CACI 1812 Comprehensive Computer Data and Access Fraud Act—Essential Factual Elements (Pen. Code, § 502)
California Civil Jury Instructions CACI
1812 Comprehensive Computer Data and Access Fraud Act—Essential Factual Elements (Pen. Code, § 502)
[Name of plaintiff] claims that [name of defendant] has violated the Comprehensive Computer Data and Access Fraud Act. To establish this claim, [name of plaintiff] must prove all of the following:
1.That [name of plaintiff] is the [owner/lessee] of the [specify computer, computer system, computer network, computer program, and/or data];
2.That [name of defendant] knowingly [specify one or more prohibited acts from Pen. Code, § 502(c), e.g., accessed [name of plaintiff]’s data on a computer, computer system, or computer network];
[3.That [name of defendant]’s [specify conduct from Pen. Code, § 502(c), e.g., use of the computer services] was without [name of plaintiff]’s permission;]
[4.]That [name of plaintiff] was harmed; and
[5.]That [name of defendant]’s conduct was a substantial factor in causing [name of plaintiff]’s harm.
Directions for Use
Give this instruction for a claim under the Comprehensive Computer Data Access and Fraud Act (CDAFA). CDAFA makes civil remedies available to any person who suffers damage or loss by reason of the commission of certain computer-related offenses. (Pen. Code, § 502(c), (e)(1).)
For element 1, the court may need to define the technology (e.g., “computer network,” “computer program or software,” “computer system,” or “data”) or other statutory term depending on the facts and circumstances of the particular case. (See Pen. Code, § 502(b) [defining various terms].) For a definition of “access,” see CACI No. 1813, Definition of “Access.”
Some of the prohibited acts for element 2 may also require that the defendant do something specific with the access or that the defendant have a specific purpose. For example, if the defendant allegedly deleted or used plaintiff’s computer data, it must have been done without permission and either to (a) devise or execute any scheme or artifice to defraud, deceive, or extort, or (b) wrongfully control or obtain money, property, or data. (See Pen. Code, § 502(c)(1).) Modify the instruction to include these elements where required.
Include element 3 regarding lack of permission depending on the violation(s) alleged. Lack of permission is a required element for violations of subdivisions (c)(1)–(7) and (c)(9)–(13), but not for violations of subdivisions (c)(8) and (c)(14). Modify element 3 accordingly. Delete element 3 for violations of the latter subdivisions.
If plaintiff’s claim involves a “government computer system” or a “public safety infrastructure computer system” and there is a factual dispute about the type of computer system involved, this instruction should be modified to add that issue as an element. (See Pen. Code, § 502(c)(10), (11), (12), (13), and (14).)
Sources and Authority
•Comprehensive Computer Data Access and Fraud Act. Penal Code section 502.
•“Penal Code section 502, subdivision (e)(1) permits a civil action to recover expenses related to investigating the unauthorized computer access.” (Verio Healthcare, Inc. v. Superior Court (2016) 3 Cal.App.5th 1315, 1321 fn. 3 [208 Cal.Rptr.3d 436].)
•“Four of the section 502, subdivision (c) offenses include access as an element. The provision under which [defendant] was charged does not. When different words are used in adjoining subdivisions of a statute that were enacted at the same time, that fact raises a compelling inference that a different meaning was intended. The Legislature’s requirement of unpermitted access in some section 502 offenses and its failure to require that element in other parts of the same statute raise a strong inference that the subdivisions that do not require unpermitted access were intended to apply to persons who gain lawful access to a computer but then abuse that access.” (People v. Childs (2013) 220 Cal.App.4th 1079, 1102 [164 Cal.Rptr.3d 287], internal citations omitted.)
•“[The CDAFA] does not require unauthorized access. It merely requires knowing access. What makes that access unlawful is that the person ‘without permission takes, copies, or makes use of’ data on the computer. A plain reading of the statute demonstrates that its focus is on unauthorized taking or use of information.” (United States v. Christensen (9th Cir. 2015) 828 F.3d 763, 789, original italics, internal citations omitted.)
•“Because [defendant] had implied authorization to access [plaintiff]’s computers, it did not, at first, violate the [CDAFA]. But when [plaintiff] sent the cease and desist letter, [defendant], as it conceded, knew that it no longer had permission to access [plaintiff]’s computers at all. [Defendant], therefore, knowingly accessed and without permission took, copied, and made use of [plaintiff]’s data.” (Facebook, Inc. v. Power Ventures, Inc. (9th Cir. 2016) 844 F.3d 1058, 1069.)
•“[T]aking data using a method prohibited by the applicable terms of use, when the taking itself generally is permitted, does not violate the CDAFA.” (Oracle USA, Inc. v. Rimini Street, Inc. (9th Cir. 2018) 879 F.3d 948, 962, reversed in part on other grounds by Rimini Street, Inc. v. Oracle USA, Inc. (2019) — U.S. — [139 S.Ct. 873, 881, 203 L.Ed.2d 180], original italics.)