People v. Childs

Full title: The PEOPLE, Plaintiff and Respondent, v. Terry CHILDS, Defendant and…

Court: Court of Appeal, First District, Division 4, California.

Date published: Jan 29, 2014

220 Cal.App.4th 1079 (Cal. Ct. App. 2014)

164 Cal. Rptr. 3d 287

Opinion

A129583 A132199

2014-01-29

The PEOPLE, Plaintiff and Respondent, v. Terry CHILDS, Defendant and Appellant.

See 2 Witkin & Epstein, Cal. Criminal Law (4th ed. 2012) Crimes Against Property, § 229. Teri L. Jackson, Trial Judge, San Francisco Superior Court. (Super. Ct. Nos. 207523, 2376395)

REARDON

See 2 Witkin & Epstein, Cal. Criminal Law (4th ed. 2012) Crimes Against Property, § 229. Teri L. Jackson, Trial Judge, San Francisco Superior Court. (Super. Ct. Nos. 207523, 2376395) Philip M. Brooks, by appointment of the Court of Appeal pursuant to the Independent Case System, First District Appellate Project, Counsel for Appellant.

Kamala D. Harris, Attorney General of California, Dane R. Gillette, Chief Assistant Attorney General, Gerald A. Engler, Senior Assistant Attorney General, Catherine A. Rivlin, Supervising Deputy Attorney General, Karen Z. Bovarnick, Deputy Attorney General, Counsel for Respondents.

REARDON, J.

A jury convicted appellant Terry Childs of disrupting or denying computer services to an authorized user. (Pen.Code,

¹ § 502, subd. (c)(5).) It also found true an enhancement allegation that damage caused by his offense exceeded $200,000. (§ 12022.6, subd. (a)(2).) He was sentenced to four years in state prison and ordered to pay more than $1.4 million in restitution. (§ 1202.4.) In two consolidated appeals from the conviction and the restitution order, he contends inter alia that subdivision (c)(5) of section 502 was not intended to apply to an employee.

1 All statutory references are to the Penal Code unless otherwise indicated.

² We affirm the conviction and the restitution order.

2 .Section 502, subdivision (c)(5) makes it a crime for any person who “[k]nowingly and without permission disrupts or causes the disruption of computer services or denies or causes the denial of computer services to an authorized user of a computer, computer system, or computer network.”

I. FACTS

A. Employment Context

From the time he was employed in April 2003 until July 2008, appellant Terry Childs served as the principal network engineer for Department of Telecommunications and Information Services (DTIS) of the City and County of San Francisco. DTIS was responsible for administering the city's computer network, providing computer services to city departments such as access to the Internet and to each department's database. It maintained the network, operated it, repaired it if it failed, and made any needed changes to it.

As part of the job application process, Childs was asked about his criminal history. On the first application, he reported that he had no prior convictions; on the second, he admitted that he had suffered one. In fact, Childs had been convicted of multiple criminal offenses in another state. Later, he admitted that he intentionally omitted giving accurate and complete criminal history information to the city at his hiring.

Childs worked at the city's data center at One Market Plaza in San Francisco. As DTIS's highest level engineer, he was highly knowledgeable, but he was also very sensitive and working with him could be difficult. Senior network engineer Glacier Ybanez assisted him. Childs reported to Herbert Tong, the manager of DTIS's network engineering unit. In February 2006, Richard Robinson became chief operating officer of DTIS and Tong's supervisor. B. The FiberWAN Network

In 2005, Childs was assigned to configure, implement and administer the city's then-new fiber-optic wide area network—FiberWAN—using Cisco devices. He had lobbied to be allowed to implement the new network himself, rather than have Cisco do so. When he took on a project, he took ownership of it.

The FiberWAN network was set up side-by-side with the city's legacy computer system. When transfer from the legacy system was complete, FiberWAN could provide a single network infrastructure to most city departments, offering access to email, databases, encrypted information and the Internet. This single infrastructure operated at a higher speed and for a lower cost than the legacy system. Information could be shared between departments or segregated to a specific department, as needed.

FiberWAN devices were both physically connected by cables and logically connected by the path along which data was transmitted between devices. Five core FiberWAN routers

³ were set up in three locations—two each at secondary sites and one at the One Market Plaza data center.

3 A router is a device that chooses the best path to direct data.

⁴ These key devices were linked so that an isolated disruption would not bring down the network. Instead, traffic was redirected through another router on the network. This design redundancy allowed the FiberWAN network to continue to operate while part of the network was being repaired, or if one device suffered a power failure. City departments had customer edge (CE) devices located at their sites. The DTIS routers and the city department CE devices were also linked to allow DTIS to provide computer services to each department.

4 The data center had only one device because of DTIS budgetary constraints. DTIS's long-term plan was to acquire a second core router for the data center. In the meantime, the risk of failure of the single PE03 core router located at the data center was thought to be less than at the other two sites because the data center was staffed around-the-clock. Physical entry to the data center required multiple levels of electronic card reader approval.

As its principal network engineer, Childs developed the FiberWAN's configurations—the instructions needed to make the computer system work—based on standards set by the DTIS network architect. To protect the security of this critical infrastructure, all FiberWAN configurations were confidential.

Vital network information is usually stored in a computer system's non-volatile random access memory (NVRAM). Information “saved” to NVRAM can be accessed again if the computer is powered off and is then “rebooted.” By contrast, information stored in volatile random access memory (VRAM) is lost once a computer is powered off and back on. If network configurations are stored in VRAM, they are lost when the system powers off and the system cannot reboot itself.

Experts recommend that network configurations—or a backup copy of them

⁵—be stored in NVRAM so that a power loss will not compel a complete reconfiguration of the network. To rebuild the configurations would cause a significant network disruption that might last for days. Likewise, network devices should not be run on VRAM, even if the security of the information in those devices is sensitive because the risk of losing that information in the event of a system crash is too great.

