- 1 2 3 4 5 IN THE UNITED STATES DISTRICT COURT 6 FOR THE NORTHERN DISTRICT OF CALIFORNIA 7 8 TRUSTLABS, INC., Case No. 21-cv-02606-CRB 9 Plaintiff, ORDER GRANTING IN PART AND 10 v. DENYING IN PART MOTION FOR SUMMARY JUDGMENT 11 DANIEL JAIYONG AN, 12 Defendant. 13 Defendant Daniel Jaiyong An is the cofounder and former CEO of Plaintiff 14 TrustLabs, Inc., a cryptocurrency company. Just before An was fired as CEO, he deleted 15 TrustLabs’ account with Slack, an electronic messaging service that TrustLabs employees 16 frequently used to communicate with one another. TrustLabs sued An under two federal 17 statutes, the Computer Fraud and Abuse Act and the Stored Communications Act, and one 18 California statute, the Comprehensive Computer Data Access and Fraud Act. TrustLabs 19 also seeks punitive damages against An. 20 TrustLabs now moves for summary judgment. The Court finds the matter suitable 21 for resolution without oral argument pursuant to Local Civil Rule 7-1(b), GRANTS the 22 motion as to liability under the California statute, and otherwise DENIES the motion. 23 I. BACKGROUND1 24 Leading up to July 2023, Defendant An was the CEO of Plaintiff TrustLabs. 25 Alexader de Lorraine Decl. (dkt. 140-3) ¶ 4. Rafael Cosman was TrustLabs’ other 26 27 1 The Court views the evidence in the light most favorable to An as the party opposing 1 cofounder, see Alexander de Lorraine Dep. (dkt. 143, Ex. C) at 23:25–24:1, and Alexander 2 de Lorraine was TrustLabs’ Director of Finance and Operations, see de Lorraine Decl. ¶ 2. 3 Cosman and de Lorraine met with An during the last week of June 2023 to discuss their 4 concerns about his performance, and on July 2 de Lorraine told An that TrustLabs’ 5 shareholders “would like to remove [him] from the board” and from his position as CEO. 6 de Lorraine Dep. at 14:7–8. An does not remember these conversations but does not 7 contest that they occurred. Daniel Jaiyong An Dep. (dkt. 140-1, Ex. 1) at 156:2–6. 8 Soon after, on July 6, Cosman emailed An: 9 At the end of your conversation with Alex de Lorraine, you mentioned that you would step down as CEO of TrustLabs, Inc. 10 We have not received your official resignation letter and ask that you forward it by 4pm PST today, the 6th of July 2020. Please 11 note that if we do not receive your answer at or before 4 pm we are forced to enact a stockholder consent which will replace the 12 board of TrustLabs, Inc. and hire a new CEO. 13 … 14 If you choose to resign, the Company is agreeable to treating your resignation as a termination by you for Good Reason and 15 working with you to communicate the decision to the public. If you do not provide an answer by 4 pm and the Company enacts 16 the stockholder consent, the public narrative will necessarily change. 17 18 Id. Exh. 5 (Cosman email) (emphasis omitted). An denies that he ever told de Lorraine 19 that he would resign as CEO. Id. at 156:10–13. 20 An did not tender a resignation letter by 4 p.m. on July 6 or otherwise respond to 21 Cosman’s email. Instead, at 6:36 p.m. he deleted TrustLabs’ Slack account. Def.’s Am. 22 Resps. to Pl.’s Requests for Admission (dkt. 140-1, Ex. 6) at 4. Slack was “one of 23 [TrustLabs’] main means of communication,” Anna Arpilleda Dep. (dkt. 140-1, Ex. 4) at 24 18:12–14, and a “critical piece of company infrastructure,” de Lorraine Dep. at 37:5–6. 25 While TrustLabs’ Slack account was inactive, “[b]usiness pretty much ground to a halt” 26 and “[f]orward progress on company initiatives … was little to none.” Id. at 37:6–16. 27 TrustLabs was able to secure Slack access approximately 12 hours later. Id. at 32:6–12. 1 Decl. (dkt. 140-2) ¶¶ 6–7; de Lorraine Decl. ¶ 8. 2 After An deleted TrustLabs’ Slack account, TrustLabs conducted an emergency 3 stockholder vote, called an emergency session of its board of directors, and voted to 4 remove An from the company board and as CEO. An Dep. Exh. 6 (termination letter). 