X (Formerly Twitter) v CCDH: Analysis of CFAA Violation Claim

C. Violation of CFAA[26]

The complaint’s second cause of action is for violation of the CFAA. See FAC ¶¶ 80–88. “Congress enacted the CFAA in 1984 primarily to address the growing problem of computer hacking.” United States v. Nosal, 676 F.3d 854, 858 (9th Cir. 2012) (“Nosal I”). Under the CFAA, a party may be subject to liability if it “intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains . . . information from any protected computer.” 18 U.S.C § 1030(a)(2)(C).[27] Courts are to interpret this prong of the statute narrowly, as the CFAA “is primarily a criminal statute” and is interpreted similarly across criminal and civil cases. See LVRC Holdings LLC v. Brekka, 581 F.3d 1127, 1134 (9th Cir. 2009). A private right of action is available to “[a]ny person who suffers damage or loss by reason of a violation of this section.” 18 U.S.C. § 1030(g).

X Corp. alleges that “Defendants, except ECF, have violated the CFAA by knowingly, and with intent to defraud X Corp., accessing a protected computer, without authorization, and by means of such conduct furthered the fraud and obtained one or more things of value.” FAC ¶ 82. It alleges that X Corp. provided non-public data to Brandwatch, which Brandwatch stored on a protected computer “accessible to only those with login credentials.” Id. ¶ 83. It alleges that Defendants other than ECF “were never validly given login credentials,” knew that the data was secured by the Brandwatch Agreements, and knew that they did not have authorization to access it, but nonetheless “conspired with ECF[] to share its login credentials.” Id. ¶ 84. It continues: “Defendants other than ECF then accessed that data without authorization” in order to mischaracterize the data in CCDH publications. Id. It further alleges that ECF and CCDH conspired to violate the CFAA so that CCDH could access X Corp.’s data, and, in knowing violation of X Corp.’s agreements with Brandwatch and ECF’s agreements with Brandwatch, ECF gave CCDH its login credentials. Id. ¶ 85. X Corp. finally alleges that it suffered a loss of over $5,000 as a result of the violations, including money spent on internal investigations, employee resources and time to assist in those investigations, and attorneys’ fees. Id. ¶ 87.

CCDH argues that X Corp. fails to state a claim for violation of the CFAA because (1) X Corp. has not adequately alleged that CCDH accessed the Brandwatch data “without authorization”; (2) X Corp. has not adequately alleged loss; and (3) X Corp. has failed to specify which CFAA subsection was violated. MTD&S at 19–23. The Court concludes that CCDH’s argument about loss is persuasive, and does not reach CCDH’s other arguments.

A civil claim under the CFAA requires “loss to 1 or more persons during any 1-year period . . . aggregating at least $5,000 in value.” 18 U.S.C. § 1030(c)(4)(A)(i)(I); Andrews v. Sirius XM Radio Inc., 932 F.3d 1253, 1262 (9th Cir. 2019). The CFAA “defines ‘loss’ as ‘any reasonable cost to any victim, including the cost of responding to an offense, conducting a damages assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service.’” Andrews, 932 F.3d at 1262 (quoting 18 U.S.C. § 1030(e)(11)).

CCDH argues that X Corp.’s loss allegations are inadequate because they are not losses from technical harms. MTD&S at 21. That is indeed a requirement under the CFAA, as the Supreme Court held in Van Buren v. United States, 141 S. Ct. 1648, 1659– 60 (2021). The Court explained that “[t]he term ‘loss’ . . . relates to costs caused by harm to computer data, programs, systems, or information services.” Id. Despite X Corp.’s suggestion at the motion hearing that only damages must relate to “damage to the system,” see Tr. of 2/29/24 Hearing at 26:9–24, the Court in Van Buren stated that both damages and loss under the CFAA “focus on technological harms—such as the corruption of files— of the type unauthorized users cause to computer systems and data,” Van Buren, 141 S. Ct. at 1660. It observed that “[l]imiting ‘damage’ and ‘loss’ in this way makes sense in a scheme ‘aimed at preventing the typical consequences of hacking.’” Id. (quoting Royal Truck & Trailer Sales & Serv., Inc. v. Kraft, 974 F.3d 756, 760 (6th Cir. 2020)). The Ninth Circuit recognized this required showing of “technological harms” in the hiQ case. See hiQ 2022 Circuit opinion, 31 F.4th at 1195 n.12 (quoting Van Buren, 141 S. Ct. at 1659–60).

