CDK Global, LLC v. Tekion Corp.

See case details

CDK GLOBAL, LLC, Plаintiff, v. TEKION CORP., et al., Defendants.

Case No. 25-cv-01394-JSC

UNITED STATES DISTRICT COURT NORTHERN DISTRICT OF CALIFORNIA

July 15, 2025

Re: Dkt. Nos. 45, 52

ORDER RE: CDK‘S MOTION FOR PRELIMINARY INJUNCTION & INDESIGN‘S MOTION TO DISMISS

CDK Global, LLC (“CDK“) sues Tekion Corp. (“Tekion“) and InDesign Data, LLC (“InDesign“) for illicitly entering its Dealer Management System (DMS) to extract CDK‘s proprietary data. (Dkt. No. 1.)¹ Now before the Court are CDK‘s motion for preliminary injunction and InDesign‘s motion to dismiss the complaint. (Dkt. Nos. 45, 52.) After careful consideration of the parties’ briefing, and having had the benefit of oral argument on June 26, 2025, the Court DENIES CDK‘s motion for preliminary injunction and GRANTS in part and DENIES in part InDesign‘s motion to dismiss.

BACKGROUND

I. Complaint Allegations

“CDK is the leading automotive retail software provider[,]” that serves dealerships in the automotive and trucking industry. (Dkt. No. 1 ¶ 1.) CDK‘s Dealer Management System (“DMS“) “is a suite of powerful software tools that equip dealers with the solutions they need in one fully integrated platform.” (Id. ¶¶ 2-3.) The DMS “provides the infrastructure and intellectual property necessary for [CDK‘s automotive] ecosystem to function.” (Id. ¶ 24.) “CDK‘s DMS and related product platforms integrate multiple functions for the Dealerships, including consumer buying, targeted advertising and marketing, automotive sale and lease transactions, financing, and insurance,” as well as “Dealerships’ parts supply, service, and maintenance of vehicles.” (Id. ¶ 25.)

“As CDK‘s contracts with Dealerships and third parties make clear, the DMS is the sole and exclusive property of CDK.” (Id. ¶ 27.) “CDK grants dealerships who purchase its DMS services a personal, non-transferable, license to use CDK‘s DMS in accordance with the terms and conditions of their agreement with CDK.” (Id. ¶ 28.) “The Dealerships, through their access to the DMS, have access to highly sensitive, commercially valuable data belonging to consumers (e.g., the car-buying public), OEMs [“original equipment manufacturers“],² other third parties, and CDK itself.” (Id. ¶ 33.) Similarly, CDK‘s “trade secrets and proprietary information are embedded within the DMS.” (Id. ¶ 35.)

Given the sensitivity of much of this information, “CDK keeps its applications behind firewalls and demands access only through private networks.” (Id. ¶ 39.) Thus, Dealerships use a virtual private network (“VPN“) or a lease-line multiprotocol label switching network (“MPLS“) to communicate between the dealership‘s network and CDK‘s network. (Id. ¶¶ 38, 42.) “By design, the CDK network only accepts electronic communications from devices (i.e., computer workstations) tied to internet protocol (‘IP‘) addresses on the corresponding local Dealership network that have been authorized by CDK to access” CDK‘s DMS. (Id. ¶ 43.) Dealership employees “only ha[ve] access to the parts of the DMS necessary to perform their job functions.” (Id. ¶ 47.) So, typically, employees lack “administrator-level privileges to access all DMS functions, create new DMS users, or access CDK‘s proprietary formulas, code, and similar confidential CDK data. CDK requires Dealerships to designate a limited group of employees, qualified in information management and technology, to receive administrator-level access privileges.” (Id.) And each employee accessing the DMS “must certify that she is a Dealership employee authorized to access the DMS.” (Id. ¶ 49.)

“Dealerships are contractually prohibited from giving unauthorized third parties access to the DMS and the CDK Trade Secrets, including login credentials meant for use solely by Dealership employees.” (Id. ¶ 50.) CDK and dealerships enter into a Master Services Agreement (“MSA“) where each dealership agrees to only “use CDK‘s software for its own internal business purposes and will not sell or otherwise provide, directly or indirectly, any Products or Services, or any portiоn thereof, to any third party.” (Id. ¶ 53.) Importantly, “CDK‘s standard MSA expressly prohibits the Dealership from supplying login credentials to third parties or otherwise granting third parties access to the DMS.” (Id. ¶ 55.) But at the expiration of an MSA, dealerships sometimes seek to move to a different DMS provider, such as Tekion, which necessitates “transferring the Dealership‘s data to the new provider under the terms of the MSA.” (Id. ¶ 62.) “Since April 2020, CDK has completed dozens of data conversions for Dealerships leaving CDL for Tekion and has likewise received from Tekion dozens of data conversions for customers joining CDK.” (Id. ¶ 63.)

“In April 2024, CDK learned that Tekion had entered an engagement to provide ‘Automotive Retail Cloud’ services at four locations for one of CDK‘s Dealerships before the end of the year,” but this dealership had already elected to renew its MSA with CDK through April 2025. (Id. ¶¶ 64-65.) So, “CDK wrote Tekion on April 2, 2024, advising of CDK‘s rights and the Dealership‘s obligations under the MSA,” specifically noting Tekion was prohibited from accessing CDK‘s DMS and its trade secrets. (Id. ¶¶ 67-69.) Tekion acknowledged receipt of the letter on April 5, 2024, but at some point that same year, “Tekion began working hand-in-hand with InDesign to provide Dealerships software scripts and technical assistance to conduct mass data exports from the DMS.” (Id. ¶¶ 70-71.) InDesign‘s product DMSConnect, also known as 1DMS, “is designed for InDesign to be able to access, scrape, and collect data from CDK‘s DMS without CDK‘s permission.” (Id. ¶¶ 72-73.) InDesign and Tekion solicit dealerships conducting data transfers to Tekion to sign engagements with InDesign whereby “InDesign would be provided unauthorized access to the DMS in order to allow InDesign to install its data extraction software, ‘1DMS’ on the Dealership‘s computers, which arе connected by VPN or MPLS to CDK‘s servers containing the DMS.” (Id. ¶ 75.) “Deploying 1DMS necessarily requires that InDesign obtain information about CDK‘s systems and infrastructure, including elements involving confidential and proprietary forms, rules, structured tables, software code tools, and data compilations.” (Id. ¶ 77.)

