*1 Before the Court is a motion to dismiss Plaintiff Mark Greenburg's second amended complaint (“SAC”) for failure to state a claim, brought by Defendants Amanda Wray, Daniel Wray, Edmond Richard, Kimberly Stafford, John Stafford, Lindsay Alvey, and Taylor Alvey. (Doc. 73.) For reasons explained below, the motion will be granted in part and denied in part.[1]

I. Background

Amanda manages a 2,000-member Facebook group called “SUSD-CAN,” where she posts anti-mask, anti-vaccine, anti-LGTBQ, and anti-Critical Race Theory policies concerning Scottsdale Unified School District (“SUSD”). (Doc. 61 at 5.) Kimberly, Edmond, and Lindsay are members of Amanda's group. (Id. at 6-8.) The remaining defendants are spouses named to bind their respective marital communities. (Id.)

Greenburg resides in Scottsdale, and during the relevant time his son was a SUSD board member. (Id. at 4.) Prior to this lawsuit, Greenburg collected records on Defendants, including photographs, video footage, background checks, and social media posts, along with Greenburg's own political and private commentary. (Id. at 8-9.) Greenburg housed the documents in his personal Google Drive in a folder called “CAN Folder,” to which he shared access with three other individuals, including his son. (Id.)

In 2021, Kimberly accused Greenburg's son of defamation. (Id. at 10.) His son responded via email with 13 screenshots stored in the CAN Folder. (Id.) However, unknown to Greenburg's son, the folder's unique, 68-charcter uniform resource locator (“URL”) was visible in a photograph. (Id. at 10-11.) Greenburg was further unaware of a setting which enabled third parties to access the folder by re-typing the URL into an internet browser. (Id. at 10.) Prior to the inadvertent disclosure, Greenburg and three others accessed the folder by logging into their password-protected Google accounts, and the URL was otherwise not searchable or guessable. (Id. at 9-10.)

Defendants accessed the folder by creating a hyperlink from the URL disclosed to Kimberly. (Id. at 6.) They downloaded, deleted, added, re-organized, and publicly disclosed the CAN Folder's contents to the media. (Id. at 13.) Greenburg then hired a forensic IT consultant to assess damage and sued Defendants under the Computer Fraud and Abuse Act (“CFAA”), 18 U.S.C. § 1030(a)(2). (Id. at 14-15.) Defendants now move to dismiss Greenburg's SAC. (Doc. 73.)

II. Legal Standard

When analyzing a complaint for failure to state a claim to relief under Rule 12(b)(6), the Court accepts well-pled factual allegations as true and construes them most favorably to the nonmoving party. Cousins v. Lockyer, 568 F.3d 1063, 1067 (9th Cir. 2009). However, the Court does not accept conclusions couched as factual allegations. Ashcroft v. Iqbal, 556 U.S. 662, 679 (2009). Thus, to avoid dismissal, the complaint must plead sufficient facts to state a claim to relief that is plausible on its face. Bell Atl. Corp. v. Twombly, 550 U.S. 544, 570 (2007).

III. Discussion

*2 Count I alleges Defendants accessed Greenburg's Google Drive without authorization in violation of the CFAA. (Doc. 61 at 15.) To bring an action under § 1030(a)(2), Greenburg must allege that Defendants: (1) intentionally accessed a computer, (2) without authorization or exceeding authorized access, (3) thereby obtaining information, (4) from any protected computer, and that (5) there was loss to one or more persons during a one-year period aggregating at least $5,000 in value. LVRC Holdings LLC v. Brekka, 581 F.3d 1127, 1132 (9th Cir. 2009). Defendants argue that Greenburg failed to plead the second element. (Doc. 73 at 7.)

This is not the first time Defendants have raised this argument or that the Court has considered it. Greenburg's first amended complaint (“FAC”) accused a sub-set of Defendants of violating this provision, and those Defendants moved to dismiss for reasons similar to those now argued. (Docs. 9, 15.) Following full briefing, oral argument, and thorough consideration, the Court denied the motion. (Doc. 38.) In its order, the Court acknowledged that whether Greenburg had adequately pled the “without authorization” element was a “close call,” but the Court resolved it in Greenburg's favor given the motion to dismiss standard and the Court's analysis of the leading Ninth Circuit case on the issue, hiQ Labs Inc., v. LinkedIn Corp., 31 F.4th 1180 (9th Cir. 2022). (Id. at 3.) The Court concluded that Greenburg's Google Drive was not accessible to anyone with a web browser because it generally was accessible only by four people through password-protected accounts, and the 68-character URL Defendants used to gain access was non-guessable and non-searchable. The Court further reasoned that the inadvertent disclosure of the URL did not per se grant authorization. See Theofel v. Farey-Jones, 359 F.3d 1066, 1074 (9th Cir. 2004).

Greenburg then filed the SAC, naming additional defendants, bringing additional claims, and adding new factual allegations. Defendants insist their latest motion to dismiss is not an untimely motion for reconsideration of the Court's prior ruling, but rather that the additional factual allegations in the SAC and some cases not previously presented to the Court should lead the Court to resolve the close call in their favor this time around. (Doc. 73 at 8-10.) The Court disagrees, addressing both arguments in turn.

