Privacy Issues in the Community College Workplace

It prohibits, in pertinent part, the unauthorized use, copying, damage, interference, and access to lawfully created computer data and computer systems from an internal or external computer or network. The statute provides both criminal and civil remedies. Section 502 explicitly excludes individuals who access their employer's computer systems or data when acting within the scope of their lawful employment. However, the statute does not include similar language protecting the employer from liability. Because the statute only applies to “unauthorized” conduct, the employer may avoid liability under section 502 by obtaining the employee’s written acknowledgement and consent to employer monitoring. In another California Court of Appeal case, People v. Childs 428 , the court confirmed the conviction and restitution order of $1.4 million entered against an employee for disrupting or denying computer services to an authorized user (his employer) in violation of Penal Code section 502(c)(5). Penal Code section 502(c)(5) makes it a criminal offense to “knowingly and without permission” disrupt or cause the disruption of computer services or to deny or cause the denial of computer services “to an authorized user of a computer, computer system, or computer network.” The employee, Terry Childs, was the principal network engineer for the Department of Telecommunications and Information Services (DTIS) of the City and County of San Francisco. He was assigned to “configure, implement and administer” the City’s new fiber-optic wide area network (FiberWAN) using Cisco products. He convinced the City to let him implement the network himself instead of having Cisco do it. Against the expressed concerns of his supervisor, Childs designed the network so that only Childs had access to the passwords to recover the systems and that, if unauthorized users tried to reboot the system, this would erase the system configurations. Also, in response to the possibility of layoffs in his department, Childs told a coworker, “They can’t screw with me, I have the keys to the kingdom.” At some point, the City became concerned about the agitated and potentially violent behavior of Childs. A decision was made to reassign Childs and remove him as the FiberWAN network engineer. When the City met with Childs to reassign him, Childs refused to provide the correct user IDs and passwords for FiberWAN core devices. He first stated that he no longer had administrator access; he then provided incorrect passwords and told the City representatives that he met with that they were not qualified to have the FiberWAN user IDs and passwords. He also refused to provide backup confirmations, stating that there were none.

The City remained locked out of the system from July 9 until July 21, when Childs, through his attorney, gave the correct FiberWan passwords and backup configurations to the Mayor of the City.

After reviewing the legislative history and amendments to Penal Code section 502, the court held that “the Legislature did not intend that subdivision (c)(5) could only be applied to external hackers who obtain unauthorized access to a computer system.” 429 Rather, “[i]t appears that subdivision (c)(5) may properly be applied to an employee who uses his or her authorized access to a computer system to disrupt or deny computer services to another lawful user.” 430 The court also found that case law supported the application of section 502(c) to employees, “in appropriate circumstances.” 431

Privacy Issues in the Community College Workplace ©2019 (c) Liebert Cassidy Whitmore 136