As promised last week, here’s the lowdown on Penal Code section 502, otherwise known as California’s Comprehensive Computer Data Access and Fraud Act.
Nowadays, of course, cybercrime can include any flavor of fraud, identity theft, or other scheme or swindle that is committed by computers or related to their use. Not to mention other crimes like stalking and child pornography.
Section 502, however, is found in the part of the Penal Code that deals with theft, larceny, and other crimes against property, and it lists fourteen separate ways you can land yourself in hot water by harming, hacking into, or misappropriating computer data or systems or by helping others to do so. See Pen. Code § 502(c). The list covers a lot of ground, and you can read it yourself here if you scroll two-thirds of the way down the page. The law also covers a lot of ground geographically, as it authorizes long-arm jurisdiction over your activities in every state to which or from which you direct them. Id. § 502(j).
The more serious offenses are wobblers. If they are charged as felonies, they are punishable by imprisonment in the county jail for 16 months, two years, or three years; a fine of up to $10,000; or both. If they are charged as misdemeanors they are punishable by imprisonment in the county jail for up to one year; a fine of $5,000; or both.
Some of the fourteen provisions are broad in scope, and one punishes you simply for knowingly using computer services without permission. See Pen. Code § 502(c)(3). If it’s your first violation, and you didn’t cause any injury to any computer data or systems, and you didn’t use more than $950 worth of computer services, then it’s a misdemeanor punishable by up to one year in the county jail, a fine of up to $5,000, or both. The term injury, however, means any alteration, deletion, damage, or denial of access you may have caused. Id. § 502(b)(10). If it’s not your first time, or you did cause injury to data, or you used more than $950 worth of computer services, or it costs the victim more than $5,000 to investigate the breach, then it’s a wobbler punishable as a felony or misdemeanor.
The least serious offenses—where you accessed stuff without permission but didn’t cause any injury—may be infractions if it’s your first time, and you may get off with a fine of $1,000 or less. If it’s not your first time, or if it costs the victim $5,000 or less to investigate the breach, then it’s a misdemeanor punishable by up to one year in the county jail, a fine of up to $5,000, or both. If it costs more than $5,000 to investigate the breach, it’s a wobbler.
Beyond criminal prosecution, section 502 gives the victim a private right of action to sue you civilly for money damages and other relief. The court may even order you to pay the victim’s legal fees, and it may hold you liable for punitive damages if your conduct was bad enough. And parents, take note: you can be held liable for your kid’s conduct. Or, if you’re a college student, you may face automatic disciplinary proceedings at your school on top of everything else. See generally id. § 502(e).
But not all is lost for those who can’t help goofing around at work. First off, there’s an exception to prosecution for acts that were within the scope of your employment, meaning they were reasonably necessary to the performance of your assignment. Id. § 502(h)(1). But even if you acted outside the scope of your employment, you can’t be punished if you didn’t cause any injury to your employer or anyone else, or if the total value of the goods or services you used didn’t exceed $250. Id. § 502(h)(2), (i). See also Chrisman v. City of L.A. (2007) 155 Cal. App. 4th 29, 34-37 (applying these exceptions to a police officer who misused a law-enforcement database to look up celebrities and others). Finally, the statute directs a court to consider alternate sentencing, including community service, if you’ve demonstrated remorse and an inclination not to repeat the offense. Pen. Code § 502(k).