5 A backup copy of the configurations may be stored on a laptop computer. It appears that Childs used a laptop when he physically reloaded configurations onto core devices at a secondary DTIS site after a March 2008 fire.

Childs had full administrative access to the FiberWAN computer system. Only a person with this access may make administrative changes to the network. Administrative access is essential in order to log into the network, to review network configurations, to troubleshoot problems, to add city departments, and to modify the network. To obtain administrative access to the network, a person must know the programmed password. Because network configurations are so vital to system administration, it is typical for several network engineers to have access to them.

Some FiberWAN computer devices have a password recovery feature that allows retrieval of backup configurations in case the primary configurations become corrupted. Password recovery is conducted through a device's console port. With physical access to a device through this console port—which is typically password-protected itself for security reasons—an administrator can access the network, clear out corrupted configurations and replace them with backup configurations, as long as the system can be rebooted. There is no way to reboot the network without powering off the computer and powering it back on again.

Configurations can also be restored by means of a modem connected to the network. A system administrator can access a network remotely to obtain what is called “out-of-band management” of the network—authorized access made by means outside the normal network flow. At two secondary computer sites, Childs installed devices that allowed him to dial into the computer network remotely if an emergency arose and he was not able to be physically present at these locations. Such remote access by means of a dial-up modem poses a security risk, because it could permit undetected “back door” access by an unauthorized person. A record of the users entering the FiberWAN system was crucial to its integrity. Childs knew that when he used a modem to access core devices, no record of his use was tracked. C. Childs Assumes Sole Control of FiberWAN

During the first months of work on the FiberWAN network, its configurations were available to all network engineers. Childs and his assistant Ybanez both had and used the password needed to access the FiberWAN. In 2006, the first city department was connected to FiberWAN, with other departments regularly added afterward.

Gradually, Childs became more possessive of the FiberWAN network. By July 2006, Robinson had received numerous complaints about network outages and service disruptions, some of which he believed were caused by undocumented FiberWAN changes. A memorandum went out to the network engineering staff, reminding them that all configurations changes were to be tracked, and noting that repeated failure to track changes could result in disciplinary action. Apparently, Childs regarded the memorandum as a personal attack on his authority. He responded by threatening to take a stress leave if DTIS outsourced any FiberWAN installations.

⁶

6 There was other evidence that Childs opposed outsourcing of any FiberWAN work, preferring to do it himself.

In March or April 2007, Ybanez returned to the FiberWAN project after being on another assignment for many months. During that assignment, only Childs worked on FiberWAN. When Ybanez returned, he learned that the administrative access passwords had been changed and backup configurations had been moved off of a server once available to more of the network engineering staff.

⁷ Childs refused to give Ybanez administrative access to the FiberWAN, concerned that if pressed to do so, Ybanez would reveal the access codes to management. Ybanez replied that he would tell management the access codes if asked, because the access codes did not belong to him.

7 Childs testified that Tong told him to take FiberWAN off this server, to prevent an unskilled person from modifying it.

From thereon, from the spring of 2007 on, only Childs had administrative access to FiberWAN. In May 2007, a city department had difficulty accessing a state database while Childs was away from DTIS without his cell phone or laptop—devices that would have allowed him to connect to the network from a remote location. When Tong instructed Ybanez to resolve the problem, Ybanez told Tong that he did not have administrative access to the network.

As Childs's supervisor, Tong was torn about his employee. Childs was an experienced and hard-working—albeit volatile—network engineer with a strong sense of responsibility for the network. Tong was under pressure to complete FiberWAN implementation, which Childs was working hard to accomplish. He hoped the implementation would be finished in another six to nine months. However, Tong knew that Childs's sole administrative access to FiberWAN made him the single point of failure, posing a danger to the city's computer network. The system could not function if Childs could not access it. Tong expected that eventually, Childs would give Ybanez access to FiberWAN. He also believed that Childs would not harm FiberWAN, as this would reflect badly on the principal network engineer's skill and expertise.

When Childs returned from vacation, Tong chose not to confront him about the limited access issue, fearing that Childs might retaliate by reducing his productivity. Instead, he hoped that the implementation would be completed soon and Childs would be reassigned to another project before the access issue became a problem. If DTIS did not have the FiberWAN password by that time, Tong believed that the password recovery feature would allow a new administrator to create a new one.

When Childs took extended time off, he delivered a sealed envelope to Tong that he said contained the FiberWAN passwords. Tong had no need for administrative access to FiberWAN during these absences. When Childs returned to work, Tong returned the unopened envelope to him to prove that he had not used them. Tong did not want Childs to speculate that someone modified the network configurations in his absence.

In December 2007, the city's Human Services Agency (HSA) experienced a power outage. When power was restored, its computers could not connect to FiberWAN—the configurations of its CE device had been erased because they had been saved to VRAM. Childs reloaded the configurations and got the system reconnected. When the HSA information security officer learned that the CE configurations had been stored in VRAM, he protested to Childs that this was unacceptable. Citing security concerns, Childs explained that he wanted to prevent a physical connection to the CE that would allow someone to obtain the configurations using the password recovery feature. He suggested disabling the password recovery feature instead; the information security officer agreed. Tong also agreed to this solution, as it would address a concern about hacking into the HSA's CE device. Soon, Childs disabled the password recovery feature on all CE devices citywide, and there were no backup configurations on any of the city's CE devices. As the password recovery feature could not be disabled on core PE devices, Childs erased their configurations that had been stored on NVRAM.

