Lvrc Holdings LLC v. Brekka ( 2009 )


Menu:
  •                     FOR PUBLICATION
    UNITED STATES COURT OF APPEALS
    FOR THE NINTH CIRCUIT
    LVRC HOLDINGS LLC,                       
    Plaintiff-Appellant,
    v.                              No. 07-17116
    CHRISTOPHER BREKKA; EMPLOYEE                     D.C. No.
    CV-05-01026-KJD
    BUSINESS SOLUTIONS INC.; CAROLYN
    QUAIN; STUART SMITH; BRAD                        OPINION
    GREENSTEIN; FRANK SZABO,
    Defendants-Appellees.
    
    Appeal from the United States District Court
    for the District of Nevada
    Kent J. Dawson, District Judge, Presiding
    Argued and Submitted
    March 13, 2009—San Francisco, California
    Filed September 15, 2009
    Before: M. Margaret McKeown and Sandra S. Ikuta,
    Circuit Judges, and James V. Selna,* District Judge.
    Opinion by Judge Ikuta
    *The Honorable James V. Selna, United States District Judge for the
    Central District of California, sitting by designation.
    13373
    13376            LVRC HOLDINGS v. BREKKA
    COUNSEL
    Thomas G. Grace, Las Vegas, Nevada, for the plaintiff-
    appellant.
    Norman H. Kirshman, Las Vegas, Nevada, for the defendant-
    appellees.
    OPINION
    IKUTA, Circuit Judge:
    LVRC Holdings, LLC (LVRC) filed this lawsuit in federal
    district court against its former employee, Christopher
    Brekka, his wife, Carolyn Quain, and the couple’s two con-
    sulting businesses, Employee Business Solutions, Inc., a
    Nevada corporation (EBSN), and Employee Business Solu-
    tions, Inc., a Florida corporation (EBSF). LVRC alleged that
    Brekka violated the Computer Fraud and Abuse Act (CFAA),
    18 U.S.C. § 1030, by accessing LVRC’s computer “without
    LVRC HOLDINGS v. BREKKA                     13377
    authorization,” both while Brekka was employed at LVRC
    and after he left the company. See 18 U.S.C. § 1030(a)(2), (4).
    The district court granted summary judgment in favor of the
    defendants. We affirm. Because Brekka was authorized to use
    LVRC’s computers while he was employed at LVRC, he did
    not access a computer “without authorization” in violation of
    § 1030(a)(2) or § 1030(a)(4) when he emailed documents to
    himself and to his wife prior to leaving LVRC. Nor did email-
    ing the documents “exceed authorized access,” because
    Brekka was entitled to obtain the documents. Further, LVRC
    failed to establish the existence of a genuine issue of material
    fact as to whether Brekka accessed the LVRC website without
    authorization after he left the company.
    I
    LVRC operates Fountain Ridge, a residential treatment
    center for addicted persons, in Nevada.1 As part of its market-
    ing efforts, LVRC retained LOAD, Inc. to provide email,
    website, and related services for the facility. Among other
    duties, LOAD monitored internet traffic to LVRC’s website
    and compiled statistics about that traffic.
    In April 2003, LVRC hired Brekka to oversee a number of
    aspects of the facility. Part of his duties included conducting
    internet marketing programs and interacting with LOAD. At
    the time Brekka was hired, Brekka owned and operated EBSN
    and EBSF, two consulting businesses that obtained referrals
    for addiction rehabilitation services and provided referrals of
    potential patients to rehabilitation facilities through the use of
    internet sites and advertisements. Stuart Smith, the owner and
    operator of LVRC, was aware of Brekka’s businesses,
    although he states he was not aware of the full nature of their
    operations.
    1
    Because this appeal comes to us from the grant of a motion for sum-
    mary judgment, we relate the facts in the light most favorable to LVRC.
    See Nolan v. Heald College, 
    551 F.3d 1148
    , 1150 (9th Cir. 2009).
    13378            LVRC HOLDINGS v. BREKKA
    While Brekka worked for LVRC, he commuted between
    Florida, where his home and one of his businesses were
    located, and Nevada, where Fountain Ridge and his second
    business were located. Brekka was assigned a computer at
    LVRC, but while commuting back and forth between Florida
    and Nevada, he emailed documents he obtained or created in
    connection with his work for LVRC to his personal computer.
