Plaintiff Therapeutic Research Faculty sued defendants – NBTY, Rexall Sundown, and Le Naturiste J.M.B. – for violating the terms of a single user license by allowing access and use by multiple individuals. Therapeutic Research Faculty maintains a database of pharmacist-prepared monographs on drug therapy information. The database is available in print annually and through subscription on a password-protected website. Site licenses for access to the website are sold for thousands of dollars. For $100, NBTY purchased a single user subscription that limited access to “one and only one person” and prohibited sharing the password with anyone else. However, plaintiff alleges NBTY shared the confidential password with its employees for two-and-a-half years, Rexall Sundown used the password without authorization, and NBTY improperly obtained access for employees of Le Naturiste.
Therapeutic Research Faculty brought suit in the Eastern District of California. NBTY and Rexall Sundown moved to dismiss eight of plaintiff’s thirteen claims:
(1) copyright infringement;
(2) contributory copyright infringement;
(3) vicarious copyright infringement;
(4) violation of the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030;
(5) violation of Title II of the Electronic Communications Privacy Act (ECPA), 18 U.S.C. § 2701;
(6) violation of the California Comprehensive Data Access and Fraud Act, Cal. Penal Code § 502;
(7) trespass; and
(8) misappropriation of trade secret.
The court considered these claims in its opinion and denied all motions to dismiss.
First, the court found that plaintiff had established a prima facie case of copyright infringement because it owned the copyright to the monographs and alleged infringement of at least one of the exclusive rights granted to copyright holders. The court rejected defendants’ argument that unauthorized access did not constitute “copying” and was not conduct subject to protection by copyright laws. The court find that the word “copying” was shorthand for infringement of any of the rights protected by copyright, and plaintiff’s allegations that defendants pasted text from its database into emails and improperly accessed the database to prepare FDA notifications were sufficient to allege a violation of its exclusive rights to display, reproduce, and distribute its copyrighted works. Defendants also argued that their actions involved purely factual information that could not be copyrighted, but the court found that, given the low threshold of creativity required, plaintiff had adequately pled that their pharmacist-prepared monographs constituted “original material.” Thus, the court denied the motion to dismiss the three copyright-related claims.
Turning to the CFAA claim, the court rejected defendants’ argument that plaintiff had not shown “damage” within the definition of the statute, which required “impairment to the integrity or availability of data.” Precedent held that damage includes impairment to the integrity of data (mere access) even if no data was changed or erased. The court also rejected defendants’ argument thatplaintiff had not pled the required $5,000 in losses. Under the statute, loss includes costs of assessing damage and restoring the system, lost revenue, and other consequential damages. Since plaintiff alleged that a full license for NBTY would cost $40,000, compared to the $100 it had paid, the court found it had sufficiently stated a claim.
Next, the court rejected defendants’ argument that Title II of the ECPA, which punishes unauthorized access to stored communications, was inapplicable because of an exception for authorized conduct. Since plaintiff alleged that the vast majority of defendants’ access was not authorized, the exception did not apply. Similarly, the court rejected defendants’ argument that they had not acted “knowingly and without permission” to access data or provide access under the California statute because they had permission under the site license. Since plaintiff’s allegations focused on the unauthorized access by numerous employees, the court upheld the claim.
In upholding the common law claims, the court found that defendants had not shown that plaintiff’s allegation that it had suffered “irreparable damages” was insufficient to support a cause of action for trespass. Furthermore, plaintiff had sufficiently alleged that the confidential username and password were trade secrets under California law, which defines a trade secret as information that derives independent economic value from not being generally known to the public and is subject to reasonable efforts to maintain its secrecy. Because claims of misappropriation of trade secret could succeed either by showing damage or unjust enrichment, plaintiff’s failure to allege that defendants were unjustly enriched did not warrant dismissal.