RANDY SALINAS, Plaintiff,
v.
THE CORNWELL QUALITY TOOLS COMPANY, Defendant

Case No. 5:19-cv-02275-FLA (SPx)
United States District Court, C.D. California
Filed February 17, 2023
Aenlle-Rocha, Fernando L., United States District Judge

ORDER DENYING DEFENDANT'S MOTION FOR REVIEW OF MAGISTRATE JUDGE'S ORDER DENYING MOTION FOR RECONSIDERATION [DKT. 150]

RULING

Before the court is Defendant The Cornwell Quality Tools Company's (“Cornwell” or “Defendant”) Motion for Review of Ruling on Motion for Reconsideration (“Second Motion for Review”). Dkt. 150 (“Mot.”). For the reasons set forth below, the court DENIES the Motion and AFFIRMS the Magistrate Judge's Order Denying Defendant's Motion for Reconsideration, filed June 10, 2022 (“June 10, 2022 Order”). Dkt. 144.

BACKGROUND

The relevant facts and procedural history of this action are set out in the July 8, 2021 Order. Dkt. 82. In short, Cornwell produced a document in discovery that contained in the footer a web address to a .pdf file: “corporate.cornwelltools.com/DMReporting/Audit_Print.php?DealerID=66h9” (the “URL”). Dkt. 58 at 11; Dkt. 58-2 (Azada Decl.) at 89 (Ex. E at 7), 107 (Ex. F at 25).[1] After receiving Defendant's production, Plaintiff Randy Salinas (“Plaintiff” or “Salinas”) discovered that by shortening the URL to “http://corporate.cornwelltools.com/dmreporting/” (the “DMReporting Directory”), he could access and download documents from a directory in Defendant's computer system, including reports from Cornwell's District Managers. Dkt. 58 at 11; Dkt. 58-2 at 107 (Ex. F at 25); see Dkt. 82 at 2. The documents were not password protected, and Plaintiff was able to access approximately 25,000 proprietary company records through a web browser. Dkt. 58 at 11; Dkt. 58-2 at 107 (Ex. F at 25); Dkt. 85-1 at 5.

At subsequent depositions, Plaintiff questioned Cornwell's witnesses about certain documents he had obtained from Defendant's computer system. Dkt. 82 (Order) at 2.
Cornwell, surprised that Plaintiff had acquired the documents, raised the issue of their origins and theorized Plaintiff had acquired the documents by hacking Cornwell's website or other improper means. Id. After meet and confer efforts and informal discovery conferences, Cornwell filed a Motion for Protective Order and Sanctions (“Motion for Sanctions”), seeking a protective order and sanctions pursuant to the court's inherent authority. Dkt. 58.

On July 8, 2021, the Magistrate Judge issued an Order denying the Motion (“July 8, 2021 Order”), finding Defendant failed to identify any misconduct by Plaintiff, let alone conduct that could rise to the level of bad faith required to warrant sanctions. Dkt. 82 at 6-7. On July 22, 2021, Defendant filed a Motion for Review of Ruling on Motion for Protective Order (“First Motion for Review”). Dkt. 85.

On March 31, 2022, the court issued an Order on Defendant's First Motion for Review (“March 31, 2022 Order”), and referred Defendant's Motion for Sanctions back to the Magistrate Judge for reconsideration in light of the Supreme Court's recent ruling in Van Buren v. United States, 141 S. Ct. 1648 (2021), and the prohibitions of the Computer Fraud and Abuse Act of 1986 (“CFAA”), 18 U.S.C. § 1030(a)(2)(C) (“Section 1030”). Dkt. 129. The Magistrate Judge set a briefing schedule regarding reconsideration of the Motion for Sanctions, and the matter came to hearing on May 10, 2022. Dkt. 143. On June 22, 2022, the Magistrate Judge denied Defendant's Motion for Sanctions on reconsideration, finding Plaintiff's conduct did not violate the CFAA. Dkt. 144.

On June 28, 2022, Defendant filed the Second Motion for Review, asking the court to reverse the Magistrate Judge's decision and sanction Plaintiff for his conduct. Dkt. 150. Plaintiff opposes the Second Motion for Review. Dkt. 154. The court took the Second Motion for Review under submission on July 20, 2022, finding the matter appropriate for decision without oral argument. Dkt. 154; see Fed. R. Civ. P. 78(b); Local Rule 7-15.

