Ruling Limits Protection Against Corporate Data Theft

Due to a recent decision by the Federal Court for the Northern District of California, protection for private information stored on a computer took a hit. The court ruled against the corporation NetApp, which alleged that a contracted third-party accessed its servers and stole trade secrets and then gave that information to one of NetApp’s competitors. Not only did NetApp lose, but the court’s holding that the information NetApp sought to protect was not “property” leads to some troubling ramifications for future victims of cyber-crimes.

NetApp brought suit against the corporation Nimble and Michael Reynolds, an employee of Nimble, claiming unfair competition, trespass to chattels, and violations of the Computer Fraud and Abuse Act (CFAA), among other things. Reynolds had previously worked for a company with which NetApp contracted. NetApp alleged that Reynolds accessed its system to gain confidential and proprietary information, which he then used to lure customers to Nimble, a company that competes directly with NetApp.

The court first found that Nimble was not vicariously liable for Reynolds. None of the theories set forth by NetApp—employer-employee relationship, alter-ego, and conspiracy—were sufficient to hold Nimble liable for Reynolds’s alleged actions.

CFAA Claim

The court then turned to the CFAA charges. The “CFAA imposes liability on whomever:

(A) knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer;

(B) intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage; or

(C) intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage and loss.[1]

Section 1030(e)(8) defines ‘damage’ as ‘any impairment to the integrity or availability of data, a program, a system, or information.’”[2] NetApp argued that Reynolds damaged it in three ways: by copying and moving its information to an insecure place, by diminishing the information’s value by giving it to a competitor, and by modifying its performance data. The court denied all three arguments.

Copying and moving the information was not ruled as damage under the CFAA[3] because the CFAA was not written to protect computers from the transferring of trade secrets, copying does not cause damage to the “integrity” of the systems, and simply copying does not lead to any sort of destruction of data. NetApp’s second argument that by accessing the information and giving it to a direct competitor Reynolds reduced its value, was also dismissed by the court. The court reasoned that the information retained its integrity (in that it was still the exact same as before) and that it was still fully available to NetApp, which left it outside of the CFAA’s reach. The court applied the same rationale to NetApp’s third argument that Reynolds modified its performance data and dismissed that argument as well.

Trespass to Chattels

NetApp also accused Reynolds of trespass to chattels (taking of personal “things”), the chattels being NetApp’s information on its servers including training materials and internal company documents and forms. NetApp claimed Nimble could use all of those materials without investing time and money (as NetApp did) to create them. The court ruled that NetApp failed to show any positive law[4] that gave it a propriety interest in those materials, and thus dismissed the trespass to chattels claim.

Unfair Competition

Finally, NetApp alleged unfair competition against Nimble based on the competing company’s attempt to draw NetApp employees to Nimble and using NetApp employees to help acquire the information from NetApp’s servers. Unfair competition requires a separate “nucleus of facts” from the trespass to chattels and trade secrets claims, and the court was suspect that NetApp sufficiently plead a different set of facts. The court ultimately ruled that NetApp’s pleadings were too vague to determine whether or not California trade secret law or federal copyright law preempted NetApp’s claims, and it rejected the claims.

NetApp also alleged unfair competition against Reynolds himself. The court again found that federal copyright law and California trade secret law preempted some of the claims. However, the court denied the Defendants’ motion to dismiss saying that some of NetApp’s claims may not be preempted and could possibly be heard.

In the end, NetApp was, practically speaking, completely defeated by the ruling. While not binding precedent, the ruling is a scary one for companies trying to protect their electronic and online services. The most worrisome ruling being that NetApp’s seemingly proprietary information was not supported by positive law and thus unprotected by many anti-theft laws. Only time will tell if this interpretation finds a solid footing elsewhere.

[1] NetApp, Inc. v. Nimble Storage, Inc., 2015 U.S. Dist. LEXIS 11406, 38 (N.D. Cal. Jan. 29, 2015) (citing 18 U.S.C. § 1030(a)(5)).

[2] Id. (citing 18 U.S.C. § 1030(e)(8)).

[3] By this court. However, the court did acknowledge that there is a split opinion amongst courts. Id. at 43-44.

[4] NetApp argued that it had a copyright interest in the materials, but the court was unconvinced.