Lvrc Holdings LLC v. Brekka ( 2009 )

                    FOR PUBLICATION
UNITED STATES COURT OF APPEALS
FOR THE NINTH CIRCUIT
LVRC HOLDINGS LLC,                       
Plaintiff-Appellant,
v.                              No. 07-17116
CHRISTOPHER BREKKA; EMPLOYEE                     D.C. No.
CV-05-01026-KJD
BUSINESS SOLUTIONS INC.; CAROLYN
QUAIN; STUART SMITH; BRAD                        OPINION
GREENSTEIN; FRANK SZABO,
Defendants-Appellees.

Appeal from the United States District Court
for the District of Nevada
Kent J. Dawson, District Judge, Presiding
Argued and Submitted
March 13, 2009—San Francisco, California
Filed September 15, 2009
Before: M. Margaret McKeown and Sandra S. Ikuta,
Circuit Judges, and James V. Selna,* District Judge.
Opinion by Judge Ikuta
*The Honorable James V. Selna, United States District Judge for the
Central District of California, sitting by designation.
13373
13376            LVRC HOLDINGS v. BREKKA
COUNSEL
Thomas G. Grace, Las Vegas, Nevada, for the plaintiff-
appellant.
Norman H. Kirshman, Las Vegas, Nevada, for the defendant-
appellees.
OPINION
IKUTA, Circuit Judge:
LVRC Holdings, LLC (LVRC) filed this lawsuit in federal
district court against its former employee, Christopher
Brekka, his wife, Carolyn Quain, and the couple’s two con-
sulting businesses, Employee Business Solutions, Inc., a
Nevada corporation (EBSN), and Employee Business Solu-
tions, Inc., a Florida corporation (EBSF). LVRC alleged that
Brekka violated the Computer Fraud and Abuse Act (CFAA),
18 U.S.C. § 1030, by accessing LVRC’s computer “without
LVRC HOLDINGS v. BREKKA                     13377
authorization,” both while Brekka was employed at LVRC
and after he left the company. See 18 U.S.C. § 1030(a)(2), (4).
The district court granted summary judgment in favor of the
defendants. We affirm. Because Brekka was authorized to use
LVRC’s computers while he was employed at LVRC, he did
not access a computer “without authorization” in violation of
§ 1030(a)(2) or § 1030(a)(4) when he emailed documents to
himself and to his wife prior to leaving LVRC. Nor did email-
ing the documents “exceed authorized access,” because
Brekka was entitled to obtain the documents. Further, LVRC
failed to establish the existence of a genuine issue of material
fact as to whether Brekka accessed the LVRC website without
authorization after he left the company.
I
LVRC operates Fountain Ridge, a residential treatment
center for addicted persons, in Nevada.1 As part of its market-
ing efforts, LVRC retained LOAD, Inc. to provide email,
website, and related services for the facility. Among other
duties, LOAD monitored internet traffic to LVRC’s website
and compiled statistics about that traffic.
In April 2003, LVRC hired Brekka to oversee a number of
aspects of the facility. Part of his duties included conducting
internet marketing programs and interacting with LOAD. At
the time Brekka was hired, Brekka owned and operated EBSN
and EBSF, two consulting businesses that obtained referrals
for addiction rehabilitation services and provided referrals of
potential patients to rehabilitation facilities through the use of
internet sites and advertisements. Stuart Smith, the owner and
operator of LVRC, was aware of Brekka’s businesses,
although he states he was not aware of the full nature of their
operations.
1
Because this appeal comes to us from the grant of a motion for sum-
mary judgment, we relate the facts in the light most favorable to LVRC.
See Nolan v. Heald College, 

