*1 Before the Court is a Motion for Sanctions (“Motion”) filed by Plaintiff Deborah Manchester (“Plaintiff” or “Manchester”) against Defendants Sivantos GmbH and Sivantos, Inc. (collectively “Sivantos” or “Defendants”). (Dkt. 237, corrected.) Plaintiff contends that Sivantos improperly accessed confidential trade secret documents from her software developer's Google Drive, in violation of the Computer Fraud and Abuse Act (“CFAA”), 18 U.S.C. § 1030(a)(2). Plaintiff asks the Court to sanction Defendants under its inherent authority. Plaintiff does not seek terminating or evidentiary sanctions but an order requiring Sivantos to return or destroy the documents at issue, provide Plaintiff with a list of all individuals to whom Sivantos circulated the documents, payment of monetary sanctions and any other sanctions the Court deems appropriate. Sivantos denies that its access to the Google Drive documents was unauthorized as Plaintiff produced in discovery an email containing a link that provided access to the Google Drive documents without requiring a password, login or other security restriction, and was not marked with any confidential designation. Indeed, a message appeared, stating “Anyone with the link can view.” (Dkt. 250-3, ¶ 6, Ex. 1; 253-1, ¶ 6; 253-2, Ex. 1.) The Court DENIES Plaintiff's Motion for the reasons discussed below.

A. Relevant Federal Law

Under its inherent authority, a court can assess attorney's fees when a party has acted in bad faith, vexatiously, wantonly or for oppressive reasons. Chambers v. Nasco, Inc., 501 U.S. 32, 44-46 (1991); see also Custom Packaging Supply, Inc. v. Phillips, 2015 WL 8334793*6 (C.D. Cal.). The bad faith requirement sets a high threshold. Primus Auto Fin. Servs., Inc. v. Batarse, 115 F.3d 644, 649 (9th Cir. 1997). Mere recklessness without more does not justify sanctions under a court's inherent authority. Fink v. Gomez, 239 F.3d 989, 993-94 (9th Cir. 2001). Inherent powers must be exercised with restraint and discretion. Chambers, 501 U.S. at 44.

Plaintiff's primary contention is that Defendants criminally “hacked” her confidential documents in violation of the CFAA, 18 U.S. § 1030(a)(2). That statute provides that:

Subsection (c) imposes a fine or imprisonment for a violation. Subsection (g) authorizes a civil action to obtain compensatory damages and injunctive relief. A protected computer is any computer used in interstate or foreign commerce. Subsection (e)(2)(B).

Initiated by Plaintiff, both parties get diverted by the use of the term “hacking” and whether a violator must circumvent a technological access barrier to constitute “hacking.” The Ninth Circuit did hold in United States v. Nosal (Nosal II), 844 F.3d 1024, 1038-39 (9th Cir. 2016) that circumvention of technological barriers is not a requirement of a CFAA violation or even mentioned in the statute. The same is true of “hacking.” The term does not appear in the statute, much less given a definition there. The more appropriately stated legal standard is that criminal and civil liability may be imposed on anyone who intentionally accesses a computer “without authorization” or “exceeds authorized access” and thereby obtains information. A violation of the terms of use of a computer, however, is not covered by CFAA. Id. at 1034. (“CFAA was not intended to cover unauthorized use of information”); see also Facebook, Inc. v. Power Ventures, Inc., 844 F.3d 1058, 1067 (9th Cir. 2016) (a violation of the terms of use of a website — without more — cannot establish liability under CFAA).

B. Factual Background

*2 On July 19, 2018 Defendants received a production of documents from Plaintiff. (Bean Decl., Dkt. 130-1, ¶¶ 9-10.) When reviewing the documents produced by Plaintiff, defense counsel Caleb Bean clicked on a live active link in an email between Plaintiff and her software developer Michael Caruso. (Id., ¶ 10.) Bean clicked on the link which opened a web page in an internet browser which appeared to be a Google Drive cloud storage space for stored documents. (Id.) It contained an “Open” box which led to a folder that included HARP development documents Plaintiff had contributed to the folder. (Id.) To the right of the first page is a message stating “Anyone with the link can view.” (Dkt. 250-3, ¶ 6, Ex. 1; 253-1, ¶ 6, Ex. 1, p. 2). Neither the email that was produced nor the web page with the “Open” box nor the HARP page with “Anyone with the link can view” was marked with any confidentiality designation at all. (Dkt. 130-1, ¶ 10, Ex. 6; 250-3, ¶ 6.) Mr. Bean was never prompted nor ever entered any username, password, or credential or other requested form of security, or login or grant of access to open the link or to view the documents. (Dkt. 130-1, ¶ 10; 253-1, ¶ 6). Mr. Bean states, “At the time I opened the Google Drive link at issue, which was located in emails produced by Plaintiff, I assumed that Plaintiff had intended to produce the documents therein and that the documents I saw were part of Plaintiff's production as they were responsive to Sivantos' discovery requests.” (Dkt. 253-1, ¶ 5.)