    LVRC and Brekka did not have a written employment agree-
    ment, nor did LVRC promulgate employee guidelines that
    would prohibit employees from emailing LVRC documents to
    personal computers.
    In June 2003, Brekka sent an email to LOAD’s administra-
    tor, Nick Jones, requesting an administrative log-in for
    LVRC’s website. Jones sent an email with the administrative
    user name, “cbrekka@fountainridge.com,” and password,
    “cbrekka,” to Brekka’s work email, which Brekka down-
    loaded onto his LVRC computer. By using the administrative
    log-in, Brekka gained access to information about LVRC’s
    website, including the usage statistics gathered by LOAD.
    Brekka used those statistics in managing LVRC’s internet
    marketing.
    In August 2003, Brekka and LVRC entered into discus-
    sions regarding the possibility of Brekka purchasing an own-
    ership interest in LVRC. At the end of August 2003, Brekka
    emailed a number of LVRC documents to his personal email
    account and his wife’s personal email account. These docu-
    ments included a financial statement for the company,
    LVRC’s marketing budget, admissions reports for patients at
    Fountain Ridge, and notes Brekka took from a meeting with
    another Nevada mental health provider. On September 4,
    2003, Brekka emailed a master admissions report, which
    included the names of past and current patients at Fountain
    Ridge, to his personal email account.
    In mid-September 2003, negotiations regarding Brekka’s
    purchase of an ownership interest in LVRC broke down, and
    LVRC HOLDINGS v. BREKKA                    13379
    Brekka ceased working for LVRC. Brekka left his LVRC
    computer at the company and did not delete any emails from
    the computer, so the June 2003 email from Nick Jones, which
    included the administrative user name and password,
    remained on his computer.
    After Brekka left the company, other LVRC employees had
    access to Brekka’s former computer, including Brad Green-
    stein, a consultant who was hired shortly before Brekka left
    and who assumed many of Brekka’s responsibilities. At some
    point after Brekka left, the email with the administrative log-
    in information was deleted from his LVRC computer.
    On November 19, 2004, while performing routine monitor-
    ing of the LOAD website, Jones noticed that someone was
    logged into the LVRC website using the user name
    “cbrekka@fountainridge.com” and was accessing LVRC’s
    LOAD statistics. Jones contacted Greenstein about the use of
    the “cbrekka” log-in. Jones also provided the IP address of the
    log-in and the location of the Internet Service Provider (ISP)
    associated with that IP address, namely, Redwood City, Cali-
    fornia. Greenstein instructed Jones to deactivate the “cbrekka”
    log-in, and Jones did so the same day. Shorting thereafter,
    LVRC filed a report with the FBI, alleging that Brekka had
    unlawfully logged into LVRC’s website.
    LVRC then brought an action in federal court, alleging that
    Brekka violated the CFAA when he emailed LVRC docu-
    ments to himself in September 2003 and when he continued
    to access the LOAD website after he left LVRC. In addition,
    LVRC brought a number of state tort actions. In response,
    Brekka filed a third-party complaint against Smith, Green-
    stein, and Frank Szabo, alleging that they defamed him by
    making statements that Brekka had stolen information from
    LVRC.2
    2
    Brekka’s third-party complaint against Smith, Greenstein, and Frank
    Szabo is not on appeal before us.
    13380                LVRC HOLDINGS v. BREKKA
    The district court granted summary judgment in favor of
    Brekka. After dismissing the federal law claims, the district
    court declined to exercise supplemental jurisdiction over the
    remaining state law claims and dismissed the case. LVRC
    filed a motion to reconsider. Before the district court ruled on
    the motion, LVRC filed this appeal. We review the district
    court’s grant of a motion for summary judgment de novo.
    SDV/ACCI, Inc. v. AT&T Corp., 
    522 F.3d 955
    , 958 (9th Cir.
    2008).
    II
    The CFAA was enacted in 1984 to enhance the govern-
    ment’s ability to prosecute computer crimes. The act was
    originally designed to target hackers who accessed computers
    to steal information or to disrupt or destroy computer func-
    tionality, as well as criminals who possessed the capacity to
    “access and control high technology processes vital to our
    everyday lives . . . .” H.R. Rep. 98-894, 1984 U.S.C.C.A.N.
