My Other Computer is Your Computer: Preventing Employee Cybercrimes and Maximizing the Protections of California’s Anti-Hacking Statute

California’s Computer Data Access and Fraud Act (CDAFA) (also referred to as the “Anti-Hacking Statute”) prohibits access to computers, computer systems, and networks without permission in order to do harm or engage in unauthorized use. (See California Penal Code § 502). Violation of the CDAFA may range from a misdemeanor to a felony offense, and the Act also provides for a civil remedy in the form of compensatory damages, injunctive relief, and other equitable relief. The intent of the CDAFA is to protect individuals, businesses, and governmental agencies from tampering, interference, damage, and unauthorized access to lawfully created computer data and computer systems.

The Act specifically prohibits the disruption of government computer services and public safety computer systems without permission.

Prosecution for violation of Penal Code section 502 is not limited to outsiders of an organization. Employees who misuse their access to employer computer systems may be held criminally liable for taking, copying, or making use of any data from a computer, computer system, or computer network. According to the U.S. Court of Appeals for the Ninth Circuit, the term “access” as defined in the state statute includes logging into a database with a valid password and subsequently taking, copying, or using the information in the database improperly.

Many employers are ill prepared to defend against insider hacking jobs. Information Technology (“IT”) employees and others with unfettered access to computer systems, data, and employee email accounts may be tempted to eavesdrop and appropriate data beyond what is required in their scope of employment.

Public agencies must protect their electronic information just as private companies must.  Indeed, while numerous local government records are public documents, improper access and/or misuse of public data, such as employee emails, without a business purpose, can create significant disruption within an agency. Also, many local government documents are exempt from public disclosure, including documents pertaining to pending litigation, private personal information, and library circulation records, to name a few. Local government agencies have an obligation to protect such exempt documents from disclosure.

While improper access can be difficult to detect and control, employers can take several important steps to deter unmitigated employee access.

1. Adopt personnel policies prohibiting employees from gaining access without permission in order to alter, damage, delete, destroy, or otherwise improperly use any data, computer, computer system, or computer network. Such policies should also prohibit making copies of data without permission, and gaining access in order to disrupt services.Community colleges should also note that they are required by Penal Code Section 502(e)(3) to include computer-related crimes as a specific violation of college or university student conduct policies.
2. Establish in job descriptions and terms of service that access to employer computers, systems, networks, and data are only permitted for legitimate business purposes that fall within the employee’s scope of employment, and that the employer does not consent to access for non-business purposes or for purposes that fall outside of an employee’s scope of employment.
3. Require employees to acknowledge and agree in writing that access is restricted to designated business purposes, and that they are not permitted to access or misuse employer computers, systems, networks, and data for any other reason. Employees should also be required to acknowledge that unauthorized access or access/use for a non-business purpose may result in discipline up to and including termination, and may result in prosecution under the law. Such acknowledgements should be renewed on a regular basis. User agreements are particularly important for IT employees.
4. For IT employees, establish a “service” or “trouble” ticket system to define when access to certain systems is appropriate, and when such access is no longer necessary once each ticket is resolved.
5. In order to discourage misappropriation of agency data, prohibit employees from bringing their own computer equipment, including computers, laptops, hard drives, USB drives and other personal devices, into the workplace.
6. Finally, in the event that employers need to investigate an employee’s alleged improper access or misuse, advise and regularly remind employees in writing that they have no expectation of privacy regarding their activity on employer-owned devices and systems.

Data theft and computer system disruption can have serious effects on an organization. These steps can help ensure that employees are aware of the rules and expectations related to computer and data access, and will help protect employer data from misuse.