Ninth Circuit Holds That California's Anti-Hacking Law Does Not Proscribe Unauthorized "Access" to a Database
California’s Computer Data Access And Fraud Act, Cal. Pen. Code, § 502 (CDAFA) is a state law analog to the federal Computer Fraud and Abuse Act, 18 U.S.C. § 1030 et seq. (CFAA). Both are aimed at fighting unauthorized intrusions into electronic data (for a primer on these statutes, see Strategies For Businesses Protecting Electronic Data Within California here). (See Craigslist Inc. v. 3Taps Inc. (N.D. Cal. 2013) 942 F.Supp.2d 962, 968 [identifying the CDAFA as a state law corollary to the federal statute].)
However, at least according to one federal court, there is a significant difference between the California and federal statute. (United States v. Christensen (9th Cir. 2016) 828 F.3d 763, 789.) By way of background, the CFAA requires that a defendant access a protected computer without authorization. (18 U.S.C. § 1030(a)(5)(A)-(C); see also LVRC Holdings LLC v. Brekka (9th Cir. 2009) 581 F.3d 1127, 1133.) Thus, the focus of a purported violation of the CFAA is whether an alleged hacker has accessed a computer without authorization or has exceeded a specific authorized access. The CFAA is not applicable to a person who is authorized to access a computer or parts of the computer but who, in so doing, misuses or misappropriates information. (United States v. Nosal, (9th Cir. 2012) 676 F.3d 854, 863-864.)
Section 502(c) of the CDAFA lists a number of violations with the following language as a precondition: [k]nowingly accesses and without permission . . . . Thus, the section provides that a person who commits, inter alia, any of the following acts is guilty of a public offense:
(1) [k]nowingly accesses and without permission alters, damages, deletes, destroys, or otherwise uses any data, computer, computer system, or computer network in order to either (A) devise or execute any scheme or artifice to defraud, deceive, or extort, or (B) wrongfully control or obtain money, property, or data;
(2) [k]nowingly accesses and without permission takes, copies, or makes use of any data from computer, computer system, or computer network, or takes or copies any supporting documentation, whether existing or residing internal or external to a computer, computer system, or computer network;
(4) [k]nowingly accesses and without permission adds, alters, damages, deletes, or destroys any data, computer software, or computer programs which reside or exist internal or external to a computer, computer system, or computer network, computer system, or computer network; . . .
In United States v. Christensen, supra, 828 F.3d 763, concerning particular identity theft jury instructions, the criminal defendant relied upon United States v. Nosal, supra, 676 F.3d at pp. 864, and claimed that a section 502(c)(2) violation requires that use of a computer or database be unauthorized. The defendant asserted error because the trial court did not so instruct the jury. However, the court of appeals rejected the argument.
The federal court ruled that access, as used throughout California’s section 502(c), in contrast to the federal CFAA, does not require unauthorized access to a computer, but merely requires knowing access. (Id. at p. 789.) According to the court, what makes access unlawful under section 502(c)(2), is that an alleged hacker without permission takes, copies or makes use of data on the computer. (Ibid.) A plain reading of the statute demonstrates that its focus is on unauthorized taking or use of information. (Ibid.; emphasis added.) It does not criminalize unauthorized access to a computer, database or data. In sum, the court held: We conclude that the term ‘access’ as defined in the California statute includes logging into a database with a valid password and subsequently taking, copying or using the information in the database improperly. (Ibid.)
There is currently a split of authority in the California courts on the issue which Christensen addressed. Christensen itself acknowledged this split. (Ibid.) On the one hand, there is Chrisman v. City of Los Angeles (2007) 155 Cal.App.4th 29, 34-35, in which the Court of Appeal held that unauthorized access meant breaking into a computer. On the other hand, there is Gilbert v. City of Sunnyvale (2005) 130 Cal.App.4th 1264, 1281, in which the Court of Appeal emphasized that [k]nowingly accessing and without permission making use of any data from a computer system is a crime under section 502. The Gilbert court did not discuss unauthorized access to a computer or database.
Christensen rejected Chrisman and ruled consistently with Gilbert. It seems that the Christensen holding (as well as Gilbert) is the more textually grounded ruling. The statutory phrase in section 502 without permission modifies the taking or use of information in a database and not the initial access of the computer or database itself. How the California Supreme Court may resolve the issue, if and when presented, remains to be seen.
*This E-Alert was assisted by Gabriella S. Perez, a 3rd year student at Loyola Law School.