In November 2024, CDK began an investigation into Tekion‘s conduct after it received a forwarded email conversation from one of its customer dealerships. (Id. ¶¶ 78-80.) In the underlying email chain, a Tekion employee claimed he was tasked with “gaining access to the CDK system,” and said he would ship the dealership a VPN endpoint device which “would allow Tekion to build a ‘tunnel’ from its network to the Dealership network.” (Id. ¶ 81.) The Tekion employee then requested the dealership “provide login credentials for the DMS” and explained that, once the VPN device was installed, “Tekion would be able to extract dаta from the DMS.” (Id.) CDK thereafter began an investigation where it discovered Tekion would “create user accounts and run software scripts that download information from the DMS to Tekion‘s virtual desktops.” (Id. ¶¶ 83-85.) CDK then “disabled the [Tekion] user credentials to prevent further unauthorized access.” (Id. ¶ 86.) Since November 1, 2024, “CDK has disabled dozens of Tekion user credentials.” (Id. ¶¶ 87-89.) CDK sent Tekion a cease-and-desist letter on December 6, 2024, regarding this activity, but “Tekion persisted in using a multitude of methods to gain unauthorized access to the DMS and computer systems.” (Id. ¶¶ 90-92.)

On December 10, 2024, CDK was informed by another dealership Tekion had contacted it to perform the same process to extract its data from the CDK DMS. (Id. ¶¶ 93-94.) And again, on December 17, 2024, the same dealership forwarded another email chain from Tekion and InDesign where both Defendants “were attempting to pеrsuade the Dealership to covertly allow Defendants to latch onto the DMS to extract data.” (Id. ¶¶ 94-97.) Specifically, after the dealership expressed its MSA had a designated process for data transfer, InDesign responded “If for any reason they‘re not able to [approve data transfer], or they don‘t give you AR Approval, then we can be your Plan B.” (Id. ¶¶ 99-100.) “Each time that Defendants access the DMS through a Dealership computer, they access and use valuable pieces of CDK‘s intellectual property,” creating copies of CDK‘s DMS program code, page layouts, graphics, text, organization, and displays in their computers’ temporary memory. (Id. ¶¶ 110-11.)

II. Procedural Background

CDK sues Tekion and InDesign for:

1. Violation of the Computer Fraud and Abuse Act (CFAA) 18 U.S.C. § 1030;
2. Violation of the Digital Millenium Copyright Act (DMCA) 17 U.S.C. § 1201;
3. Violation of the Stored Communications Act (SCA) 18 U.S.C. § 2701;
4. Misappropriation of trade secrets under 18 U.S.C. § 1836;
5. Violation of California‘s Comprehensive Computer Data Access and Fraud Act (DAFA);
6. Misappropriation of trade secrets under California Civil Code § 3426;
7. Tortious Interference with existing business ‍‌​​​‌​‌‌‌‌​‌‌‌‌​​​‌​​​‌​‌‌‌‌​​‌‌​​​‌​‌‌‌‌​‌‌​‌​​‍relations under California law;
8. Unfаir business practices under the Unfair Competition Law (“UCL“).

(Id.) CDK seeks injunctive relief and damages against both Defendants.

Tekion sued CDK in December 2024 for alleged antitrust violations. Tekion v. CDK, No. 24-cv-08879 (Dkt. No. 1). On February 10, 2025, CDK moved to dismiss Tekion‘s complaint under Federal Rule of Civil Procedure 12(b)(6), and instituted the present action against both Tekion and InDesign. The Court then related both cases. (Dkt. No. 19.) CDK moved for a preliminary injunction in this case and at the same time moved to dismiss the complaint against it in the related case. (Dkt. No. 45); Tekion v. CDK., No. 24-cv-08879 (Dkt. No. 23). InDesign subsequently filed a motion for summary dismissal of CDK‘s motion for preliminary injunction and to expedite briefing, which the Court denied. (Dkt. Nos. 46, 47, 51.) The Court extended the briefing schedule for CDK‘s motion for preliminary injunction after the parties stipulated to do so. (Dkt. No. 49.)

Now pending before the Court is CDK‘s motion to preliminarily enjoin Defendants’ access to dealer data on its proprietary DMS (Dkt. No. 45), and InDesign‘s motion to dismiss CDK‘s complaint for failure to state a claim under Federal Rule of Civil Procedure 12(b)(6). (Dkt. No. 52.)

//

//

ANALYSIS

I. Motion for Preliminary Injunction

“A preliminary injunction is an extraordinary and drastic remedy, one that should not be granted unless the movant, by a clear showing, carries the burden of persuasion.” Apartment Ass‘n of Los Angeles Cnty., Inc. v. City of Los Angeles, 10 F.4th 905, 911 (9th Cir. 2021) (emphasis in original); see also Atwood v. Shinn, 36 F.4th 901, 903 (9th Cir. 2022) (holding the movant must make a “clear showing” it is entitled to preliminary injunctive relief) (quoting Mazurek v. Armstrong, 520 U.S. 968, 972 (1997) (per curium)).

To obtain a preliminary injunction, a plaintiff “must establish that he is likely to succeed on the merits, that he is likely to suffer irreparable harm in the absence of preliminary relief, that the balance of equities tips in his favor, and that an injunction is in the public interest.” Winter v. Natural Res. Def. Council, Inc., 555 U.S. 7, 20 (2008). “A preliminary injunction may also be appropriate if a movant raises ‘serious questions going to the merits’ and the ‘balance of hardships ... tips sharply towards’ it, as long as the second and third Winter factors are satisfied.” Disney Enters., Inc. v. VidAngel, Inc., 869 F.3d 848, 856 (9th Cir. 2017) (citation omitted).

The Court need not consider all the Winter factors here bеcause the irreparable harm requirement disposes of the motion.

A. Tekion

In its preliminary injunction opposition, Tekion represented that upon receipt of CDK‘s December 2024 cease and desist letter it stopped accessing CDK‘s DMS through dealership-provided credentials—precisely the conduct CDK seeks to preliminarily enjoin. (Dkt. No. 65-1 at ¶ 27 (“Tekion received a cease-and-desist letter dated December 6, 2024, from CDK‘s attorneys demanding that Tekion cease using dealership accounts to access and export data for migration to Tekion, which I understand CDK has included as an exhibit to its preliminary injunction motion. Dkt. 45-10. Upon receiving this correspondence, Tekion stopped providing data access assistance to dealers by using dealership-provided credentials as described in Sections IV and V, аbove. Tekion has not resumed this activity.“).) At the June 26, 2025 hearing, Tekion confirmed it will not access CDK‘s DMS by using dealership-provided credentials—upon penalty of contempt— until further order of this Court. So, as to Tekion, the need for injunctive relief is moot and there is no risk of irreparable harm.