5 TrustLabs formally terminated An’s employment on July 7. Id. Several days later, an 6 individual using An’s name and email address tried to access TrustLabs’ email marketing 7 list and social media accounts. Id. Exh. 13 (cease and desist letter). And on July 24 An 8 emailed the legal counsel of one of TrustLabs’ clients to propose details for an upcoming 9 deal. Id. Exh. 11 (An email). 10 TrustLabs sued An under three statutes: the federal Computer Fraud and Abuse Act, 11 18 U.S.C. § 1030; the federal Stored Communications Act, 18 U.S.C. § 2701, et seq.; and 12 California’s Comprehensive Computer Data Access and Fraud Act, Cal. Penal Code § 502. 13 Compl. (dkt. 1) ¶¶ 26–40. Before the Court is TrustLabs’ motion for summary judgment 14 on all three counts. MSJ (dkt. 140). 15 II. LEGAL STANDARD 16 Summary judgment is proper when there is “no genuine dispute as to any material 17 fact and the [moving party] is entitled to judgment as a matter of law.” Fed. R. Civ. P. 18 56(a). Material facts are those that may affect the outcome of the case. Anderson v. 19 Liberty Lobby, Inc., 477 U.S. 242, 248 (1986). A dispute is genuine if “the evidence is 20 such that a reasonable jury could return a verdict for the nonmoving party.” Id. 21 The moving party bears the initial burden of identifying those portions of the 22 pleadings, discovery, and affidavits that demonstrate the absence of a genuine issue of 23 material fact. Celotex Corp. v. Cattrett, 477 U.S. 317, 323 (1986). Once the moving party 24 meets its initial burden, the nonmoving party must go beyond the pleadings to demonstrate 25 the existence of a genuine dispute of material fact by “citing to particular parts of materials 26 in the record” or “showing that the materials cited do not establish the absence or presence 27 of a genuine dispute.” Fed. R. Civ. P. 56(c). If the nonmoving party fails to do so, “the 1 III. DISCUSSION 2 TrustLabs brings against An two federal statutory claims and one state statutory 3 claim. Though the three statutes at issue regulate different conduct, for purposes of this 4 case they apply in similar ways. 5 A. Statutory Standing 6 TrustLabs has established that it suffered over $6,000 in damages when An deleted 7 the company’s Slack account. That is sufficient under all three statutes. See 18 U.S.C. 8 § 1030(c)(4)(A)(i)(I), (g) ($5,000 threshold for private suit under the CFAA); Hahn v. 9 Rothman, No. CV 09-249 ODW, 2010 WL 11507395, at *4–5 (C.D. Cal. Oct. 8, 2010) 10 (citing 18 U.S.C. § 2707(c)) (no damages threshold under the SCA); Mintz v. Mark 11 Bartelstein & Assocs. Inc., 906 F. Supp. 2d 1017, 1032 (C.D. Cal. 2012) (citing Cal. Penal 12 Code § 502) (no damages threshold under the CCDAFA). 13 For his part, An fails to offer any evidence to meaningfully contest the amount of 14 damages. He points to deposition testimony that it took “less than 12 hours” to restore 15 Slack access, de Lorraine Dep. at 32:6–12, but that testimony is consistent with TrustLabs’ 16 assertion that it took over 50 hours to “recover[] the Company’s Slack account” and also 17 “ensur[e] the security of TrustLabs’ remaining digital resources” by “reintegrat[ing] all 18 Slack connections to Company systems, review[ing] access to shared channels, and 19 updat[ing] administrative access credentials.” MSJ at 7 (citing Moore Decl. ¶¶ 4–7). An 20 also argues that TrustLabs’ request for over $6,000 in damages is “convenient” (because it 21 is just slightly over the CFAA’s $5,000 damages threshold) and that TrustLabs’ litigation 22 strategy “suggests that [its] true motive is not to recover minimal losses, but rather to use 23 the legal system as a weapon for retaliation or harassment.” MSJ Opp. (dkt. 143) at 6–7. 24 Yet such “speculation and guesswork” is not enough to create a genuine dispute of 25 material fact. Guidroz-Brault v. Mo. Pac. Ry. Co., 254 F.3d 825, 829 (9th Cir. 2001). 26 B. Qualifying Conduct 27 An concedes that he deleted TrustLabs’ Slack account. This is qualifying conduct 1 First, deleting TrustLabs’ Slack account implicates the CFAA, which prohibits 2 “knowingly caus[ing] the transmission of a program, information, code, or command … to 3 a protected computer.” 18 U.S.C. § 1030(a)(5)(A). An’s computer qualifies as a 4 “protected computer” because TrustLabs operates nationally and internationally. 