Knowing the Basics of Calif.'s Computer Data Access and Fraud Act: A Must for Trade Secrets Lawyers
This article summarizes the essential elements of and discusses several key issues that attorneys should consider when bringing or defending CDAFA claims in civil trades secrets cases.
August 29, 2018 at 02:09 PM
8 minute read
Computers are as common today as paper and pencils were in earlier times. Because they are used in virtually every line of work, computers are almost always involved in contemporary efforts to steal trade secrets. A host of state and federal anti-hacking laws prohibit the use of computers to gain access to, or to copy or use data without the owner's permission. This reality has created a standard of care for lawyers representing plaintiffs alleging misappropriation of trade secrets that requires every trade secrets complaint to include a cause alleging violation of either the Computer Fraud and Abuse Act (18 U.S.C. Section 1030, et seq.) (CFAA) or the relevant state's statutory equivalent.
California's analog to the CFAA—the Computer Data Access and Fraud Act (Cal. Pen. Code Section 502) (CDAFA)—was enacted to prevent hackers from gaining “unauthorized access to computers, computer systems, and computer data.” Pen. Code § 502, subs. (a). Lawyers who litigate trade secrets cases under the California Uniform Trade Secrets Act, Cal. Civ. Code § 3426, et seq. (CUTSA) must therefore be familiar with the CDAFA. This article summarizes the essential elements of and discusses several key issues that attorneys should consider when bringing or defending CDAFA claims in civil trades secrets cases.
Subsection (c) of the CDAFA prohibits 14 different acts by a defendant who “knowingly and without permission” of the owner either gains access or performs certain acts with respect to data, computers, computer systems, computer networks, or computer services. Five subsections of the CDAFA are directly relevant to most CUTSA claims, provided the defendant knowingly gains access to computer resources and, without the owner's permission, allegedly:
- “Uses any data [or] computer [to] wrongfully control or obtain … data.”
- “Takes, copies, or makes use of any data from a computer, … or takes or copies any supporting documentation, whether existing or residing internal or external to a computer.”
- “Uses or causes to be used computer services.”
- “Provides or assists in providing a means of accessing a computer.”
- “Accesses or causes to be accessed any computer.”
CDAFA Provides Civil Action That May Include Attorney Fees and Punitive Damages Awards
Although the CDAFA is fundamentally a criminal statute, subsection (e)(1) expressly provides that any person “who suffers damage or loss by reason of a violation of any of the provisions of subdivision (c) may bring a civil action against the violator for compensatory damages and injunctive relief or other equitable relief.” Subsection (e)(2) of the CDAFA provides for an award of reasonable attorney fees. Subsection (e)(4) provides that punitive or exemplary damages may be awarded for willful violations of subsection (c) if fraud, oppression, or malice, as defined by Civil Code Section 3294, subs. (c) has been proved by clear and convincing evidence. Subsection (e)(5) provides a three-year limitations period for CDAFA claims.
|Causes of Action Pleaded in CDAFA's Statutory Language Will Overcome Demurrer
Requirements to plead a legally sufficient CDAFA claim are minimal: A plaintiff need only allege violations in the language of the statute. See, e.g., Tagged v. Doe, 2010 U.S. Dist. LEXIS 5428, *26-*27 (N.D. Cal. Jan. 25, 2010). There is no requirement to plead particularized facts, and therefore CDAFA claims will not generally be susceptible to challenge or dismissal by demurrer or motion to dismiss. At least one court has granted a motion to dismiss, with leave to amend, for a plaintiff's failure “to affirmatively state which provisions of the CCDFA they allege [were] violated.” (See In re Carrier IQ Consumer Privacy Litigation, 78 F. Supp. 3d 1051, 1097-98 (N.D. Cal. 2015). If a plaintiff alleges merely that the CDAFA was violated, a demurrer may be warranted to determine whether, for example, the claim includes an allegation that the defendant infected computer resources with a virus or accessed computer resources to obtain data. In most cases, however, a demurrer will provide little help to narrow the claims, because each prohibited act is itself comprised of an expansive list of actions. For example, Subsection (c)(1) prohibits a person from knowingly accessing and without permission altering, damaging, deleting, destroying, or otherwise using any data or computer resources to defraud, deceive, or extort or wrongfully control or obtain money, property or data. Thus, while authority supports the filing of a demurrer to determine which of the CDAFA's 14 prohibited acts are being alleged in a complaint, the statutory language itself would reasonably prevent a defendant from learning early in the case whether she is being accused, for example, of gaining access to data to further a fraudulent scheme or to gain possession of money or other property.