B. InDesign

CDK has not made a “clear showing” that it will be irreparably harmed by continuation of the status quo as to InDesign because it has been aware of precisely how InDesign operates since at least June 2019 and has not identified a single instance of harm from InDesign‘s long-time operations.

A “long delay before seeking a preliminary injunction implies a lack of urgency and irreparable harm.” Oakland Trib., Inc. v. Chron. Pub. Co., 762 F.2d 1374, 1377 (9th Cir. 1985) (citing Lydo Ents. v. City of Las Vegas, 745 F.2d 1211, 1213-14 (9th Cir. 1984); GTE Corp. v. Williams, 731 F.2d 676, 678-79 (10th Cir. 1984)). CDK has been aware of InDesign‘s activities since at least 2016 (Dkt No. 72-4 ¶¶ 3-4), and in June 2019 deposed InDesign‘s CEO who testified to the exact same practices CDK now seeks to еnjoin six years later. (Dkt. No. 46-3 at 9-13.) So, CDK did not act diligently to enjoin InDesign‘s activities after it discovered them. Indeed, CDK did not send a cease and desist letter or even raise any concern with InDesign about its activities until it filed its present motion. (Dkt. Nos. 73-1 ¶¶ 3-14; 62-2 ¶ 48 (“In all those years, CDK never contacted us, or raised any concerns, about InDesign‘s dealer-authorized access methods.“)).³ CDK does not dispute that “[o]n February 11, 2025—the day after CDK filed its lawsuit against InDesign—CDK sent InDesign a cease-and-desist letter” for the first time. (Dkt. No. 62-2 ¶ 51; see also Dkt. No. 73-1 ¶ 37 (Mr. LaGreca attesting to the same).)

CDK‘s reliance on Disney Enters., Inc. v. VidAngel, Inc., 869 F.3d 848 (9th Cir. 2017), for the proposition its investigation was a proper basis for delaying legal action is unpersuasive. There, in July 2015 the defendant notified the studios of its services, indicating it was in beta-testing, and the defendant began its service in earnest in August 2015. Id. at 854. The studios that believed the defendant was infringing their copyright filed suit eleven months latеr, id. at 855, after a “cautious investigation of [the defendant]” and “only after [the defendant] expanded from beta-testing into a real threat, and [the defendant‘s] admission that ‘it intends to continue to stream [the Studios‘] works and add other future releases, unless enjoined.‘” Id. at 866. Here, CDK has been aware of InDesign‘s exact conduct since it deposed InDesign‘s CEO six years ago, and CDK even contends it had disabled InDesign accounts long before then. And although CDK responds it moved for an injunction soon after conducting its investigation, it does not explain why it delayed its investigation of InDesign for all those years. Further, while CDK in reply argues that it “only recently learned the scope of InDesign‘s access,” as support it cites Mr. LaGreca‘s declarations, but the declarations do not supply any investigatory justification for its years-long delay. (Dkt. No. 73 at 11 (citing Dkt. Nos. 45-1 ¶ 47; 73-1 ¶¶ 7-13).) CDK also argues InDesign‘s continued access results in increased likelihood of security breaches, but it identifies no data breach resulting from InDesign‘s access to the DMS, even though its has been engaging in such conduct for more than a decade.

So, CDK has failed to make a “clear showing” that it will be irreparably harmed by the maintenance of the years-long status quo as to InDesign.

*

*

*

Accordingly, CDK‘s motion for preliminary injunction is DENIED.

II. Motion to Dismiss

InDesign moves to dismiss each of CDK‘s claims against it. (Dkt. No. 52.)

A. CFAA Claim (Claim 1)

The Computer Fraud and Abuse Act “prohibits acts of computer trespass by those who are not authorized users or who exceed authorized use. It creates criminal and civil liability for whoever intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains information from any protected computer.” Facebook, Inc. v. Power Ventures, Inc., 844 F.3d 1058, 1065-66 (9th Cir. 2016) (cleaned up). “In other words, it is an anti-hacking statute.” Watters v. Breja, No. 23-cv-03183-HSG, 2024 WL 201356, at *2 (N.D. Cal. Jan. 18, 2024).

While the complaint cites several CFAA provisions (Dkt. No. 1 at ¶¶ 137-145.), CDK‘s opposition argues it states a claim under 18 U.S.C. § 1030(a)(2). (Dkt. No. 69 at 12 (relying on Niantic, Inc. v. Global++, No. 19-CV-03425-JST, 2019 WL 8333451, at *6 (N.D. Cal. Sept. 26, 2019) for the elements of its CFFA claim, where Niantic addressed an (a)(2) claim). To state a CFAA claim under section 1030(a)(2), a plaintiff must allege facts plausibly supporting an inference the defendant “(1) intentionally accessed a computer, (2) without authorization or exceeding authorized access, and that [it] (3) thereby obtained information (4) from any protected computer ..., and that (5) there was loss to one or more persons during any one-year period aggregating at least $5,000 in value.” LVRC Holdings LLC v. Brekka, 581 F.3d 1127, 1132 (9th Cir. 2009). In analyzing whether conduct runs afoul of the CFAA, courts “look to whether the conduct at issue is analogous to ‘breaking and entering.‘” hiQ Labs, Inc. v. LinkedIn Corp., 31 F.4th 1180, 1197 (9th Cir. 2022) (citing H.R. Rep. No. 98-894, at 20).