5 de Lorraine Decl. ¶ 10; see also 18 U.S.C. § 1030(e)(2)(B) (a “protected computer” is one 6 that “is used in or affecting interstate or foreign commerce or communication”). 7 Second, An’s conduct implicates the SCA, which prohibits “intentionally 8 access[ing] … a facility through which an electronic communication service is provided … 9 and thereby obtain[ing], alter[ing], or prevent[ing] authorized access to a wire or electronic 10 communication while it is in electronic storage in such system.” 18 U.S.C. § 2701(a). 11 TrustLabs’ Slack account is a “facility through which an electronic communication service 12 is provided” as it “provides to users [] the ability to send or receive wire or electronic 13 communications.” Id. § 2510(15); see also In re iPhone Application Litig., 844 F. Supp. 14 2d 1040, 1057 (N.D. Cal. 2012) (“the computer systems of an email provider, a bulletin 15 board system, or an ISP are uncontroversial examples of facilities that provide electronic 16 communications services”).2 17 Third, An’s conduct falls under several provisions of the CCDAFA. As relevant 18 here, that statute prohibits (1) knowingly “alter[ing], damage[ing], delet[ing], or 19 destroy[ing] any data, computer software, or computer programs which reside or exist 20 internal or external to a computer, computer system, or computer network”; (2) knowingly 21 “disrupt[ing] or caus[ing] the disruption of computer services”; and (3) knowingly 22 “den[ying] or caus[ing] the denial of computer services to an authorized user of a 23 computer, computer system, or computer network.” Cal. Penal Code § 502(c)(4)–(5). 24 Slack, an “electronic message service,” is a “computer service” for purposes of 25 California’s statute. Id. § 502(b)(4). 26 An does not contest that these statutes apply to deleting TrustLabs’ Slack account. 27 1 C. Authorization or Permission 2 The core dispute in this action is An’s status with respect to TrustLabs when he 3 deleted the company’s Slack account. Both the CFAA and the SCA prohibit conduct that 4 is without authorization or in excess of authorization. See 18 U.S.C. §§ 1030(a)(5)(A), 5 2701(a). California’s CCDAFA, meanwhile, prohibits conduct undertaken “without 6 permission.” Cal. Penal Code § 502(c)(4), (5). 7 Federal Claims. TrustLabs primarily relies on Cosman’s July 6, 2020 email to An 8 as proof that An deleted the company’s Slack account without authorization. TrustLabs 9 argues that An’s “authorization to access TrustLabs’ Slack account was revoked—at the 10 latest—upon the Company’s formal notice that his employment would be involuntarily 11 terminated if he did not provide a resignation letter by 4 p.m. on July 6, 2020.” MSJ at 12. 12 But Cosman’s email does not conclusively establish that An’s authority as CEO—and with 13 it, his authority to delete TrustLabs’ Slack account—was revoked at 4 p.m. on July 6, 14 2020. In his email, Cosman explained that “if we do not receive your answer at or before 4 15 pm we are forced to enact a stockholder consent which will replace the board of TrustLabs, 16 Inc. and hire a new CEO.” An Dep. Exh. 5. While that statement could mean that An’s 17 authority as CEO expired at 4 p.m. on July 6 whether or not he tendered his resignation, it 18 could also mean that An’s failure to tender his resignation by 4 p.m. on July 6 would 19 merely cause Cosman and de Lorraine to seek his termination through other means. 20 Indeed, that is what seems to have played out: by refusing to resign, An initiated a 21 sequence of events that ultimately culminated in the board firing him as CEO. It is at least 22 possible that An’s authority as CEO did not expire until the board actually fired him— 23 which it did only after An deleted the company’s Slack account. Additionally, it is not 24 clear that Cosman (or de Lorraine, for that matter) himself had authority to strip An of his 25 CEO role, so his email might not be of any legal significance. 