DISCUSSION

I. Legal Standard

A. Discovery Sanctions

The Federal Rules of Civil Procedure do not provide the authority to issue protective orders relating to documents obtained outside the scope of discovery. United States v. Comco Mgmt. Corp., Case No. 8:08-cv-00668-JVS (RNBx), 2009 WL 4609595, at *3 (C.D. Cal. Dec. 1, 2009); see also Kirshner v. Uniden Corp. of Am., 842 F.2d 1074 (9th Cir. 1988). Instead, a federal court can issue sanctions relating to such documents under its inherent authority to control and preserve the integrity of its judicial proceedings. Comco, 2009 WL 4609595, at *3-4.

Under its inherent powers, a court may impose sanctions where a party has willfully disobeyed a court order, or where the party has acted in bad faith, vexatiously, wantonly, or for oppressive reasons. Am. Unites for Kids v. Rousseau, 985 F.3d 1075, 1090 (9th Cir. 2021) (citation omitted). A court exercising its inherent authority has broad discretion to “fashion an appropriate sanction for conduct which abuses the judicial process.” Id. at 1088; Chambers v. NASCO, Inc., 501 U.S. 32, 44-45 (1991). A district court may, among other things, dismiss a case in its entirety, bar witnesses, exclude other evidence, award attorney's fees, or assess fines. Am. Unites, 985 F.3d at 1088. These powers, however, “must be exercised with restraint and discretion.” Chambers, 501 U.S. at 44.

The bad faith requirement sets a “high threshold,” which may be met by willful misconduct, or recklessness that is combined with an additional factor such as frivolousness, harassment, or an improper purpose. Primus Auto. Fin. Servs., Inc. v. Batarse, 115 F.3d 644, 649 (9th Cir. 1997); Fink v. Gomez, 239 F.3d 989, 993-94 (9th Cir. 2001). “It is the moving party's burden to demonstrate that the party against whom it seeks sanctions acted with the requisite bad faith or improper purpose.” Lofton v. Verizon Wireless LLC, 308 F.R.D. 276, 285 (N.D. Cal. 2015).

B. Review of the Magistrate Judge's Rulings

Fed. R. Civ. Proc. 72(a) (“Rule 72(a)”) provides that when a magistrate judge decides a pretrial matter not dispositive of a party's claim or defense, the district judge assigned to a case “must consider timely objections and modify or set aside any part of the order that is clearly erroneous or is contrary to law.” Fed. R. Civ. P. 72(a); 28 U.S.C. § 636(b)(1)(A); see also Grimes v. City & County of San Francisco, 951 F.2d 236, 241 (9th Cir. 1991) (“Pretrial orders of a magistrate under 636(b)(1)(A) are reviewable under the ‘clearly erroneous and contrary to law’ standard; they are not subject to de novo determination....”) (citations omitted).

“The clear error standard is significantly deferential and is not met unless the reviewing court is left with a definite and firm conviction that a mistake has been committed.” In re Mersho, 6 F.4th 891, 898 (9th Cir. 2021) (internal quotation marks and citations omitted). “A finding is ‘clearly erroneous’ when although there is evidence to support it, the reviewing court on the entire record is left with the definite and firm conviction that a mistake has been committed.” United States v. U.S. Gypsum Co., 333 U.S. 364, 395 (1948). If a magistrate judge's account of the evidence is plausible in light of the record viewed in its entirety, the district court may not reverse it even if it would have weighed the evidence differently had it been sitting as the trier of fact. See Anderson v. Bessemer City, 470 U.S. 564, 573-74 (1985); Phoenix Eng'g & Supply Inc. v. Universal Electric Co., 104 F.3d 1137, 1141 (9th Cir. 1997). “A ruling usually cannot be clearly erroneous if there is no Ninth Circuit authority on point, or the question has not been addressed by any circuit court.” In re Mersho, 6 F.4th at 898.

A ruling is contrary to law “if it applies an incorrect legal standard or fails to consider an element of the applicable standard.” Conant v. McCaffrey, Case No. 3:97-cv-00139-FMS (N.D. Cal. Mar. 16, 1998); see also DCD Partners, LLC v. Transamerica Life Ins. Co., Case No. 2:15-cv-03238-CAS (GJSx), 2018 U.S. Dist. LEXIS 226010, at *5 (C.D. Cal. June 13, 2018) (“An order is contrary to law when it fails to apply or misapplies relevant statutes, case law, or rules of procedure.”) (quotation marks and citation omitted). Unlike the “clearly erroneous” standard, the “contrary to law” standard permits independent review of purely legal determinations by the magistrate judge. Green v. Baca, 219 F.R.D. 485, 489 (C.D. Cal. 2003). The Ninth Circuit has explained the difference between the two standards in connection with Fed. R. Civ. P. 52, which applies the same standard:

Deference to the determinations of the fact-finder has been justified because the fact-finder can best observe the demeanor of witnesses and the nuances of the evidence. However, the selection and application of a rule of law to the established facts and to reasonable inferences enjoys no such deference; the trial court's “conclusions of law” stand or fall according to legal rules.