The crux of InDesign‘s argument is that it always had and has the dealers’ permission to access dealer-owned data within CDK‘s DMS. So, the claim fails because (1) InDesign had authorization to access the DMS, and (2) InDesign‘s access was not analogous to breaking-and-entering. Separately, InDesign finally argues CDK did not suffer financial loss.

i. Intentional access without authorization

The “pivotal CFAA question here” is whether, as alleged in the complaint, InDesign‘s access of CDK‘s DMS using Dealer credentials “was ‘without authorization’ within the meaning of the CFAA and thus a violation of the statute.” hiQ Labs, 31 F.4th at 1195 (quoting 18 U.S.C. § 1030(a)(2)). “[W]ithout authorization” means “accessing a protected computer without permission.” United States v. Nosal, 844 F.3d 1024, 1028 (9th Cir. 2016) (”Nosal II“) overruled in part on other grounds by Lagos v. United States, 584 U.S. 577 (2018). Exceeding authorized access means “obtaining access with authorization but then using that access improperly.” Musacchio v. United States, 577 U.S. 237, 240 (2016). So, “‘without authorization’ would apply to outside hackers (individuals who have no authorized access to the computer at all) and ‘exceeds authorization access’ would apply to inside hackers (individuals whose initial accеss to a computer is authorized but who access unauthorized information or files).” Nosal II, 844 F.3d at 1034. (citation omitted). And though the CFAA is a criminal statute, 18 U.S.C. § 1030(g) provides a private right of action for “[a]ny person who suffers damage or loss by reason of a violation” of the CFAA.

Here, drawing all reasonable inferences in CDK‘s favor, it has plausibly alleged InDesign accessed CDK‘s DMS without authorization. It limits DMS access through private networks and only accepts electronic communications from computer workstations tied to IP addresses ‍‌​​​‌​‌‌‌‌​‌‌‌‌​​​‌​​​‌​‌‌‌‌​​‌‌​​​‌​‌‌‌‌​‌‌​‌​​‍on dealership networks specifically authorized by CDK. As InDesign is not a dealer to which CDK authorized private network access tied to InDesign‘s IP address, the complaint supports an inference InDesign intentional accessed CDK‘s DMS “without authorization.”

And the allegations also plausibly support an inference “the conduct at issue is analogous to ‘breaking and entering.‘” hiQ Labs, 31 F.4th at 1197 (quoting H.R. Rep. No. 98-894, at 20). “The legislative history of section 1030 thus makes clear that the prohibition on unauthorized access is properly understood to apply only to private information—information delineated as private through use of a permission requirement of some sort.” Id. So, the breaking-and-entering inquiry involves determining whether the computer system accessed was “one which no one could access without authorization.” Id. at 1199 (citing Nosal II, 844 F.3d at 1038). See, e.g., Watters, 2024 WL 201356 at *3 (holding a person who accessed “a public, unrestricted webpage” did not commit conduct analogous to breaking and entering). CDK plausibly alleges the DMS was not publicly accessible as dealers required a VPN and valid login credentials, and even all login credentials were not granted administrator-level privileges and “required [employees] to complete multi-factor authentication to confirm their identity.” (Dkt. No. 1 ¶ 47.)

InDesign responds that the complaint itself alleges the dealerships voluntarily shared their authorized access with InDesign so its access of CDK‘s DMS was “with authorization.” See CDK Global, LLC v. Brnovich, 461 F. Supp. 3d 906, 915 (D. Ariz. 2020) (noting the CFAA “does not limit how access might be authorized“). For purposes of this motion, the Court assumes the dealerships’ voluntary sharing of their access, without more, means InDesign‘s access was authorized. See hiQ Labs, 31 F.4th at 1200 (holding the rule of lenity applies given the court “must interpret the statute consistently, whether [it] encounter[s] its application in a criminal or noncriminal context“) (quoting Leocal v. Ashcroft, 543 U.S. 1, 11 n.8 (2004)). The complaint still supports a plausible inference InDesign accessed CDK‘s computers without authorization at least after December 2024. In December 2024, a dealership advised InDesign that dealerships could not validly grant it authorization to access CDK‘s DMS, since such actions were expressly prohibited by the dealerships’ MSA with CDK. (Id. ¶¶ 94-97; see also ¶ 50 (“Dealerships are contractually prohibited from giving unauthorized third parties access to the DMS and the CDK Trade Secrets, including login credentials meant for use solely by Dealership employees.“)). And InDesign continued (and continues) to access CDK‘s DMS after the dealer notified it that CDK prohibited such access. (Id.) Because CDK alleges InDesign accessed its DMS, scraped and downloaded proprietary and copyrighted material from the same, and did so all while knowing CDK prohibited dealers from sharing their DMS access with unauthorized third parties, it plausibly alleges InDesign‘s “unauthorized access.”

InDesign‘s cited cases do not persuade the Court otherwise, at least at this early stage in the litigation. In WalkMe Ltd. v. Whatfix, Inc., the plaintiff similarly alleged the dеfendant “used customer credentials to access the [plaintiff‘s] platform, which [the plaintiff] alleges was ‘expressly prohibited under the terms of [its] agreements with its customers.‘” WalkMe Ltd. v. Whatfix, Inc., No. 23-cv-03991-JSW, 2024 WL 1221960, at *5 (N.D. Cal. Mar. 21, 2024). The court held such allegations were insufficient to state a claim because “[t]he phrase ‘exceeds authorized access’ in the CFAA does not extend to violations of use restrictions.” Id. (quoting United States v. Nosal, 676 F.3d 854, 864 (9th Cir. 2012) (”Nosal I“)). But CDK‘s claim is not that InDesign exceeded authorized access, it is that the dealerships could not authorize InDesign‘s access and InDesign knew that fact as of December 2024—so after that date no access at all was authorized. Further, WalkMe did not indicate that the defendant knew that the plaintiff‘s customers’ contracts with the plaintiff prohibited the customer from authorizing access to third parties.

Similarly, in AtPac, Inc. v. Aptitude Solutions, Inc., 730 F. Supp. 2d 1174 (E.D. Cal. 2010), the court concluded that the plaintiff‘s licensee‘s sharing of access with the defendant meant that the defendant did not act “without authorization,” but expressly noted the defendant was not on notice of the terms of the license that prohibited the sharing of access. Id. at 1082. Again, here, in contrast, CDK alleges InDesign knew as of December 2024 that dealerships were contractually prohibited from sharing their CDK credentials with InDesign. So, drawing all reasonable inferences in CDK‘s favor, the allegations plausibly support an inference InDesign‘s continued intrusion into the DMS after that point was “without authorization.”