By the end of 2007, the city was planning how to connect the city's law enforcement functions on FiberWAN. The combined system would allow users access to state and federal databases. For security reasons, all DTIS employees had to pass a criminal background check in order to have access to the law enforcement system. Childs had adult felony convictions that he had not revealed when he applied to work for the city.

⁸ When asked to submit to a voluntary background check, Childs balked. Instead, he made a temporary arrangement with Tong and law enforcement officials to have Ybanez—who had passed his background check—escort him when Childs was required to work on the law enforcement network. This procedure continued to be used through July 9, 2008.

8 In February 2005, a San Francisco County sheriff told Childs that he needed to undergo a criminal background check. Childs offered both his California and Kansas driver's licenses to the sheriff, prompting an out-of-state inquiry. The sheriff discussed his findings about Childs's criminal history with his supervisor, who agreed that Childs could work on the project. Months later, the sheriff acknowledged to Childs that he knew of this criminal history when he praised the network engineer for “turning his life around.”

In February 2008,

⁹ Ybanez was assigned to work on a police department network project that required him to have FiberWAN administrative access. Tong instructed Childs to give Ybanez administrative access to FiberWAN; Childs refused. When Ybanez asked what to do if FiberWAN went down and he was asked to support it, Childs responded that Ybanez was to call him.

9 All dates refer to the 2008 calendar year unless otherwise indicated.

Childs also told Ybanez that FiberWAN's password recovery feature was set up so that if Tong or other managers—whom he deemed to be unauthorized users—tried to reboot the system, it would erase the configurations, which were stored only in VRAM. Ybanez thought this was crazy; if there was a power failure, FiberWAN would cease to function, resulting in significant downtime. For his part, Tong knew that Childs had sought to run some configurations on VRAM. He instructed Childs not to do so because of the risk that the network would lose its configurations and because the practice inhibited password recovery. Tong did not know that Childs had placed all FiberWAN configurations in VRAM.

Tong instructed Childs to give him the FiberWAN passwords; again, Childs refused, fearing that Tong would pass it along to his manager. He opined that he was the only person capable of administering the network. He also cited another reason for his “refusal”: because he had copyrighted the city-owned FiberWAN configurations as his own intellectual property.

By this time, Tong had a different view of the wisdom of Childs's sole access to the FiberWAN network. Initial implementation of FiberWAN to city departments was nearing completion, while Childs was becoming more uncooperative and unpredictable. At Tong's request, Cisco was asked for technical support about obtaining administrative access to FiberWAN.

Tong also notified Robinson that a decision had to be made about their principal engineer. By then, Robinson knew that Childs had not passed his background check. He sought out more information about the engineer's criminal history. Reviewing the reports that Childs gave during the hiring process, Robinson saw the discrepancy between his initial job application reflecting no prior convictions and his time-of-hiring forms in which he admitted that he had once been convicted as an adult. Tong believed that Childs had suffered a juvenile conviction, but Robinson learned that Childs had been convicted of a criminal offense as an adult. The adult conviction and the perjured filing of personnel records were both grounds for dismissal.

Meanwhile, in March 2008, a fire at the Department of Public Works resulted in a power loss at secondary DTIS sites. Both core routers went down, but traffic was taken up by other core routers. In the past, Childs had asked DTIS to purchase terminal servers for both secondary DTIS sites. Those requests were denied on the ground that these additional devices were unnecessary and insecure. After the fire, Childs installed his own terminal servers at these locations. He also connected modems and telephone lines to these servers. Together, these links allowed him to have “out-of-band” management of those core devices, so that remotely, he could restore the configurations from another location—even from his home. This connection also allowed him to enter the FiberWAN system undetected. The terminal servers were password-protected; only Childs knew those passwords. In the One Market Plaza main data center, Childs often worked in a locked laboratory. No one else worked in the laboratory unless he was present.

By March, Childs had intentionally configured the core FiberWAN devices so that if a power outage occurred, the configurations stored in VRAM would be lost and these core devices would be offline until he physically uploaded a backup configuration. If the configurations had been stored to NVRAM instead, they would have automatically reloaded onto the devices shortly after power was restored. The same result would occur if someone attempted a password recovery or if an unauthorized user attempted to enter the system.

By May, DTIS employees had been notified about the possibility of layoffs. Childs was unconcerned. “They can't screw with me,” he told a coworker. “I have the keys to the kingdom.”

¹⁰ D. Workplace Violence Concerns Arise

10 Childs admitted saying this, but said that this was a joking reference to his superior skill level.

In June, concerns about Childs's conduct came to a head. DTIS was moving its One Market Plaza data center to a new location. Its new security manager—Jeana Pieralde—sought to inventory FiberWAN's devices at the data center in preparation for the move. This inventory required a computer scan of the network in order to generate a report of what devices were on the network and their configurations. If a computer was turned off, she had to turn it on in order to complete the scan. In the late afternoon on Friday, June 20, Pieralde came to the data center to conduct the inventory, having obtained keys to enter any locked areas.

Childs had not been notified of Pieralde's plan to conduct this inventory. He was very upset by her presence, ranting at her in an agitated manner. He confronted her, taking photographs of her with his cell phone. Concerned by his aggressive response, Pieralde locked herself inside an office and called Robinson to report this incident. At least one DTIS staffer left the site, fearing the potential for violence.

Childs called Tong to complain about Pieralde. When Tong did not share his concern, Childs said angrily “This means war and I am ready.” Later, Tong reported this statement to police. Childs also called the city's chief information officer to complain.

In response to Pieralde's complaint, Robinson made his own call to Childs. He told him to stop interfering with her work. Childs challenged Robinson's authority to conduct an inventory, accusing him of creating a hostile work environment. Angrily, he said: “ ‘I know what you are up to. I am ready for you.’ ” In a loud and combative tone, he threatened to come to Robinson's office. Robinson ordered Childs to leave the data center and said that he would revisit the issue on Monday.

