California’s Computer Data Access and Fraud Act (CDAFA) (also referred to as the “Anti-Hacking Statute”) prohibits access to computers, computer systems, and networks without permission in order to do harm or engage in unauthorized use. (See California Penal Code § 502). Violation of the CDAFA may range from a misdemeanor to a felony offense, and the Act also provides for a civil remedy in the form of compensatory damages, injunctive relief, and other equitable relief. The intent of the CDAFA is to protect individuals, businesses, and governmental agencies from tampering, interference, damage, and unauthorized access to lawfully created computer data and computer systems.

The Act specifically prohibits the disruption of government computer services and public safety computer systems without permission.

Prosecution for violation of Penal Code section 502 is not limited to outsiders of an organization. Employees who misuse their access to employer computer systems may be held criminally liable for taking, copying, or making use of any data from a computer, computer system, or computer network. According to the U.S. Court of Appeals for the Ninth Circuit, the term “access” as defined in the state statute includes logging into a database with a valid password and subsequently taking, copying, or using the information in the database improperly.

Many employers are ill prepared to defend against insider hacking jobs. Information Technology (“IT”) employees and others with unfettered access to computer systems, data, and employee email accounts may be tempted to eavesdrop and appropriate data beyond what is required in their scope of employment.

Public agencies must protect their electronic information just as private companies must. Indeed, while numerous local government records are public documents, improper access and/or misuse of public data, such as employee emails, without a business purpose, can create significant disruption within an agency. Also, many local government documents are exempt from public disclosure, including documents pertaining to pending litigation, private personal information, and library circulation records, to name a few. Local government agencies have an obligation to protect such exempt documents from disclosure.

While improper access can be difficult to detect and control, employers can take several important steps to deter unchecked employee access.

  1. Adopt personnel policies prohibiting employees from gaining access without permission in order to alter, damage, delete, destroy, or otherwise improperly use any data, computer, computer system, or computer network. Such policies should also prohibit making copies of data without permission, and gaining access in order to disrupt services. Community colleges should also note that they are required by Penal Code Section 502(e)(3) to include computer-related crimes as a specific violation of college or university student conduct policies.
  2. Establish in job descriptions and terms of service that access to employer computers, systems, networks, and data is permitted only for legitimate business purposes that fall within the employee’s scope of employment, and that the employer does not consent to access for non-business purposes or for purposes that fall outside of an employee’s scope of employment.
  3. Require employees to acknowledge and agree in writing that access is restricted to designated business purposes, and that they are not permitted to access or misuse employer computers, systems, networks, and data for any other reason. Employees should also be required to acknowledge that unauthorized access or access/use for a non-business purpose may result in discipline up to and including termination, and may result in prosecution under the law. Such acknowledgements should be renewed on a regular basis. User agreements are particularly important for IT employees.
  4. For IT employees, establish a “service” or “trouble” ticket system to define when access to certain systems is appropriate, and when such access is no longer necessary once each ticket is resolved.
  5. In order to discourage misappropriation of agency data, prohibit employees from bringing their own computer equipment, including computers, laptops, hard drives, USB drives and other personal devices, into the workplace.
  6. Finally, in the event that employers need to investigate an employee’s alleged improper access or misuse, advise and regularly remind employees in writing that they have no expectation of privacy regarding their activity on employer-owned devices and systems.

Data theft and computer system disruption can have serious effects on an organization. These steps can help ensure that employees are aware of the rules and expectations related to computer and data access, and will help protect employer data from misuse.

Kelly Tuffo

Kelly Tuffo has represented public agencies for over seventeen years. Her areas of expertise are labor negotiations, labor relations, contract administration, public education, and employment law, including employment discrimination, harassment, discipline and investigations. Kelly advises cities, counties and other public sector and public education employers on all aspects of employment relations, including labor negotiations, retirement law, and employment benefits and compensation, conducts workplace investigations, and represents clients in fact-finding proceedings, disciplinary proceedings and mediation and arbitration of grievances. Kelly provides training on all areas related to her practice.

As chief labor negotiator, Kelly has negotiated hundreds of labor contracts between public agencies and their employee organizations representing numerous types of employees, including nurses, doctors, police officers, deputy sheriffs, firefighters, mid-managers, probation officers, dispatchers, attorneys, engineers, community college faculty, and other miscellaneous job classifications. She is experienced in conducting collective bargaining agreement audits, mediation, fact-finding, arbitration and PERB proceedings. Kelly has represented clients in matters involving union grievances, arbitrations, unfair labor practices, labor strikes, unilateral implementation and other labor issues. She has negotiated impacts of several police service transfer agreements between public agencies.

Kelly is an experienced workplace investigator. She conducts management training programs on a variety of employment law issues, including discipline, performance evaluation, leaves of absence, and harassment and discrimination prevention.

Prior to law school and joining our San Francisco office, Kelly was a labor relations representative for a private sector company. In that role, she coordinated contract negotiations, represented the company in arbitrations, negotiated and handled grievances and conducted investigations. She also has experience in community mediation for a public sector entity.