428 F.

3d 504

P.C. YONKERS, INC; Party City Clifton, Inc.; Party City of

Hamilton Square, Inc.; Party City of Lawrenceville, Inc.; Party
City North Bergen, Inc.; P.C. Voorhees, Inc.; East Harrisburg,
P.C., Inc.; Lancaster P.C., Inc.; Montgomeryville P.C., Inc.;
Party City of Cottman Avenue, Inc.; Party City of Harrisburg,
Inc.; Party City of Lehigh Valley, Inc.; Party City of Reading,
Inc.; City of Springfield, Inc.; Party City of New York, Inc.;
Scranton Party City LLC; Stroudsburg P.C. Inc.; Wilkesbarre
Party City LLC; Party City Management, Co., Inc., Appellants
v.
CELEBRATIONS THE PARTY AND SEASONAL
SUPERSTORE, LLC; Andrew Bailen; Andrew Hack.
No. 04-4254.

United States Court of Appeals, Third Circuit.

Argued June 28, 2005.
Filed November 7, 2005.

COPYRIGHT MATERIAL OMITTED Kenneth L. Leiby, Jr., Shackleton

& Hazeltine, Millburn, NJ, Michael Einbinder [Argued], Einbinder &
Dunn, New York, NY, for Appellants.
Karol C. Walker [Argued], St. John & Wayne, Newark, NJ, for Appellees
Celebrations the Party and Seasonal Superstore, LLC; Andrew Bailen.
Peter L. MacIsaac [Argued], Chasan, Leyner & Lamparello, Secaucus, NJ,
for Appellee Andrew Hack.
Before ROTH, RENDELL, and BARRY, Circuit Judges.
RENDELL, Circuit Judge.

Plaintiffs P.C. of Yonkers, Inc., and eighteen related "Party City" affiliates (the
"PC plaintiffs") appeal the District Court's order denying injunctive relief

sought pursuant to the provisions of the federal Computer Fraud and Abuse Act
("CFAA"), and under New Jersey state law. We will affirm because we agree
with the District Court's analysis regarding the lack of evidentiary basis for the
injunction, but we will take this opportunity to clarify the scope of relief
available under CFAA's provisions.
2

The seventeen Party City retail store plaintiffs are all franchisees of Party City
Corporation ("PCC"). Each operates a retail store selling discount party goods
and related products (the "PC Stores"). Plaintiff Party City Management Co.,
Inc. ("PC Management"), manages the operations of the franchised locations.
Defendant Andrew Hack ("Hack") worked for PCC in various positions from
March 1991 until his termination in August 2003. He continued to act as a
consultant to PC Management from September 11, 2003 to November 25, 2003.
Defendant Andrew Bailen ("Bailen"), also a longtime PCC employee, served as
the company's executive vice president for merchandise and marketing from
August 2000 until he left its employ on July 14, 2003.

In 2004, Bailen and Hack formed Celebrations! The Party and Seasonal
Superstore, L.L.C. ("Celebrations"), also a defendant in this case, and opened
two of its own retail party goods stores in the vicinity of two existing PC
Stores, one in Greenburgh, New York, and a second in Clifton, New Jersey, in
late July and August of 2004, respectively. The PC plaintiffs averred that the
Celebrations stores opened "just in time to compete with plaintiff PC stores
during the biggest selling season the weeks leading up to Halloween," and
that "sales during this time of year are critical to a successful business year."
(Compl. 36.)

The PC plaintiffs' primary claim under CFAA was that defendant Hack,
"without authorization and on behalf of defendant Celebrations and defendant
Bailen," accessed PCC's Tomax computer system from his home 125 times
over seven days during October and November of 2003. Eight of the alleged
incursions occurred after Hack ceased working as a consultant to PC
Management.1 Additionally, plaintiffs claim that unauthorized access
purportedly was gained again in December 2003 and a final time in April 2004,
when Hack was no longer associated with any of the PC plaintiffs.