26 For these same reasons, TrustLabs’ reliance on Astec America LLC v. Li, 27 No. 14CV1457 JLS, 2014 WL 12516024 (S.D. Cal. Nov. 17, 2014), is misplaced. That 1 after the company had informed the employee of his pending termination and demanded 2 the return of the laptop. Id. at *3. The court rejected the employee’s argument that he had 3 authorization to access the laptop while his termination was pending and he was still an 4 employee, holding that “once he went on medical leave and [the company] demanded the 5 laptop be returned, his authority was revoked.” Id. Cosman’s email, by contrast, is more 6 ambiguous. It contains no language equivalent to the demand in Astec America that the 7 employee return the laptop. Nor does it establish that Cosman (or de Lorraine) even could 8 revoke An’s authority as CEO—something not at issue in Astec America. This case is 9 therefore unsuitable to resolving at summary judgment.3 10 To be clear, the Court does not hold that Cosman’s July 6, 2020 email is insufficient 11 to establish that An’s authority was revoked as a matter of law. Context—such as details 12 about the stockholder consent process or Cosman and de Lorraine’s authority—might be 13 sufficient for a finder of fact to conclude that An’s authority as CEO was in fact revoked 14 before he deleted TrustLabs’ Slack account. All the Court now holds is that the email is 15 not enough, standing alone, to conclusively establish that An’s authority had been revoked. 16 TrustLabs’ secondary argument is that An had agreed to resign as CEO at some 17 point before July 6, 2020. MSJ Reply (dkt. 144) at 6. But An clearly disputes this: he 18 declared under oath that he “never agreed nor provided indication that [he] would provide 19 notice of resignation as CEO of TrustLabs ever.” Daniel Jaiyong An Decl. (dkt. 143) ¶ 3. 20 TrustLabs tries to write off An’s declaration as “self-serving” and “conclusory,” MSJ 21 Reply at 6 n.2, but it is of no legal significance that a declaration is self-serving, see Nigro 22 v. Sears, Roebuck & Co., 784 F.3d 495, 497 (9th Cir. 2015), and it is not conclusory for 23 An to deny that he made a specific statement. (Perhaps An’s additional statement that he 24 never “provided indication” that he would resign is conclusory, but the Court need not, and 25 does not, rely on that statement to deny summary judgment.) The finder of fact may well 26 reject An’s testimony as to what he did or did not say leading up to July 6, 2020, but such a 27 1 classic credibility determination is an issue for trial, not summary judgment. 2 The Court therefore denies the motion for summary judgment with respect to 3 TrustLabs’ federal claims. 4 State Claim. Unlike the federal CFAA and SCA, California’s CCDAFA prohibits 5 conduct undertaken “without permission,” rather than without authorization. California’s 6 statute is thus more expansive, as it “may properly be applied to an employee who uses his 7 or her authorized access to a computer system to disrupt or deny computer services to 8 another lawful user.” People v. Childs, 220 Cal. App. 4th 1079, 1104 (2013) (CCDAFA 9 properly applies to network engineer who configured county computer system to restrict 10 access to anyone but himself); see also Cal. Pen. Code § 502(b)(10) (“‘Injury’ means … 11 the denial of access to legitimate users of a computer system, network, or program.”). 12 That said, California’s statute also includes a defense that the defendant acted “within the 13 scope of [his] lawful employment”—that is, that his actions were “reasonably necessary to 14 the performance of [his] work assignment.” Cal. Pen. Code § 502(h)(1); Childs, 220 Cal. 15 App. 4th at 1102–03 (describing the “scope of employment” defense). 16 TrustLabs has shown that when An deleted Slack, he denied access to that program 17 to the entire company, including many legitimate users. And An fails to identify any 18 evidence that deleting Slack was within the scope of his lawful employment.” He states in 19 his brief that his “management of company communication systems, including the decision 20 to transition away from Slack, falls within [the] scope” of his lawful employment, MSJ 21 Opp. at 11, but he does not support this assertion with evidence, and “[u]nsupported 22 allegations made in briefs are not sufficient [] to defeat a motion for summary judgment.” 