On April 15, 2015, a customer who identified himself as Larry Bard accessed Defendant's Lateral.ly legal recruiting website. Bard, in fact, was Andrew Wood, Plaintiff's Lateral Link Group LLC's (“Lateral”) Marketing Coordinator and Database Manager. Wood who is not a lawyer was able to gain access to a portion of Defendant's website intended only for lawyers looking for jobs by inputting false information about legal education, Bar membership and current firm employment. Using this false attorney identity information, Wood created a password which he used several times to access information about law firm clients, law firm job offerings and how the Lateral.ly website presents information to its attorney and law firm clients. Wood testified at his deposition that he downloaded several screen shots of various portions of the Lateral.ly website to his computer and also sent these materials to his counsel, Robert Tauler. He also testified that Mr. Tauler instructed him as to what information or screen shots to search for or copy on the Lateral.ly website “for use in the case.”

Wood answered fully at his deposition as to what he did when accessing the Lateral.ly website. He was instructed not to answer, however, when asked about the details of the instructions given to him by Mr. Tauler, invoking the attorney-client privilege and work-product doctrine. Lateral also refuses to produce emails sent to Wood by Mr. Tauler containing some of Mr. Tauler's instructions to Wood. Defendant seeks an order overruling the privilege assertions, compelling the production of Tauler's emails to Wood, and compelling the continuation of Wood's deposition.

State law privileges are not controlling in federal question cases. Garrett v. City and County of San Francisco, 818 F.2d 1515, 1519 n.6 (9th Cir. 1987). The attorney-client privilege in federal question cases is governed by federal common law. Clarke v. Am. Comm. Nat. Bank, 974 F.2d 127, 129 (9th Cir. 1992). A party asserting the attorney-client privilege has the burden of establishing the existence of an attorney-client relationship and the privileged nature of any communications. U.S. v. Graf, 610 F.3d 1148, 1156 (9th Cir. 2010). Because it impedes full and free disclosure of the truth, the privilege is strictly construed. Id. An eight part test determines if a communication is privileged: (1) where legal advice is sought, (2) from a professional legal adviser, (3) the communication relating to that purpose, (4) made in confidence, (5) by the client, (6) is at his instance permanently protected, (7) from disclosure by himself or his legal adviser, (8) unless the protection is waived. Id. Communications concerning “litigation strategy” fall within the privilege. Clarke, 974 F.2d at 129.

*2 The attorney-client privilege attaches to Mr. Tauler's communications with Wood, both those given orally and in emails. Wood makes clear that Mr. Tauler gave him instructions on what to search for on the Lateral.ly website both orally and in emails. As even Defendant has conceded, “The communications at issue—whether oral or in emails—consist of instructions by Plaintiff's counsel to an employee of Plaintiff as to what information to search for and obtain from the Lateral.ly website, for use in the case.” Jt. Stip. 8:10-12. (Emphasis added.) Defendant argues in conclusory fashion that Mr. Tauler's instructions are not legal advice but inherent in the retention of counsel is that counsel would provide advice and instruction in how the case should be handled and discovery conducted. As noted above, “litigation strategy” falls within the attorney-client privilege and Wood's deposition testimony makes clear that what he searched for was a matter of litigation strategy. Plaintiff has met its burden to demonstrate that Mr. Tauler's communications, orally and by email, are attorney-client privileged. Similarly, because Mr. Tauler's instructions were “for use in the case” and a matter of “litigation strategy,” those instructions are protected under the work-product doctrine. See, e.g., Schoenmann v. F.D.I.C., 7 F. Supp. 3d 1009, 1013 (N.D. Cal. 2014).

Defendant next contends that, even if the communications at issue are attorney-client privileged, the privilege has been vitiated pursuant to the crime-fraud exception. More specifically, Defendant argues that Wood's access of the Lateral.ly website violated the federal Computer Fraud and Abuse Act (“CFAA”), 18 U.S.C. § 1030 and its California counterpart, the Computer Data Access and Fraud Act (“CDAFA”), Cal. Pen. Code § 502. Defendant also contends that Wood's access of the Lateral.ly website was fraudulent.

A party seeking to establish the applicability of the crime-fraud exception must show that: (1) the client was engaged in or planning a criminal or fraudulent scheme when it sought the advice of counsel to further the scheme, and (2) the attorney-client communications for which production is sought is sufficiently related to and were made in furtherance of the intended, or present, continuing illegality. In Re Napster, Inc. Copyright Litigation, 479 F.3d 1078, 1090 (9th Cir. 2007), abrogated on other grounds, Mohawk Indus. Inc. v. Carpenter, 558 U.S. 100 (2009). The party asserting the crime-fraud exception must establish its applicability by a preponderance of the evidence. Id. At 1094-95.

Defendant has not met its burden to establish the applicability of the crime-fraud exception, legally or factually. Legally, Defendant did not even identify the specific subsections of CFAA and CDAFA Plaintiff allegedly violated until the reply brief was filed, hardly fair notice to someone accused of a crime. Additionally, Defendant mistakenly treats this case as an unauthorized access case. CFAA applies to anyone who “intentionally accesses a computer without authorization or exceeds authorized access” and thereby obtains information from any protected computer. 18 U.S.C. § 1030(a)(2). Although “without authorization” is not defined, § 1030(e)(6) provides that “the term ‘exceeds authorized access' means to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so as to obtain or alter.” The Ninth Circuit made it clear in LVRC Holdings LLC v. Brekka, 581 F.3d 1127, 1135 (9th Cir. 2009) that a person uses a computer without authorization only when the person has not received permission to use the computer “for any purpose.” A person who “exceeds unauthorized access” under Section 1030(a)(2) “has permission to access the computer, but accesses information on the computer that the person is not entitled to access.” Id. at 1133. Here, Defendant allows anyone, including Plaintiff, to access its Lateral.ly website. This is not an unauthorized access case but an “exceeds authorized access” case.