InDesign next argues that to state a CFAA claim, CDK must affirmatively revoke InDesign‘s dealership-authorized access and that such affirmative act—the cease and desist letter to InDesign—did not occur until after the complaint was filed and therefore the claim, as currently pled, fails. As support InDesign reliеs on Power Ventures, 844 F.3d at 1067. There, Facebook, a social media platform where users were required to have password-protected accounts to make website posts, sued the defendant, a company whose business model involved obtaining user permission to access and post on those users’ Facebook accounts. Id. at 1062-63. When Facebook became aware of the defendant‘s activities, it immediately sent a cease-and-desist letter and subsequently sued under various state and federal laws, including under the CFAA. Id. In upholding the lower court‘s grant of summary judgment in favor of Facebook, the Ninth Circuit held “after receiving the cease-and-desist letter from Facebook, Power intentionally accessed Facebook‘s computers knowing that it was not authorized to do so, making Power liable under the CFAA.” Id. at 1069. Specifically, “[p]еrmission from the users alone was not sufficient to constitute authorization after Facebook issued the cease and desist letter.” Id. at 1068. Relevant to InDesign‘s argument, the court also held the defendant‘s initial access prior to the cease and desist letter did not violate the CFAA because it “reasonably could have thought that consent from Facebook users to share the promotion was permission for [the defendant] to access Facebook‘s computers.” Id. at 1067.

Powers does not mandate dismissal. First, Powers was on review of summary judgment in the plaintiff‘s favor; so, when the court recited what the defendant “could have thought,” it was applying the summary judgment standard that all reasonable inferences had to be drawn in the non-moving party‘s favor. See id. at 1064 (holding the court assumed all facts in favor of the non-moving party in reference to a different claim). Here, on InDesign‘s mоtion to dismiss, all reasonable inferences must to be drawn in CDK‘s favor. Under that standard, the allegations support an inference that at least by December 2024, when a dealer affirmatively told InDesign that its form agreement with CDK did not permit it to share its access to CDK‘s DMS, InDesign knew that it did not have permission to access CDK‘s DMS. Second, the Powers court recited all of the evidence supporting the conclusion that at least by the cease-and-desist letter, there was no genuine dispute that the defendant did not have authorization to access Facebook‘s computers. Powers in no way suggests a cease-and-desist letter is required to support an inference access is not authorized. Third, while Powers cited Nosal I for the proposition that “a violation of the terms of use of a website—without more—cannot establish liability under the CFAA,” id. at 1067, it did not hold that a third party aсts “with authorization” when it obtains access to a VPN-protected computer system from an entity it knows does not have permission to provide it with access.

ii. Cognizable harm or financial loss

The final CFAA element is “loss to one or more persons during any one-year period aggregating at least $5,000 in value.” Brekka, 581 F.3d at 1132. “Loss” means “any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense.” 18 U.S.C. § 1030(e)(11). Here, CDK plausibly alleges loss in the form of its investigation and response to InDesign‘s conduct. InDesign does not contest CDK‘s loss prior to the issuance of the cease-and-desist letter; instead, InDesign argues the only conduct that is potentially cognizable under the statute is that which occurred after the letter. As explained above, the Court disagrees. Additionally, at the pleading stage, the Court must draw reasonable inferences in CDK‘s favor, and, in so doing, CDK plausibly alleges loss of at least $5,000.

*

*

*

So, because CDK plausibly alleges a claim under the CFAA, InDesign‘s motion to dismiss this claim is DENIED.

B. CCDAFA Claim (Count 5)

InDesign‘s only argument for dismissal of CDK‘s claim under California‘s analogue computer-hacking statute, the Comprehensive Data Access and Fraud Act (“CCDAFA“), is that CDK fails to allege a claim under the federal CFAA. Having held CDK plausibly alleges its CFAA claim, InDesign‘s motion to dismiss this claim is likewise DENIED.

C. DMCA Claim (Count 2)

Congress enacted the DMCA, 17 U.S.C. § 1201, to “mitigate the problems presented by copyright enforcement in the digital age.” MDY Indus., LLC v. Blizzard Ent., Inc., 629 F.3d 928, 942 (9th Cir. 2010), as amended on denial of reh‘g (Feb. 17, 2011), opinion amended and superseded on denial of reh‘g, No. 09-15932, 2011 WL 538748 (9th Cir. Feb. 17, 2011) (citation omitted). The DMCA “create[s] two distinct types of claims.” Id. at 944. “First, § 1201(a) prohibits the circumvention of any technological measure that effectively controls ‍‌​​​‌​‌‌‌‌​‌‌‌‌​​​‌​​​‌​‌‌‌‌​​‌‌​​​‌​‌‌‌‌​‌‌​‌​​‍access to a protected work and grants copyright owners the right to enforce that prohibition.” Id. “Second, and in contrast to § 1201(a), § 1201(b)(1) prohibits trafficking in technologies that circumvent technological measures that effectively protect “a right of a copyright owner.” Id. CDK purports to bring both claims. (Dkt. No. 1 ¶ 177).

To state a claim under these provisions a plaintiff “must allege that (i) the work at issue was protected under the Copyright Act, (ii) the copyrighted work was protected by a ‘technological measure,’ and (iii) the technological measure was ‘circumvented’ in order to obtain access to the copyrighted work.” iSpot.tv, Inc. v. Teyfukova, No. 21-cv-06815-MEMF (MARx), 2023 WL 3602806, at *4 (C.D. Cal. May 22, 2023) (citing 17 U.S.C. § 1201(a)(1)(A); MDY Indus., 629 F.3d at 944).

i. Copyrighted work

InDesign first argues CDK‘s claim fails the first element because the Ninth Circuit‘s 2021 decision in Brnovich held that CDK “[does] not hold a copyright in the data itself, which consists of facts about dealers’ customers and business operations.” CDK Glob. LLC v. Brnovich, 16 F.4th 1266, 1278 (9th Cir. 2021).⁴ But CDK does not allege that the dealer data itsеlf is the protected copyright material; instead, it alleges CDK‘s systems and infrastructure are copyright protected. CDK “owns valid copyrights over its proprietary DMS system” and InDesign‘s 1DMS allows it to “obtain information about CDK‘s systems and infrastructure, including elements involving confidential and proprietary forms, rules, structured tables, software code, tools, and data compilations.” (Dkt. No. 1 ¶¶ 77, 169.) So, CDK plausibly alleges access to its copyrighted work.

ii. Circumvention of a technological measure

Circumvention under the DMCA “means to descramble a scrambled work, to decrypt an encrypted work, or otherwise to avoid, bypass, remove, deactivate, or impair a technological measure, without the authority of the copyright owner.” 17 U.S.C. § 1201(a)(3)(A). InDesign argues that because it uses dealer credentials to log into the DMS, its 1DMS software does not circumvent CDK‘s technological measures.