23 Stanley v. Univ. of S. Cal., 178 F.3d 1069, 1076 (9th Cir. 1999). 24 At bottom, An points to no evidence, and the Court could not find any, to suggest 25 that it was reasonably necessary for him to delete TrustLabs’ Slack account when he did 26 so. The Court therefore GRANTS summary adjudication against An as to An’s liability 27 under the CCDAFA. 1 D. Punitive Damages 2 The final issue is the question of punitive damages. TrustLabs argues that An not 3 only acted knowingly (the requisite intent for liability under all three statutes)4 but that he 4 also acted intentionally and with malice and therefore owes punitive damages. MSJ at 19– 5 20. As evidence of An’s intent and malice, TrustLabs points to An’s post-termination 6 conduct—specifically, his purported attempts to log into several of the company’s 7 accounts and his communications with one of the company’s clients. Id. 8 An vigorously contests TrustLabs’ assertion that he acted maliciously. In doing so, 9 he raises various allegations of misconduct on the part of TrustLabs, apparently for the 10 purpose of portraying himself as a sort of whistleblower acting with pure intentions. See 11 MSJ Opp. at 6, 10–11, 23.5 While An failed to properly substantiate most of these 12 allegations, and any evidence on this topic would be irrelevant to determining An’s 13 statutory liability, TrustLabs’ alleged misconduct around the time that An was terminated 14 may have some limited relevance to the question of punitive damages. So there is a 15 genuine dispute of material fact as to whether punitive damages are appropriate, and the 16 Court DENIES TrustLabs’ motion for summary judgment as to punitive damages on all 17 counts.6 18 4 See 18 U.S.C. §§ 1030(a)(5), 2701(a); Cal. Pen. Code § 502(c)(4), (5). An does not 19 seriously dispute that he acted knowingly when he deleted TrustLabs’ Slack account; indeed, he concedes that he did so and suggests only that his motive may have been 20 legitimate. See MSJ Opp. at 6, 11. 5 An attempted to file supplemental authority consisting of an SEC complaint against 21 TrustLabs and a press release regarding the parties’ subsequent settlement. Mot. for Leave to File Supp. Evid. (dkt. 145). This motion would be procedurally improper under either 22 Local Civil Rule 7-3(d)(2), which applies only to “relevant judicial opinion[s]” (emphasis added), or Local Civil Rule 7-11, which requires a stipulation or a declaration explaining 23 the absence of one. The authority itself is irrelevant in any case, as “a consent judgment between a federal agency and a private corporation [] is not the result of an actual 24 adjudication of any of the issues.” Twin City Fire Ins. Co. v. SLRA Inc., No. 19-cv-6131- JSC, 2020 WL 3035793, at *4 (N.D. Cal. June 5, 2020) (quoting Lipsky v. Commonwealth 25 United Corp., 551 F.2d 887, 893 (2d Cir. 1976)). An’s motion is therefore DENIED. 6 TrustLabs’ federal claims will go to trial regardless, so it is in the interest of judicial 26 economy for the finder of fact to evaluate punitive damages for all three claims at the same time. See United Energy Trading, LLC v. Pac. Gas & Elec. Co., No. 15-cv-2383-RS, 2018 27 WL 11431182, at *6 n.6 (N.D. Cal. Jan. 22, 2018) (“Where an issue is closely intertwined 1 IV. CONCLUSION 2 For the foregoing reasons, the Court vacates the hearing set for November 15, 2024 3 at 10 a.m. and 4 • GRANTS summary adjudication in favor of TrustLabs and against An as to 5 liability under the Comprehensive Computer Data Access and Fraud Act; 6 • DENIES summary adjudication as to liability under the Computer Fraud and 7 Abuse Act and the Stored Communications Act; and 8 • DENIES summary adjudication as to damages on all counts. 9 IT IS SO ORDERED. 10 Dated: November 13, 2024 CHARLES R. BREYER 11 United States District Judge 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27
Document Info
Docket Number: 3:21-cv-02606
Filed Date: 11/13/2024
Precedential Status: Precedential
Modified Date: 11/14/2024