, 1150 (9th Cir. 2009).
13378            LVRC HOLDINGS v. BREKKA
While Brekka worked for LVRC, he commuted between
Florida, where his home and one of his businesses were
located, and Nevada, where Fountain Ridge and his second
business were located. Brekka was assigned a computer at
LVRC, but while commuting back and forth between Florida
and Nevada, he emailed documents he obtained or created in
connection with his work for LVRC to his personal computer.
LVRC and Brekka did not have a written employment agree-
ment, nor did LVRC promulgate employee guidelines that
would prohibit employees from emailing LVRC documents to
personal computers.
In June 2003, Brekka sent an email to LOAD’s administra-
tor, Nick Jones, requesting an administrative log-in for
LVRC’s website. Jones sent an email with the administrative
user name, “cbrekka@fountainridge.com,” and password,
“cbrekka,” to Brekka’s work email, which Brekka down-
loaded onto his LVRC computer. By using the administrative
log-in, Brekka gained access to information about LVRC’s
website, including the usage statistics gathered by LOAD.
Brekka used those statistics in managing LVRC’s internet
marketing.
In August 2003, Brekka and LVRC entered into discus-
sions regarding the possibility of Brekka purchasing an own-
ership interest in LVRC. At the end of August 2003, Brekka
emailed a number of LVRC documents to his personal email
account and his wife’s personal email account. These docu-
ments included a financial statement for the company,
LVRC’s marketing budget, admissions reports for patients at
Fountain Ridge, and notes Brekka took from a meeting with
another Nevada mental health provider. On September 4,
2003, Brekka emailed a master admissions report, which
included the names of past and current patients at Fountain
Ridge, to his personal email account.
In mid-September 2003, negotiations regarding Brekka’s
purchase of an ownership interest in LVRC broke down, and
LVRC HOLDINGS v. BREKKA                    13379
Brekka ceased working for LVRC. Brekka left his LVRC
computer at the company and did not delete any emails from
the computer, so the June 2003 email from Nick Jones, which
included the administrative user name and password,
remained on his computer.
After Brekka left the company, other LVRC employees had
access to Brekka’s former computer, including Brad Green-
stein, a consultant who was hired shortly before Brekka left
and who assumed many of Brekka’s responsibilities. At some
point after Brekka left, the email with the administrative log-
in information was deleted from his LVRC computer.
On November 19, 2004, while performing routine monitor-
ing of the LOAD website, Jones noticed that someone was
logged into the LVRC website using the user name
“cbrekka@fountainridge.com” and was accessing LVRC’s
LOAD statistics. Jones contacted Greenstein about the use of
the “cbrekka” log-in. Jones also provided the IP address of the
log-in and the location of the Internet Service Provider (ISP)
associated with that IP address, namely, Redwood City, Cali-
fornia. Greenstein instructed Jones to deactivate the “cbrekka”
log-in, and Jones did so the same day. Shorting thereafter,
LVRC filed a report with the FBI, alleging that Brekka had
unlawfully logged into LVRC’s website.
LVRC then brought an action in federal court, alleging that
Brekka violated the CFAA when he emailed LVRC docu-
ments to himself in September 2003 and when he continued
to access the LOAD website after he left LVRC. In addition,
LVRC brought a number of state tort actions. In response,
Brekka filed a third-party complaint against Smith, Green-
stein, and Frank Szabo, alleging that they defamed him by
making statements that Brekka had stolen information from
LVRC.2
2
Brekka’s third-party complaint against Smith, Greenstein, and Frank
Szabo is not on appeal before us.
13380                LVRC HOLDINGS v. BREKKA
The district court granted summary judgment in favor of
Brekka. After dismissing the federal law claims, the district
court declined to exercise supplemental jurisdiction over the
remaining state law claims and dismissed the case. LVRC
filed a motion to reconsider. Before the district court ruled on
the motion, LVRC filed this appeal. We review the district
court’s grant of a motion for summary judgment de novo.
SDV/ACCI, Inc. v. AT&T Corp., 