The access in December 2003 lasted a total of 19.4 minutes. Hack testified that
he had a home office during his years with PCC and had been authorized to use
his computer from home; as proof, he offered e-mails demonstrating that he did
so. He could not recall making this particular access but stated that he imagined
it would have been for PC Management business as he never accessed the
Tomax system for anything but PC Management related work. The PC

plaintiffs contested Hack's asserted authorization in their submissions. The

April access was for a total of 5 minutes and 49 seconds, and Hack testified that
it appears to have been an automatic redial of the last call he had made to the
PC Lancaster store in December. There is a paucity of information as to
precisely what could have been obtained from the system in these incursions,
although the PC plaintiffs' computer consultant, Joseph Savin, stated that
"reports" could be ordered in a matter of seconds and then "later, with a few
keystrokes," downloaded and sent to a remote location. (Savini Certification
6, Oct. 8, 2004.)
6

The PC plaintiffs averred that the defendants used the information obtained
from this access to decide where to locate their stores, where to focus marketing
efforts and budgets, and to obtain valuable information as to sales during the
Halloween season. They urge that by using this valuable information,
defendants purportedly obtained an unfair competitive advantage. The PC
plaintiffs specifically averred that defendants' unauthorized access resulted in
damage or loss to the PC plaintiffs of not less than $5,000 within the meaning
of CFAA, 18 U.S.C. 1030.

The PC plaintiffs sought an injunction prohibiting Celebrations from operating

the Celebrations stores and from using the PC plaintiffs' trade secrets and
confidential and proprietary information, and ordering the return of such
information. They also averred that defendants' conduct violated New Jersey
statutory and common law, entitling the PC plaintiffs to damages.

After limited discovery, the District Court heard oral argument on the motion
and expressed doubt that 18 U.S.C. 1030, which is primarily a criminal
statute, provided for any civil relief. However, the District Court reasoned that
even if the statute were read to provide a civil remedy, the PC plaintiffs had
failed to frame their claim as a claim under subsection (a)(5) of 1030, and
thus were not entitled to injunctive relief under CFAA. Further, the District
Court held that, even if a claim could properly be brought under subsection (a)
(4) of 1030, the PC plaintiffs had failed to demonstrate a likelihood of success
on the merits of such a claim, because they had not shown what, "if anything,
was actually taken from the Tomax system [by defendants], nor for that matter,
confirm with certainty that the incursions were inappropriate or outside the
scope of a legitimate work purpose."2 (Trans. of Op. at 34.)

The Court also ruled that the PC plaintiffs had not demonstrated that they
would succeed under the related New Jersey statute prohibiting certain
computer incursions, or on the merits of their common law trade secret
misappropriation claim. This latter finding was based on the PC plaintiffs'

failure to prove that the information in the Tomax system was indeed entitled to
protection as a "trade secret" and also because monetary damages would
compensate for any injury, thus making injunctive relief inappropriate.
10

The District Court had jurisdiction over this matter pursuant to 18 U.S.C.
1030 and 28 U.S.C. 1331 and 1367. Our jurisdiction over this appeal from
an interlocutory order arises under 28 U.S.C. 1292(a)(1).

11

This Court has held that a district court may permissibly grant the
"extraordinary remedy" of a preliminary injunction only if "(1) the plaintiff is
likely to succeed on the merits; (2) denial will result in irreparable harm to the
plaintiff; (3) granting the injunction will not result in irreparable harm to the
defendant; and (4) granting the injunction is in the public interest." Nutrasweet
Co. v. Vit-Mar Enterprises, 176 F.3d 151, 153 (3d Cir.1999) (quoting
Maldonado v. Houstoun, 157 F.3d 179, 184 (3d Cir.1998)). The burden lies
with the plaintiff to establish every element in its favor, or the grant of a
preliminary injunction is inappropriate. See id.