This incident left DTIS management concerned about Childs's potential for workplace violence. In the next few weeks, the issue was discussed at several meetings. Robinson talked about this with his supervisor, with representatives of the city's Human Resources (HR) Department, and the city attorney's office and—because of his employee safety concerns—with police.

¹¹

11 Pieralde had also filed a police report about the incident.

At this point, Robinson learned that Childs was the only person with administrative access to FiberWAN. He consulted Cisco officials about ways to allow the city to recover control of the network.

Meanwhile, an HR representative sought to meet with Childs about this matter. He did not respond to her requests until July 3, when he indicated that his issues had been resolved. On July 7, the HR representative replied that concerns raised by other employees still needed to be addressed.

In early July, it was decided that Childs was to be reassigned. At July 7 and July 8 meetings, representatives of DTIS, HR, the city attorney's office, and the police department discussed about how best to obtain administrative access from Childs. A union representative was advised of a planned July 9 meeting at which Childs would be informed of the reassignment. The representative was advised that the meeting would not be a disciplinary matter, but that it could become one if Childs refused to disclose the user ID and password. The union representative declined to participate in the planned July 9 meeting, concluding that DTIS had a right to know this information. E. Reassignment

On July 9, Childs and Ybanez went to the Hall of Justice's data center to connect the police department's computer system to FiberWAN. Childs used the city laptop he removed from his backpack to do some of this work. A coworker called him on his cell telephone to tell him that he would be reassigned and removed as the FiberWAN network engineer. Soon, the police department's acting chief information officer escorted him to another room for a meeting. Childs brought the laptop and his backpack with him.

Robinson and an HR representative were waiting for Childs. A speaker phone

¹² was connected to the DTIS data center, where Tong, DTIS workers and Cisco personnel listened in. They could test whether the passwords Childs might provide would allow DTIS to obtain administrative access to the system.

12 Three experts testified that it was unwise to give an administrative password and user ID over a speaker phone.

Robinson told Childs that he was being reassigned. He asked Childs for user IDs and passwords to FiberWAN's core devices. At first, Childs said that he no longer had administrative access to FiberWAN; Robinson knew this was untrue.

¹³ Later, Childs knowingly provided incorrect passwords that did not allow access to FiberWAN. He also told Robinson that DTIS management was not qualified to have the FiberWAN user IDs and passwords.

13 Childs later admitted that he had changed the password on the morning of the meeting.

¹⁴ When asked for backup configurations, Childs said that there were none.

14 A defense expert testified that it was not a best practice to give management access to network devices. Generally, management does not require administrative access to its computer network.

¹⁵ Robinson ordered Childs to reveal them, to no avail.

15 At trial, Childs admitted that this was untrue.

After 40 to 60 minutes, San Francisco Police Inspector James Ramsey joined the meeting. He advised Childs that his failure to cooperate could be a violation of Penal Code section 502.

¹⁶ Childs made no response to this statement. Ramsey pleaded with him for cooperation, but he was not able to obtain the desired information from Childs, either.

16 Ramsey did not advise Childs of his Miranda rights at any time during this July 9 meeting.

¹⁷

17 At one point during this meeting, Childs asked for an ambulance, saying that he did not feel well. He later testified that he experienced chest pains, but witnesses testified that his demeanor did not change noticeably before he made this request. He was offered an ambulance but later declined that offer. He admitted that he never consulted a doctor after these pains arose.

It became apparent to Robinson that Childs would not provide FiberWAN access. Childs was placed on administrative leave for failure to do so. Robinson accepted Childs's city identification, keys, pager, and cell telephone, but the engineer did not offer the city-owned laptop that was inside his backpack. Childs left the meeting with Ramsey.

¹⁸ After receiving a receipt for the city property he relinquished, Childs left the building.

18 About this time, Ramsey also gave Childs a written copy of section 502. He testified that he recalled making specific mention of violating subdivision (c)(5).

Childs later admitted that when he was at the meeting, he had the FiberWAN access codes and a backup of its configurations on a DVD in his city-owned laptop inside his backpack.

¹⁹ With this DVD—which was itself password-protected and encrypted—and his laptop, Childs could have remotely connected with the network if he had Internet access. F. July 9–July 21 Events

19 Childs testified that he always had these backup configurations with him.

Back at the data center, DTIS staff searched Childs's workspace and locked laboratory looking for FiberWAN configurations. In his laboratory, they were surprised to find two filing cabinets, each secured by a cabinet lock and two padlocks. Each cabinet had a hole manually cut out of the side, through which cables had been fed leading to a computer device. These active devices could permit someone without physical access to the data center to access the FiberWAN network. The possibility that Childs might have undetected remote access to FiberWAN heightened security concerns and led to a more intensive response than merely recovering administrative access.

²⁰ The devices were physically disconnected from the network but were left running. By July 11, new devices monitored any unauthorized FiberWAN intrusions.

20 On July 10, Childs contacted police to say that he would not attempt to access FiberWAN.

DTIS had no administrative access to the FiberWAN network. Outside consultants and DTIS employees began intensive efforts to recover control of the FiberWAN network. No configurations could be found.

Meanwhile, on July 10, Childs received a letter advising him that he had been placed on paid administrative leave until an administrative hearing planned for July 14 would be conducted. If it was determined that he had refused to give DTIS management access to FiberWAN, his administrative leave would then be unpaid.

²¹ He contacted HR and arranged to have the review hearing postponed to July 18. Childs also asked police for return of his terminal servers located at the two secondary DTIS sites.