X Corp. responds that “[c]osts to investigate and stop alleged violations of the CFAA are cognizable losses,” but it cites only to an unopposed Report and Recommendation, and a distinguishable one. See Opp’n at 26 (citing Facebook, Inc. v. Holper, No. 20-cv-6023-JCS, 2022 WL 17167958, at *8 (N.D. Cal. Sept. 27, 2022)). In Holper, 2022 WL 17167958, at *8, in trying to meet the CFAA’s damages threshold, Facebook pointed to its employees’ “efforts to investigate and stop” the defendant’s conduct. Facebook’s employees had disabled the defendant’s accounts, blocked his access, and sent him a cease and desist letter. Id. at *2. Here, though, X Corp. employees did not disable CCDH’s Brandwatch account, or block CCDH’s Brandwatch access, and they could not “stop” CCDH from accessing Brandwatch, because X Corp. is not Brandwatch.

X Corp.’s losses in connection with “attempting to conduct internal investigations in efforts to ascertain the nature and scope of CCDH’s unauthorized access to the data,” see FAC ¶ 87, are not technological in nature. The data that CCDH accessed does not belong to X Corp., see Kaplan Decl. Ex. A at 13 (providing that users own their content and grant X Corp. “a worldwide, non-exclusive, royalty-free license”), and there is no allegation that it was corrupted, changed, or deleted. Moreover, the servers that CCDH accessed are not even X Corp.’s servers. X Corp. asserted at the motion hearing that its servers “stream data to Brandwatch servers in response to queries from a logged in user” and so “you cannot say fairly it’s not our systems.” Tr. of 2/29/24 Hearing at 28:16–20. But that is not what the complaint alleges. The complaint alleges that “X Corp. provided non-public data to Brandwatch” and “[t]hat data was then stored on a protected computer.” FAC ¶ 83; see also id. ¶ 86 (“the Licensed Materials were stored on servers located in the United States that Brandwatch used for its applications. CCDH and ECF thus knew that, in illegally using ECF’s login credentials and querying the Licensed Materials, CCDH was targeting and gaining unauthorized access to servers used by Brandwatch in the United States.”) (emphasis added); id. ¶ 29 (Twitter would stream its Licensed Materials from its servers, “including in California,” to “servers used by Brandwatch [] located in the United States, which Brandwatch’s applications accessed to enable [its] users with login credentials to analyze the data.”).[28] It is therefore hard to see how an investigation by X Corp. into what data CCDH copied from Brandwatch’s servers could amount to “costs caused by harm to computer data, programs, systems, or information services.” See Van Buren, 141 S. Ct. at 1659–60.

Additionally, it is impossible to see how attorneys’ fees could amount to technological harm. See Delacruz v. State Bar of Cal., No. 16-cv–6858-BLF, 2018 WL 3077750, at *8 (N.D. Cal. Mar. 12, 2018) (“legal expenses are not a cognizable loss under the CFAA”) (citing Wichansky v. Zowine, 150 F. Supp. 3d 1055, 1071–72 (D. Ariz. 2015); Nexans Wires S.A. v. Sark-USA, Inc., 319 F. Supp. 2d 468, 474–75 (S.D.N.Y. 2004)); cf. Fraser v. Mint Mobile, LLC, No. C 22-138 WHA, 2022 WL 2391000, at *2 (N.D. Cal. July 1, 2022) (fees to expert to trace stolen assets “were not related to remedying technological harms inflicted on the breached computer or system”).

Loss incurred “not . . . to assess the breached system but to ‘assess [one’s] damages’” are not cognizable under the CFAA. See Fraser, 2022 WL 2391000, at *2. The Court will therefore dismiss the CFAA claim based on X Corp.’s failure to allege losses based on technological harms. See also NovelPoster v. Javitch Canfield Grp., 140 F. Supp. 3d 954, 964 (N.D. Cal. 2014) (“the majority of cases cited by defendants in which the court found an absence of CFAA-qualifying loss are summary judgment cases,” but “[t]hose cases cited by defendants that do concern pleading motions involve situations where the plaintiff failed to allege that the defendant’s conduct caused impairment of data or interruption of service.”).

[26] Again, the CFAA cause of action is not subject to the motion to strike because it is federal. See Hilton, 599 F.3d at 901 (“[T[he anti-SLAPP statute does not apply to federal law causes of action.”).

[27] A “protected computer” includes essentially any computer connected to the Internet. See hiQ 2022 Circuit opinion, 31 F.4th at 1195; 18 U.S.C. § 1030(e)(2).

[28] FAC ¶ 36 is a slightly closer fit to what X Corp. argued at the motion hearing, as it references both X Corp.’s servers and Brandwatch’s servers, but it is vaguer than paragraphs 29, 83, and 86 about where the Licensed Materials were stored. Even if the Licensed Materials were stored on the X Corp. servers and then streamed to Brandwatch servers whenever a Brandwatch user ran a query, X Corp. did not articulate how CCDH logging into the Brandwatch system using a Brandwatch subscriber’s valid login information could cause technological harm to X Corp.’s server.