12

We review the denial of a preliminary injunction for "an abuse of discretion, an

error of law, or a clear mistake in the consideration of proof." KOS Pharms.,
Inc. v. Andrx Corp., 369 F.3d 700, 708 (3d Cir.2004) (quotation omitted). "Any
determination that is a prerequisite to the issuance of an injunction . . . is
reviewed according to the standard applicable to that particular determination."
Id. Therefore, we exercise plenary review over the district court's conclusions
of law and its application of law to the facts, but review its findings of fact for
clear error. Duraco Prods., Inc. v. Joy Plastic Enters., Ltd., 40 F.3d 1431, 1438
(3d Cir.1994).

DISCUSSION
13

(1) Denial of Injunctive Relief.

14

We will not disturb the District Court's ruling that if 1030(g) is interpreted as
providing a civil remedy, and injunctions in aid thereof, the PC plaintiffs failed
to prove that they were likely to succeed on the merits of their claim because
they failed to demonstrate any conduct on the part of defendants other than the
alleged access (which may or may not have been authorized). As the District
Court correctly found, there is absolutely no evidence as to what, if any,
information was actually viewed, let alone taken. Lacking such a showing, the
elements of the causes of action brought by the PC plaintiffs cannot succeed.

15

The federal and state law causes of action asserted by the PC plaintiffs have

15

The federal and state law causes of action asserted by the PC plaintiffs have
several elements. It is undisputed that the conduct complained of falls under
subsection (a)(4) of 1030. A claim under CFAA 1030(a)(4) has four
elements: (1) defendant has accessed a "protected computer;" (2) has done so
without authorization or by exceeding such authorization as was granted; (3)
has done so "knowingly" and with "intent to defraud"; and (4) as a result has
"further[ed] the intended fraud and obtain[ed] anything of value." 18 U.S.C.A.
1030(a)(4); see also Pacific Aerospace & Elecs., Inc. v. Taylor, 295
F.Supp.2d 1188, 1195 (E.D.Wash.2003).

16

New Jersey state law provides that any person "damaged in business or
property" as a result of "[t]he purposeful or knowing, and unauthorized altering,
damaging, taking or destruction of any data, data base, computer program,
computer software or computer equipment existing internally or externally to a
computer, computer system or computer network," may recover damages. N.J.
Stat. Ann. 2A:38A-3(a). Lastly, under New Jersey law, to establish a claim
for misappropriation of a trade secret, a plaintiff must show, inter alia, the
existence of a trade secret and that it was "acquired by the competitor with
knowledge of the breach of confidence." Rohm & Haas Co. v. Adco Chem. Co.,
689 F.2d 424, 429-30 (3d Cir.1982). Whether or not the data at issue here was a
trade secret, there has been no showing that anything was "acquired" by
defendants.

17

It is clear that PC plaintiffs do not know, have not shown, and cannot show,
what information, if any, was taken. Mr. Nasuti, president of PC Management,
stated repeatedly in his deposition that plaintiffs do not know what, if anything,
was actually taken, much less information that could be deemed to be a trade
secret, and this is uncontroverted. In fact, no proof of conduct other than access
has been shown, thus dooming both of the New Jersey state law claims, which
require proof of some activity vis-a-vis the information other than simply
gaining access to it.3

18

Under CFAA, too, more is required. The third and fourth elements we cite
above (3) knowingly and with intent to defraud, and (4) as a result . . .
furthered the intended fraudulent conduct and obtained anything of value
pose hurdles that PC plaintiffs have not demonstrated they can overcome.

19

The only evidence that might arguably support an inference as to these elements
consists of a one-line e-mail sent in December 2003 by Hack to Savin, seeking
SKU numbers "confidentially." Access occurred from Hack's home computer
later that month. While this raises some level of suspicion, without more we
cannot infer anything of probative value. It is too slim a reed upon which to

rely as proof of the necessary elements under CFAA.

20

The PC plaintiffs urge that we draw inferences of intent and the obtaining of
valuable information from the mere fact that unauthorized access has been
shown, and ask defendants to rebut these inferences by demonstrating the
innocence of their purpose or actions. However, the elements of the claims
asserted are part of a plaintiff's burden. That information was taken does not
flow logically from mere access. Access could be accidental, and, even if
access were purposeful and unauthorized, information could be viewed but not
used or taken. Furthermore, without a showing of some taking, or use, of
information, it is difficult to prove intent to defraud, and indeed, the PC
plaintiffs have not shown that they can do so.

