UNITED STATES DISTRICT COURT
CENTRAL DISTRICT OF CALIFORNIA
SOUTHERN DIVISIONNORTH TEXAS PREVENTIVE IMAGING, L.L.C.,
Plaintiff,
v.
HARVEY EISENBERG M.D. et al.,

Defendants.
ORDER FINDING FEDERAL QUESTION JURISDICTION; GRANTING IN PART AND DENYING IN PART DEFENDANTS’ MOTION TO DISMISS; GRANTING IN PART PLAINTIFF’S MOTION FOR PRELIMINARY INJUNCTION

INTRODUCTION

In 1994, Congress amended the Computer Fraud and Abuse Act, 18 U.S.C. Section 1030 (“Act” or “CFAA”), the application of which in this case will confer jurisdiction on the district court for some or all of plaintiff’s claims. Plaintiff, a medical diagnostics company, seeks to assert the revised provisions of the Act as private rights of action against defendant software providers. Resolving ambiguities in the legislation in plaintiff’s favor, the Court by this Order concludes that plaintiff has stated a claim under federal question jurisdiction and pled two claims under the revised Act. The jurisdictional issue is examined first, followed by a discussion of defendants’ motion to dismiss plaintiff’s First Amended Complaint (“FAC”) and plaintiff’s motion for preliminary injunction.

II.PROCEDURAL HISTORY

Plaintiff filed this lawsuit on January 23, 1996, alleging only diversity jurisdiction. On March 11, 1996, plaintiff filed the First Amended Complaint (“FAC”), alleging federal question jurisdiction on the basis of the Computer Fraud and Abuse Act.

On April 9, 1996, plaintiff filed a motion for preliminary injunction. Defendants filed opposition on April 18, 1996; plaintiff filed a reply on April 25, 1996. Oral argument occurred on May 1, 1996, at which time the Court took the matter under submission and ordered the parties to file supplemental briefs on jurisdictional issues. Plaintiff filed supplemental papers on May 10, 1996 and May 24, 1996; defendant filed supplemental papers on May 21, 1996.

On April 15, 1996, defendants filed a motion to dismiss the complaint for failure to state a claim. On April 29, 1996, plaintiff filed opposition. On May 1, 1996, the Court heard oral argument on the motion and took the matter under submission. Defendants filed their reply on June 3, 1996.

III.SUMMARY OF FIRST AMENDED COMPLAINT

Plaintiff North Texas Preventive Imaging L.L.C. (“NTPI”) is a Dallas-based provider of medical diagnostic imaging (i.e., CAT scans), a method of diagnosing coronary artery disease, cancer, osteoporosis, and other medical conditions. To assist with its diagnostic imaging, plaintiff purchased a computer system (the “Scribe system”) from defendant Medical Diagnostic Imaging, Inc. (“MDI”). The Scribe system performs computer enhancement of medical images.

Defendant MDI is a California corporation which allegedly owns and controls the Scribe system software at issue. FAC paragraph 5. Defendants Eisenberg and Pura Labs, Inc. do business as MDI. FAC paragraphs 4-6. Defendant Health Technologies & Wellness, Inc. (“HTW”) is a Delaware corporation which, prior to December 27, 1995, owned a majority interest in plaintiff NTPI. FAC paragraph 7. HTW also held itself out as the owner of the Scribe system software. Defendant Harvey Eisenberg is the owner and operator of all the aforementioned business entities. FAC paragraph 8. Defendant Roberta Eisenberg is Harvey Eisenberg’s wife. FAC paragraph 3. Non-party DVI Financial Services, Inc. (“DVIF”) is a financing company which helped plaintiff finance the purchase of the Scribe system software by buying it from defendants and leasing it to plaintiff. FAC paragraph 11. DVIF purchased the Scribe system according to the terms of price quotation 950103 on January 22, 1995. FAC paragraph 12. DVIF leased the software under the terms of lease #8 on February 27, 1995.

In May 1995, the Scribe system was installed in plaintiff’s facility. FAC paragraph 15. Plaintiff has allegedly paid 90% of the sales price for the Scribe system software. FAC paragraph 13. The core of the dispute is the parties’ disagreement over the licensing rights conferred by defendant’s sale of the Scribe system. The parties have no formal licensing contract; their arrangement is reflected in a price quotation which contains the following provision:

Software License Agreements: Software products provided by Multi-Dimensional Imaging are copyrighted, and all rights are reserved by Multi-Dimensional Imaging. The distribution and sale of Multi-Dimensional Imaging software products are intended for the use of the original purchaser only and for use only on the computer system(s) specified. Lawful users of this product are licensed to use the software as loaded on computers and/or provided on floppy disk for copying to computers. Users are also allowed to make back-up copies for safety. Any other copying, duplicating, selling, or otherwise distributing these products are a violation of the law. FAC paragraph 13; Friede Decl. Ex. 7 at 7 (full text of price quotation number 950103).