Eric Goldberg, counsel for counter-claimant Auralcare Hearing Centers d/b/a My Hearing Centers (“MHC”), also had the same experience. (Goldberg Decl.; Dkt. 250-1.) He received an email from Plaintiff's counsel on July 18, 2018 which included a link that was not password protected. (Id., ¶ 13.) He states, “In order to gain access to the documents that appeared in the Google Drive, all I had to do was open it. I was never prompted to type in any password to the Google Drive itself, provide any credentials, other information or confirm my identity before the documents appeared in the Google Drive.” (Id.) He further stated, “I naturally assumed that whatever was available at the website links produced by Plaintiff was discovery Plaintiff intended the recipients to have.” (Id.)

On July 20, 2018, Defendants deposed Plaintiff Deborah Manchester. (Rome Decl., Dkt. 236-2, ¶ 2.) When defense counsel presented Plaintiff with a technical specifications document for HARP obtained from the Google Drive repository, Dr. Manchester stated that the document was “never supposed to have been sent to you.” (Id., Ex. A, p. 6 or 288.) Mr. Rome accused defense counsel of violating CFAA. (Id., ¶ 5.) On the same day, the Google Drive link was altered so that, when clicking the link, a message appears stating “You need permission” and no longer provides access to the previously accessible documents on the Google Drive link. (Bean Decl., Dkt. 250-3, ¶ 7, Ex. 2.)

Mr. Caruso in his Declaration states that the Google Drive links are non-shareable and will not work if forwarded. (Caruso Decl., Dkt. 168, ¶¶ 4, 5, 8.) Mr. Bean, however, obtained publicly available information from Google that the Google Drive links can be forwarded by the original recipient to other persons who can then access the documents without any login credentials or passwords. (Bean Decl., Dkt. 250-3, ¶ 11, Ex. 4.) Mr. Bean verified that Google Drive links are shareable by having a colleague forward a Google Drive link (not Caruso's) to him who then accessed the document without a password. (Id., ¶ 12.)

Mr Bean states that he never accessed or viewed any source code which is written in an X-code that he could not open. (Bean Decl., Dkt. 253-1, ¶ 10.) Mr. Bean also made clear that he has not distributed the documents in the Google Drive repository to experts, clients, in-house counsel or anyone else, (Id., ¶ 13, Ex. 5, email dated July 24, 2018; ¶ 14.)

There is no dispute that the documents are relevant to Plaintiff's claims. Nor is there any contention that the documents are attorney-client privileged or work product protected. Plaintiff in fact has said repeatedly that she will produce the documents when an outside attorney's eyes-only amended protective order is in place, which occurred on November 13, 2018. (Dkt. 262.)

C. Analysis

*3 The Court finds that there is compelling evidence that Plaintiff produced the HARP documents at issue without any confidentiality designation and without requiring any password, login credentials or other security measures, nor were the documents non-shareable. Plaintiff continues to maintain that the documents were secure but Plaintiff's contention does not explain how the Sivantos Defendants and also MHC were able to access them. Additionally, Plaintiff has acknowledged imposing security measures barring access to the documents after Dr. Manchester's deposition on July 20, 2018, (Dkt. 250-1 at 64; 254-13), which means that those specific measures were not in place before July 20, 2018 when the documents were accessed by Sivantos and MHC. At his recent deposition, Mr. Caruso admitted he changed the security settings so that no one, including Dr. Manchester, had access anymore to the Google Drive and that these settings did not exist before. (Bean Decl., Dkt. 261, Ex. 1 at 88-89, 99.) Plaintiff appears to want the Court to infer that Defendants did more than they have described in accessing Plaintiff's HARP documents, such as some form of technological circumvention of security barriers or other improper electronic tampering. Plaintiff, however, presents no specific, concrete evidence of same. Plaintiff repeatedly uses the term “hacking” but never defines it or presents any evidence of what it is Defendants must have or might have done, much less what they did. Plaintiff bears the burden on her Motion, and a high burden it is to establish a criminal violation or to prove bad faith. Plaintiff has not met her burden.