    3689, 3694 (July 24, 1984). The CFAA prohibits a number of
    different computer crimes, the majority of which involve
    accessing computers without authorization or in excess of
    authorization, and then taking specified forbidden actions,
    ranging from obtaining information to damaging a computer
    or computer data. See 18 U.S.C. § 1030(a)(1)-(7) (2004).3
    [1] LVRC’s complaint alleged that Brekka committed two
    of the crimes established by the CFAA, 18 U.S.C.
    §§ 1030(a)(2) and (a)(4). Section § 1030(a)(2) provides for
    criminal penalties to be imposed on a person who:
    3
    The CFAA has been amended multiple times since 1984; for purposes
    of this case, the 1986 amendments are applicable. The act was amended
    again in 2008. See Pub. L. 110-326, §§ 203-08. Unless otherwise indi-
    cated, all citations in this opinion are to the 2004 U.S. Code, which con-
    tains the version of the CFAA in force during the relevant time period in
    this case.
    LVRC HOLDINGS v. BREKKA                       13381
    intentionally accesses a computer without authoriza-
    tion or exceeds authorized access, and thereby
    obtains— . . .
    (C) information from any protected computer if the
    conduct involved an interstate or foreign communi-
    cation . . . .
    18 U.S.C. § 1030(a)(2). Section 1030(a)(4) provides for crim-
    inal penalties to be imposed on a person who:
    knowingly and with intent to defraud, accesses a
    protected computer without authorization, or exceeds
    authorized access, and by means of such conduct
    furthers the intended fraud and obtains anything of
    value . . . .
    18 U.S.C. § 1030(a)(4).4
    [2] LVRC brought suit under the provision of the statute
    that creates a right of action for private persons injured by
    such crimes. Section 1030(g) provides in pertinent part:
    Any person who suffers damage or loss by reason of
    a violation of this section may maintain a civil action
    against the violator to obtain compensatory damages
    and injunctive relief or other equitable relief. A civil
    action for a violation of this section may be brought
    only if the conduct involves 1 of the factors set forth
    in clause (I), (ii), (iii), (iv), or (v) of subsection
    (a)(5)(B).
    4
    For purposes of these sections, a “protected computer” is defined as
    including any computer “used in interstate or foreign commerce or com-
    munication, including a computer located outside the United States that is
    used in a manner that affects interstate or foreign commerce or communi-
    cation of the United States.” 18 U.S.C. § 1030(e)(2).
    13382                  LVRC HOLDINGS v. BREKKA
    18 U.S.C. § 1030(g). Thus, a private plaintiff must prove that
    the defendant violated one of the provisions of
    § 1030(a)(1)-(7), and that the violation involved one of the
    factors listed in § 1030(a)(5)(B).5 LVRC claims that Brekka’s
    conduct involved the factor described in subsection
    (a)(5)(B)(i), which proscribes conduct that causes “loss to 1
    or more persons during any 1-year period . . . aggregating at
    least $5,000 in value.” 18 U.S.C. § 1030(a)(5)(B)(i).
    Therefore, to bring an action successfully under 18 U.S.C.
    § 1030(g) based on a violation of 18 U.S.C. § 1030(a)(2),
    LVRC must show that Brekka: (1) intentionally accessed a
    computer, (2) without authorization or exceeding authorized
    access, and that he (3) thereby obtained information (4) from
    any protected computer (if the conduct involved an interstate
    or foreign communication), and that (5) there was loss to one
    or more persons during any one-year period aggregating at
    least $5,000 in value. To bring an action successfully under
    § 1030(g) based on a violation of § 1030(a)(4), LVRC must
    show that Brekka: (1) accessed a “protected computer,” (2)
    without authorization or exceeding such authorization that
    was granted, (3) “knowingly” and with “intent to defraud,”
    5
    The factors set forth in § 1030(a)(5)(B)(i)-(v) are:
    (i) loss to 1 or more persons during any 1-year period (and, for
    purposes of an investigation, prosecution, or other proceeding
    brought by the United States only, loss resulting from a related
    course of conduct affecting 1 or more other protected computers)
    aggregating at least $5,000 in value;
    (ii) the modification or impairment, or potential modification or
    impairment, of the medical examination, diagnosis, treatment, or
    care of 1 or more individuals;
    (iii) physical injury to any person;
    (iv) a threat to public health or safety; or
    (v) damage affecting a computer system used by or for a govern-
    ment entity in furtherance of the administration of justice,
    national defense, or national security . . . .