Drawing reasоnable inferences from the allegations in CDK‘s favor, CDK‘s password protected database is a technological measure. For the most part, its applications are behind a firewall and only allow private network access. (Dkt. No. 1 ¶ 39.) CDK deploys specialized hardware at the dealerships to secure the connections between the dealers and CDK‘s network. (Id. ¶ 41.) CDK‘s system only accepts communications from the dealers’ IP address that CDK has previously authorized. (Id. ¶ 43.) And the communications between the dealers and CDK are all encrypted. (Id. at ¶¶ 44-45.)

And CDK also plausibly alleges that technological measures to ensure dealer-only access to CDK‘s DMS were “avoided” or “bypassed” by InDesign‘s use of the dealers’ credentials to create an InDesign log in. (Id. ¶¶ 74-75, 96.) See, e.g., Actuate Corp. v. Int‘l Bus. Machns. Corp., 2010 WL 1340519 *9 (N.D. Cal. April. 5, 2010) (holding “unauthorized distribution of passwords and usernames avoids and bypasses a technological measure in violation of sections 1201(a)(2) and (b)(1)“); Microsoft Corp. v. EEE Bus. Inc., 555 F. Supp. 2d 1051, 1059 (N.D. Cal. 2008) (holding a license holder violated the statute by “distributing a[n] [access key] without authorization,” because, in doing so, it “effectively circumvented [plaintiff‘s] technological measure to control access to a copyrighted work in violation of the DCMA.“); 321 Studios v. MGM Studios, Inc., 307 F. Supp. 2d 1085, 1098 (N.D. Cal. 2004) (“However, while [the defendant‘s] software does use the authorized key to access the DVD, it does not have authority to use this key, as licensed DVD players do, and it therefore avoids and bypasses [the technological measure].“); see also Synopsys, Inc. v. InnoGrit, Corp., No. 19-cv-02082-LHK, 2019 WL 4848387, at *8 (N.D. Cal. Oct. 1, 2019) (collecting cases) (“[t]he majority of the courts in this district have found that a defendant‘s unauthorized use of license keys or passwords, as [the defendant] has alleged, constitutes circumvention under Section 1201(a)(1).“). Drawing all reasonable inferences in CDK‘s favor, using the dealers’ credentials to create InDesign‘s own log-in to access CDK‘s system “avoided” or “bypassed” CDK‘s technological measures to ensure dealer-only access.

The cases InDesign cites do not persuade the Court otherwise. In iSpot.tv, for example, the defendant used a username and password to access the plaintiff‘s system after having ended her employment with the entity that gave her credentials to access the plaintiff‘s system. iSpot.tv, 2023 WL 3602806 at *5. The court held the defendant “individually used the credentials in the technological manner by which she was authorized to do so albeit without authorization,” so she did not circumvent the plaintiff‘s technological measures. Id. But more than mere unauthorized use of an originally lawfully-obtained password is alleged here: CDK implemented certain technological measures—such as permitting electronic communications only with CDK authorized dealer-networks—that were “avoided” or “bypassed” by InDesign using the dealers’ network and credentials to access CDK‘s system. Adobe Sys. Inc. v. A&S Elecs. Inc., 15-cv-2288-SBA, 2015 WL 13022288 (N.D. Cal. Aug. 19, 2015) and Egilman v. Keller & Hackman, LLP, 401 F. Supp. 2d 105 (D.D.C. 2005) are distinguishable for the same reasons. None of these cases involve a defendant “getting around” a plaintiff‘s technological measure of restricting access to its copyrighted material to approved IP networks.

Accordingly, InDesign‘s actions, as alleged in the complaint and drawing reasonable inferences in CDK‘s favor, plausibly constitute circumvention of a technological measure.

iii. Primarily designed to circumvent technological measures

InDesign argues CDK does not plead a claim under § 1201(a)(2)(A) which forbids a person from trafficking in a product “primarily designed” to circumvent technological measures. (Dkt. No. 52 at 25.) But in opposition, CDK does not arguе it plausibly alleges a claim under § 1201(a)(2)(A), though its complaint refers to all three subsections of § 1201(a)(2). (Compare Dkt. No. 1 ¶ 168; with Dkt. No. 69 at 24.) So, CDK concedes it does not plead a claim under § 1201(a)(2)(A). Instead, it argues it pleads liability under § 1201(a)(2)(C) which does not require the software be “primarily designed” for that purpose, but only to be marketed for that purpose.

CDK alleges facts that plausibly support an inference of a § 1201(a)(2)(C) violation. CDK alleges InDesign‘s “business model appears to revolve around designing technology to circumvent the security and access protocols established by CDK to protect its intellectual property and confidential information.” (Dkt. No. 1 ¶ 73.) And InDesign markets to users that its 1DMS software allows users to “access ‘every part of the DMS that your application demands,’ including sales, service, parts, accounting, and customer resource management, ‘to mention a few.‘” (Id. ¶ 74.) Further, InDesign sent solicitation emails from its “Support Team” that stated “We convert dealers to Tekion (data and docs). I‘ve already got your 2 dealerships in my system with Tekion ID numbers,” through a process that includes “installing our automation software” and then “creating a CDK user so we can extract all the data and docs before your CDK service ends.” (Id. ¶ 96.) In all, these allegations sufficiently allege InDesign “marketed” itself and its 1DMS “for use in circumventing a technological measure that effectively controls access to a work protected.” 17 U.S.C. § 1201(a)(2)(C).

InDesign counters that because the 1DMS itself does not circumvent the password and IP protections, a “marketing” violation is inadequately pled. But § 1201(a)(2) applies to a person who traffics in “any technology, product, service, deviсe, component, or part thereof.” 17 U.S.C. § 1201(a)(2) (emphasis added). Further, the 1DMS, as alleged, functions to circumvent the IP address requirements of the CDK DMS by functioning on dealership computers. So, CDK plausibly alleges a violation of § 1201(a)(2)(C). And InDesign does not separately address the 1201(b)(1) claim.

*

*

*

As CDK plausibly alleges its DMCA claim, InDesign‘s motion to dismiss this claim is DENIED.

