The Ninth Circuit Holds that California’s Anti-Hacking Law, Penal Code Section 502, does not Proscribe Unauthorized “Access” to a Database; Rather, the Section Prohibits Unauthorized Use, Copying, or Manipulation of Information in the Database

[co-author: Gabriella Perez - Law Student]

California’s Computer Data Access And Fraud Act, Cal. Pen. Code, § 502 (“CDAFA”) is a state law analog to the federal Computer Fraud and Abuse Act, 18 U.S.C. § 1030 et seq. (“CFAA”). Both are aimed at fighting unauthorized intrusions into electronic data (for a primer on these statutes, see “Strategies For Businesses Protecting Electronic Data Within California” here). (See Craigslist Inc. v. 3Taps Inc. (N.D. Cal. 2013) 942 F.Supp.2d 962, 968 [identifying the CDAFA as a state law corollary to the federal statute].)

However, at least according to one federal court, there is a significant difference between the California and federal statute. (United States v. Christensen (9th Cir. 2016) 828 F.3d 763, 789.) By way of background, the CFAA requires that a defendant access a protected computer “without authorization.” (18 U.S.C. § 1030(a)(5)(A)-(C); see also LVRC Holdings LLC v. Brekka (9th Cir. 2009) 581 F.3d 1127, 1133.) Thus, the focus of a purported violation of the CFAA is whether an alleged hacker has accessed a computer without authorization or has exceeded a specific authorized access. The CFAA is not applicable to a person who is authorized to access a computer or parts of the computer but who, in so doing, misuses or misappropriates information. (United States v. Nosal, (9th Cir. 2012) 676 F.3d 854, 863-864.)

Section 502(c) of the CDAFA lists a number of violations with the following language as a precondition: “[k]nowingly accesses and without permission . . . .” Thus, the section provides that a person who commits, inter alia, any of the following acts is guilty of a public offense:

(1) [k]nowingly accesses and without permission alters, damages, deletes, destroys, or otherwise uses any data, computer, computer system, or computer network in order to either (A) devise or execute any scheme or artifice to defraud, deceive, or extort, or (B) wrongfully control or obtain money, property, or data;

(2) [k]nowingly accesses and without permission takes, copies, or makes use of any data from computer, computer system, or computer network, or takes or copies any supporting documentation, whether existing or residing internal or external to a computer, computer system, or computer network;

………………………………………………………………………………………

(4) [k]nowingly accesses and without permission adds, alters, damages, deletes, or destroys any data, computer software, or computer programs which reside or exist internal or external to a computer, computer system, or computer network, computer system, or computer network; . . .

(Emphasis added.)

In United States v. Christensen, supra, 828 F.3d 763, concerning particular identity theft jury instructions, the criminal defendant relied upon United States v. Nosal, supra, 676 F.3d at pp. 864, and claimed that a section 502(c)(2) violation requires that use of a computer or...