    18 U.S.C. § 1030(a)(5)(B).
    LVRC HOLDINGS v. BREKKA                   13383
    and thereby (4) “further[ed] the intended fraud and obtain[ed]
    anything of value,” causing (5) a loss to one or more persons
    during any one-year period aggregating at least $5,000 in
    value. See 18 U.S.C. § 1030(a); see also P.C. Yonkers, Inc. v.
    Celebrations the Party and Seasonal Superstore, LLC, 
    428 F.3d 504
    , 508 (3d. Cir. 2005); Theofel v. Farey-Jones, 
    359 F.3d 1066
    , 1078 (9th Cir. 2004).
    In granting Brekka’s summary judgment motion, the dis-
    trict court held that LVRC had failed to establish a violation
    of either § 1030(a)(2) or (4). First, the district court stated that
    “[i]t is undisputed that when Brekka was employed by Plain-
    tiff that he had authority and authorization to access the docu-
    ments and emails that were found on his home computer and
    laptop.” According to the district court, LVRC adduced no
    evidence demonstrating that Brekka accessed an LVRC com-
    puter or any of the documents on the computer “without
    authorization” (an element of both §§ 1030(a)(2) and (4))
    when he emailed documents to himself and to his wife before
    he left the company. The district court based this ruling on its
    conclusion that Brekka had “authorization” to access the
    LVRC computers for purposes of §§ 1030(a)(2) and (4)
    because he was employed by LVRC at the time he emailed
    documents to himself and his wife, and there was no evidence
    that Brekka had agreed to keep the emailed documents confi-
    dential or to return or destroy those documents upon the con-
    clusion of his employment. Second, the district court held that
    LVRC had not put forth evidence from which a reasonable
    jury could find that Brekka logged into the LVRC website
    after leaving LVRC’s employ. Because of the lack of evi-
    dence that Brekka violated § 1030(a)(2) or (4), the district
    court dismissed LVRC’s claim under § 1030(g).
    LVRC disputes both of these determinations, and we
    address each in turn.
    III
    We first consider LVRC’s argument that the district court
    erred in assuming that if Brekka’s access occurred during the
    13384             LVRC HOLDINGS v. BREKKA
    term of his employment, it must have been authorized for pur-
    poses of the CFAA. LVRC argues that because Brekka
    accessed the company computer and obtained LVRC’s confi-
    dential information to further his own personal interests,
    rather than the interests of LVRC, such access was “without
    authorization” for purposes of §§ 1030(a)(2) and (4).
    [3] In interpreting the phrase “without authorization,” we
    start with the plain language of the statute. See United States
    v. Blixt, 
    548 F.3d 882
    , 887 (9th Cir. 2008). The CFAA does
    not define “authorization,” and it is a “fundamental canon of
    statutory construction . . . that, unless otherwise defined,
    words will be interpreted as taking their ordinary, contempo-
    rary, common meaning.” Perrin v. United States, 
    444 U.S. 37
    ,
    42 (1979); see also United States v. Morris, 
    928 F.2d 504
    ,
    511 (2d Cir. 1991) (holding that the word “authorization” for
    purposes of the CFAA is “of common usage, without any
    technical or ambiguous meaning,” and therefore the district
    court “was not obliged to instruct the jury on its meaning”).
    Authorization is defined in the dictionary as “permission or
    power granted by an authority.” RANDOM HOUSE UNABRIDGED
    DICTIONARY, 139 (2001); see also WEBSTER’S THIRD
    INTERNATIONAL DICTIONARY, 146 (2002) (defining authoriza-
    tion as “the state of being authorized” and “authorize” as “to
    endorse, empower, justify, permit by or as if by some recog-
    nized or proper authority”). Based on this definition, an
    employer gives an employee “authorization” to access a com-
    pany computer when the employer gives the employee per-
    mission to use it. Because LVRC permitted Brekka to use the
    company computer, the “ordinary, contemporary, common
    meaning,” 
    Perrin, 444 U.S. at 42
    , of the statute suggests that
    Brekka did not act “without authorization.”