|Discovery Into CDAFA Adversary's Computer Resources
Because a CDAFA claim is expressly based on the use of computer resources, CDAFA plaintiffs will almost certainly be able to obtain discovery—and in most cases forensic copies—of all of defendants' electronic devices, without regard to whether such devices are for personal or business use that would enable access to the plaintiff's data or computer resources. At the same time, CDAFA defendants should also be able generally to obtain discovery into any plaintiff computer resources related to CDAFA allegations.
Cloud computing accounts are likely to pose discovery and evidentiary challenges because the logic and meaning of cloud account access and use logs may be difficult to determine and is unlikely to be publicly known or determinable. In many cases, obtaining access and use logs from cloud accounts will require expert testimony or additional discovery to ensure that these documents—which have the potential to be used to great effect by either party—can be authenticated and properly interpreted in support of or opposition to a dispositive motion or at trial.
|CDAFA Claims Don't Apply to Former Employees if Employer Computer Resources Were Accessed Within Scope of Employment
The broad scope of the CDAFA virtually ensures that CDAFA claims will not be susceptible to early resolution by dispositive motion practice. Subsection (h)(1) provides a potentially dispositive defense for former employees accused of violating CDAFA, however, because “subdivision (c) does not apply to punish any acts which are committed by a person within the scope of his or her lawful employment.” The CDAFA defines acting within the scope of employment to be whenever the defendant “performs acts which are reasonably necessary to the performance of his or her work assignment.”
The CDAFA's employee exemption has not yet been interpreted in a published decision, however, so trial courts are free to apply it as they see fit. CDAFA plaintiffs should argue that this provision must be interpreted narrowly because the plain language means an employee acting with the scope of his or her lawful employment is only exempted from being “punished” for violating the CDAFA, and punishment is not the same as civil liability: Punishment only refers to criminal sanctions or punitive damages. This argument is supported by the Assembly Committee on Public Safety, Report on SB 255 (as amended May 21, 1987), which stated: “This bill exempts employees who were acting within the “scope of employment” from criminal liability.”
On the other hand, CDAFA defendants should argue that CDAFA simply “does not apply” to situations where an employee has accessed a computer system when acting within the scope of his or her lawful employment. (See ”Overview of Recent Changes in California Computer Crime Laws: The Criminalization of Computer Contamination and Strengthened Penalty Provisions,” California Penal Code Sections, 502, 502.01, 1203.047, 1203.048, K. DeGroot, 6 Santa Clara High Technology Law Journal 135, 138-9, n. 25 (1990).) A broad exemption from liability is both just and consistent with California's policy of indemnifying employees who incur losses while performing job duties (see, e.g., Labor Code Section 2802). One can readily imagine, for example, a computer technician whose job includes overseeing the employer's computer security functions and who, while performing her duties knowingly, but mistakenly, damages, deletes or destroys employer data. While such a mistake might well justify her employer's decision to terminate or demote her, a narrow interpretation of the CDAFA's employee exemption could, at least in theory, expose an employee who may have been terminated or demoted to civil liability for making a mistake while working. To avoid such an unfair, if unintended consequence, an expansive interpretation of Section (h)(1), where an employee acting within the scope of her employment is completely exempt from the CDAFA in its entirety, is warranted.
|Conclusion
That CDAFA claims are commonly alleged in civil trade secret misappropriations claims today is far removed from the initial purpose of the statute: to deter computer hacking by making it a felony. CDAFA's kitchen sink of prohibited acts, which are stated in language that can reasonably support multiple interpretations has provided trade secrets plaintiffs with a powerful weapon. The relatively small number of cases that have generated published appellate opinions in over 30 year since CDAFA's enactment suggests that civil CDAFA claims rarely result in verdicts or judgments, but rather have their greatest impact pretrial as ancillary claims, and trade secrets lawyers should not expect that to change radically any time soon.