21

Here, the PC plaintiffs needed something more. Perhaps they could have
produced evidence of identical merchandise code numbers (known as SKUs) in
the Celebrations stores, or of vendors contacted by Hack or Bailen in temporal
proximity to the unauthorized access. Or, perhaps, they could have adduced
evidence tending to show that neither Hack nor Bailen could independently
have started and stocked the Celebrations stores. But, absent any such evidence,
the logical inference is not that there was access and use of information that
harmed them, but, to the contrary, that in opening and stocking their stores,
defendants Bailen and Hack were employing their expertise gained through
years of experience in the retail party goods business, unaided by any
information obtained through access to the PC plaintiffs' computer system.

22

Bailen had been the number two executive for PCC before leaving in 2003, and
had had the direct responsibility for all of its buying, marketing, visual
merchandising planning, and allocation of supply chain efforts for over 500
stores nationwide. The record contains the numerous e-mails sent by Hack over
the relevant time period pertaining to his plans and the steps he was taking with
Bailen to start Celebrations, none of which contains any reference to any
outside information. Nor do PC plaintiffs point to any conduct by Hack or
Bailen that might imply use of any type of information gained from the Tomax
system.

23

We have only the unauthorized access in December 2003 and then again in
April 2004, and PC plaintiffs' failure to complain prior to their bringing an
injunction motion in September 2004, when the Halloween season was
imminent. This does not satisfy the proof necessary for injunctive relief in aid
of the claims at issue.

24

Accordingly, we agree with the District Court that the PC plaintiffs' proffer was

24

Accordingly, we agree with the District Court that the PC plaintiffs' proffer was
not sufficient and that due to the speculative nature of their proof, they failed to
demonstrate that they could succeed on the merits of any of their claims so as to
warrant injunctive relief.

25

(2) CFAA

26

The District Court struggled with the meaning of, and relationships among,
various provisions of CFAA. It is, as the District Court noted, a criminal
statute, criminalizing and penalizing unauthorized access to computers, and, as
noted by the Court in Pacific Aerospace, the majority of CFAA cases still
involve "classic" hacking activities. 295 F.Supp.2d at 1196. However, the
scope of its reach has been expanded over the last two decades. "Employers . . .
are increasingly taking advantage of the CFAA's civil remedies to sue former
employees and their new companies who seek a competitive edge through
wrongful use of information from the former employer's computer system." Id;
see also Shurgard Storage Centers, Inc. v. Safeguard Self Storage, Inc., 119
F.Supp.2d 1121, 1124 & n. 3 (W.D.Wash.2000) (explicitly recognizing that
Congress' 1994 amendment to the CFAA added a private cause of action under
1030(g)).

27

As currently in force, 18 U.S.C. 1030 lists seven different types of conduct

punishable by fines or imprisonment. These are set forth in subsection 1030(c).
The prohibited conduct ranges from trafficking in passwords to knowing and
unauthorized access to government computers. Subsection 1030(d) grants
authority to various agencies of the federal government to investigate offenses.
Subsection 1030(e) contains definitions, while subsection (f) provides that the
powers under the federal law are not exclusive of state powers. Subsection (g)
containing the purported civil remedy at issue here provides:

28

(g) Any person who suffers damage or loss by reason of a violation of this
section may maintain a civil action against the violator to obtain compensatory
damages and injunctive relief or other equitable relief. A civil action for a
violation of this section may be brought only if the conduct involves 1 of the
factors set forth in clause (i), (ii), (iii), (iv), or (v) of subsection (a)(5)(B).
Damages for a violation involving only conduct described in subsection (a)(5)
(B)(i) are limited to economic damages. No action may be brought under this
subsection unless such action is begun within 2 years of the date of the act
complained of or the date of the discovery of the damage. No action may be
brought under this subsection for the negligent design or manufacture of
computer hardware, computer software, or firmware.