    [4] No language in the CFAA supports LVRC’s argument
    that authorization to use a computer ceases when an employee
    resolves to use the computer contrary to the employer’s inter-
    est. Rather, the definition of “exceeds authorized access” in
    § 1030(e)(6) indicates that Congress did not intend to include
    LVRC HOLDINGS v. BREKKA                 13385
    such an implicit limitation in the word “authorization.” Sec-
    tion 1030(e)(6) provides: “the term ‘exceeds authorized
    access’ means to access a computer with authorization and to
    use such access to obtain or alter information in the computer
    that the accesser is not entitled so to obtain or alter.” 18
    U.S.C. § 1030(e)(6). As this definition makes clear, an indi-
    vidual who is authorized to use a computer for certain pur-
    poses but goes beyond those limitations is considered by the
    CFAA as someone who has “exceed[ed] authorized access.”
    On the other hand, a person who uses a computer “without
    authorization” has no rights, limited or otherwise, to access
    the computer in question. In other words, for purposes of the
    CFAA, when an employer authorizes an employee to use a
    company computer subject to certain limitations, the
    employee remains authorized to use the computer even if the
    employee violates those limitations. It is the employer’s deci-
    sion to allow or to terminate an employee’s authorization to
    access a computer that determines whether the employee is
    with or “without authorization.”
    [5] This leads to a sensible interpretation of §§ 1030(a)(2)
    and (4), which gives effect to both the phrase “without autho-
    rization” and the phrase “exceeds authorized access”: a person
    who “intentionally accesses a computer without authoriza-
    tion,” §§ 1030(a)(2) and (4), accesses a computer without any
    permission at all, while a person who “exceeds authorized
    access,” 
    id., has permission
    to access the computer, but
    accesses information on the computer that the person is not
    entitled to access.
    [6] In this case, there is no dispute that Brekka had permis-
    sion to access the computer; indeed, his job required him to
    use the computer. Cf. 
    Theofel, 359 F.3d at 1072-73
    (holding
    that defendants had accessed a computer “without authoriza-
    tion” for purposes of the Stored Communications Act, 18
    U.S.C. § 2701 et seq., when they procured the access by
    fraud). Moreover, there is no dispute that Brekka was still
    employed by LVRC when he emailed the documents to him-
    13386                LVRC HOLDINGS v. BREKKA
    self and to his wife. The most straightforward interpretation
    of §§ 1030(a)(2) and (4) is that Brekka had authorization to
    use the computer.
    LVRC attempts to counter this conclusion by pointing to a
    Seventh Circuit decision, International Airport Centers, LLC
    v. Citrin, 
    440 F.3d 418
    (7th Cir. 2006). According to LVRC,
    Citrin supports its argument that the CFAA incorporates an
    additional limitation in the word “authorization,” such that an
    employee can lose authorization to use a company computer
    when the employee resolves to act contrary to the employer’s
    interest. In Citrin, the court held that an employee’s authori-
    zation to access a computer ended for purposes of § 1030(a)(5)6
    when the employee violated his duty of loyalty to his
    employer. The employee had decided to start a competing
    business in violation of his employment contract and erased
    all data from his work laptop computer before quitting his job.
    
    Id. at 419.
    The erased data included both valuable information
    belonging to his employer and evidence that the employee
    had engaged in misconduct. 
    Id. The Seventh
    Circuit held that,
    under common law agency principles, the employee breached
    his duty of loyalty to his employer “when, having already
    engaged in misconduct and decided to quit [the company] in
    violation of his employment contract, he resolved to destroy
    files that incriminated himself and other files that were also
    the property of his employer, in violation of the duty of loy-
    alty that agency law imposes on an employee.” 
    Id. at 420.
    The
    court held that this breach of the duty of loyalty to his
    employer terminated the employee’s agency relationship “and
    with it his authority to access the laptop, because the only
    basis of his authority had been that relationship.” 
    Id. at 420-21.
    Accordingly, the Seventh Circuit held that the
    6
    18 U.S.C. § 1030(a)(5) provides for criminal penalties to be imposed
    on a person who, among other things, “intentionally accesses a protected
    computer without authorization, and as a result of such conduct, recklessly
    causes damage” or “intentionally accesses a protected computer without
    authorization, and as a result of such conduct, causes damage.”
