From Casetext: Smarter Legal Research

Greenburg v. Wray

United States District Court, District of Arizona
Jun 16, 2022
No. CV-22-00122-PHX-DLR (D. Ariz. Jun. 16, 2022)

Opinion


Mark Alan Greenburg, Plaintiff, v. Amanda Wray, et al., Defendants.


ORDER

Douglas L. Rayes, United States District Judge

Pending before the Court is Defendants Amanda Wray and Daniel Wray's motion to dismiss Plaintiff Mark Greenburg's first amended complaint for failure to state a claim. (Doc. 15, 16, 17.) For the following reasons, the Court denies the motion.

I. Background

Amanda Wray manages a 2,000-member Facebook group (the “Facebook Group”) “dedicated to propagating anti-mask policies, anti-vaccine policies, anti-LGBTQ policies, and anti-Critical Race Theory policies within the Scottsdale Unified School District.” Daniel Wray is a member of the group. Plaintiff's son serves on the Scottsdale Unified No. 48 Governing Board, the elected governing body that manages Scottsdale Unified No. 48 School District (the “District”). (Doc. 9 at 3-4.)

In response to activities by Defendants and the Facebook Group, Plaintiff began collecting information on them, including photographs, video footage, discussions with third parties concerning them, personal comments and thoughts, and political memes. Plaintiff stored these records on his personal “Google Drive” server. Plaintiff specifically shared server access with three individuals (including Plaintiff's son), who could access the server by signing into their own password-protected Google accounts. Although Plaintiff didn't realize it at the time, the sharing settings on his Google Drive also allowed anyone to access the server by typing in the exact URL. (Doc. 9 at 4-6.)

In 2021, Plaintiff's son was accused of defamation. He responded to his accuser by emailing “13 photographs of public Facebook comments, made by his accuser, some of which were stored on the server.” One of the photographs displayed the URL to the Google Drive, and that photograph made its way into Amanda's possession, where she noticed the URL and asked a third party to make a hyperlink for the URL. Once provided, she clicked on it to access the Google Drive. She reviewed, downloaded, deleted, added, reorganized, renamed, and publicly disclosed contents of the Google Drive. (Doc. 9 at 6-8.)

Plaintiff learned of the access and hired a forensic IT consultant team to conduct a damage assessment. He then sued Defendants under the Computer Fraud and Abuse Act (“CFAA”), 18 U.S.C. § 1030(a)(2), alleging a loss of at least $5,000. (Doc. 9 at 8.)

II. Analysis

To survive a Rule 12(b)(6) motion to dismiss, a complaint must contain factual allegations sufficient to “raise a right to relief above the speculative level.” Bell Atl. Corp. v. Twombly, 550 U.S. 544, 555 (2007). The task when ruling on a motion to dismiss “is to evaluate whether the claims alleged [plausibly] can be asserted as a matter of law.” Adams v. Johnson, 355 F.3d 1179, 1183 (9th Cir. 2004); accord Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009). When analyzing the sufficiency of a complaint, the well-pled factual allegations are taken as true and construed in the light most favorable to the plaintiff. Cousins v. Lockyer, 568 F.3d 1063, 1067 (9th Cir. 2009). However, legal conclusions couched as factual allegations are not entitled to the assumption of truth, Iqbal, 556 U.S. at 680, and therefore are insufficient to defeat a motion to dismiss for failure to state a claim, In re Cutera Sec. Litig., 610 F.3d 1103, 1108 (9th Cir. 2008).

To “bring an action successfully under 18 U.S.C. § 1030(g) based on a violation of 18 U.S.C. § 1030(a)(2),” Plaintiff must allege that Defendants:

(1) intentionally accessed a computer, (2) without authorization or exceeding authorized access, and that he (3) thereby obtained information (4) from any protected computer (if the conduct involved an interstate or foreign communication), and that (5) there was loss to one or more persons during any one-year period aggregating at least $5,000 in value.
LVRC Holdings LLC v. Brekka, 581 F.3d 1127, 1132 (9th Cir. 2009). Defendants argue that Plaintiff has not pled the second and fifth elements.

