Computers are as common today as paper and pencils were in earlier times. Because they are used in virtually every line of work, computers are almost always involved in contemporary efforts to steal trade secrets. A host of state and federal anti-hacking laws prohibit the use of computers to gain access to, or to copy or use data without the owner's permission. This reality has created a standard of care for lawyers representing plaintiffs alleging misappropriation of trade secrets that requires every trade secrets complaint to include a cause alleging violation of either the Computer Fraud and Abuse Act (18 U.S.C. Section 1030, et seq.) (CFAA) or the relevant state's statutory equivalent.

California's analog to the CFAA—the Computer Data Access and Fraud Act (Cal. Pen. Code Section 502) (CDAFA)—was enacted to prevent hackers from gaining “unauthorized access to computers, computer systems, and computer data.” Pen. Code § 502, subs. (a). Lawyers who litigate trade secrets cases under the California Uniform Trade Secrets Act, Cal. Civ. Code § 3426, et seq. (CUTSA) must therefore be familiar with the CDAFA. This article summarizes the essential elements of and discusses several key issues that attorneys should consider when bringing or defending CDAFA claims in civil trades secrets cases.

Subsection (c) of the CDAFA prohibits 14 different acts by a defendant who “knowingly and without permission” of the owner either gains access or performs certain acts with respect to data, computers, computer systems, computer networks, or computer services. Five subsections of the CDAFA are directly relevant to most CUTSA claims, provided the defendant knowingly gains access to computer resources and, without the owner's permission, allegedly:

  • “Uses any data [or] computer [to] wrongfully control or obtain … data.”
  • “Takes, copies, or makes use of any data from a computer, … or takes or copies any supporting documentation, whether existing or residing internal or external to a computer.”
  • “Uses or causes to be used computer services.”
  • “Provides or assists in providing a means of accessing a computer.”
  • “Accesses or causes to be accessed any computer.”
|

CDAFA Provides Civil Action That May Include Attorney Fees and Punitive Damages Awards

Although the CDAFA is fundamentally a criminal statute, subsection (e)(1) expressly provides that any person “who suffers damage or loss by reason of a violation of any of the provisions of subdivision (c) may bring a civil action against the violator for compensatory damages and injunctive relief or other equitable relief.” Subsection (e)(2) of the CDAFA provides for an award of reasonable attorney fees. Subsection (e)(4) provides that punitive or exemplary damages may be awarded for willful violations of subsection (c) if fraud, oppression, or malice, as defined by Civil Code Section 3294, subs. (c) has been proved by clear and convincing evidence. Subsection (e)(5) provides a three-year limitations period for CDAFA claims.

|

Causes of Action Pleaded in CDAFA's Statutory Language Will Overcome Demurrer

Requirements to plead a legally sufficient CDAFA claim are minimal: A plaintiff need only allege violations in the language of the statute. See, e.g., Tagged v. Doe, 2010 U.S. Dist. LEXIS 5428, *26-*27 (N.D. Cal. Jan. 25, 2010). There is no requirement to plead particularized facts, and therefore CDAFA claims will not generally be susceptible to challenge or dismissal by demurrer or motion to dismiss. At least one court has granted a motion to dismiss, with leave to amend, for a plaintiff's failure “to affirmatively state which provisions of the CCDFA they allege [were] violated.” (See In re Carrier IQ Consumer Privacy Litigation, 78 F. Supp. 3d 1051, 1097-98 (N.D. Cal. 2015). If a plaintiff alleges merely that the CDAFA was violated, a demurrer may be warranted to determine whether, for example, the claim includes an allegation that the defendant infected computer resources with a virus or accessed computer resources to obtain data. In most cases, however, a demurrer will provide little help to narrow the claims, because each prohibited act is itself comprised of an expansive list of actions. For example, Subsection (c)(1) prohibits a person from knowingly accessing and without permission altering, damaging, deleting, destroying, or otherwise using any data or computer resources to defraud, deceive, or extort or wrongfully control or obtain money, property or data. Thus, while authority supports the filing of a demurrer to determine which of the CDAFA's 14 prohibited acts are being alleged in a complaint, the statutory language itself would reasonably prevent a defendant from learning early in the case whether she is being accused, for example, of gaining access to data to further a fraudulent scheme or to gain possession of money or other property.

|

Discovery Into CDAFA Adversary's Computer Resources

Because a CDAFA claim is expressly based on the use of computer resources, CDAFA plaintiffs will almost certainly be able to obtain discovery—and in most cases forensic copies—of all of defendants' electronic devices, without regard to whether such devices are for personal or business use that would enable access to the plaintiff's data or computer resources. At the same time, CDAFA defendants should also be able generally to obtain discovery into any plaintiff computer resources related to CDAFA allegations.