21 Ultimately, Childs would be suspended without pay.

Childs drove to Nevada, taking his city-owned laptop and the backup configurations with him. Needing money and an attorney to assist him at the July 18 administrative review hearing, he withdrew almost $10,000 from his bank account on July 11 and 12. This left less than $200 in his account. On his return to his Pittsburg home on the night of July 12, he was arrested. He had more than $10,000 on his person at that time. This money was seized. Questioned after his arrest, Childs invoked his privilege against self-incrimination.

At first, DTIS efforts focused on obtaining FiberWAN access without interrupting city computer service. Once DTIS's lack of administrative access to its computer network became publicly known, pressure increased to restore that access. By July 17, it became clear that non-disruptive efforts would not soon succeed and efforts to recover access became more aggressive, even at the risk of disrupting ongoing computer service to city departments.

Before his suspension, Childs knew that a July 19 power outage was scheduled at the data center, to allow maintenance work to be done on the building's main power supply. Technicians realized that losing network power before first regaining administrative control of FiberWAN risked the loss of the configurations, which could severely disrupt city computer services. DTIS postponed the planned power outage.

On July 21, Childs—through his attorney—gave the correct FiberWAN passwords and backup configurations to then-Mayor Gavin Newsom.

²² After an initial attempt at access failed, Childs provided additional information that allowed DTIS to regain administrative access to FiberWAN through a specific device.

22 Childs testified that because the access issue had become public knowledge, he wanted to provide FiberWAN access in a manner that could be proven.

During the period from July 9 through July 21, DTIS was effectively locked out of the FiberWAN network. Neither DTIS employees nor other computer experts were able to obtain administrative access to the network until Childs revealed the access codes. There were no network service outages, but in the next two weeks, neither DTIS employees nor computer experts hired by the City were able to access the network in order to administer it. They could not diagnose problems, maintain the network, review or change its configurations, or update it to serve the more than 65 city departments then on the network. In addition to postponing the power outage, plans to add two city departments to the network in mid-July had to be postponed. The city was unable to add new city departments to FiberWAN, nor could it remove Childs as system administrator and appoint a new one.

Within days of the city's recovery of administrative access to FiberWAN, the network became a team project. By the time of trial, a new principal engineer and other network engineers had administrative access to FiberWAN. A backup copy of the configurations was again stored on a server that could be accessed by several DTIS engineers. Network recovery work continued through late November. The city paid outside consultants $646,000 for evaluation of FiberWAN. DTIS staff time spent to regain access to FiberWAN was worth $220,000. An expert testified that if administrative access had not been recovered, rebuilding the FiberWAN configurations would have cost the city $300,000. G. Charges and Pretrial Matters

In mid-July, Childs was charged with one count of disrupting and denying the use of the city's computer network. He was also charged with three counts of illegally providing access to the network through the modems. The complaint alleged an enhancement based on the loss of property worth more than $200,000. (§§ 502, subd. (c)(5)-(6), 12022.6, subd. (a)(2).) He was held on $5 million bail. Childs pled not guilty and was held to answer on all charges after a preliminary hearing. His motion to suppress evidence of his July 9 statements was denied in December.

In January 2009, an information was filed charging Childs with the same four offenses and the one enhancement. (§§ 502, subd. (c)(5)-(6), 12022.6, subd. (a)(2).)

²³ Later that month, Childs demurred to the three modem counts and renewed his motion to suppress evidence obtained as a result of his July 9 statement, without success.

23 .Sections 502 and 12022.6 have been amended since July 2008. (See former §§ 502, subds. (c)(5), (6), (h)(1) [Stats.2000, ch. 635, § 2, pp. 4147–4149]; 12022.6, subd. (a)(2) [Stats.2007, ch. 420, § 1, p. 3675].) As the current versions of these subdivisions are identical to those in effect on the date of the offense, we do not make repeated references to the 2008 versions of the statutes that we apply. (See §§ 502, subd. (c)(5), (6), (h)(1) [Stats.2011, ch. 15, § 378]; 12022.6, subd. (a)(2) [Stats.2010, ch. 711, § 5].)

Childs also moved to set aside the information on the ground, inter alia, that there was insufficient evidence to support the charges. (§ 995.) The prosecution opposed the motion. In August 2009, after hearing, the trial court dismissed the three modem counts.

²⁴

24 Each side challenged aspects of this ruling by writ petition. We denied both petitions in October 2009. The People also appealed this order, but after Childs was convicted of the remaining charge, the appeal was abandoned and we dismissed it on the People's request. At Childs's request, we took judicial notice of the record in this earlier appeal in 2011, without making an initial determination of relevance. As this record contains crucial documents that we did not find in our record on appeal, we now find the prior record to be relevant to our determination of the issues in the current appeal.

H. Trial and Sentencing

1. Prosecution Case

Childs was tried on the remaining charge of disrupting or denying computer services to an authorized user. The prosecution's theory of the case was that Childs acted as if he—not the city—owned the FiberWAN network and that he believed that his sole access to the computer system gave him job security. It put on evidence that by preventing anyone else from having administrative access to the FiberWAN network, Childs sought to keep from being laid off or from having his work outsourced. He knew he could not pass a criminal background check that threatened to force his removal from the FiberWAN work. He also developed means to have undetected access to the network.

Much of the six-month trial was devoted to understanding the technical capabilities of the FiberWAN network and the manner in which Childs modified them. The prosecution put on evidence that by failing to reveal his administrative password, Childs deprived the city of part of its network. By locking the city out of the FiberWAN network, he disrupted the city's computer services. Besides the evidence of sole administrative control and running the FiberWAN configurations on non-stored VRAM, the jury heard other evidence of Childs's conduct:

Disabling Console Ports. The jury learned that if the console port—the physical means of access to the network on the device itself—is disabled, then the administrator cannot login to the system using what is regarded as the “port of last resort.” On July 8—the day before he was placed on administrative leave—Childs disabled the console ports on all five core devices, preventing the possibility of any password recovery.

