice of the declarations of Seth Hunter, 3 Don Lawson, Mark Creasey, and Wyatt Shipley. (Doc. 29 at 1-2) However, Defendants fail to show 4 the statements made by these individuals are subject to judicial notice. To the contrary, the statements 5 made are subject to reasonable dispute, and many statements made by Vaquero’s employees are, in 6 fact, disputed by Defendants. Therefore, Defendants’ request for judicial notice is DENIED. 7 V. 8 Discussion and Analysis Defendants seek dismissal of Plaintiff’s claims arising under the Computer Fraud and Abuse 9 Act and the Stored Communications act, asserting Vaquero fails to state cognizable claims under these 10 acts because “defendants’ conduct was authorized, and because plaintiff’s computers and servers do not 11 fall within the definition of electronic storage or electronic communication service facilities, as required 12 by the Stored Communications Act.” (Doc. 27 at 1-2) 13 A. Computer Fraud and Abuse Act, 18 U.S.C. §1030 14 Congress enacted the Computer Fraud and Abuse Act (“CFAA”) “to target hackers who 15 accessed computers to steal information or to disrupt or destroy computer functionality, as well as 16 criminals who possessed the capacity to access and control high technology processes vital to our 17 everyday lives.” LVRC Holdings LLC v. Brekka, 581 F.3d 1127, 1131 (9th Cir. 2009) (internal 18 quotation marks, citation omitted). “The CFAA prohibits a number of different computer crimes, the 19 majority of which involve accessing computers without authorization or in excess of authorization, and 20 then taking specified forbidden actions, ranging from obtaining information to damaging a computer or 21 computer data.” Id. (citing 18 U.S.C. § 1030(a)(1)-(7)). 22 The term “without authorization” is undefined, but the Ninth Circuit has determined that a 23 person uses a computer “without authorization” under the CFAA “when the person has not received 24 permission to use the computer for any purpose (such as when a hacker accesses someone’s computer 25 without any permission), or when the [computer’s owner] has rescinded permission to access the 26 computer and the defendant uses the computer anyway.” LVRC Holdings LLC, 581 F.3d at 1135. To 27 exceed authorized access “means to access a computer with authorization and to use such access to 28 obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” 18 5 1 U.S.C. § 1030(e)(6); see also LVRC Holdings LLC, 581 F.3d at 1133 (“an individual who is authorized 2 to use a computer for certain purposes but goes beyond those limitations is considered by the CFAA as 3 someone who has ‘exceed[ed] authorized access’”). Here, Plaintiff asserts Defendants violated 4 Sections 1030(a)(5) and 1030(a)(7). (Doc. 16 at 10) 1. 5 Section 1030(a)(5) 6 Pursuant to this section, an individual violates the CFAA when he or she: 7 (A) knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer; (B) intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage; or (C) intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage and loss[.] 8 9 10 11 12 18 U.S.C. § 1030(a)(5). Under the CFAA, “damage means any impairment to the integrity or 13 availability of the data, a program, a system, or information[.]” Id., § 1030(e)(8). Therefore, there are 14 two possible kinds of damage: damage resulting from impairment to the integrity of the data, program 15 or system; and damage resulting from the inability to access the identified data, program, system, or 16 information. 17 Plaintiff alleges its computers and servers “store its confidential information” and are ‘protected 18 computers’ within the scope of 18 U.S.C. § 1030(e)(2).” (Doc. 16 at 10) In addition, Plaintiff alleges 19 Defendants “intentionally accessed Vaquero’s computers and servers and without authorization have 20 intentionally locked Vaquero out of the use of those computers and servers.” (Id.) Specifically, 21 Plaintiff asserts Defendants accessed “Vaquero’s Tunnell Master PLC and Ardantz Pad C PLC and, 22 approximately between May 5, and May 15, 2015, without authority deleted and modified the 23 Passwords, ladder logic and/or data previously installed and activated on those PLC’s on May 5, 2015 24 for the purpose of preventing plaintiff Vaquero’s use and access to its own systems, computers and 25 files.” (Id.) In addition, Plaintiff alleges Defendants changed the passwords to its five steam generators. 26 (Id.) Because Plaintiff alleges Defendants were not authorized to modify the passwords or delete 27 ladder logic, Plaintiff alleges facts sufficient to support a determination that Defendants intentionally 28 accessed Vaquero’s systems and exceeded the scope of the authorization to access the systems. 6 2. 