, 958 (9th Cir.
2008).
II
The CFAA was enacted in 1984 to enhance the govern-
ment’s ability to prosecute computer crimes. The act was
originally designed to target hackers who accessed computers
to steal information or to disrupt or destroy computer func-
tionality, as well as criminals who possessed the capacity to
“access and control high technology processes vital to our
everyday lives . . . .” H.R. Rep. 98-894, 1984 U.S.C.C.A.N.
3689, 3694 (July 24, 1984). The CFAA prohibits a number of
different computer crimes, the majority of which involve
accessing computers without authorization or in excess of
authorization, and then taking specified forbidden actions,
ranging from obtaining information to damaging a computer
or computer data. See 18 U.S.C. § 1030(a)(1)-(7) (2004).3
[1] LVRC’s complaint alleged that Brekka committed two
of the crimes established by the CFAA, 18 U.S.C.
§§ 1030(a)(2) and (a)(4). Section § 1030(a)(2) provides for
criminal penalties to be imposed on a person who:
3
The CFAA has been amended multiple times since 1984; for purposes
of this case, the 1986 amendments are applicable. The act was amended
again in 2008. See Pub. L. 110-326, §§ 203-08. Unless otherwise indi-
cated, all citations in this opinion are to the 2004 U.S. Code, which con-
tains the version of the CFAA in force during the relevant time period in
this case.
LVRC HOLDINGS v. BREKKA                       13381
intentionally accesses a computer without authoriza-
tion or exceeds authorized access, and thereby
obtains— . . .
(C) information from any protected computer if the
conduct involved an interstate or foreign communi-
cation . . . .
18 U.S.C. § 1030(a)(2). Section 1030(a)(4) provides for crim-
inal penalties to be imposed on a person who:
knowingly and with intent to defraud, accesses a
protected computer without authorization, or exceeds
authorized access, and by means of such conduct
furthers the intended fraud and obtains anything of
value . . . .
18 U.S.C. § 1030(a)(4).4
[2] LVRC brought suit under the provision of the statute
that creates a right of action for private persons injured by
such crimes. Section 1030(g) provides in pertinent part:
Any person who suffers damage or loss by reason of
a violation of this section may maintain a civil action
against the violator to obtain compensatory damages
and injunctive relief or other equitable relief. A civil
action for a violation of this section may be brought
only if the conduct involves 1 of the factors set forth
in clause (I), (ii), (iii), (iv), or (v) of subsection
(a)(5)(B).
4
For purposes of these sections, a “protected computer” is defined as
including any computer “used in interstate or foreign commerce or com-
munication, including a computer located outside the United States that is
used in a manner that affects interstate or foreign commerce or communi-
cation of the United States.” 18 U.S.C. § 1030(e)(2).
13382                  LVRC HOLDINGS v. BREKKA
18 U.S.C. § 1030(g). Thus, a private plaintiff must prove that
the defendant violated one of the provisions of
§ 1030(a)(1)-(7), and that the violation involved one of the
factors listed in § 1030(a)(5)(B).5 LVRC claims that Brekka’s
conduct involved the factor described in subsection
(a)(5)(B)(i), which proscribes conduct that causes “loss to 1
or more persons during any 1-year period . . . aggregating at
least $5,000 in value.” 18 U.S.C. § 1030(a)(5)(B)(i).
Therefore, to bring an action successfully under 18 U.S.C.
§ 1030(g) based on a violation of 18 U.S.C. § 1030(a)(2),
LVRC must show that Brekka: (1) intentionally accessed a
computer, (2) without authorization or exceeding authorized
access, and that he (3) thereby obtained information (4) from
any protected computer (if the conduct involved an interstate
or foreign communication), and that (5) there was loss to one
or more persons during any one-year period aggregating at
least $5,000 in value. To bring an action successfully under
§ 1030(g) based on a violation of § 1030(a)(4), LVRC must
show that Brekka: (1) accessed a “protected computer,” (2)
without authorization or exceeding such authorization that
was granted, (3) “knowingly” and with “intent to defraud,”
5
The factors set forth in § 1030(a)(5)(B)(i)-(v) are:
(i) loss to 1 or more persons during any 1-year period (and, for
purposes of an investigation, prosecution, or other proceeding
brought by the United States only, loss resulting from a related
course of conduct affecting 1 or more other protected computers)
aggregating at least $5,000 in value;
(ii) the modification or impairment, or potential modification or
impairment, of the medical examination, diagnosis, treatment, or
care of 1 or more individuals;
(iii) physical injury to any person;
(iv) a threat to public health or safety; or
(v) damage affecting a computer system used by or for a govern-
ment entity in furtherance of the administration of justice,
national defense, or national security . . . .
18 U.S.C. § 1030(a)(5)(B).
LVRC HOLDINGS v. BREKKA                   13383
and thereby (4) “further[ed] the intended fraud and obtain[ed]
anything of value,” causing (5) a loss to one or more persons
during any one-year period aggregating at least $5,000 in
value. See 18 U.S.C. § 1030(a); see also P.C. Yonkers, Inc. v.
Celebrations the Party and Seasonal Superstore, LLC, 