    LVRC HOLDINGS v. BREKKA                 13387
    employee’s actions were “without authorization” for purposes
    of § 1030(a)(5). 
    Id. at 421.
    If we applied the reasoning in Citrin to this case, Brekka
    would have breached his duty of loyalty to LVRC when he
    allegedly resolved to transfer key LVRC documents and
    information to his personal computer to further his own com-
    peting business, and at that point his authorization to access
    the computer would have ended. Applying this reasoning,
    Brekka would have acted “without authorization” for pur-
    poses of §§ 1030(a)(2) and (4) once his mental state changed
    from loyal employee to disloyal competitor.
    We are unpersuaded by this interpretation. First, and most
    important, § 1030 is primarily a criminal statute, and
    §§ 1030(a)(2) and (4) create criminal liability for violators of
    the statute. Although this case arises in a civil context, our
    interpretation of §§ 1030(a)(2) and (4) is equally applicable in
    the criminal context. See Leocal v. Ashcroft, 
    543 U.S. 1
    , 11
    n.8 (2004) (holding that where a statute “has both criminal
    and noncriminal applications,” courts should interpret the stat-
    ute consistently in both criminal and noncriminal contexts). It
    is well established that “ambiguity concerning the ambit of
    criminal statutes should be resolved in favor of lenity.” United
    States v. Carr, 
    513 F.3d 1164
    , 1168 (9th Cir. 2008) (quoting
    Rewis v. United States, 
    401 U.S. 808
    , 812 (1971)). The
    Supreme Court has long warned against interpreting criminal
    statutes in surprising and novel ways that impose unexpected
    burdens on defendants. See United States v. Santos, 
    128 S. Ct. 2020
    , 2025 (2008) (J. Scalia) (plurality opinion) (citing
    United States v. Bass, 
    404 U.S. 336
    , 347-49 (1971); McBoyle
    v. United States, 
    283 U.S. 25
    , 27 (1931); United States v.
    Gradwell, 
    243 U.S. 476
    , 485 (1917)). “This venerable rule . . .
    vindicates the fundamental principle that no citizen should be
    held accountable for a violation of a statute whose commands
    are uncertain, or subjected to punishment that is not clearly
    prescribed.” 
    Id. Therefore, “[t]he
    rule of lenity, which is
    rooted in considerations of notice, requires courts to limit the
    13388             LVRC HOLDINGS v. BREKKA
    reach of criminal statutes to the clear import of their text and
    construe any ambiguity against the government.” United
    States v. Romm, 
    455 F.3d 990
    , 1001 (9th Cir. 2006).
    In this case, as noted above, “authorization” means “per-
    mission or power granted by an authority.” RANDOM HOUSE
    UNABRIDGED DICTIONARY, 139. The definition of the term “ex-
    ceeds authorized access” from § 1030(e)(6) implies that an
    employee can violate employer-placed limits on accessing
    information stored on the computer and still have authoriza-
    tion to access that computer. The plain language of the statute
    therefore indicates that “authorization” depends on actions
    taken by the employer. Nothing in the CFAA suggests that a
    defendant’s liability for accessing a computer without authori-
    zation turns on whether the defendant breached a state law
    duty of loyalty to an employer. If the employer has not
    rescinded the defendant’s right to use the computer, the defen-
    dant would have no reason to know that making personal use
    of the company computer in breach of a state law fiduciary
    duty to an employer would constitute a criminal violation of
    the CFAA. It would be improper to interpret a criminal statute
    in such an unexpected manner. See 
    Carr, 513 F.3d at 1168
    .
    [7] Because LVRC’s proposed interpretation based on Cit-
    rin does not comport with the plain language of the CFAA,
    and given the care with which we must interpret criminal stat-
    utes to ensure that defendants are on notice as to which acts
    are criminal, we decline to adopt the interpretation of “with-
    out authorization” suggested by Citrin. Rather, we hold that
    a person uses a computer “without authorization” under
    §§ 1030(a)(2) and (4) when the person has not received per-
    mission to use the computer for any purpose (such as when
    a hacker accesses someone’s computer without any permis-
    sion), or when the employer has rescinded permission to
    access the computer and the defendant uses the computer any-
    way.