//

D. SCA Claim (Claim 3)

The SCA prohibits unauthorized access to information and is “nearly identical to the CFAA.” hiQ Labs, 31 F.4th at 1199-1200 (comparing 18 U.S.C. § 2701(a) with 18 U.S.C. § 1030(a)(2)(C)). So, the two provisions are interpreted ”pari passu.” Id. (quoting Northcross v. Bd. Of Educ. Of Memphis City Schs., 412 U.S. 427, 428 (1973)). Unlike the CFAA, however, the SCA provides an exception to liability “with respect to conduct authorized ... by a user of that service with respect to a communication of or intended for that user.” 18 U.S.C. § 2701(c). CDK does not argue dealerships are not users as defined by the statute; instead, it argues the exception does not apply to InDesign because the dealerships could not authorize access to data not intended for thе dealers. But CDK does not allege facts that plausibly support an inference InDesign‘s access ever exceeded the dealerships’ intended access. The complaint‘s conclusory allegation that InDesign‘s access was “in excess of any Dealership‘s authorization to the DMS” (Dkt. No. 1 ¶ 190), is not sufficient.

Accordingly, CDK‘s SCA claim against InDesign ‍‌​​​‌​‌‌‌‌​‌‌‌‌​​​‌​​​‌​‌‌‌‌​​‌‌​​​‌​‌‌‌‌​‌‌​‌​​‍is DISMISSED with leave to amend.

E. Trade Secrets Claims under DTSA (Claim 4) and CUTSA (Claim 6)

To state a claim under either the DTSA or CUTSA, a plaintiff must allege “(1) the plaintiff owned a trade secret; (2) the defendant misappropriated the trade secret; and (3) the defendant‘s actions damaged the plaintiff.” Alta Devices, Inc. v. LG Elecs., Inc., 343 F. Supp. 3d 868, 877 (N.D. Cal. 2018). Under both statutes, misappropriation means “either (1) the ‘[a]cquisition of a trade secret by another person who knows or has reason to know that the trade secret was acquired by improper means;’ оr (2) the ‘[d]isclosure or use of a trade secret of another without express or implied consent.‘” Id. at 877 (quoting 18 U.S.C. § 1839(5); Cal. Civ. Code § 3426.1(b)). InDesign seeks to dismiss both trade secrets claims on the grounds CDK does not allege InDesign misappropriated CDK‘s trade secrets.

CDK plausibly alleges, when drawing reasonable inferences in its favor, that InDesign accessed CDK‘s trade secrets and disclosed them to Tekion without CDK‘s express or implied consent. InDesign‘s 1DMS software “is designed for InDesign to be able to access, scrape, and collect data from CDK‘s DMS without CDK‘s permission.” (Dkt. No. 1 ¶ 73.) “Deploying 1DMS necessarily requires that InDesign obtain information about CDK‘s systems and infrastructure, including elements involving confidential and proprietary forms, rules, structured tables, software code, tools, and data compilations.” (Id. ¶ 77.) InDesign worked with Tekion by “providing Dealerships automated script software for the рurpose of extracting data for conversion to Tekion.” (Id. ¶ 109.) And accounts with the email domain “@mail.1dms.com“—InDesign‘s 1DMS accounts—used queries “to retrieve all data from a particular source for an entire month,” extracting this data, and converting it to Tekion. (Id. ¶¶ 107-109.) So, drawing reasonable inferences in CDK‘s favor, the complaint alleges “disclosure or use of the trade secret without consent.” 7EDU Impact Acad. Inc. v. You, 760 F. Supp. 3d 981, 997 (N.D. Cal. 2024) (citing 18 U.S.C. § 1839(5)(A)-(B); Cal. Civ. Code § 3426.1(b)).

InDesign‘s challenge to CDK‘s use of “Defendants” throughout the complaint fails because CDK alleges Tekion and InDesign both accessed its trade secrets through their data-scraping methods. Indeed, while CDK uses the plural “Defendants” in parts of its complaint its allegations laying out each actor‘s conduct, taken together with allegations where Defendants are grouped, gives each Defendant notice of what role each played in the alleged harm. Cf. Sebastian Brown Prods., LLC v. Muzooka, Inc., 143 F. Supp. 3d 1026, 1037 (N.D. Cal. 2015) (cleaned up) (“As a general rule, when a pleading fails to allege what role each Defendant played in the alleged harm, this makes it exceedingly difficult, if not impossible, for individual Defendants to respond to Plaintiffs’ allegations.“); (see Dkt No. 1 ¶¶ 72-77; 99-102; 105-112; 124.) So, InDesign has “fair notice of what the claim is and the grounds upon which it rests.” Bell Atl. Corp. v. Twombly, 550 U.S. 544, 555 (2007) (cleaned up).

Accordingly, InDesign‘s motion to dismiss the trade secrets claims is DENIED.

F. Tortious Interference Claim (Claim 7)

To state a claim under California‘s intentional interference with contractual relations, a plaintiff must allege “(1) the existence of a valid contract between the plaintiff and a third party, (2) the defendant‘s knowledge of that contract, (3) the defendant‘s intentional acts designed to induce a breach or disruption of the contractual relationship, (4) actual breach or disruption of the contractual relationshiр, and (5) resulting damage.” Tradeshift, Inc. v. BuyerQuest, Inc., No. 20- cv-01294-RS, 2020 WL 8920622, at *4 (N.D. Cal. May 20, 2020) (citing Reeves v. Hanlon, 33 Cal. 4th 1140, 1148 (2004)). “To establish the claim, the plaintiff need not prove that a defendant acted with the primary purpose of disrupting the contract, but must show the defendant‘s knowledge that the interference was certain or substantially certain to occur as a result of his or her action.” Reeves, 33 Cal. 4th at 1148. InDesign argues CDK fails to allege intent (3) and actual breach (4). (Dkt. No. 52 at 29.)

The complaint does not plausibly allege intent and actual breach. The complaint alleges InDesign, since at least December 2024, was aware CDK had agreements with dealerships that prohibited its unauthorized access of CDK‘s DMS. (Dkt. No. 1 ¶¶ 99-102.) But CDK only alleges InDesign attempted to induce the breach of the contract between it and a dealership. (Id. ¶¶ 99-102.) It does not allege InDesign acted intentionally to induce breach of any particular contract after it bеcame aware that CDK did not permit dealers to share their credentials. So, while CDK alleges InDesign had knowledge of the operative master services agreement provision, it does not allege InDesign then subsequently “induce[d] a breach or disruption of the contractual relationship” between CDK and any particular dealership. Tradeshift, Inc., 2020 WL 8920622, at *4 (citing Reeves, 33 Cal. 4th at 1148). Accordingly, CDK has failed to “specify the [] contracts at issue, [and] adequately allege how” InDesign‘s conduct “led to the disruption of these [MSAs].” DirecTV, LLC v. E&E Enters. Glob., Inc., No. 17-cv-06110-DDP-PLA, 2017 WL 6888500, at *5 (C.D. Cal. Nov. 20, 2017).

