Last week, the Ninth Circuit issued an important decision for employers in United States v. Christensen, No. 08-50531, 2015 WL 5010591, at *14 (9th Cir. Aug. 25, 2015). In that case, the Court of Appeals held that employees who misuse their access to their employers’ computer systems can be held criminally liable under California Penal Code § 502(c)(2). While many lower-court decisions within the Ninth Circuit had questioned the scope of Section 502(c) and certain of its sub-parts, and some considered it to be primarily an “anti-hacking statute,” the Ninth Circuit’s decision makes clear that § 502(c) applies even to an employee who accesses a database or system with a valid password, but proceeds to take, copy, or use data without permission to do so.
In Christensen, six defendants were convicted of a criminal enterprise operating as a private investigation service known as the Pellicano Investigative Agency (PIA). Among numerous other charges, the Defendants were charged with computer fraud and unauthorized computer access under the Computer Fraud and Abuse Act (CFAA), and with aggravated identity theft under 18 U.S.C. § 1028 based on underlying violations of the CFAA and California Penal Code § 502(c). Specifically, Defendant Turner was convicted of aiding and abetting computer fraud by paying telephone company employees to assist in setting up illegal wiretaps on targets being investigated by the PIA, and bribing law enforcement officials to use their access to police databases to obtain confidential information on PIA targets. The Christensen court addressed whether the employees’ access of the databases, with valid passwords and credentials, could violate the CFAA or § 502(c).
Turning first to the CFAA offenses, the court noted that the CFAA requires, as an element of the charge, that the defendant “knowingly..access[ed] a protected computer without authorization or exceed[ed] authorized access.” 18 U.S.C. 1030(a)(4). In U.S. v. Nosal, 676 F.3d 854, 859 (9th Cir. 2012), the Ninth Circuit held that both forms of access — “without authorization” and “exceeding authorized access” — required some form of “hacking” into the system in order to violate the most widely used provisions of the CFAA, including those at issue in Christensen. Under Nosal, to prove a violation of Section 1030(a)(4) of the CFAA, it is not enough that an employee’s access of a work computer violated a computer use or security policy to which the employee was subject. So long as the employee had the right to access the computer at the time he did so, he cannot be held liable under Section 1030(a)(4) of the CFAA, even if he then abuses that access. Id. at 857. The Nosal court feared that interpreting “exceeding authorized access” or “without authorization” to mean in violation of a company policy as opposed to hacking, would “transform the CFAA from an anti-hacking statute into an expansive misappropriation statute.” Id.
The Christiansen court, relying on Nosal, overturned Defendants’ convictions under Section 1030(a)(4) of the CFAA, finding that neither the telephone company employee nor the law enforcement officer had hacked into their computers, and that they had valid access to the databases they used to conduct the improper acts at the time of access. Christensen, 2015 WL 5010591 at * 12-13.
However, the Court reached the opposite conclusion with regard to whether the Defendants had the requisite criminal intent to violate California Penal Code § 502(c) in order to support Defendants’ convictions for identity theft. Cal. Penal Code § 502(c)(2) provides that a person commits a criminal offense if he or she “knowingly accesses and without permission takes, copies, or makes use of any data from a computer, computer system, or computer network, or takes or copies any supporting documentation, whether existing or residing internal or external to a computer, computer system, or computer network.” (underlining added)
In light of conflicting state law on whether § 502(c) required “hacking” or not (compare Chrisman v. City of Los Angeles, 155 Cal. App. 4th 29, 34-35 (2007) (requiring “hacking” for violations of § 502(c)(7)) with Gilbert v. City of Sunnyvale, 130 Cal. App. 4th 1264, 1281 (2005) (finding access alone sufficient to violate § 502(c)(2)), the Court looked to the plain language of § 502(c) and concluded “the term ‘access’ as defined in the California statutes included logging into a database with a valid password and subsequently taking, copying, or using the information in the database improperly.” Christensen, 2015 WL 5010591 at * 14. There is no requirement that the access be “without authorization” or “exceeds authorized access” as understood under certain provisions of the CFAA. As the Court noted, not only did the plain language of the statute support this interpretation, it was also in line with the exception carved out in §502(c)(h), which exempts employees acting within the scope of their employment from liability for certain § 502(c) offenses. The Christensen court reasoned such an exception would be meaningless if § 502(c) required hacking into a computer system. Accordingly, the Court upheld the defendants’ convictions based on their intent to violate § 502(c).
This decision is good news for employers. The Christensen court’s holding will likely provide a valuable tool to employers who are increasingly facing the theft or misuse of their data at the hands of their own employees, and will dispel the notion echoed by some courts that § 502(c) is merely an anti-hacking statute, subject to the same Nosal-based restrictions as the most widely used provisions of the CFAA. See, e.g., Sunbelt Rentals, Inc. v. Victor, 43 F. Supp. 3d 1026, 1032 (N.D. Cal. 2014) (“Section 502 is an anti-hacking statute intended to prohibit unauthorized use of any computer system” and holding that “without permission” requires the defendant “circumvent technical or code-based barriers” to access.)