, 508 (3d. Cir. 2005); Theofel v. Farey-Jones, 

, 1078 (9th Cir. 2004).
In granting Brekka’s summary judgment motion, the dis-
trict court held that LVRC had failed to establish a violation
of either § 1030(a)(2) or (4). First, the district court stated that
“[i]t is undisputed that when Brekka was employed by Plain-
tiff that he had authority and authorization to access the docu-
ments and emails that were found on his home computer and
laptop.” According to the district court, LVRC adduced no
evidence demonstrating that Brekka accessed an LVRC com-
puter or any of the documents on the computer “without
authorization” (an element of both §§ 1030(a)(2) and (4))
when he emailed documents to himself and to his wife before
he left the company. The district court based this ruling on its
conclusion that Brekka had “authorization” to access the
LVRC computers for purposes of §§ 1030(a)(2) and (4)
because he was employed by LVRC at the time he emailed
documents to himself and his wife, and there was no evidence
that Brekka had agreed to keep the emailed documents confi-
dential or to return or destroy those documents upon the con-
clusion of his employment. Second, the district court held that
LVRC had not put forth evidence from which a reasonable
jury could find that Brekka logged into the LVRC website
after leaving LVRC’s employ. Because of the lack of evi-
dence that Brekka violated § 1030(a)(2) or (4), the district
court dismissed LVRC’s claim under § 1030(g).
LVRC disputes both of these determinations, and we
address each in turn.
III
We first consider LVRC’s argument that the district court
erred in assuming that if Brekka’s access occurred during the
13384             LVRC HOLDINGS v. BREKKA
term of his employment, it must have been authorized for pur-
poses of the CFAA. LVRC argues that because Brekka
accessed the company computer and obtained LVRC’s confi-
dential information to further his own personal interests,
rather than the interests of LVRC, such access was “without
authorization” for purposes of §§ 1030(a)(2) and (4).
[3] In interpreting the phrase “without authorization,” we
start with the plain language of the statute. See United States
v. Blixt, 

, 887 (9th Cir. 2008). The CFAA does
not define “authorization,” and it is a “fundamental canon of
statutory construction . . . that, unless otherwise defined,
words will be interpreted as taking their ordinary, contempo-
rary, common meaning.” Perrin v. United States, 

,
42 (1979); see also United States v. Morris, 

,
511 (2d Cir. 1991) (holding that the word “authorization” for
purposes of the CFAA is “of common usage, without any
technical or ambiguous meaning,” and therefore the district
court “was not obliged to instruct the jury on its meaning”).
Authorization is defined in the dictionary as “permission or
power granted by an authority.” RANDOM HOUSE UNABRIDGED
DICTIONARY, 139 (2001); see also WEBSTER’S THIRD
INTERNATIONAL DICTIONARY, 146 (2002) (defining authoriza-
tion as “the state of being authorized” and “authorize” as “to
endorse, empower, justify, permit by or as if by some recog-
nized or proper authority”). Based on this definition, an
employer gives an employee “authorization” to access a com-
pany computer when the employer gives the employee per-
mission to use it. Because LVRC permitted Brekka to use the
company computer, the “ordinary, contemporary, common
meaning,” 