    LVRC HOLDINGS v. BREKKA                        13389
    [8] Based on this plain-language interpretation of the
    CFAA, we must consider whether Brekka acted “without
    authorization” when he emailed LVRC documents from his
    work computer to himself and to his wife. There is no dispute
    that Brekka was given permission to use LVRC’s computer
    and that he accessed documents or information to which he
    was entitled by virtue of his employment with LVRC.
    Because Brekka had authorization to use the LVRC computer,
    he did not access a computer “without authorization.” There-
    fore, the district court did not err in holding that LVRC failed
    to raise a genuine issue of material fact with respect to
    LVRC’s claim that Brekka violated §§ 1030(a)(2) and (4)
    while he was still employed by LVRC.7
    IV
    We next consider whether the district court erred in holding
    that LVRC did not raise a genuine issue of material fact with
    respect to its claim that Brekka violated the CFAA by logging
    into the LOAD website after he left LVRC. There is no dis-
    pute that if Brekka accessed LVRC’s information on the
    LOAD website after he left the company in September 2003,
    Brekka would have accessed a protected computer “without
    authorization” for purposes of the CFAA.
    7
    On appeal, LVRC argues only that Brekka was “without authorization”
    to access LVRC’s computer and documents. To the extent LVRC implic-
    itly argues that Brekka’s emailing of documents to himself and to his wife
    violated §§ 1030(a)(2) and (4) because the document transfer “exceed[ed]
    authorized access,” such an argument also fails. As stated by the district
    court, it is undisputed that Brekka was entitled to obtain the documents at
    issue. Moreover, nothing in the CFAA suggests that a defendant’s authori-
    zation to obtain information stored in a company computer is “exceeded”
    if the defendant breaches a state law duty of loyalty to an employer, and
    we decline to read such a meaning into the statute for the reasons
    explained above. Accordingly, Brekka did not “obtain or alter information
    in the computer that the accesser is not entitled so to obtain or alter,” see
    18 U.S.C. § 1030(e)(6), and therefore did not “exceed[ ] authorized
    access” for purposes of §§ 1030(a)(2) and (4).
    13390             LVRC HOLDINGS v. BREKKA
    [9] LVRC argues that there was sufficient evidence to
    create a genuine issue of material fact as to whether Brekka
    was responsible for the “cbrekka” log-in on November 19,
    2004 to the LOAD website and also as to whether he accessed
    the website on numerous other occasions after he left LVRC.
    We disagree.
    First, LVRC claims that no LVRC employee except Brekka
    had knowledge of the “cbrekka” log-in. Brekka, however,
    provided undisputed evidence that he left the email containing
    the administrative user name and password on his computer
    when he left LVRC, that at least two LVRC employees used
    the computer, and that others had access to the computer after
    Brekka left the company. Although LVRC points to evidence
    that the email with the log-in information was deleted from
    Brekka’s LVRC computer, the district court correctly deter-
    mined that the record does not indicate when the log-in infor-
    mation was deleted. While we must draw all reasonable
    inferences in favor of the non-moving party, we need not
    draw inferences that are based solely on speculation. See
    Lakeside-Scott v. Multnomah County, 
    556 F.3d 797
    , 802-03
    (9th Cir. 2009); see also Lujan v. Nat’l Wilderness Fed’n, 
    497 U.S. 871
    , 888 (1990) (holding that the summary judgment
    standard does not require that all ambiguities in the evidence
    be resolved in favor of the non-moving party). On appeal,
    LVRC relies on a declaration by its computer expert stating
    that the computer was reformatted before the other employees
    used it. However, this declaration was not part of the record
    before the district court on summary judgment, and therefore
    we do not consider it. See Forsberg v. Pac. Nw. Bell Tel. Co.,
    
    840 F.2d 1409
    , 1417-18 (9th Cir. 1988).