United States v. One Twin Engine Beech Airplane, 533 F.2d 1106, 1108 (9th Cir. 1976); see also United States v. McConney, 728 F.2d 1195, 1205 (9th Cir. 1984).

II. Analysis

This court referred Defendant's Motion for Sanctions (Dkt. 58) back to the Magistrate Judge for reconsideration in light of the Supreme Court's ruling in Van Buren v. United States, 141 S. Ct. 1648 (2021), and the prohibitions of the CFAA.[2] Dkt. 129 at 1. The Magistrate Judge, thereafter, found that: (1) the CFAA does not apply to Defendant's publicly accessible database, and (2) nothing in the record indicates Plaintiff intentionally accessed private documents from Defendant's publicly accessible database without authorization. Dkt. 144 at 10-16.

Defendant objects to the June 10, 2022 Order on grounds including that the Magistrate Judge was clearly erroneous and contrary to law in finding Plaintiff did not act without authorization in accessing documents from Defendant's computer systems by bypassing password protection by URL manipulation. Mot. at 3.

The CFAA “subjects to criminal liability anyone who ‘intentionally accesses a computer without authorization or exceeds authorized access,’ and thereby obtains computer information.”[3] Van Buren, 141 S. Ct. at 1652. Section 1030(a)(2) specifies two distinct ways of obtaining information unlawfully:

First, an individual violates the provision when he “accesses a computer without authorization.” [Citation.] Second, an individual violates the provision when he “exceeds authorized access” by accessing a computer “with authorization” and then obtaining information he is “not entitled so to obtain.” [Citation.]

Id. at 1658 (citing 18 U.S.C. § 1030(a)(2), (e)(6)) (emphasis in original). “[A]n individual ‘exceeds authorized access’ when he accesses a computer with authorization but then obtains information located in particular areas of the computer—such as files, folders, or databases, that are off limits to him.” Id. at 1662.

Although Section 1030(a)(2)'s prohibition initially “barred accessing only certain financial information,” “[i]t has since expanded to cover any information from any computer ‘used in or affecting interstate or foreign commerce or communication.’ As a result, the prohibition now applies—at a minimum—to all information from all computers that connect to the Internet.” Id. at 1652 (citing 18 U.S.C. § 1030(a)(2)(C), (e)(2)(B)).

In hiQ Labs, Inc. v. LinkedIn Corp., 31 F.4th 1180 (9th Cir. 2022), the Ninth Circuit considered how Van Buren applies to public websites that are available for viewing by anyone with a web browser. There, the defendant, LinkedIn Corp. (“LinkedIn”), argued that plaintiff, hiQ Labs, Inc. (“hiQ”), had violated the CFAA by using search engine crawlers and other web robots to automatically collect (“scrape”) from LinkedIn's website information that was publicly viewable by the general public, in violation of LinkedIn's user agreement. Id. at 1185-87. The district court issued an order preliminarily enjoining LinkedIn from denying hiQ access to publicly available member profiles on LinkedIn's website, and the Ninth Circuit affirmed the preliminary injunction. Id. at 1184-85. Although the Ninth Circuit did not resolve the parties' legal dispute definitively, the court held that hiQ raised a “serious question” regarding whether the CFAA prohibits a company from “scraping” information from websites made freely accessible on the Internet, sufficient to support a preliminary injunction in hiQ's favor. Id. at 1196-99.

As the Ninth Circuit explained, “the CFAA is best understood as an anti-intrusion statute and not as a ‘misappropriation statute[.]’ ” Id. at 1196.

[T]he CFAA contemplates the existence of three kinds of computer systems: (1) computers for which access is open to the general public and permission is not required, (2) computers for which authorization is required and has been given, and (3) computers for which authorization is required but has not been given (or, in the case of the prohibition on exceeding authorized access, has not been given for the part of the system accessed). ... With regard to websites made freely accessible on the Internet, the “breaking and entering” analogue invoked so frequently during congressional consideration has no application, and the concept of “without authorization” is inapt.

Id. at 1197-98. “Van Buren's distinction between computer users who ‘can or cannot access a computer system,’ suggests a baseline in which there are ‘limitations on access’ that prevent some users from accessing the system (i.e., a ‘gate’ exists, and can be either up or down).” Id. at 1198-99.
“The Court's ‘gates-up-or-down inquiry’ thus applies to the latter two categories of computers we have identified: if authorization is required and has been given, the gates are up; if authorization is required and has not been given, the gates are down.” Id. at 1199.