The additional factual allegations in the SAC, namely that Defendants accessed the CAN Folder only and not Greenburg's entire Google Drive, do not materially alter the Court's analysis. (Doc. 61 at 10.) Here, the parties dispute whether Defendants accessed Greenburg's Google Drive without authorization. (Doc. 73 at 7.) This is not a case in which some access indisputably was granted and the dispute centers on whether the defendant exceeded the scope of that access. The Court therefore is unpersuaded by Defendants argument that accessing a singular folder, rather than the entire Google Drive, paints a “markedly different picture.” (Id. at 9.)

Defendants also highlight that there was more than one point of entry according to the SAC, which indicates that sub-folders within the CAN Folder also have URLs that would grant one access to the CAN Folder. (Id.) Although the Court acknowledges there was no traditional barrier to prevent Defendants’ access, such as a password requirement, the bottom line is that Defendants accessed the CAN Folder via an inadvertently disclosed, 68-character, non-guessable and non-searchable URL, and but for the inadvertent disclosure would not have been able to access it. The Court again recognizes that this issue is a close call. But Defendants have not persuaded the Court that the added detail in the SAC materially changes the analysis.

*3 The additional cases cited by Defendants do not persuade the Court to change course. Salinas v. Cornwell Quality Tools Co., supports Defendants’ position that a person's intent to restrict access cannot support CFAA liability if the person does not also erect gates to protect privacy, but the court in that case addressed the issue in a different procedural posture. No. 5:19-cv-02275-FLA (SPx), 2022 WL 3130875, at *1, 9 (C.D. Cal. June 10, 2022). The issue arose in the context of a motion for reconsideration of an order denying a motion for sanctions. The court was not applying the plausibility standard governing motions to dismiss. In contrast to the fact-finding role performed by the court in Salinas, this Court must accept all factual allegations in the SAC as true and draw all reasonable inferences in Greenburg's favor. The Court is not persuaded that the analysis in Salinas requires dismissal of Greenburg's CFAA claim.

Nor does Ryanair DAC v. Booking Holdings Inc., No. 20-1191-WCB, 2022 WL 13946243 (D. Del. Oct. 24, 2022), help Defendants. There, the court found that resolution of whether the plaintiff sufficiently protected its website from unwanted incursions was improperly decided at the motion to dismiss stage because it depended on forthcoming facts developed in litigation. Id. at *12. The Court shares that view here. Greenburg's SAC contains sufficient factual allegations to make it at least plausible that Defendants accessed the CAN Folder without authorization. At the motion to dismiss stage, the Court screens for wholly implausible claims, not for weak ones, mindful that a complaint need not contain every conceivable fact that might bear on a question. So long as the claim is plausible, the parties may proceed to discovery, where further factual development will either strengthen or weaken Greenburg's case. The Court remains unconvinced that dismissal is warranted.

B. Civil Conspiracy and Aiding and Abetting Claims

Count II alleges that Defendants conspired to violate the CFAA. (Doc. 61 at 16.) Under Arizona law, civil conspiracy is not an independent tort, but requires “an underlying tort which the conspirators agreed to commit.” Health Indus. Bus. Commc'ns Council Inc. v. Animal Health Inst., 481 F. Supp. 3d 941, 959 (D. Ariz. 2020). Thus, to plausibly plead civil conspiracy, Greenburg must allege that Defendants “agreed to accomplish an unlawful purpose or a lawful purpose by unlawful means, and accomplish the underlying tort, which in turn caused damages.” In re Bill Johnson's Restaurants, Inc., 255 F. Supp. 3d 927, 937 (D. Ariz. 2017) (internal quotation and citation omitted).

Count III alleges that Kimberly, Amanda, and Edmond provided substantial assistance in accessing the CAN Folder without authorization, thus aiding, and abetting one another. (Doc. 61 at 16-19.) Under Arizona law, a claim for aiding and abetting has three elements: “(1) the primary tortfeasor must commit a tort that causes injury to the plaintiff; (2) the defendant must know the primary tortfeasor's conduct constitutes a breach of duty; and (3) the defendant must substantially assist or encourage the primary tortfeasor in the achievement of the breach.” Merritt v. Arizona, 425 F. Supp. 3d 1201, 1233 (D. Ariz. 2019). “There must be some distinction between the primary tortfeasor and the aiding and abetting conduct.” Counts v. Tech. Ins. Co. Inc., No. CV-18-00488-TUC-JAS, 2019 WL 13195132 at *2 (D. Ariz. July 12, 2019).

Greenburg failed to plausibly plead civil conspiracy and aiding and abetting claims under Arizona law because a federal statutory violation is not a tort. See In re Apple Inc. Device Performance Litig., 347 F. Supp. 3d 434, 453 (N.D. Cal. 2018) (“A CFAA claim is decidedly not a state-law tort claim but is instead a federal claimed appended to a federal statute.”); see also BioD LLC v. Amino Tech., LLC, No. 2:13-CV-1670-HRH, 2014 WL 268644, at *11 (D. Ariz. Jan. 24, 2014) (finding a civil conspiracy claim cannot be based on allegations that defendants conspired to violate the Lanham Act because a claim under the Lanham Act is not a tort). Greenburg's argument that a CFAA violation seems to meet Black's Law Dictionary's definition of a tort is unpersuasive in light of case law distinguishing statutory claims from torts. And in any event, this argument does not salvage Greenburg's aiding and abetting claim because the SAC fails to distinguish between the primary tortfeasor and the aiding and abetting conduct.

*4 IT IS ORDERED that Defendants’ motion to dismiss (Doc. 73) is GRANTED IN PART and DENIED IN PART. Counts II and III of the SAC are dismissed but Count I may proceed.