Reaffirming Brekka, the Ninth Circuit in U.S. v. Nosal, 676 F.3d 854, 863 (9th Cir. 2012), held that “exceeds authorized access” does not extend to violations of use restrictions. The Court specifically noted that § 1032(a)(2)(C), the provision relied on by Defendant, would make every violation of a private computer use policy a federal crime. Id. At 859. The Court then adopted a narrower interpretation of “exceeds authorized access” that limits its reach to hacking and “circumvention of technical barriers.” Id. At 863-64. Essentially the same standard has been adopted for CDAFA. See Facebook, Inc. V. Power Ventures, Inc., 2010 WL 3291750*11 (N.D. Cal.) (unauthorized access requires overcoming “technical or code-based barriers”).

*3 What occurred in this case was merely a violation of use restrictions. Wood provided false information to allow him access to a portion of the Lateral.ly website that Defendant claims is confidential. Wood did not “hack” anything and did not circumvent technical barriers. Wood accessed the allegedly confidential portion of the website because the website allowed him to do so, albeit through information that was false. Wood did not use code or other technical means like apps nor did he use electronic devices or disable anything on the website in order to gain access to the next level of the website. Significantly, Wood did not gain access to the names of the attorneys seeking jobs through the website. To do so presumably would have required hacking and overcoming technical barriers. Thus, there was no violation of 18 U.S.C. § 1032(a)(2) or Cal. Pen. Code § 502(c)(7).

The Court is reinforced in its decision here by the fact that Defendant would not be entitled to relief under 18 U.S.C. § 1030(g) which authorizes civil suits where the damage alleged for a violation of § 1032(a)(2) must be at least $5,000. See Brekka, 581 F.3d 1131-32 (statutes renumbered: (a)(5)(B)(i) is now (c)(4)(A)(i)). Additionally, Plaintiff committed no offense under § 1030(a)(4) because exceeding authorized access with intent to defraud must further the intended fraud and obtain something of value, in excess of $5,000. The CDAFA also requires proof of loss or damage. In Re Google Android Consumer Privacy Litigation, 2013 WL 128236*11 (N.D. Cal. 2013).

Similarly, detrimental reliance and damages are essential elements of any fraud claim, whether it be the crime of common law fraud, Laser Industries, Ltd. v. Reliant Tech, Inc., 167 F.R.D. 417, 423 (N.D. Cal. 1996) or the civil tort of fraudulent deceit. Small v. Fritz Cos. Inc., 30 Cal. 4th 167, 173 (2003). Defendant has not demonstrated any detrimental reliance, harm or damage of any material or legal consequence to establish a claim for fraud that would vitiate the attorney-client privilege or work-product doctrine. Fundamentally, Defendant overstates the harm and damage caused by Wood's incursion into their website. What did Wood see that was confidential and valuable? Defendant asserts that Wood obtained information about law firm clients and law firm job offerings, but names of law firms appear on the portion of the website available to the general public. Law firms presumably inform traditional legal recruiters like Plaintiff of the same job offerings listed on Lateral.ly website. This information is not confidential and does not become unlawful by limiting access on its website to otherwise public information. Defendant CEO Micah Springut states in his declaration that some job offerings are not publicly available or generally accessible to the public but these assertions are not evidence the offerings would not be known by other recruiters like Plaintiff. Defendant, moreover, has presented no evidence that Plaintiff either used or profited in any way by viewing job offerings on Defendant's website. Additionally, as already noted, Wood did not access the website's confidential list of attorney clients.

The only arguably confidential information of value that Defendant was induced to disclose by Wood's false information is how Lateral.ly presents information to employers and potential lateral lawyers. Even this information is available to numerous lawyers and law firms, and presumably can be shared with third parties, even if not so authorized. This information, in other words, is not and cannot be truly controlled. Defendant does not present any evidence of the value of the information it presents to the lawyers and law firms and has not even presented screen shots of that information to the Court for evaluation. Plaintiff, moreover, does not appear to have obtained any financial benefit from its incursion into Defendant's website, nor did he alter any information on the website or damage the website in any way. Put another way, the feature of the website that Defendant considers most valuable and innovative, i.e., direct access by lawyers to job offerings without going through a traditional recruiter middleman, was entirely unaffected by Wood's incursion.

*4 The Springut Declaration offers only generalized assertions of harm, unsupported by concrete evidence. Springut says Defendant had to investigate the system to determine what damage may have been caused but provides no specifics and does not assert any damage. Springut says Defendant has designed and implemented new methods and procedures for verifying users but does not indicate what new methods and procedures were implemented, which presumably would be something valuable to do in any event. Mr. Springut makes the wholly unsupported and speculative assertions that the value of the website has been diminished and that Wood's access hurt Defendant's standing with its client employers. Notably, Mr. Springut makes no assertion of financial loss, or of any poaching of job offerings or of potentially lateral attorney clients. Thus, the detrimental reliance and harm demonstrated by Defendant is minimal at best, and insufficient to establish the sort of fraud that would vitiate the attorney-client privilege and work-product protection. This result is in accord with § 1030(a)(4).