1 Section 1030(a)(7) Plaintiff alleges Defendants violated this section of the CFAA, which provides a cause of action 2 3 against an individual who “with intent to extort from any person any money or other thing of value, 4 transmits in interstate or foreign commerce any communication containing any— 5 (A) threat to cause damage to a protected computer; 6 (B) threat to obtain information from a protected computer without authorization or in excess of authorization or to impair the confidentiality of information obtained from a protected computer without authorization or by exceeding authorized access; or (C) demand or request for money or other thing of value in relation to damage to a protected computer, where such damage was caused to facilitate the extortion” 7 8 9 10 18 U.S.C. § 1030(a)(7). As discussed above, Vaquero asserts Defendants changed the passwords to the PLCs, and seems 11 12 to suggest this was for the purpose of extorting money from the company. (See Doc. 16 at 10) 13 However, Plaintiff fails to allege Defendants made any threats2 to Vaquero, or made demands that were 14 transmitted “in interstate or foreign commerce.” Plaintiff alleges its counsel “delivered a demand” 15 requesting the passwords and other data and, in response, Defendants “replied.” (Doc. 16 at 7) Finally, 16 Vaquero fails to allege facts to support a conclusion that the passwords were, in fact, changed for the 17 purpose of extorting money, rather than protecting the copyright interest claimed by Defendants. 18 Consequently, Plaintiff fails to state a cognizable claim under Section 1030(a)(7). 3. 19 Damages or loss In addition to imposing criminal penalties for the prohibited conduct, the CFAA creates a 20 21 private right of action for “[a]ny person who suffers damage or loss by reason of a violation” of the 22 statute. 18 U.S.C. § 1030(g). However, a private claim “may be brought only if the conduct involves 1 23 of the factors set forth in subclauses (I), (II), (III), (IV), or (V) of subsection (c)(4)(A)(i).” Id. Thus, it is 24 not enough that Plaintiff be able to show Defendants acted without authorization, or beyond the scope 25 of authorization. To state a claim under the CFAA, a plaintiff must further show one of the following: (I) 26 loss to 1 or more persons during any 1-year period (and, for purposes of an investigation, prosecution, or other proceeding brought by the United States only, loss resulting from a 27 28 2 Seemingly, at issue in the first amended complaint, are the acts of Defendants taken to install passwords on the PLCs and other equipment certain when Defendants were authorized to access Plaintiff’s system. 7 related course of conduct affecting 1 or more other protected computers) aggregating at least $5,000 in value; 1 2 (II) the modification or impairment, or potential modification or impairment, of the medical examination, diagnosis, treatment, or care of 1 or more individuals; 4 (III) physical injury to any person; 5 (IV) a threat to public health or safety; 6 (V) damage affecting a computer used by or for an entity of the United States Government in furtherance of the administration of justice, national defense, or national security; or (VI) damage affecting 10 or more protected computers during any 1-year period[.] 3 7 8 9 18 U.S.C. § 1030(c)(4)(A)(i). 10 In this case, Plaintiff alleges Vaquero incurred “substantial costs in excess of $5,000 to 11 investigate and attempt to remediate” the actions taken by Defendants, including password-protecting 12 the PCL and SCADA systems. (Doc. 16 at 10-11) Thus, Plaintiff has alleged damages sufficient to 13 support a claim for relief under CFAA. However, Plaintiff fails to allege sufficient facts to support its 14 CFAA claim premised upon Section 1030(a)(7). Accordingly, Defendants’ motion to dismiss the first 15 cause of action is GRANTED IN PART, and the claim, to the extent it is based upon Section 16 1030(a)(7), is dismissed with leave to amend. 17 B. Stored Communications Act, 18 U.S.C. § 2701 18 Vaquero asserts Defendants are liable for a violation of the Stored Communications Act 19 (“SCA”), which creates criminal and civil liability for some acts of unauthorized access to wire and 20 electronic communications and records in temporary and backup storage. See Knopp v. Hawaiian 21 Airlines, Inc., 302 F.3d 868, 874 (9th Cir. 2002). The SCA creates a private right of action against 22 “whoever— 23 24 25 (1) intentionally accesses without authorization a facility through which an electronic communication service is provided; or (2) intentionally exceeds an authorization to access that facility; and thereby obtains, alters, or prevents authorized access to a wire or electronic communication while it is in storage in such system…” 26 27 28 18 U.S.C. § 2701(a); see also 18 U.S.C. § 2707 (creating a private right of action). The SCA defines the term “electronic communication services” as “any service which provides 8 1 to users thereof the ability to send or receive wire or electronic communications.” 