Applying Access Controls. Childs also applied access controls to core devices that required that all administrative access had to be achieved by means of one particular computer, even if the access codes were known. He set up these access controls on core devices on the morning of July 9.

²⁵ After regaining control of FiberWAN on July 21, DTIS learned that all CE devices also had these access controls applied to them. All FiberWAN core devices had been set up to inform the network administrator if anyone other than Childs tried to logon to one of them and from what specific location the attempt was being made. According to a prosecution expert, that information could allow the administrator to deny DTIS access to the network merely by changing the password.

25 Childs testified that he did this because he knew he would be working at the Hall of Justice that day and wanted FiberWAN access while he was there.

Filing Copyright Documents. In July 2007, Childs applied to copyright a slightly sanitized version of city's FiberWAN design and configurations as his own intellectual property. In January 2008, he filed an updated submission. He did so despite having acknowledged that these configurations were the city's intellectual property and were protected from disclosure by federal Homeland Security considerations. The design and configurations that Childs provided with his application showed the physical locations of some network devices that were not publicly known. That information was deposited with the Library of Congress where it was available for public inspection.

²⁶ The publication of this confidential information made the FiberWAN network more vulnerable to intrusion.

26 Childs testified that he was unaware that the documents would be available to the public.

The jury heard expert testimony that DTIS had no administrative access to FiberWAN if the sole person with administrative access refused to give network management access to network devices, the configurations were not on the device, backup configurations were unavailable, the console port has been password-protected and the devices were run on VRAM. If power to the system was lost, the configurations would be wiped out and would need to be completely rebuilt, denying access to the computer system for a significant time. In the view of prosecution witnesses, Childs's refusal to reveal the access codes caused a denial of services because DTIS was unable to add new city departments to FiberWAN.

Childs made himself to be a single point of failure for the FiberWAN network, creating the possibility that the network could collapse without him in a system that was intended to have backups and redundancy to prevent disruption of the network. Prosecution witnesses told the jury that it was in the city's best interest to have more than one person with administrative access to FiberWAN in case one person was unavailable. DTIS's inability to access its network meant that something within FiberWAN was “radically wrong,” posing a very difficult problem to resolve. It was also unusual—less than 1/10th of 1 percent of all Cisco networks worldwide required the kind of intervention that FiberWAN did. At the close of the prosecution's case-in-chief, Childs's moved for acquittal without success. (§ 1118.1.)

2. Defense

Childs testified in his own defense. He admitted much of the conduct that formed the basis of the prosecution. He admitted that he had exclusive administrative access to the FiberWAN network, that he lied to his managers when he said that he did not, and that he sought to copyright its configurations. On July 9, the network was encrypted with a password that only he knew. He had control of the backup configurations, which were not available to DTIS and which had been encrypted. He had disabled the password recovery feature on the CE devices and had disabled the console ports on all devices. He admitted that he ran FiberWAN core devices on VRAM. If an engineer attempted a password recovery of a core device, he knew that the device would shut down, and when it was rebooted, it would be blank.

Childs testified that he acted as he did to protect the security of the FiberWAN network. He believed that DTIS management was too lax about network security.

The prosecution put on evidence to undermine this defense. It noted the risk to the city from his copyright application, which Childs admitted filing. He had failed to cite network security reasons for his decisions at the time that he made them. He did not mention security concerns on July 9 when he refused to reveal the FiberWAN password and user ID. Instead, he refused to give Robinson FiberWAN access because he did not believe that Robinson was authorized to have administrative access to the network.

3. Argument and Verdict

The prosecution reasoned that Childs's conduct had damaged the city in several ways. He made the network vulnerable to intrusion; he precluded DTIS from maintaining, troubleshooting or adding new city departments onto the network; and he required the city to spend large sums of money to regain administrative access to its network.

For his part, Childs urged the jury to conclude that his dispute with the city was an employment matter, not a criminal act. He claimed that he acted within the scope of his employment, a defense to the charge. (See § 502, subd. (h)(1).)

He also argued that he did not knowingly disrupt or deny computer services to an authorized user because other DTIS officials such as Robinson lacked the skills needed to implement the FiberWAN network. Childs argued that after he was reassigned, no one at DTIS was a qualified user. The city brought the problem on itself by threatening him after the June 20 incident, by ambushing him at the July 9 meeting, and by failing to respect his professional stature. Childs claimed that his conduct was reasonably necessary to protect the FiberWAN network from unauthorized intrusion because no one else at DTIS was competent to administer it.

Childs also disputed having denied computer services to the city because FiberWAN continued to operate during the July 9–21 period. He reasoned that no harm was done. He did not believe that he denied or disrupted computer services; if he was mistaken, he argued that his reasonable mistake negated the required criminal intent to find him guilty of violating subdivision (c)(5) of section 502.

The jury found Childs guilty of the charge and found the enhancement allegation to be true. (§§ 502, subd. (c)(5), 12022.6, subd. (a)(2).) His motion for arrest of judgment was denied, as was his motion for new trial.

In August 2010, Childs was sentenced to four years in state prison—a midterm of two years for the offense and a two-year consecutive enhancement term for excessive taking. Based on his prior convictions, the trial court rejected his claim for additional presentence conduct credit.

²⁷ The issue of restitution was reserved.

27 Childs challenged this presentence credit determination in his opening brief, but—as he has already completed his prison term and his rights are no longer affected—he concedes that the issue is moot. (See DeFunis v. Odegaard (1974) 416 U.S. 312, 316, 94 S.Ct. 1704, 40 L.Ed.2d 164; Keefer v. Keefer (1939) 31 Cal.App.2d 335, 337, 87 P.2d 856; see also 9 Witkin, Cal. Procedure (2008) Appeal, § 326, p. 375.)