Plaintiffs were dissatisfied with the operation of the Scribe system and on December 27, 1995, sent a letter to MDI “cancelling” the purchase of the Scribe system and demanding return of $161,721 which had been “overpaid.” FAC paragraph 15. Defendants responded with a letter asking plaintiff to enter into a new licensing arrangement and noting that the software would be disabled on January 31, 1996, if the new license were not executed. FAC paragraph 16.

When the software was installed in March 1995, it contained no time restrictions or other disabling codes. Defendants apparently sent plaintiffs “update disks” periodically to update the Scribe system. In late 1995, defendants sent an “update” floppy computer disk to plaintiff which, unbeknownst to plaintiff, contained disabling codes. Disabling codes, or “time bombs,” are computer software codes which render a software program inoperable at a pre-set time and date. FAC paragraph 14. The software which plaintiffs loaded onto their computer in late 1995 contained a time bomb set to go off on January 31, 1996. The software was prepared on MDI’s computers in California. FAC paragraph 16.

Plaintiff learned of the existence of the time bomb and complained to defendant about its insertion in the Scribe system. A few days before the time bomb was scheduled to go off, MDI sent another set of computer codes which reset the time bomb for May 1, 1996. FAC paragraph 16.

The FAC alleges six causes of action. First, plaintiff alleges that defendants breached the DVIF-MDI purchase contract and that plaintiff, as third party beneficiary of the contract and assignee of DVIF’s rights may enforce the contract. Plaintiff asserts that it received invoices for $511,500, but received goods worth only $278,730. FAC paragraph 19. MDI has been paid $460,350 for goods supplied, and plaintiff alleges the right to the amount it overpaid for the goods — $181,620. FAC paragraph 19.

Second, plaintiff alleges that defendants breached the express and implied warranties for defect-free performance of the software and hardware. FAC paragraph 24. Plaintiff alleges that it has been damaged in the amount of $10,000, representing the cost of labor and measures taken to keep the Scribe system running. FAC paragraph 27; see also p. 24.

Third, plaintiff alleges that defendants’ conduct in secreting the time bomb in its Scribe system constitutes a violation of CFAA sections 1030(a)(5)(A) and (B). In particular, plaintiff claims that defendant, using its computers located in California, clandestinely caused the time bomb to be inserted in the Scribe system at plaintiff’s facility in Texas. FAC paragraph 29. The time bomb potentially impairs the medical examination, diagnosis, and treatment of NTPI’s patients. FAC paragraph 33.

Fourth, plaintiff alleges that defendants intentional insertion of the time bomb in the Scribe system constitutes conversion because it interferes with plaintiff’s right to quiet possession and use of the Scribe system. FAC paragraphs 37-39. Plaintiff requests damages in the amount of $460,350, representing the amount paid for the Scribe system. FAC paragraph 38.

Fifth, plaintiff requests a declaratory judgment because it is impossible to determine who owns and controls the Scribe system software at issue in this lawsuit and that several defendants have used the name “MDI.” Plaintiff requests a declaration as to which defendant owns and controls the software, and whether plaintiff holds a “non-exclusive license to use the software without cloud on title to such right.” FAC paragraph 43.

Sixth, plaintiff alleges that defendants HTW and Harvey Eisenberg committed “fraudulent misrepresentation and constructive fraud.” Claim 6, while captioned as a fraud claim, substantively appears to allege a claim for breach of fiduciary duty. In particular, claim 6 alleges that HT&W, as majority owner of plaintiff, and Eisenberg, as manager of NTPI, owed a fiduciary duty to disclose relevant information regarding the insertion of the time bomb in the Scribe system. Plaintiff alleges that both defendants breached their fiduciary duties to NTPI by knowingly failing to disclose this information. FAC paragraphs 45-46. Plaintiff requests compensatory damages in the amount of $460,350 plus various additional damages caused by defendants’ breach. FAC at p. 26.