, of the statute suggests that
Brekka did not act “without authorization.”
[4] No language in the CFAA supports LVRC’s argument
that authorization to use a computer ceases when an employee
resolves to use the computer contrary to the employer’s inter-
est. Rather, the definition of “exceeds authorized access” in
§ 1030(e)(6) indicates that Congress did not intend to include
LVRC HOLDINGS v. BREKKA                 13385
such an implicit limitation in the word “authorization.” Sec-
tion 1030(e)(6) provides: “the term ‘exceeds authorized
access’ means to access a computer with authorization and to
use such access to obtain or alter information in the computer
that the accesser is not entitled so to obtain or alter.” 18
U.S.C. § 1030(e)(6). As this definition makes clear, an indi-
vidual who is authorized to use a computer for certain pur-
poses but goes beyond those limitations is considered by the
CFAA as someone who has “exceed[ed] authorized access.”
On the other hand, a person who uses a computer “without
authorization” has no rights, limited or otherwise, to access
the computer in question. In other words, for purposes of the
CFAA, when an employer authorizes an employee to use a
company computer subject to certain limitations, the
employee remains authorized to use the computer even if the
employee violates those limitations. It is the employer’s deci-
sion to allow or to terminate an employee’s authorization to
access a computer that determines whether the employee is
with or “without authorization.”
[5] This leads to a sensible interpretation of §§ 1030(a)(2)
and (4), which gives effect to both the phrase “without autho-
rization” and the phrase “exceeds authorized access”: a person
who “intentionally accesses a computer without authoriza-
tion,” §§ 1030(a)(2) and (4), accesses a computer without any
permission at all, while a person who “exceeds authorized
access,” 

to access the computer, but
accesses information on the computer that the person is not
entitled to access.
[6] In this case, there is no dispute that Brekka had permis-
sion to access the computer; indeed, his job required him to
use the computer. Cf. 

(holding
that defendants had accessed a computer “without authoriza-
tion” for purposes of the Stored Communications Act, 18
U.S.C. § 2701 et seq., when they procured the access by
fraud). Moreover, there is no dispute that Brekka was still
employed by LVRC when he emailed the documents to him-
13386                LVRC HOLDINGS v. BREKKA
self and to his wife. The most straightforward interpretation
of §§ 1030(a)(2) and (4) is that Brekka had authorization to
use the computer.
LVRC attempts to counter this conclusion by pointing to a
Seventh Circuit decision, International Airport Centers, LLC
v. Citrin, 

(7th Cir. 2006). According to LVRC,
Citrin supports its argument that the CFAA incorporates an
additional limitation in the word “authorization,” such that an
employee can lose authorization to use a company computer
when the employee resolves to act contrary to the employer’s
interest. In Citrin, the court held that an employee’s authori-
zation to access a computer ended for purposes of § 1030(a)(5)6
when the employee violated his duty of loyalty to his
employer. The employee had decided to start a competing
business in violation of his employment contract and erased
all data from his work laptop computer before quitting his job.

The erased data included both valuable information
belonging to his employer and evidence that the employee
had engaged in misconduct. 

Circuit held that,
under common law agency principles, the employee breached
his duty of loyalty to his employer “when, having already
engaged in misconduct and decided to quit [the company] in
violation of his employment contract, he resolved to destroy
files that incriminated himself and other files that were also
the property of his employer, in violation of the duty of loy-
alty that agency law imposes on an employee.” 

The
court held that this breach of the duty of loyalty to his
employer terminated the employee’s agency relationship “and
with it his authority to access the laptop, because the only
basis of his authority had been that relationship.” 