Citing hiQ Labs, Inc. v. LinkedIn Corp., 31 F.4th 1180 (9th Cir. 2022), Defendants argue that Plaintiff did not allege that Amanda accessed the Google Drive without authorization. (Doc. 15.) In hiQ, a data analytics company, hiQ, was scraping data on public LinkedIn profiles, data indexed by search engines. Id. at 1186-87. LinkedIn found out, sent hiQ a cease-and-desist letter, and imposed technical measures to prevent scraping data from public profiles. Id. at 1187. But hiQ didn't stop and instead sought a declaratory judgment that LinkedIn “could not lawfully invoke the CFAA” against it for scraping the data found on public LinkedIn profiles. Id. Ultimately, the Ninth Circuit determined that hiQ's data scraping did not fall within the CFAA because “anyone with a web browser” could access the data.

On review, the Ninth Circuit reasoned that “the prohibition on unauthorized access is properly understood to apply only to private information - information delineated as private through use of a permission requirement of some sort.” Id. at 1197. Thus, for a website to fall under CFAA protections, it must have erected “limitations on access.” Id. at 1199. And if “anyone with a browser” could access the website, it had no limitations on access.

This is a close call. Plaintiff acknowledges that the portion of the Google Drive accessed by Amanda was not password protected; Plaintiff had inadvertently enabled the setting that allowed anyone with the URL to access the site. But, Plaintiff alleges that this setting did not per se render the Google Drive public, given that the URL was a string of 68 characters. What's more, the Google Drive was not indexed by any search engines, unlike the website in hiQ. Therefore, it wasn't just “anyone with a browser” who could stumble upon the Google Drive on a web search - the internet denizen wishing to access the Google Drive needed to obtain the exact URL into the browser. By the Court's eye, Plaintiff alleges that the Google Drive had limitations and thus persons attempting to access it needed authorization.

Plaintiff alleges that the disclosure of the URL - the limitation - did not grant Amanda authorization to access the Google Drive. He asserts that the disclosure was inadvertent. As the Ninth Circuit has recognized, inadvertent disclosure of the means around a limitation on access does not per se grant authorization. See Theofel v. Farey-Jones, 359 F.3d 1066, 1074, 1078 (9th Cir. 2004). Plaintiff has sufficiently pled the elements of a violation of 18 U.S.C. § 1030(a)(2).

Defendants next argue that Plaintiff's allegations of $5,000 in damages are too conclusory to state a claim. Not so. Plaintiff alleges that Amanda accessed the Google Drive without authorization, causing changes to the files saved there, and that he had to hire a forensic IT team to determine the scope of the damage, all of which he alleges cost at least $5,000. (Doc. 9 at 7-8.) Plaintiff is not obligated to provide itemized receipts at the pleading stage.

Finally, Defendants argue that because the complaint includes no allegation that Daniel accessed Plaintiff's computer, he must be dismissed as a defendant. Plaintiff maintains that if Amanda is liable under the CFAA, Daniel must be joined so that any resulting judgment may be collected from the marital community. See A.R.S. § 25-215; Spudnuts, Inc. v. Lane, 676 P.2d 669, 670 (Ariz. Ct. App. 1984) (“[I]f a plaintiff wants to hold a marital community accountable for an obligation, both spouses must be sued jointly. A judgment against one spouse does not bind the community.”). In reply, Defendants offer no reason why Daniel's joinder on this basis is improper. The Court notes, however, that Plaintiff's first amended complaint and response both are bereft of any argument or allegation that Daniel accessed the Google Drive. Thus, the Court understands that Daniel is named solely for purposes of collecting any potential judgment from the marital community.

Finally, Plaintiff asks the Court to strike portions of the motion to dismiss that contain matters outside the pleadings or else convert the motion to dismiss to a motion for summary judgment. Even if the matters fell outside the pleadings, they have no bearing on the Court's analysis here, and so the Court declines to grant Plaintiff's requested relief.

IT IS ORDERED that Defendants' motion to dismiss (Doc. 15) is DENIED.

IT IS FURTHER ORDERED setting this matter for a Rule 16 scheduling conference on Thursday, July 7, 2022, at 11:00 a.m. The Court anticipates this hearing will be held telephonically. The parties will be provided with call-in information via separate email. If the parties wish to submit a revised proposed discovery plan, the revised discovery plan shall be filed no later than June 30, 2022.


Citing Cases

Ryanair DAC v. Booking Holdings Inc.

Other district court decisions are in accord. See, e.g., Greenburg v. Wray, No. 22-cv-122, 2022 WL 2176499,…

Davis v. HDR Inc.

The Plaintiff next cites Greenburg v. Wray, No. CV-22-00122-PHX-DLR, 2022 WL 2176499 (D. Ariz. June…