The Magistrate Judge held that the CFAA did not apply to Defendant's database under Van Buren and hiQ, because “Plaintiff's counsel could and did access the system by simply plugging in the modified URL into a web browser.” Dkt. 144 at 13. As Plaintiff was able to access the directory using a web browser, without facing any password protection, apparent terms and conditions of use, or warning that the contents were confidential, the Magistrate Judge found Defendant “failed to erect any gate to protect its documents,” and “the database falls into the first category of computer systems discussed in HiQ: computers for which access is open to the general public and permission is not required.” Id. at 13.

It is undisputed that Plaintiff, through counsel, accessed the documents at issue by altering a web address that had been stated in a document Defendant produced in discovery. Dkt. 144 at 2. Defendant contends this conduct violated the CFAA because the unmodified URL led to a password-protected login page and because Plaintiff only learned of the URL from a document that was produced in discovery. Mot. at 12. According to Defendant, this was sufficient to establish that the “gates were down for Plaintiff[.]” Id.

As noted in the July 8, 2021 Order (Dkt. 82 at 3), the URL was listed in a document that was filed publicly on September 3, 2020, in connection with Plaintiff's Request to Compel Further Responses to his Request for Production No. 26. Dkt. 34-2 (Markley Decl., Ex. O) at 131-53. Defendant did not designate this document as confidential or protected, as allowed under the parties' Stipulated Protective Order. See Dkt. 32 at 6-8.
The URL and the modified version of the URL have also been listed in publicly filed documents, including Defendant's Motion for Sanctions. E.g., Dkt. 58-1 at 11. Defendant has not requested the court seal references to the original or modified versions of the URL, or otherwise taken steps to keep this URL out of the public record.

Furthermore, while Defendant contends the directory is private and contains information that is confidential and not intended for public consumption, Defendant does not appear to have made any efforts to add password protection to that directory or to correct the purported security vulnerability as of the date of this Order, despite having been notified that the directory lacks password protection as of December 9, 2020 at the latest. See Dkt. 82 at 2; Dkt. 71-1 (Litney Decl. Ex. 3) at 26. It appears the directory in question and documents contained therein, are still accessible by the general public and not password-protected or otherwise marked as private or confidential.

Finally, a review of the “top-level” domain of the URL, “http://corporate.cornwelltools.com/” shows that this webpage appears to be directed to and readily accessible by the general public. This supports the Magistrate Judge's determination that Plaintiff's counsel did not act with the requisite mens rea by accessing the modified URL using a web browser.

Based on these facts and the specific circumstances at hand, the court finds the Magistrate Judge's factual determination that Defendant's database is a computer system open to the general public for which permission is not required (Dkt. 144 at 13-14) is not “clearly erroneous or contrary to law.” See Fed. R. Civ. P. 72(a). Similarly, the court finds the Magistrate Judge's determination that Plaintiff's counsel did not act in bad faith by accessing the directory (Dkt. 82 at 6-8; Dkt. 144 at 10-13) is not “clearly erroneous or contrary to law.” The court, therefore, DENIES Defendant's Second Motion for Review and request for a protective order and sanctions.

This ruling is limited to the specific facts of this case and should not be interpreted as a determination that an individual, company, or attorney cannot violate the CFAA by modifying a URL or accessing a modified URL using a web browser, as a matter of law. The court expressly declines to consider whether such conduct could constitute a clear violation of the CFAA or warrant sanctions in other circumstances, such as if the URL in question had been listed on a document designated as confidential by the producing party or if the producing party had taken steps consistent with its stated belief that the URL address and documents contained within the destination directory were private, confidential, and/or sensitive.

CONCLUSION

For the foregoing reasons, the court finds the Magistrate Judge's orders denying Defendant's requests for sanctions were not clearly erroneous or contrary to law. The court, therefore, AFFIRMS the Magistrate Judge's denial of Defendant's Motion for Sanctions.

IT IS SO ORDERED.

Footnotes

[1] Citations to page numbers of docket entries are to the page numbers assigned by the court's CM/ECF header.

[2] Defendant objects to the limited scope of the Magistrate Judge's reconsideration of the July 8, 2021 Order, and argues that this court referred the entire Motion for Sanctions back to the Magistrate Judge for reconsideration. Mot. at 4-5. In the March 31, 2022 Order, this court referred the Motion for Sanctions back to the Magistrate Judge for limited reconsideration in light of the Supreme Court's ruling in Van Buren v. United States, 141 S. Ct. 1648 (2021). Dkt. 129. Accordingly, Defendant's objection to the scope of the Magistrate Judge's reconsideration is OVERRULED.

[3] The term “computer” “includes any data storage facility or communication facility directly related to or operating in conjunction with such [computer] device.” 18 U.S.C. § 1030(e)(1).