Jeffrey M. Judd is managing partner of Judd Law Group, a boutique litigation firm that specializes in helping businesses—and the people who own businesses—to resolve disputes involving property, governance and contracts.
This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View AllCalifornia’s Workplace Violence Laws: Protecting Victims’ Rights in the Workplace
6 minute read'Nothing Is Good for the Consumer Right Now': Experts Weigh Benefits, Drawbacks of Updated Real Estate Commission Policies
FTC Issues Final Rule Banning Most Noncompetes, but Immediate Legal Challenges Ensue
6 minute readTrending Stories
Who Got The Work
Michael G. Bongiorno, Andrew Scott Dulberg and Elizabeth E. Driscoll from Wilmer Cutler Pickering Hale and Dorr have stepped in to represent Symbotic Inc., an A.I.-enabled technology platform that focuses on increasing supply chain efficiency, and other defendants in a pending shareholder derivative lawsuit. The case, filed Oct. 2 in Massachusetts District Court by the Brown Law Firm on behalf of Stephen Austen, accuses certain officers and directors of misleading investors in regard to Symbotic's potential for margin growth by failing to disclose that the company was not equipped to timely deploy its systems or manage expenses through project delays. The case, assigned to U.S. District Judge Nathaniel M. Gorton, is 1:24-cv-12522, Austen v. Cohen et al.
Who Got The Work
Edmund Polubinski and Marie Killmond of Davis Polk & Wardwell have entered appearances for data platform software development company MongoDB and other defendants in a pending shareholder derivative lawsuit. The action, filed Oct. 7 in New York Southern District Court by the Brown Law Firm, accuses the company's directors and/or officers of falsely expressing confidence in the company’s restructuring of its sales incentive plan and downplaying the severity of decreases in its upfront commitments. The case is 1:24-cv-07594, Roy v. Ittycheria et al.
Who Got The Work
Amy O. Bruchs and Kurt F. Ellison of Michael Best & Friedrich have entered appearances for Epic Systems Corp. in a pending employment discrimination lawsuit. The suit was filed Sept. 7 in Wisconsin Western District Court by Levine Eisberner LLC and Siri & Glimstad on behalf of a project manager who claims that he was wrongfully terminated after applying for a religious exemption to the defendant's COVID-19 vaccine mandate. The case, assigned to U.S. Magistrate Judge Anita Marie Boor, is 3:24-cv-00630, Secker, Nathan v. Epic Systems Corporation.
Who Got The Work
David X. Sullivan, Thomas J. Finn and Gregory A. Hall from McCarter & English have entered appearances for Sunrun Installation Services in a pending civil rights lawsuit. The complaint was filed Sept. 4 in Connecticut District Court by attorney Robert M. Berke on behalf of former employee George Edward Steins, who was arrested and charged with employing an unregistered home improvement salesperson. The complaint alleges that had Sunrun informed the Connecticut Department of Consumer Protection that the plaintiff's employment had ended in 2017 and that he no longer held Sunrun's home improvement contractor license, he would not have been hit with charges, which were dismissed in May 2024. The case, assigned to U.S. District Judge Jeffrey A. Meyer, is 3:24-cv-01423, Steins v. Sunrun, Inc. et al.
Who Got The Work
Greenberg Traurig shareholder Joshua L. Raskin has entered an appearance for boohoo.com UK Ltd. in a pending patent infringement lawsuit. The suit, filed Sept. 3 in Texas Eastern District Court by Rozier Hardt McDonough on behalf of Alto Dynamics, asserts five patents related to an online shopping platform. The case, assigned to U.S. District Judge Rodney Gilstrap, is 2:24-cv-00719, Alto Dynamics, LLC v. boohoo.com UK Limited.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250