In May 2011, Childs was ordered to pay $1,485,791 in restitution to DTIS.

²⁸ His motion for return of $10,744

28 The City Attorney's separate request for $32,933.71 in restitution was denied.

²⁹ seized from him at the time of his arrest was denied and that sum was applied toward the amount of restitution owed.

29 The record suggests some confusion about whether this amount was $10,744 or $10,774. We assume that $10,744—the amount ordered to be credited against Childs's restitution order—is correct.

³⁰

30 In this consolidated appeal, we have considered the records in both of these pending appeals. Thus, we need not also take judicial notice of the record on appeal from his conviction in the appeal of the restitution order, as Childs requested.

II. HACKING

A. Employment Dispute

Several challenges that Childs raises to his conviction turn on a single argument: that subdivision (c)(5) of section 502 was meant to apply only to unauthorized computer users—hackers—and not to an employee who was authorized to use the computer system but did so in a manner that vexed the employer. (See pts. III.A.2, III.C.1.b.i, III.C.2, III.E., IV.B, post.) He asserts that his acts fell within the scope of employment defense set out in subdivision (h)(1) as a matter of law. As this underlying issue is pivotal to so many interrelated question, we address it first.

When analyzing statutory language, we are charged to examine the language itself, the legislative history of the provision and case law construing the crucial language, in that order. (People v. Heitzman (1994) 9 Cal.4th 189, 200, 37 Cal.Rptr.2d 236, 886 P.2d 1229; see In re Noreen G. (2010) 181 Cal.App.4th 1359, 1375, 105 Cal.Rptr.3d 521.) We conduct those inquiries below. B. Evolution of Offense

Childs reasons that the charged offense is inapplicable to him as a matter of law because no employee has yet been convicted for refusing to reveal a computer user name and password to an employer on demand. The correct inquiry is not whether an employee has ever been convicted of the charged offense on the basis of similar conduct in the past, but whether the legislature intended to hold criminally liable one who acted as Childs did.

To determine the legislative intent, we first review the evolution of section 502. There have been many revisions to state law banning computer crimes since a predecessor statute was first enacted in 1979.

³¹ That provision made two types of computer use criminal—accessing a computer system to commit fraud or theft; and accessing, altering, deleting, damaging or destroying a computer system. (See Stats.1979, ch. 858, § 1, pp. 2968–2969 [adding prior version of § 502].) In 1985, the prior version of section 502 added a third computer offense—unauthorized accessing of a computer—and amended another offense to ban the malicious destruction or disruption of a computer system. (See Stats.1985, ch. 571, § 1, pp. 2076–2077.) In all of these early versions of computer crimes, accessing the computer system was a key element of the offense.

31 .Section 502 has been enacted, amended, repealed, added anew, and amended again—both before and since the date of the 2008 charged crime. For convenience, we refer to the predecessor statute as “prior section 502,” and the statute in effect at the time of the offense as “new section 502.”

In 1987, when the prior statute was repealed and a new version of section 502 was added, the law set out seven distinct computer offenses. One made the knowing and unpermitted disruption or denial of computer services a public offense—the same offense with which Childs was later charged. (See Stats.1987, ch. 1499, §§ 2–3, pp. 5782–5786.) Two more offenses—introducing a contaminant into a computer system and using another's Internet domain name to send damaging email messages—were added in 1989 and 1998, which brings the total of computer crimes to nine. (See Stats.1998, ch. 863, § 3, pp. 5484–5488; Stats.1989, ch. 1357, §§ 1.3, pp. 5736–5740.) In 2008 at the time of the offense charged against Childs, some of the nine computer offenses specifically required unpermitted access as an element. (See § 502, subd. (c)(5); compare § 502, subds. (c)(1)-(2), (4), (7) [access]; see also § 502, subds. (c)(3) [use], (6) [providing access].) Some did not—the charge against Childs among them. (See § 502, subds. (c)(5) [disruption], (8), [contamination], (9) [sending false email].)

In 1987, section 502 explained the purpose of the statute. By its express terms, the Legislature intended “to expand the degree of protection afforded to individuals, businesses, and governmental agencies from tampering, interference, damage, and unauthorized access to lawfully created computer data and computer systems. [The] proliferation of computer technology has resulted in a concomitant proliferation of computer crime and other forms of unauthorized access to computers, computer systems, and computer data. [¶][The] protection of the integrity of all types and forms of lawfully created computers, computer systems, and computer data is vital to the protection of the privacy of individuals as well as to the well-being of financial institutions, business concerns, governmental agencies, and others within this state that lawfully utilize those computers, computer systems, and data.” This statement of legislative intent was unchanged in 2008, when Childs allegedly violated subdivision (c)(5). (§ 502, subd. (a) [Stats.2000, ch. 635, § 2, pp. 4144–4145]; see Stats.1987, ch. 1499, §§ 2–3, pp. 5782–5783.) C. Evolution of Defense

The prior statute enacted in 1979 was silent on the applicability of the computer crimes statute in an employment context. (See Stats.1979, ch. 858, § 1, pp. 2968–2969.) By 1985, one of the three computer offenses then codified—unauthorized computer access—specifically provided that it did not apply to one who accessed an employer's computer within the scope of employment. (See prior § 502, subd. (d) [Stats.1985, ch. 571, § 1, pp. 2076–2077].) The 1987 enactment of the new statute set out an employment defense applicable to all section 502 offenses if an employee acted within the scope of his or her lawful employment.