Cloud computing accounts are likely to pose discovery and evidentiary challenges because the logic and meaning of cloud account access and use logs may be difficult to determine and is unlikely to be publicly known or determinable. In many cases, obtaining access and use logs from cloud accounts will require expert testimony or additional discovery to ensure that these documents—which have the potential to be used to great effect by either party—can be authenticated and properly interpreted in support of or opposition to a dispositive motion or at trial.

|

CDAFA Claims Don't Apply to Former Employees if Employer Computer Resources Were Accessed Within Scope of Employment

The broad scope of the CDAFA virtually ensures that CDAFA claims will not be susceptible to early resolution by dispositive motion practice. Subsection (h)(1) provides a potentially dispositive defense for former employees accused of violating CDAFA, however, because “subdivision (c) does not apply to punish any acts which are committed by a person within the scope of his or her lawful employment.” The CDAFA defines acting within the scope of employment to be whenever the defendant “performs acts which are reasonably necessary to the performance of his or her work assignment.”

The CDAFA's employee exemption has not yet been interpreted in a published decision, however, so trial courts are free to apply it as they see fit. CDAFA plaintiffs should argue that this provision must be interpreted narrowly because the plain language means an employee acting with the scope of his or her lawful employment is only exempted from being “punished” for violating the CDAFA, and punishment is not the same as civil liability: Punishment only refers to criminal sanctions or punitive damages. This argument is supported by the Assembly Committee on Public Safety, Report on SB 255 (as amended May 21, 1987), which stated: “This bill exempts employees who were acting within the “scope of employment” from criminal liability.”

On the other hand, CDAFA defendants should argue that CDAFA simply “does not apply” to situations where an employee has accessed a computer system when acting within the scope of his or her lawful employment. (See ”Overview of Recent Changes in California Computer Crime Laws: The Criminalization of Computer Contamination and Strengthened Penalty Provisions,” California Penal Code Sections, 502, 502.01, 1203.047, 1203.048, K. DeGroot, 6 Santa Clara High Technology Law Journal 135, 138-9, n. 25 (1990).) A broad exemption from liability is both just and consistent with California's policy of indemnifying employees who incur losses while performing job duties (see, e.g., Labor Code Section 2802). One can readily imagine, for example, a computer technician whose job includes overseeing the employer's computer security functions and who, while performing her duties knowingly, but mistakenly, damages, deletes or destroys employer data. While such a mistake might well justify her employer's decision to terminate or demote her, a narrow interpretation of the CDAFA's employee exemption could, at least in theory, expose an employee who may have been terminated or demoted to civil liability for making a mistake while working. To avoid such an unfair, if unintended consequence, an expansive interpretation of Section (h)(1), where an employee acting within the scope of her employment is completely exempt from the CDAFA in its entirety, is warranted.

|

Conclusion

That CDAFA claims are commonly alleged in civil trade secret misappropriations claims today is far removed from the initial purpose of the statute: to deter computer hacking by making it a felony. CDAFA's kitchen sink of prohibited acts, which are stated in language that can reasonably support multiple interpretations has provided trade secrets plaintiffs with a powerful weapon. The relatively small number of cases that have generated published appellate opinions in over 30 year since CDAFA's enactment suggests that civil CDAFA claims rarely result in verdicts or judgments, but rather have their greatest impact pretrial as ancillary claims, and trade secrets lawyers should not expect that to change radically any time soon.

Jeffrey M. Judd is managing partner of Judd Law Group, a boutique litigation firm that specializes in helping businesses—and the people who own businesses—to resolve disputes involving property, governance and contracts.