Accordingly, the Seventh Circuit held that the
6
18 U.S.C. § 1030(a)(5) provides for criminal penalties to be imposed
on a person who, among other things, “intentionally accesses a protected
computer without authorization, and as a result of such conduct, recklessly
causes damage” or “intentionally accesses a protected computer without
authorization, and as a result of such conduct, causes damage.”
LVRC HOLDINGS v. BREKKA                 13387
employee’s actions were “without authorization” for purposes
of § 1030(a)(5). 

If we applied the reasoning in Citrin to this case, Brekka
would have breached his duty of loyalty to LVRC when he
allegedly resolved to transfer key LVRC documents and
information to his personal computer to further his own com-
peting business, and at that point his authorization to access
the computer would have ended. Applying this reasoning,
Brekka would have acted “without authorization” for pur-
poses of §§ 1030(a)(2) and (4) once his mental state changed
from loyal employee to disloyal competitor.
We are unpersuaded by this interpretation. First, and most
important, § 1030 is primarily a criminal statute, and
§§ 1030(a)(2) and (4) create criminal liability for violators of
the statute. Although this case arises in a civil context, our
interpretation of §§ 1030(a)(2) and (4) is equally applicable in
the criminal context. See Leocal v. Ashcroft, 

, 11
n.8 (2004) (holding that where a statute “has both criminal
and noncriminal applications,” courts should interpret the stat-
ute consistently in both criminal and noncriminal contexts). It
is well established that “ambiguity concerning the ambit of
criminal statutes should be resolved in favor of lenity.” United
States v. Carr, 

, 1168 (9th Cir. 2008) (quoting
Rewis v. United States, 

, 812 (1971)). The
Supreme Court has long warned against interpreting criminal
statutes in surprising and novel ways that impose unexpected
burdens on defendants. See United States v. Santos, 

, 2025 (2008) (J. Scalia) (plurality opinion) (citing
United States v. Bass, 

, 347-49 (1971); McBoyle
v. United States, 

, 27 (1931); United States v.
Gradwell, 

, 485 (1917)). “This venerable rule . . .
vindicates the fundamental principle that no citizen should be
held accountable for a violation of a statute whose commands
are uncertain, or subjected to punishment that is not clearly
prescribed.” 

rule of lenity, which is
rooted in considerations of notice, requires courts to limit the
13388             LVRC HOLDINGS v. BREKKA
reach of criminal statutes to the clear import of their text and
construe any ambiguity against the government.” United
States v. Romm, 

, 1001 (9th Cir. 2006).
In this case, as noted above, “authorization” means “per-
mission or power granted by an authority.” RANDOM HOUSE
UNABRIDGED DICTIONARY, 139. The definition of the term “ex-
ceeds authorized access” from § 1030(e)(6) implies that an
employee can violate employer-placed limits on accessing
information stored on the computer and still have authoriza-
tion to access that computer. The plain language of the statute
therefore indicates that “authorization” depends on actions
taken by the employer. Nothing in the CFAA suggests that a
defendant’s liability for accessing a computer without authori-
zation turns on whether the defendant breached a state law
duty of loyalty to an employer. If the employer has not
rescinded the defendant’s right to use the computer, the defen-
dant would have no reason to know that making personal use
of the company computer in breach of a state law fiduciary
duty to an employer would constitute a criminal violation of
the CFAA. It would be improper to interpret a criminal statute
in such an unexpected manner. See 

