An Administrator's Guide to California Private School Law

Chapter 10 - Privacy Rights Of Students And Employees

the employer from liability. Because the statute only applies to “unauthorized” conduct, the employer may avoid liability under Section 502 by obtaining the employee’s written acknowledgement and consent to employer monitoring. The California Court of Appeal has held that misuse of a computer system that an employee had a right to access as part of the scope of his employment does not constitute conduct that violates Section 502.

In Chrisman v. City of Los Angeles, 1761 the City fired an L.A. police officer for misusing his department computer. The officer, Chrisman, improperly inquired about celebrities, friends and others via the City’s computer. The City claimed that Chrisman had violated Section 502. Section 502 makes it a public offense to “knowingly and without permission access or cause to be accessed any computer, computer system, or computer network.” It defines “access” as “hacking,” or breaking into a computer. Section 502 specifically refers to the hacking of computers and not simply an employee's misuse of a computer that he has the right to access. The Court concluded: “One cannot reasonably describe appellant's improper computer inquiries about celebrities, friends, and others as hacking.” 1762 The Court explained that Chrisman did not penetrate systems to which he did not have access; instead, he used the computers “to get information to which he was entitled when performing his job, but retrieved it for non-work-related reasons.” 1763 The Court concluded that under these circumstances, Section 502 did not apply.

In another California Court of Appeal case, People v. Childs, 1764 the court confirmed the conviction and restitution order of $1.4 million entered against an employee for disrupting or denying computer services to an authorized user (his employer) in violation of Penal Code section 502(c)(5). Penal Code section 502(c)(5) makes it a criminal offense to “knowingly and without permission” disrupt or cause the disruption of computer services or to deny or cause the denial of computer services “to an authorized user of a computer, computer system, or computer network.”

The employee, Terry Childs, was the principal network engineer for the Department of Telecommunications and Information Services (DTIS) of the City and County of San Francisco. He was assigned to “configure, implement and administer” the City’s new fiber-optic wide area network (FiberWAN) using Cisco products. He convinced the City to let him implement the network himself instead of having Cisco do it. Against the expressed concerns of his supervisor, Childs designed the network so that only he had access to the passwords needed to recover the systems and so that, if unauthorized users tried to reboot the system, the system configurations would be erased. Also, in response to the possibility of layoffs in his department, Childs told a coworker, “They can’t screw with me, I have the keys to the kingdom.”

At some point, the City became concerned about Childs’s agitated and potentially violent behavior. A decision was made to reassign Childs and remove him as the FiberWAN network engineer. When the City met with Childs to reassign him, Childs refused to provide the correct user IDs and passwords for FiberWAN core devices. He first stated that he no longer had administrator access; he then provided incorrect passwords and told the City representatives he met with that they were not qualified to have the FiberWAN user IDs and passwords. He also refused to provide backup confirmations, stating that there were none. The City remained locked out of the system from July 9 until July 21, when Childs, through his attorney, gave the correct FiberWAN passwords and backup configurations to the Mayor of the City.

An Administrator’s Guide to California Private School Law ©2019 Liebert Cassidy Whitmore 397