29

18 U.S.C. 1030(g).

30

The District Court focused on the criminal provisions and found it difficult to
infer a civil application within the statutory framework and concluded that it
could not do so, although the Court did acknowledge that several other courts
had determined to the contrary. However, we conclude that not only the
relevant case law, but also the plain language of the statute, militate in favor of
the availability of a civil remedy, and specifically, the type of injunctive relief
sought by the PC plaintiffs.

31

Numerous courts have recognized that a civil cause of action is apparent from
the text of 1030(g). Although we acknowledge the criminal thrust of the
section in general, as it is found in Title 18, there is ample authority for
permitting civil actions to proceed based on violations of the section pursuant to
the language of 1030(g). See, e.g., Theofel v. Farey-Jones, 359 F.3d 1066,
1078 (9th Cir.2003) ("The civil remedy extends to `[a]ny person who suffers
damage or loss by reason of a violation of this section.'") (emphasis in original);
I.M.S. Inquiry Mgmt. Sys., Ltd. v. Berkshire Info. Sys., Inc., 307 F.Supp.2d 521,
526 (S.D.N.Y.2004) (stating that 1030(g) affords civil action for any violation
of CFAA). Accordingly, we conclude that civil relief is available under
1030(g).

32

Defendants make a novel argument, however, in an attempt to undercut the

availability of relief here. They posit that the third sentence of subsection (g)
which limits recovery to only economic damages for a violation solely
involving conduct described in subsection (a)(5)(B)(i) also operates to
exclude injunctive relief for claims involving such conduct. That reading is
unwarranted. We read that sentence to mean, instead, that if one who is harmed
does seek compensatory damages based on such conduct, which are available
by virtue of the general statement contained in the first sentence, then those
damages will be so limited. That is, compensatory damages for such conduct
will be awarded only for economic harm. Nothing in the third sentence,
however, countermands or limits the type of injunctive relief specifically
authorized in the first sentence of (g). In fact, two courts have held that the third
sentence does not even limit all compensatory damage claims but only those
based on the specific subsection of 1030 referred to in the third sentence. See
In re Intuit Privacy Litig., 138 F.Supp.2d 1272, 1281 (C.D.Cal.2001); In re
DoubleClick Privacy Litig., 154 F.Supp.2d 497, 519-526 (S.D.N.Y.2001).4
Accordingly, claims for other types of compensatory damages for conduct
other than violations of (a)(5)(B)(i) are clearly allowed, as are claims for
any and all types of injunctive relief.

33

The only remaining issue pertains to an aspect of section 1030(g) that was also
of concern to the District Court. That is, does the reference in section 1030(g) to
subsection (a)(5)(B) preclude relief for violations that are brought as PC
plaintiffs' is under subsection (a)(4)? We conclude that it does not, provided
that the claim brought under subsection (a)(4) or any other section for that
matter "involves" one of the five enumerated results in 1030(a)(5)(B)(i)(v). For ease of reference, we repeat both section 1030(a)(4) and (a)(5) in the
footnote below.5

34

Here, PC plaintiffs' claim is clearly based on a violation of (a)(4), but they

included in their complaint a specific allegation of loss in excess of $5,000,
which satisfies (a)(5)(B)(i). We do not read section 1030(g)'s language that the
claim must involve one or more of the numbered subsections of subsection (a)
(5)(B) as limiting relief to claims that are entirely based only on subsection (a)
(5), but, rather, as requiring that claims brought under other sections must meet,
in addition, one of the five numbered (a)(5)(B) "tests." See I.M.S., 307
F.Supp.2d at 526. Otherwise, the language would not have referred to one or
more of the numbered subsections, but would have said that relief is only
available for claims under subsection (a)(5). We must take Congress' use of
language as purposeful. See Conn. Nat'l Bank v. Germain, 503 U.S. 249, 25354, 112 S.Ct. 1146, 117 L.Ed.2d 391 (1992) (noting that "courts must presume
that a legislature says in a statute what it means and means in a statute what it
says"). Accordingly, we conclude that the claim asserted by PC plaintiffs fits
squarely within the class of claims eligible for injunctive relief, for it involves
one of the factors contained in subsection (a)(5)(B), namely, the $5,000 loss
provision of (a)(5)(B)(i).