The Court accepts that Mr. Caruso did not intend these documents to be accessible by anyone other than Dr. Manchester. In the absence of any evidence of a contrary explanation, however, the Court finds that the most reasonable interpretation of the record is that Mr. Caruso emailed the documents to Dr. Manchester who emailed them to Plaintiff's counsel who emailed them to Sivantos and MHC, without any restrictions in place that would limit shareability solely to Dr. Manchester or prevent shareability by those to whom Dr. Manchester emailed the link. Plaintiff is heavily reliant on the Declaration of Mr. Caruso (Dkt. 168) but his recent deposition testimony seriously undermines Plaintiff's Motion. In his Declaration (¶ 7), Mr. Caruso states that Sivantos' lawyers accessed his Google Drive “covertly.” At his deposition, Mr. Caruso stated that Plaintiff's counsel prepared his declaration and chose the word “covertly.” (Bean Decl., Dkt. 261, Ex. 1: 117, 118.) When asked whether the actions undertaken by Sivantos' counsel to review the documents on the Google Drive were covert or not covert, he answered, “I – I don't know either way.” (Id.) He also testified he does not know how Sivantos' lawyers gained access to the Google Drive documents. (Id. at 104.) Mr. Caruso did not intend to share the link with anyone other than Dr. Manchester but conceded he did not know, if she shared the email with others, others could open the link (id. at 98-99), that sharing could occur with a setting for anyone with a link can view (id. 99), he can't remember if he did anything to ensure that Dr. Manchester could not share the data (id. at 93-94), does not recall ever choosing to turn off the option that says anyone with a link could receive the Google Drive (id. at 116) and that it “could be” shared with others to the extent Dr. Manchester sent the link to others. (Id. at 105).

Plaintiff's attempts to blunt the force of these admissions fail. In her Reply Brief, Plaintiff states that the Google Drive had been password protected all along, citing Mr. Caruso's deposition testimony available on request by the Court. (Dkt. 254-7: 9-11.) First, Plaintiff has the burden to provide evidence to the Court without which the Court can give no weight to it. Second, the fact that the Google Drive is otherwise password protected does not mean that the documents are not accessible through “anyone with the link can view” shareability. Third, Sivantos and MHC gained access to the Google Drive documents without a password, a fact Plaintiff cannot explain. Similarly, Mr. Caruso related a test where he took steps to ensure that an email with a link had no sharing settings on it and could not be opened. (Id. at 92-93.) The Court concludes that such restrictions were not put in place on the email link he sent to Dr. Manchester or that she sent to Plaintiff's counsel. Mr. Caruso admits that Dr. Manchester was free to share the Google Drive with others. (Id. at 119). She did because Plaintiff's counsel made the email with the link available to Sivantos and MHS. They then obtained access to the Google Drive documents without a password or login credentials and no shareability restrictions on those to whom Dr. Manchester emailed the link.

*4 Plaintiff next asserts that Sivantos' counsel Mr. Bean had to know that Plaintiff did not intend to produce the HARP documents. Mr. Bean had participated in conversations that led to a temporary agreement on July 17, 2018 that documents to be used at Dr. Manchester's deposition would be subject to an outside attorney's eyes-only designation. Thus, Bean should have known the documents were inadvertently produced and returned them. Plaintiff also contends that Bean knew she did not intend to produce the HARP documents in the email link until an amended protective order was in place, which occurred on November 13, 2018. (Dkt. 262.)

There are several problems with these assertions. First, the assertions do not address how Defendants obtained access to the HARP documents. They are intended terms of use or use restrictions or allegations of misuse, which are not covered by CFAA. Nosal II, 844 F.3d at 1034.

Second, as to bad faith, Plaintiff fails to acknowledge any responsibility for producing the documents, creating an ambiguous situation that caused both Sivantos and MHC to assume that Plaintiff intended to produce the documents. Indeed, defense counsel Ms. Mikulka, by introducing one of the HARP documents at Dr. Manchester's deposition, obviously did not believe the documents had been inadvertently produced or that she or Mr. Bean had done anything wrong. The act of sending the documents to Defendants was apparent authorization for them to view the documents. The Court finds nothing improper about viewing the documents, without more, to find out what they were. To the extent that the scope of the review and the copying of the documents could be considered questionable, the Court finds that those actions do not rise to the level of bad faith.