18 U.S.C. § 2 2510(15). Likewise, the SCA defines “electronic communications” as “any transfer of signs, signals, 3 writing, images, sounds, data, or intelligence of any nature transmitted in whole or in part by a wire, 4 radio, electromagnetic, photoelectronic, or photooptical system that affects interstate or foreign 5 commerce [with four irrelevant exceptions].” 18 U.S.C. § 2510(12). The SCA does not define the term 6 “facility.” However, courts have determined that a “facility” is operated by electronic communication 7 service providers. Cousineau v. Microsoft Corp., 6 F. Supp. 3d 1167, 1174 (W.D. Wash. 2014). 8 In Cousineau, the court determined whether a smart phone was a “facility” for purposes of the 9 SCA. In relying heavily on In re iPhone Application Litigation, 844 F.Supp.2d, 1040, 1050 (N.D. Cal. 10 2012), Cousineau rejected that the smart phone was a facility when it held that, “The fact that the phone 11 not only received but also sent data does not change this result, because nearly all mobile phones 12 transmit data to service providers.” Notably, cases after iPhone—as noted in Cosineau—determined 13 that for a device to be a “facility” under the SCA, “it must perform server-like functions.” For 14 example, in In re Pharmatrak, Inc. Privacy Litig., 220 F. Supp. 2d 4, 13 (D. Mass. 2002) the Court 15 explained, 16 17 18 19 20 21 22 23 Defendants are correct that an individual Plaintiff's personal computer is not a “facility through which an electronic communication service is provided” for the purposes of § 2701. Plaintiffs find it noteworthy that “[p]ersonal computers provide consumers with the opportunity to access the Internet and send or receive electronic communications,” and that “[w]ithout personal computers, most consumers would not be able to access the Internet or electronic communications.” Fair enough, but without a telephone, most consumers would not be able to access telephone lines, and without televisions, most consumers would not be able to access cable television. Just as telephones and televisions are necessary devices by which consumers access particular services, personal computers are necessary devices by which consumers connect to the Internet. While it is possible for modern computers to perform server-like functions, there is no evidence that any of the Plaintiffs used their computers in this way. While computers and telephones certainly provide services in the general sense of the word, that is not enough for the purposes of the ECPA. The relevant service is Internet access, and the service is provided through ISPs or other servers, not though Plaintiffs' PCs. 24 25 Id. 220 F. Supp. 2d 4, 13 (D. Mass. 2002) (emphasis added); See also Theofel v. Farey-Jones, 359 F.3d 26 1066, 1071 (9th Cir. 2004) [pleading is sufficient if the “substance of plaintiffs’ claims is that 27 defendants improperly accessed [the defendant’s] servers.”] 28 Here, though Plaintiff alleges Defendants exceeded the scope of the authorization given to 9 1 access the PLCs and SCADA systems, Plaintiff fails to allege facts sufficient to support a conclusion 2 that the PLCs and SCADA systems are “facilities” under the SCA. Consequently, Defendants’ motion 3 to dismiss the third cause of action is GRANTED, and the claim is dismissed with leave to amend. 4 VI. 5 6 7 Conclusion and Order Based upon the foregoing, IT IS HEREBY ORDERED that Defendants’ motion to dismiss is GRANTED IN PART, as follows: 1. Defendants’ motion to dismiss the first cause of action for a violation of the Computer 8 Fraud and Abuse Act is DENIED to the extent it is based upon a violation of Section 9 1030(a)(5) and GRANTED to the extent the cause of action is based upon a violation of Section (a)(7); 10 11 2. Communications Act is GRANTED; and 12 13 Defendants’ motion to dismiss the third cause of action for a violation for the Stored 3. Plaintiff SHALL file any amended complaint no later than September 21, 2015 of the 14 date of service of this order. If Plaintiff chooses to not file a Second Amended 15 Complaint, the First Amended Complaint will stand, with the claims dismissed as 16 identified by this Order. 17 18 19 20 IT IS SO ORDERED. Dated: September 21, 2015 /s/ Jennifer L. Thurston UNITED STATES MAGISTRATE JUDGE 21 22 23 24 25 26 27 28 10
]]>
Some case metadata and case summaries were written with the help of AI, which can produce inaccuracies. You
should read the full case before relying on it for legal research purposes.
This site is protected by reCAPTCHA and the Google
Privacy Policy and
Terms of Service apply.