.
[7] Because LVRC’s proposed interpretation based on Cit-
rin does not comport with the plain language of the CFAA,
and given the care with which we must interpret criminal stat-
utes to ensure that defendants are on notice as to which acts
are criminal, we decline to adopt the interpretation of “with-
out authorization” suggested by Citrin. Rather, we hold that
a person uses a computer “without authorization” under
§§ 1030(a)(2) and (4) when the person has not received per-
mission to use the computer for any purpose (such as when
a hacker accesses someone’s computer without any permis-
sion), or when the employer has rescinded permission to
access the computer and the defendant uses the computer any-
way.
LVRC HOLDINGS v. BREKKA                        13389
[8] Based on this plain-language interpretation of the
CFAA, we must consider whether Brekka acted “without
authorization” when he emailed LVRC documents from his
work computer to himself and to his wife. There is no dispute
that Brekka was given permission to use LVRC’s computer
and that he accessed documents or information to which he
was entitled by virtue of his employment with LVRC.
Because Brekka had authorization to use the LVRC computer,
he did not access a computer “without authorization.” There-
fore, the district court did not err in holding that LVRC failed
to raise a genuine issue of material fact with respect to
LVRC’s claim that Brekka violated §§ 1030(a)(2) and (4)
while he was still employed by LVRC.7
IV
We next consider whether the district court erred in holding
that LVRC did not raise a genuine issue of material fact with
respect to its claim that Brekka violated the CFAA by logging
into the LOAD website after he left LVRC. There is no dis-
pute that if Brekka accessed LVRC’s information on the
LOAD website after he left the company in September 2003,
Brekka would have accessed a protected computer “without
authorization” for purposes of the CFAA.
7
On appeal, LVRC argues only that Brekka was “without authorization”
to access LVRC’s computer and documents. To the extent LVRC implic-
itly argues that Brekka’s emailing of documents to himself and to his wife
violated §§ 1030(a)(2) and (4) because the document transfer “exceed[ed]
authorized access,” such an argument also fails. As stated by the district
court, it is undisputed that Brekka was entitled to obtain the documents at
issue. Moreover, nothing in the CFAA suggests that a defendant’s authori-
zation to obtain information stored in a company computer is “exceeded”
if the defendant breaches a state law duty of loyalty to an employer, and
we decline to read such a meaning into the statute for the reasons
explained above. Accordingly, Brekka did not “obtain or alter information
in the computer that the accesser is not entitled so to obtain or alter,” see
18 U.S.C. § 1030(e)(6), and therefore did not “exceed[ ] authorized
access” for purposes of §§ 1030(a)(2) and (4).
13390             LVRC HOLDINGS v. BREKKA
[9] LVRC argues that there was sufficient evidence to
create a genuine issue of material fact as to whether Brekka
was responsible for the “cbrekka” log-in on November 19,
2004 to the LOAD website and also as to whether he accessed
the website on numerous other occasions after he left LVRC.
We disagree.
First, LVRC claims that no LVRC employee except Brekka
had knowledge of the “cbrekka” log-in. Brekka, however,
provided undisputed evidence that he left the email containing
the administrative user name and password on his computer
when he left LVRC, that at least two LVRC employees used
the computer, and that others had access to the computer after
Brekka left the company. Although LVRC points to evidence
that the email with the log-in information was deleted from
Brekka’s LVRC computer, the district court correctly deter-
mined that the record does not indicate when the log-in infor-
mation was deleted. While we must draw all reasonable
inferences in favor of the non-moving party, we need not
draw inferences that are based solely on speculation. See
Lakeside-Scott v. Multnomah County, 

, 802-03
(9th Cir. 2009); see also Lujan v. Nat’l Wilderness Fed’n, 

, 888 (1990) (holding that the summary judgment
standard does not require that all ambiguities in the evidence
be resolved in favor of the non-moving party). On appeal,
LVRC relies on a declaration by its computer expert stating
that the computer was reformatted before the other employees
used it. However, this declaration was not part of the record
before the district court on summary judgment, and therefore
we do not consider it. See Forsberg v. Pac. Nw. Bell Tel. Co.,

