Privacy Issues in the Workplace
permission access or cause to be accessed any computer, computer system, or computer network.” It defines “access” as “hacking,” or breaking into a computer. Section 502 specifically refers to the hacking of computers and not simply an employee's misuse of a computer that he has the right to access. Although the City disapproved of Chrisman’s conduct, his use of the mobile digital terminal computer was not outside the scope of his employment, and, therefore, not violative of Section 502. In another California Court of Appeal case, People v. Childs 458 , the court confirmed the conviction and restitution order of $1.4 million entered against an employee for disrupting or denying computer services to an authorized user (his employer) in violation of Penal Code section 502(c)(5). Penal Code section 502(c)(5) makes it a criminal offense to “knowingly and without permission” disrupt or cause the disruption of computer services or to deny or cause the denial of computer services “to an authorized user of a computer, computer system, or computer network.” The employee, Terry Childs, was the principal network engineer for the Department of Telecommunications and Information Services (DTIS) of the City and County of San Francisco. He was assigned to “configure, implement and administer” the City’s new fiber-optic wide area network (FiberWAN) using Cisco products. He convinced the City to let him implement the network himself instead of having Cisco do it. Against the expressed concerns of his supervisor, Childs designed the network so that only Childs had access to the passwords to recover the systems and that, if unauthorized users tried to reboot the system, this would erase the system configurations. Also, in response to the possibility of layoffs in his department, Childs told a coworker, “They can’t screw with me, I have the keys to the kingdom.” At some point, the City became concerned about the agitated and potentially violent behavior of Childs. A decision was made to reassign Childs and remove him as the FiberWAN network engineer. When the City met with Childs to reassign him, Childs refused to provide the correct user IDs and passwords for FiberWAN core devices. He first stated that he no longer had administrator access; he then provided incorrect passwords and told the City representatives that he met with that they were not qualified to have the FiberWAN user IDs and passwords. He also refused to provide backup confirmations, stating that there were none.
The City remained locked out of the system from July 9 until July 21, when Childs,, through his attorney, gave the correct FiberWan passwords and backup configurations to the Mayor of the City.
After reviewing the legislative history and amendments to Penal Code section 502, the court held that “the Legislature did not intend that subdivision (c)(5) could only be applied to external hackers who obtain unauthorized access to a computer system.” 459 Rather, “[i]t appears that subdivision (c)(5) may properly be applied to an employee who uses his or her authorized access to a computer system to disrupt or deny computer services to another lawful user.” 460 The court also found that case law supported the application of section 502(c) to employees, “in appropriate circumstances.” 461
Privacy Issues in the Workplace ©2021 (s) Liebert Cassidy Whitmore 145
Made with FlippingBook Learn more on our blog