Third, the July 17, 2018 temporary outside attorney's eyes-only agreement was in place when Mr. Bean accessed the HARP documents on July 19, 2018. On the next day, July 20, 2018, at her deposition Dr. Manchester made clear she never intended to produce the documents. Since July 20, 2018, Defendants have treated the documents as if they were subject to the July 17, 2018 temporary agreement and the November 13, 2018 amended protective order. Mr. Bean has not circulated the documents to the Sivantos clients, in-house counsel or experts. (Dkt. 253-1, ¶ 13, Ex. 5 email dated July 214, 2018, ¶ 14.) The documents used at Mr. Caruso's deposition were under seal as were other documents submitted in the litigation. (See Dkt. 196-1 and 196-2). Simply put, Plaintiff has not demonstrated any harm or prejudice from Defendants' access to documents that are relevant and privileged, and that Plaintiff repeatedly has said she would produce once the amended protective order was entered.

Fourth, Plaintiff argues that Defendants were ethically obligated to return the documents, citing ABA Model Rule 4.4(b) (lawyer must return inadvertently produced legally privileged documents). The Model Rule, however, does not apply here because it is undisputed that the HARP documents are not privileged or work product protected. Plaintiff cites non-binding out-of-Circuit District Court cases that a party's ethical obligation regarding inadvertent production of documents extends to proprietary or confidential documents. Burt Hill, Inc. v. Vihassan, 2010 WL 419433 n.11 (W.D. Pa.); Lahy v. Fullbright & Jaworski, LLP, 1996 WL 34393321*2 (N.D. Tex.). All of the cases cited, however, involved documents that were stolen or hacked or marked confidential. Here, the documents were not improperly obtained, they were not marked as confidential and Plaintiff's intention in producing the documents was unclear at first. Additionally, there would be no reason not to return attorney-client privileged documents that could not be used as evidence in the case unless the holder of the privilege log permits same. By contrast, Plaintiff here concedes that the documents must be produced. The documents are relevant and no doubt will be used in the case. Plaintiff does not cite any authority, much less definitive authority, that a party must return inadvertently produced documents not labeled confidential that Plaintiff admits are relevant and will be produced soon, where no harm or prejudice has been demonstrated. Even if it could be said Defendants should have returned the documents, their failure to do so does not constitute bad faith on the circumstances of the case.

*5 Plaintiff has not presented any evidence to discredit the accounts of Sivantos and MHC of how they obtained access to the HARP documents on the Google Drive. Plaintiff has not demonstrated that Mr. Bean's behavior and/or Ms. Mikulka's behavior meet the high standard for bad faith misconduct. To bolster her argument, Plaintiff has resorted to mischaracterizations of the record, false allegations and exaggerated “purple prose.” Plaintiff asserts that Ms. Mikulka admitted that Sivantos' counsel had “covertly” accessed the Google Drive. As the transcript presented in the Motion (5:4-23) makes clear, she made no such admission. She merely acknowledged she accessed the link. Plaintiff added the characterization “covertly.” Defendants also never admitted to “hacking.” Plaintiff asserts that Defendants “furtively” extracted data from the Google Drive (254 at 1:13) but in fact Sivantos and MHC simply opened the email link Plaintiff's counsel sent them. Plaintiff asserts that Mr. Bean “inadvertently” clicked the link to the Google Drive (Motion, 7:5-9) but Mr. Bean's Declaration never uses the word “inadvertently.” See Dkt. 130-1, ¶ 10. Plaintiff also contends that Bean testified that the Google Drive contained source documents (Motion, 7:20-22) but in fact Mr. Bean stated Plaintiff has not produced the source code to date. See Dkt. 130-1, ¶ 12. Plaintiff accuses Defendants of accessing the HARP source code but Mr. Bean states that he never accessed it because of encoding that prevents access. (Bean Decl., Dkt. 253-1, ¶ 10.) Plaintiff continues to accuse Defendants of distributing the HARP documents to Sivantos, in-house counsel and experts even though Mr. Bean made clear in July he has not done so. (Dkt. 253-1, ¶ 13, Ex. 5 email dated July 24, 2018; ¶ 14.) Specific evidence is necessary to prove bad faith, not accusations, suspicions and unfounded attributions of bad motive.

The relief sought by the Motion is either moot or unnecessary. Plaintiff wants the documents returned or destroyed but this would be pointless as Plaintiff has said the documents will be produced and an amended protective order is in place. Plaintiff wants a list of those to whom the documents were circulated in a declaration but Mr. Bean already has responded in a declaration under oath that the documents were not circulated to anyone. Plaintiff also seeks monetary sanctions but Plaintiff did not prove a CFAA violation or bad faith misconduct by Defendants, and the Court DENIES her Motion.

The Court also DENIES Defendants' request for monetary sanctions. The facts are complicated enough that Plaintiff was substantially justified in bringing the Motion.