Privacy Issues in the Workplace

The first is California Penal Code section 502, which was enacted to address the proliferation of computer crime and other forms of unauthorized access to computers, computer systems, and computer data. 454 Section 502 protects computer systems, data, the privacy of individuals and “the well-being of financial institutions, business concerns, governmental agencies, and others.” It prohibits, in pertinent part, the unauthorized use, copying, damage, interference, and access to lawfully created computer data and computer systems from an internal or external computer or network. The statute provides both criminal and civil remedies. Section 502 explicitly excludes individuals who access their employer’s computer systems or data when acting within the scope of their lawful employment. However, the statute does not include similar language protecting the employer from liability. Because the statute only applies to “unauthorized” conduct, the employer may avoid liability under Section 502 by obtaining the employee’s written acknowledgement and consent to employer monitoring. The California Court of Appeal case of Chrisman v. City of Los Angeles, 455 involved the firing of an L.A. police officer for misusing his department computer. Chrisman improperly inquired about celebrities, friends and others via the City’s computer. The City claimed that Chrisman had violated Section 502. Section 502 makes it a public offense to “knowingly and without permission access or cause to be accessed any computer, computer system, or computer network.” It defines “access” as “hacking,” or breaking into a computer. Section 502 specifically refers to the hacking of computers and not simply an employee's misuse of a computer that he has the right to access. Although the City disapproved of Chrisman’s conduct, his use of the mobile digital terminal computer was not outside the scope of his employment, and, therefore, not violative of Section 502. In another California Court of Appeal case, People v. Childs 456 , the court confirmed the conviction and restitution order of $1.4 million entered against an employee for disrupting or denying computer services to an authorized user (his employer) in violation of Penal Code section 502(c)(5). Penal Code section 502(c)(5) makes it a criminal offense to “knowingly and without permission” disrupt or cause the disruption of computer services or to deny or cause the denial of computer services “to an authorized user of a computer, computer system, or computer network.” The employee, Terry Childs, was the principal network engineer for the Department of Telecommunications and Information Services (DTIS) of the City and County of San Francisco. He was assigned to “configure, implement and administer” the City’s new fiber-optic wide area network (FiberWAN) using Cisco products. He convinced the City to let him implement the network himself instead of having Cisco do it. Against the expressed concerns of his supervisor, Childs designed the network so that only Childs had access to the passwords to recover the systems and that, if unauthorized users tried to reboot the system, this would erase the system configurations. Also, in response to the possibility of layoffs in his department, Childs told a coworker, “They can’t screw with me, I have the keys to the kingdom.” At some point, the City became concerned about the agitated and potentially violent behavior of Childs. A decision was made to reassign Childs and remove him as the FiberWAN network engineer. When the City met with Childs to reassign him, Childs refused to provide the correct user IDs and passwords for FiberWAN core devices. He first stated that he no longer had administrator access; he then provided incorrect passwords and told the City representatives that

Privacy Issues in the Workplace ©2019 (s) Liebert Cassidy Whitmore 139