So, InDesign‘s motion to dismiss the tortious interference with existing business relation claim is GRANTED with leave to amend.

G. UCL Claim (Claim 8)

CDK‘s final claim is brought under California‘s Unfair Competition Law (“UCL“), Cal. Business & Professions Code §§ 17200 et seq. The UCL defines unfair competition as “any unlawful, unfair or fraudulent business act or practice.” Cal. Bus. & Prof. Code § 17200.

i. “Unfair” practice

In a case arising from a “claim of unfair competition between direct competitors,’ conduct is ‘unfair’ pursuant to Section 17200 if it has some ‘actual or threatened impact on competition,‘” so, a plaintiff must “alge harm to competition, not harm to an individual competitor.” Silverlit Toys Manufactory Ltd. v. Rooftop Grp., USA, Inc., No. 08-cv-07631-CBM (PJWx), 2010 WL 11509314, at *7 (C.D. Cal. Jan. 21, 2010) (quoting Cel-Tech Commc‘ns, Inc. v. Los Angeles Cellular Tel. Co., 20 Cal. 4th 163, 187-88 (1999)). CDK expressly alleges it is in direct competition with InDesign. (Dkt. No. 1 ¶ 208 (“Defendants’ wrongful access to the DMS allowed them to access, copy and use the CDK Trade Secrets to further their businesses in direct competition with CDK, and to wrongfully divert CDK‘s business model and Dealership clients.“)) So, to state an “unfair” prong UCL claim CDK must plausibly allege harm “to competition, not harm to an individual competitor.” Silverlit Toys, 2010 WL 11509314, at *7 (citing Cel- Tech, 20 Cal. 4th at 188-191).

CDK does not plausibly allege harm to competition. Indeed, it opposes dismissal on the grounds it “does not allege that InDesign is its direct competitor or has violated antitrust and false advertising laws, [so] CDK does not need to allege gеneral harm to competition to state a UCL claim.” (Dkt. No. 69 at 30.) But CDK does allege it is in direct competition with InDesign. (Dkt. No. 1 ¶ 208.) And the Cel-Tech court did not limit the harm to competition test to cases involving the antitrust or false advertising laws. To the contrary, it held the test applies “[w]hen a plaintiff [] claims to have suffered injury from a direct competitor[].” Cel-Tech, 20 Cal. 4th 186. Since CDK alleges the parties are direct competitors, it is required to allege harm to competition. And since CDK has not alleged any harm to competition, but instead only alleges harm to itself and its business, CDK fails to plausibly allege an UCL unfair prong violation.

ii. “Unlawful” Business Practice

CDK does not allege a UCL violation based on fraud, but it does allege a UCL violation based on InDesign‘s “unlawful” activity. And while CDK‘s allegations against InDesign do not pass the direct-competitor test, the California Supreme Court cautioned in Cel-Tech, “[n]othing we say relates to actions by consumers or by competitors alleging other kinds of violations of the unfair competition law such as ‘fraudulent’ or ‘unlawful’ business practices or ‘unfair, deceptive, untrue or misleading advertising.‘” Id. at 187 n.12. As the Court concludes above that CDK has plausibly alleged violations under the CFAA, DAFA, and the DMCA, so CDK plausibly alleges an “unlawful” prong UCL claim. See Scott v. Cintas Corp., No. 23-cv-05764-JSC, 2024 WL 3304793, at *7 (N.D. Cal. July 3, 2024) (“Because Plaintiff states a claim for the predicate violations, Plaintiff also states a claim under the UCL“).

So, InDesign‘s motion to dismiss this claim is GRANTED insofar as CDK brings an unfair prong claim, but DENIED as to the “unlawful” prong.

CONCLUSION

Because CDK has not shown it will suffer irreparable harm, preliminary injunction is not warranted, and CDK‘s motion is therefore DENIED. Further, for the reasons stated above, InDesign‘s motion to dismiss is GRANTED on its SCA, tortious interference with business relations, and UCL unfair prong claims with leave to amend. InDesign‘s motion to dismiss is otherwise DENIED. An amended complaint, if any, must be filed by August 7, 2025. The amended complaint should identify the statutory subsections under which each claim is brought.

This Order disposes of Docket Nos. 45 and 52.

IT IS SO ORDERED.

Dated: July 15, 2025

JACQUELINE SCOTT CORLEY

United States District Judge

Notes

1

Record citations are to material in the Electronic Case File (“ECF“); pinpoint citations are to the ECF-generated page numbers at the top of the documents.

2

These include companies such as GM, Ford, Toyota, Subaru, Porsche, and Jaguar. (Id. ¶ 29.)

3

There is a factual dispute about whether CDK ever disabled InDesign dealer-created credentials, as CDK‘s CEO attests it has since 2016 disabled InDesign accounts (Dkt. No. 73-1 ¶¶ 4-8), while InDesign claims “[p]rior to roughly April 14, 2025, CDK has never ‍‌​​​‌​‌‌‌‌​‌‌‌‌​​​‌​​​‌​‌‌‌‌​​‌‌​​​‌​‌‌‌‌​‌‌​‌​​‍cut off or disabled InDesign‘s dealer-authorized access credentials.” (Dkt. No. 62-2 ¶ 50.) Regardless, CDK admits it for years knew of InDesign‘s activities regarding the CDK DMS and it did not demand InDesign stop or take any legal action against InDesign.

4

In Brnovich, CDK sued to enjoin enforcement of Arizona‘s Dealer Law which granted rights to dealerships to access their data on CDK‘s DMS. Id. at 1272-73.

Case Details

Case Name: CDK Global, LLC v. Tekion Corp.

Court Name: District Court, N.D. California

Date Published: Jul 15, 2025

Citation: 3:25-cv-01394

Docket Number: 3:25-cv-01394

Court Abbreviation: N.D. Cal.