Database Access After Failed Negotiations Didn’t Violate the CFAA–Carfax v. Accu-Trade
Plaintiff (Carfax) manages information regarding used cars and light trucks. It owns a “QuickVIN” tool that allows users to search vehicle-related information by license plate number, rather than by VIN number. Defendant Accu-trade is a valuation platform and is a part of a larger entity called “Hollenshead,” which is a major auto wholesaler.
Defendants (Hollenshead and Accu-trade) talked with Carfax about using Carfax’s QV tool in exchange for the provision of data by defendants to Carfax. Carfax provided Accu-trade with a test account and a limited data set. The parties never executed a formal agreement, and Accu-trade advised Carfax that it was no longer interested in using the QV tool. As alleged in the complaint, Accu-trade and possibly Hollenshead accessed the tool and data following termination of the negotiations. When confronted, Accu-trade’s CFO signed a previously sent over (but-unexecuted) agreement. Apparently, not only had Accu-trade continued to use the QV tool, it also allegedly allowed use by others downstream, including allowing one party to access the tool who then authorized 100 of its own customers to do so.
Plaintiff alleges claims under the CFAA and the Virginia computer crimes statute. Defendants moved to dismiss the complaint.
Personal Jurisdiction: The court first engages in a lengthy detour while evaluating personal jurisdiction. The court concludes:
- Defendants engaged in acts or omissions in Virginia that caused tortious harm (plaintiff’s servers were located in Virginia).
- The co-defendant and individual defendant were sufficiently complicit in the acts that they too are subject to Virginia’s long-arm statute.
- Defendants purposefully availed themselves of the benefits of conducting business in Virginia. The court takes a further detour regarding the effect of a server in the jurisdiction and some personal jurisdiction cases involving spam.
- The court rejects Defendants’ arguments that Walden v. Fiore nullified the “effects test”.
CFAA Claim: The parties argued whether plaintiff stated a claim under Fourth Circuit precedent as modified (if at all) by Van Buren:
Defendants argue that Van Buren‘s bright-line “gates-up-or-gates-down” view of authorization under the CFAA makes Plaintiff’s allegations as to Count I of no moment. To that end, Defendants contend that Plaintiff’s allegation that Accu-Trade was not permitted to use the QV tool after allegedly rejecting Plaintiff’s contract is “not enough.” As such Defendants contend that because Plaintiff did not allege it attempted to disable Accu-Trade’s ability to access the QV tool or issue some clear message to Accu-Trade that their access to the QV tool was no more, the Complaint fails to assert that Accu-Trade accessed the QV tool without authorization.
Plaintiff acknowledged it could not state a claim on the basis that defendants “exceeded authorized access”, but argued that it stated a claim because defendants’ access was “without authorization” when Accu-trade informed plaintiff that it was not interested in a licensing relationship and would not be using the QV tool.
The court agreed that, while the parties were discussing a possible relationship, Carfax had granted Accu-trade and company some sort of access to the information in question. Carfax cannot assert a claim as to access during this period. The court then turns to the key question:
That leaves the Court with the question: Were the gates to the QV tool ever re-erected following Accu-Trade’s representations to Plaintiff on November 3, 2018 so as to provide a plausible basis for Plaintiff’s claim that Defendants continued to access the QV tool “without authorization”? Framed differently, the Court must determine, as a matter of law, whether an affirmative act by Plaintiff to re-raise the gates around the QV tool server is required to establish that Defendants had acted “without authorization.” Because this Court construes the issue as a question of law and not a disputed fact, resolution of this issue is required in making a plausibility assessment of Count I and is therefore a proper exercise at the motion to dismiss stage. See, e.g., WEC, 687 F.3d at 203 (affirming the district court’s consideration of how to interpret “without authorization” at the motion to dismiss stage).
[Eric’s note: this judge is treating gates like fences, not portcullises, so “up” means that the gates are meant to block access.]
The court looks to WEC (a pre-Van Buren Fourth Circuit case involving an employee that endorsed a CFAA claim, I blogged about here) and says three factors prompted the court to find that the so-called “gates were up” (1) the former employee access the information after he left the company; (2) the company took steps to revoke access; (3) the employee acknowledged he lacked authorization following his resignation. The court says plaintiff falls short of establishing that here. The court also notes that the Fourth Circuit endorsed the Ninth Circuit’s “narrow view” of the CFAA. (Cites to Nosal and Power Ventures.)
State Law Claims: Notwithstanding rejection of the CFAA claim, the court says Carfax does state a claim under the Virginia Computer Crimes Act. This statute pre-dated the CFAA and is not “derivative” of the CFAA. Courts have not employed the rule of lenity in interpreting it.
A few comments about this ruling.
The jurisdictional discussion illustrates that courts struggle with reconciling Supreme Court rulings limiting the reach of personal jurisdiction with existing precedent taking a broad approach.
Second, Carfax does not appear to have required defendants to enter into an evaluation agreement, although the ruling is silent on this point. I wondered if an evaluation agreement would have been helpful. Would language in correspondence saying “at the conclusion of this evaluation relationship, we revoke your access to any databases, servers, etc.” have been helpful to plaintiff?
This is another example of Van Buren’s “gates-up-or-down” metaphor not being very helpful. Kieran McCarthy’s recent post is worth quoting:
As with Finnegan’s Wake, the most important content of that opinion comes in the form of an opaque metaphor, the “gates-up-or-gates-down inquiry.” And while I may have my own opinions about what that metaphor means (and if it has any meaning at all), every time I read about how others interpret it, the results are different.
Finally, Van Buren was a case involving a license plate database (albeit a law enforcement one). This case involves two companies battling over VIN and license plate information as well. I vaguely wondered where these companies get the data they are fighting over in the first place.
Case citation: Carfax, Inc. v. Accu-Trade, LLC, et al., 1:21-cv-00360 (E.D. Va. Mar. 4, 2022)