IV.DISCUSSION

1. Federal Question Jurisdiction: Does the Computer Fraud and Abuse Act (“Act” or “CFAA”) prohibit the conduct complained of in the complaint?
The CFAA proscribes the unauthorized access to certain computer systems for harmful purposes by means of a modem or direct keyboard entry.
Section 1030(a)(5)(A) of statute reads:
“[Whoever] through means of a computer used in interstate commerce or communications, knowingly causes the transmission of a program, information, code, or.command to a computer or computer system if — (i) the person causing the transmission intends that such transmission will– (I) damage, or cause damage to, a computer, computer system, network, information, data, or program; or (II) withhold or deny, or cause the withholding or denial, of the use of a computer, computer services system or network informstion, data or program, and (ii) the transmission of the harmful component of the program, information, code, or command– (I) occurred without the authorization of the persons or entities who own or are responsible for the computer system receiving the program, information, code, or command; and (II)(aa) causes loss or damage to one or more other persons of value aggregating $1,000 or more during any 1-year period; or (bb) modifies or impairs, or potentially modifies of impairs, the medical examination, medical diagnosis, medical treatment, or medical care of one or more individuals… [shall be punished as provided in subsection (c) of this section].”

Section 1030(a)(5)(B) of the statute criminalizes the same conduct when done with “reckless disregard of a substantial and unjustifiable risk that the transmission will” cause harmful effects.

However, it is unclear whether the CFAA prohibits a person from sending a disk containing disabling codes to an authorized person who then unwittingly loads the codes onto a computer. The Court has found no cases on point, and indeed very few cases which construe Section (a)(5) at all.[1] The issue appears to be one of first impression. Although written as a criminal prohibition, the statute also creates a private right of action: Any person who suffers damage or loss by reason of a violation of the section, other than a violation of subsection (a)(5)(B), may maintain a civil action against the violator to obtain compensatory damages and injunctive relief or other equitable relief. Damages for violations of any subsection other than subsection (a)(5)(A)(ii)(II)(bb) or (a)(5)(B)(ii)(II)(bb) are limited to economic damages….

18 U.S.C. Section (g).

A. Legislative History of the CFAA

The CFAA, enacted in 1984, was intended to prohibit the gaining of unauthorized access to “federal interest” computers. The original CFAA focussed on unauthorized “access” to computers causing harm and did not reach harms caused by methods other than unauthorized access. The 1984 CFAA therefore contained a loophole in cases where: (1) an authorized person caused harm to a protected computer system, or (2) an unauthorized person gave a floppy computer disk or computer codes to an authorized person who loads it onto the computer.

The CFAA was amended in 1986 and 1994. The 1994 amendment was intended to broaden the scope of criminalized activities to reflect the broader range of techniques being used in society to wreak havoc on computer systems. The sponsor of the 1994 amendment, Senator Leahy, stated that:

These amendments clarify the intent standards, the actions prohibited and the jurisdiction of the current Computer Fraud and Abuse Act…. Under the current statute, prosecution of computer abuse crimes must be predicated upon the violator’s gaining unauthorized access to the affected Federal interest computers. However, computer abusers have developed an arsenal of new techniques which result in the replication and transmission of destructive programs or codes that inflict damage upon remote computers to which the violator never gained “access” in the commonly understood sense of that term.
139 Cong. Rec. S16421-03, Nov. 19, 1993 (stmt. of Sen. Leahy) (reprinted at 1993 WL 490040).
Thus while the pre-1994 CFAA was directed towards the unauthorized “access” of a computer system, presumably by modem or by direct keyboard entry, the post-1994 CFAA is directed towards a broader range of conduct by which a person knowingly “causes” the “transmission” of a program, information, code, or command to a computer. 18 U.S.C. Section 1030(a)(5). Senator Leahy stated that:
The new subsection of the CFAA created by this bill places the focus on harmful intent and resultant harm, rather than on the technical concept of computer access…. The computer abuse amendments make it a felony intentionally to cause harm to a computer or the information stored in it by transmitting a computer program or code — including destructive computer viruses — without the knowledge and authorization of the person responsible for the computer attacked. This is broader than existing law, which prohibits intentionally accessing a federal interest computer without authorization, if that causes damage.
139 Cong. Rec. S16421-03, Nov. 19, 1993 (stmt. of Sen. Leahy) (reprinted at 1993 WL 490040) (emphasis added).
The post-1994 CFAA undoubtedly is and was meant to be broader than previous law. The question, however, is whether the current law proscribes defendants’ conduct in this lawsuit — the act of sending a floppy computer disk containing a time bomb to a party who unknowingly loads it onto a computer.
During debates on the 1994 amendment, software manufacturers objected to the possibility that their practice of inserting “disabling codes” in software programs would be criminalized because disabling codes can be used as a legitimate security measure. On this issue, Senator Leahy stated that the new language would not criminalize the use of disabling codes “when their use is pursuant to a lawful licensing agreement that specifies the conditions for reentry or software disablement.” Cong. Rec. vol. 140 no. 122, 103d Cong., 2d sess., 8/23/94 at S. 12313 (plaintiff’s brief of 5/10/96 at 15-16). Although Senator Leahy did not state the converse proposition, i.e., that the bill did criminalize the use of disabling codes which are not specified in a lawful licensing agreement, this is certainly a reasonable implication of the statement. The Court has found nothing in the statute or legislative history to suggest that Congress intended a blanket exemption for the use of time bombs from the CFAA’s prohibitions[2]. Rather, time bombs would appear to fall within the statute’s proscription on the use of “codes, information, programs, or commands” to cause harm to protected computer systems. Whether the use of a time bomb is illegal appears to require a case-by-case analysis of the defendant’s intent, the type of computer involved, and the resulting harm[3].