35

We note that one court seems to have read section 1030(g)'s reference to
subsection (a)(5)(B) as limiting relief under section 1030(g) to only subsection
(a)(5) claims, but we disagree. See McLean v. Mortg. One & Fin. Corp., 2004
WL 898440 (D.Minn. Apr. 9, 2004), 2004 U.S. Dist. LEXIS 7279, *5. The
weight of authority is clearly to the contrary. See Theofel, 359 F.3d at 1078
("The conduct must involve one of five factors listed in 18 U.S.C. 1030(a)(5)
(B), which include a loss in excess of $ 5000."); Nexans Wires S.A. v. SarkUSA, Inc., 319 F.Supp.2d 468, 472 (S.D.N.Y.2004) (holding that requirement is
met where plaintiff meets the jurisdictional threshold by asserting loss in excess
of $5,000 under (a)(5)(B)(i)); I.M.S., 307 F.Supp.2d at 526 (holding that
subsection (g) affords a civil action for any CFAA violation, but requires an
allegation of one of the five enumerated factors in 1030(a)(5)(B)).

CONCLUSION

36

We conclude that although the PC plaintiffs' claim for injunctive relief under
CFAA is cognizable under the statutory framework and language, and we
therefore disagree with the District Court to the extent it opined to the contrary,
we will AFFIRM the judgment of the District Court that the PC plaintiffs failed
to adduce sufficient proof of a violation under CFAA and were therefore not
entitled to injunctive relief under that statute or under applicable New Jersey
law.

Notes:
1

It is undisputed that Hack ceased consulting for PC Management on November

25, 2003

We do not distinguish among the defendants in terms of the conduct

complained of, as it is not necessary to our ruling

We need not address separately the District Court's ruling regarding trade
secrets or the availability of monetary relief, as we affirm all aspects of the
District Court's ruling based on the general ground that absent proof of
something more than mere access, whether or not the information in the system
was secret, there can be no likelihood of success on any of the state law claims
asserted

These cases concerned specific language found in a prior version of 1030(g)before the October 26, 2001 amendments to the statuteSee 18 U.S.C. 1030
(1996) (amended by current version at 18 U.S.C. 1030(g)). The third sentence
then referred to violations involving damage as defined in subsection (e)(8)(A),
id., whereas the current version references (a)(5)(B)(i), see 18 U.S.C. 1030(g)
(2005).

18 U.S.C. 1030(a): . . . (4) knowingly and with intent to defraud, accesses a

protected computer without authorization, or exceeds authorized access, and by
means of such conduct furthers the intended fraud and obtains anything of
value, unless the object of the fraud and the thing obtained consists only of the
use of the computer and the value of such use is not more than $5,000 in any 1year period;
(5)(A)(i) knowingly causes the transmission of a program, information, code, or
command, and as a result of such conduct, intentionally causes damage without
authorization, to a protected computer;

(ii) intentionally accesses a protected computer without authorization, and as a

result of such conduct, recklessly causes damage; or
(iii) intentionally accesses a protected computer without authorization, and as a
result of such conduct, causes damage; and
(B) by conduct described in clause (i), (ii), or (iii) of subparagraph (A), caused
(or, in the case of an attempted offense, would, if completed, have caused)
(i) loss to 1 or more persons during any 1-year period (and, for purposes of an
investigation, prosecution, or other proceeding brought by the United States
only, loss resulting from a related courts of conduct affecting 1 or more other
protected computers) aggregating at least $5,000 in value;
(ii) the modification or impairment, or potential modification or impairment, of
the medical examination, diagnosis, treatment, or care of 1 or more individuals;
(iii) physical injury to any person;
(iv) a threat to public health or safety; or
(v) damage affecting a computer system used by or for a government entity in
furtherance of the administration of justice, national defense, or national
security; . . .