    Second, LVRC argues that because the computer that
    logged into the LVRC website on November 19 was con-
    nected to an ISP in Redwood City, a city located in Northern
    California, and Brekka was attending a meeting in San Fran-
    cisco, which is also in Northern California, a reasonable juror
    could infer that Brekka was the person who accessed the web-
    LVRC HOLDINGS v. BREKKA                13391
    site. But Brekka put forth an expert who stated that the infor-
    mation regarding Redwood City was related to the location of
    the ISP server, and did not indicate the location of the person
    using the “cbrekka” log-in. Jones, LVRC’s witness, testified
    that he did not know where the person logging into the com-
    puter was located. No other evidence supported the inference
    that Brekka used the Redwood City ISP. Accordingly, evi-
    dence of the ISP’s location is insufficient to create a genuine
    issue of material fact that Brekka was the person logging into
    the LVRC website. See 
    Lujan, 497 U.S. at 888
    (refusing to
    draw inferences in favor of the non-moving party that were
    not supported with specific evidence).
    Finally, in connection with its action against Brekka,
    LVRC retained a computer expert who examined Brekka’s
    personal computers. The expert’s report stated that Brekka’s
    personal computer had been used to access reports and statis-
    tics from LOAD at various times, including on September 17,
    2005. LVRC argues that this report indicates that Brekka
    logged into the LOAD website after he left LVRC’s employ.
    This argument also fails. As the district court noted, the
    expert’s evidence that Brekka logged into the site on Septem-
    ber 17, 2005 was contradicted by Nick Jones’s testimony that,
    upon Greenstein’s request, he deactivated the “cbrekka” user
    name and password no later than November 19, 2004. In its
    response to the motion for summary judgment, LVRC did not
    provide any explanation, let alone supporting evidence, to
    show how the log-in could have been used nearly a year after
    LVRC’s own witness testified that it had been deactivated. “If
    the factual context makes the non-moving party’s claim of a
    disputed fact implausible, then that party must come forward
    with more persuasive evidence than otherwise would be nec-
    essary to show that there is a genuine issue for trial.” Blue
    Ridge Ins. Co. v. Stanewich, 
    142 F.3d 1145
    , 1147 (9th Cir.
    1998). With no explanation or evidence as to how Brekka
    would have used the “cbrekka “ log-in to access the LOAD
    website after the log-in was deactivated, we cannot say that
    13392             LVRC HOLDINGS v. BREKKA
    there was a genuine issue of material fact regarding whether
    Brekka logged into the LOAD website after he left LVRC.
    The district court did not err when it refused to resolve the
    ambiguities in LVRC’s own evidence in favor of LVRC.
    On appeal, LVRC argues for the first time that it subse-
    quently reactivated the “cbrekka” user name to help LVRC
    catch and identify the person who was misusing the log-in.
    LVRC points to an FBI report in the record that contains a
    statement from an unknown person to this effect. The FBI
    report was submitted as part of the summary judgment motion
    in Brekka’s third-party suit, but LVRC did not draw the dis-
    trict court’s attention to this statement regarding the reactiva-
    tion of the “cbrekka” log-in in its response to the motion for
    summary judgment in this case, or even refer to the reactiva-
    tion of the log-in in any of its filings. We will not reverse a
    district court’s grant of summary judgment unless the party
    opposing the summary judgment motion has identified the
    evidence establishing a genuine issue of material fact in its
    opposition to summary judgment. See Carmen v. San Fran-
    cisco Unified School District, 
    237 F.3d 1026
    , 1031 (9th Cir.
    2001). Because LVRC failed to do so in this case, we do not
    consider LVRC’s proffered evidence that the “cbrekka” log-in
    was reactivated in November 2004.
    Because LVRC did not meet its burden of producing “evi-
    dence that is significantly probative or more than ‘merely col-
    orable’ that a genuine issue of material fact exists for trial,“
    FTC v. Gill, 
    265 F.3d 944
    , 954 (9th Cir. 2001) (quoting
    Anderson v. Liberty Lobby, Inc., 
    477 U.S. 242
    , 249-50
    (1986)), the district court did not err in granting summary
    judgment in favor of Brekka.
    V
    [10] Brekka’s use of LVRC’s computers to email docu-
    ments to his own personal computer did not violate
    § 1030(a)(2) or § 1030(a)(4) because Brekka was authorized
    LVRC HOLDINGS v. BREKKA               13393
    to access the LVRC computers during his employment with
    LVRC. Moreover, construing the evidence in the record
    before the district court in the light most favorable to LVRC,
    there is not enough evidence upon which a reasonable jury
    could find that Brekka violated the CFAA after he left the
    company.
    AFFIRMED.