C. Conclusion

By casting the net broadly to include many different “transmission” techniques, the 1994 amendment shifted the CFAA’s focus from the act of unauthorized access to the intent of the defendant. The transmission of a disabling code by floppy computer disk may fall within the new language, if accompanied by the intent to cause harm 18 U.S.C. Section 1030(a)(5). Accordingly, plaintiff has established federal question jurisdiction in claim 3 of the first amended complaint. The Court also chooses to exercise federal question jurisdiction over claim 5 (declaratory relief) and supplemental jurisdiction over remaining state law claims 1, 2, 4, and 6.

2. Defendants’ Motion to Dismiss the First Amended Complaint

Defendants seek to dismiss all six claims in the FAC for failure to state a claim upon which relief can be granted or, alternatively, to require a more definite statement or to strike parts of the FAC. As noted, the FAC alleges causes of action for: (1) breach of contract, (2) breach of implied and express warranties, (3) violation of the CFAA, (4) conversion, (5) declaratory relief, (6) and fraud.

A. Claim 1 — Breach of Contract

Defendants move to dismiss claim 1 on grounds the FAC does not adequately identify the contract which was allegedly breached. Claim 1 states that defendants “failed to supply goods specified on its written price quotatlon number 950103.” FAC paragraph 19. Further, claim 1 alleges that defendants breached the software use license contained in the price quotation by “demanding that NTPI enter into a new written software license agreement on substantially different terms, without any additional consideration…” FAC paragraph 20.

Defendants allege that claim 1 fails to identify the contract being sued upon, the provisions of the contract allegedly breached, the breaching act, or the breaching party. Claim 1 identifies the contract as price quotation number 950103; however, it does not identify which provisions were allegedly breached. The claim states that defendants “substituted certain inferior, or lower priced goods, for items specified” in the contract, and that as a result plaintiff received goods worth only $278,730. FAC paragraph 19. However, claim 1 fails to identify which goods were substituted or how plaintiff calculated the value received at only $278,730. Accordingly, it is difficult to see how defendants can adequately respond to the allegations. Defendants’ motion to dismiss claim 1 is granted.

B. Claim 2 — Breach of Express and Implied Warranty

Defendants seek to dismiss claim 2 because it fails to identify: (1) the source of the express warranty, (2) the source of the implied warranty, (3) the breaching party, or (4) the breaching act.

However, the FAC identifies the source of the express warranty as price quotation number 950103, see FAC paragraph 24, and defendants quote the exact language of the express warranty in their moving papers. Mtn. at 7:2-3. The FAC also appears to allege that the same sale gave rise to the implied warranty of fitness for intended use. FAC paragraph 24. Further, the FAC identifies the breaching party as “all defendants,” see FAC Count Two, or as “MDI.” FAC paragraphs 24-26. Plaintiff identifies the breaching party sufficiently for defendants to prepare a response. FAC paragraph 4. Finally, plaintiff lists a number of ways in which the product delivered by defendants allegedly failed to perform according to the warranties and caused damages. FAC paragraphs 26-27. Accordingly, defendants’ motion to dismiss claim 2 is denied.

C. Claim 3 — Violation of the CFAA

Defendants argue for dismissal of claim 3 on grounds that: (1) claim 3 fails to identify any individual responsible for the acts alleged, (2) claim 3 fails to plead violations of subsections (B)(i) and (B)(ii) (I), as required to state a claim under 18 U.S.C. Section 1030 (a) (5)(B). First, claim 3 alleges that “MDI has knowingly developed computer program code which it sent to NTPI in Texas, containing instructions through which MDI has sought to disable the operation of NTPI’s Scribe System…” FAC paragraph 33. Plaintiff has therefore identified the parties responsible, as well as identified the conduct which allegedly violates the CFAA.