, 1417-18 (9th Cir. 1988).
Second, LVRC argues that because the computer that
logged into the LVRC website on November 19 was con-
nected to an ISP in Redwood City, a city located in Northern
California, and Brekka was attending a meeting in San Fran-
cisco, which is also in Northern California, a reasonable juror
could infer that Brekka was the person who accessed the web-
LVRC HOLDINGS v. BREKKA                13391
site. But Brekka put forth an expert who stated that the infor-
mation regarding Redwood City was related to the location of
the ISP server, and did not indicate the location of the person
using the “cbrekka” log-in. Jones, LVRC’s witness, testified
that he did not know where the person logging into the com-
puter was located. No other evidence supported the inference
that Brekka used the Redwood City ISP. Accordingly, evi-
dence of the ISP’s location is insufficient to create a genuine
issue of material fact that Brekka was the person logging into
the LVRC website. See 

(refusing to
draw inferences in favor of the non-moving party that were
not supported with specific evidence).
Finally, in connection with its action against Brekka,
LVRC retained a computer expert who examined Brekka’s
personal computers. The expert’s report stated that Brekka’s
personal computer had been used to access reports and statis-
tics from LOAD at various times, including on September 17,
2005. LVRC argues that this report indicates that Brekka
logged into the LOAD website after he left LVRC’s employ.
This argument also fails. As the district court noted, the
expert’s evidence that Brekka logged into the site on Septem-
ber 17, 2005 was contradicted by Nick Jones’s testimony that,
upon Greenstein’s request, he deactivated the “cbrekka” user
name and password no later than November 19, 2004. In its
response to the motion for summary judgment, LVRC did not
provide any explanation, let alone supporting evidence, to
show how the log-in could have been used nearly a year after
LVRC’s own witness testified that it had been deactivated. “If
the factual context makes the non-moving party’s claim of a
disputed fact implausible, then that party must come forward
with more persuasive evidence than otherwise would be nec-
essary to show that there is a genuine issue for trial.” Blue
Ridge Ins. Co. v. Stanewich, 

, 1147 (9th Cir.
1998). With no explanation or evidence as to how Brekka
would have used the “cbrekka “ log-in to access the LOAD
website after the log-in was deactivated, we cannot say that
13392             LVRC HOLDINGS v. BREKKA
there was a genuine issue of material fact regarding whether
Brekka logged into the LOAD website after he left LVRC.
The district court did not err when it refused to resolve the
ambiguities in LVRC’s own evidence in favor of LVRC.
On appeal, LVRC argues for the first time that it subse-
quently reactivated the “cbrekka” user name to help LVRC
catch and identify the person who was misusing the log-in.
LVRC points to an FBI report in the record that contains a
statement from an unknown person to this effect. The FBI
report was submitted as part of the summary judgment motion
in Brekka’s third-party suit, but LVRC did not draw the dis-
trict court’s attention to this statement regarding the reactiva-
tion of the “cbrekka” log-in in its response to the motion for
summary judgment in this case, or even refer to the reactiva-
tion of the log-in in any of its filings. We will not reverse a
district court’s grant of summary judgment unless the party
opposing the summary judgment motion has identified the
evidence establishing a genuine issue of material fact in its
opposition to summary judgment. See Carmen v. San Fran-
cisco Unified School District, 

, 1031 (9th Cir.
2001). Because LVRC failed to do so in this case, we do not
consider LVRC’s proffered evidence that the “cbrekka” log-in
was reactivated in November 2004.
Because LVRC did not meet its burden of producing “evi-
dence that is significantly probative or more than ‘merely col-
orable’ that a genuine issue of material fact exists for trial,“
FTC v. Gill, 

, 954 (9th Cir. 2001) (quoting
Anderson v. Liberty Lobby, Inc., 

, 249-50
(1986)), the district court did not err in granting summary
judgment in favor of Brekka.
V
[10] Brekka’s use of LVRC’s computers to email docu-
ments to his own personal computer did not violate
§ 1030(a)(2) or § 1030(a)(4) because Brekka was authorized
LVRC HOLDINGS v. BREKKA               13393
to access the LVRC computers during his employment with
LVRC. Moreover, construing the evidence in the record
before the district court in the light most favorable to LVRC,
there is not enough evidence upon which a reasonable jury
could find that Brekka violated the CFAA after he left the
company.
AFFIRMED.