³² (See § 502, subd. (i)(1) [Stats.1987, ch. 1499, §§ 2–3, pp. 5782–5786]; now § 502, subd. (h)(1).) In 1999, the Legislature first defined the scope of employment defense. “For purposes of this section, a person acts within the scope of his or her employment when he or she performs acts which are reasonably necessary to the performance of his or her work assignment.” (See § 502, subd. (h)(1) [amended Stats.1999, ch. 254, § 3, p. 2292].) The same statutory language was in effect in 2008, when Childs was charged with the current offense. (See § 502, subd. (h)(1) [Stats.2000, ch. 635, § 2, pp. 4144–4150].)

32 The statute also provided a defense for employees acting outside the scope of employment, but that defense is not at issue in the case before us. (See § 502, subd. (h)(2).)

D. Statutory Construction

1. Subdivision (c)(5) Offense

Childs contends that the language of subdivision (c)(5) must be read in light of the legislative purpose set out in subdivision (a) stating that the law was intended to protect against unauthorized access to computer systems. He reasons that subdivision (c)(5)—which contains no express requirement of access—must be read to imply one in order to be consistent with the legislative intent behind section 502.

This claim of error requires us to apply basic rules of statutory construction. The interpretation of a statute and its applicability pose questions of law for us to determine on appeal. (People v. Cole (2006) 38 Cal.4th 964, 988, 44 Cal.Rptr.3d 261, 135 P.3d 669; Estate of Madison (1945) 26 Cal.2d 453, 456, 159 P.2d 630.) The overriding goal of statutory construction is to ascertain the legislative intent behind the statute, in order to give effect to that intent. (People v. Mejia (2012) 211 Cal.App.4th 586, 611, 149 Cal.Rptr.3d 815.) In this analysis, the text of the statute is the best indicator of legislative intent. (Tonya M. v. Superior Court (2007) 42 Cal.4th 836, 844, 69 Cal.Rptr.3d 96, 172 P.3d 402; People v. Johnson (2006) 38 Cal.4th 717, 723–724, 42 Cal.Rptr.3d 887, 133 P.3d 1044.) When interpreting statutes, we begin with the plain, commonsense meaning of the language that the Legislature used. If that language is unambiguous, then the plain meaning of the statute controls. (People v. Mejia, supra, 211 Cal.App.4th at p. 611, 149 Cal.Rptr.3d 815; Surfrider Foundation v. California Regional Water Quality Control Bd. (2012) 211 Cal.App.4th 557, 575, 149 Cal.Rptr.3d 763.)

On its face, subdivision (c)(5) is unambiguous. (See, e.g., People v. Albillar (2010) 51 Cal.4th 47, 55, 119 Cal.Rptr.3d 415, 244 P.3d 1062.) Its plain meaning seems to be that Childs—who was given authorized access to the FiberWAN network—may be convicted under its terms. However, he contends that subdivision (c)(5) contains a latent ambiguity when read together with the “unauthorized access” language in subdivision (a) in the statement of legislative purpose behind section 502. A latent ambiguity exists when a literal interpretation of a statute would frustrate the purpose of the statute. (Varshock v. Department of Forestry & Fire Protection (2011) 194 Cal.App.4th 635, 644, 125 Cal.Rptr.3d 141.) When faced with a latent ambiguity, we must determine which interpretation of the statute is most consistent with the legislative intent. We infer that the Legislature intended an interpretation producing practical, workable results, not one producing mischief or absurdity. (Gattuso v. Harte–Hanks Shoppers, Inc. (2007) 42 Cal.4th 554, 567, 67 Cal.Rptr.3d 468, 169 P.3d 889.)

For many reasons, we reject Childs's claim that the Legislature intended that unauthorized access is an implied element of subdivision (c)(5). We find his focus on the “unauthorized access” language of subdivision (a) to be too narrow. When determining legislative intent, our analysis does not turn on a single word or phrase. We must construe the language in the context of the statute as a whole, giving meaning to every part of it. (Tonya M. v. Superior Court, supra, 42 Cal.4th at p. 844, 69 Cal.Rptr.3d 96, 172 P.3d 402; People v. Zeigler (2012) 211 Cal.App.4th 638, 650, 149 Cal.Rptr.3d 786.) Subdivision (a) sets out a series of evils deserving of protection, of which unauthorized computer access is one. The Legislature expressly stated its intent to protect against “tampering, interference, damage, and unauthorized access” to computers. (§ 502, subd. (a).) Disrupting or denying computer services to an authorized user could reasonably be read to fall within “interference” with computers, even without a showing of unauthorized access.

Childs's related argument—that the reference in subdivision (a) to the need to combat “computer crime and other forms of unauthorized access” to computers requires us to read an unauthorized access element into all subdivision (c) offenses—is somewhat more plausible. However, as we shall explain, other principles of statutory construction lead us to reject this argument, too.

Significantly, Childs's interpretation of section 502 fails to acknowledge differences among the wording of subdivision (c) offenses. Four of the section 502, subdivision (c) offenses include access as an element. (See § 502, subds. (c)(1)-(2), (4), (7).) The provision under which Childs was charged does not. (See § 502, subd. (c)(5).) When different words are used in adjoining subdivisions of a statute that were enacted at the same time, that fact raises a compelling inference that a different meaning was intended. (People v. Albillar, supra, 51 Cal.4th at p. 56, 119 Cal.Rptr.3d 415, 244 P.3d 1062; Metropolitan Water Dist. v. Superior Court (2004) 32 Cal.4th 491, 502, 9 Cal.Rptr.3d 857, 84 P.3d 966; Yao v. Superior Court (2002) 104 Cal.App.4th 327, 333, 127 Cal.Rptr.2d 912.) The Legislature's requirement of unpermitted access in some section 502 offenses and its failure to require that element in other parts of the same statute raise a strong inference that the subdivisions that do not require unpermitted access were intended to apply to persons who gain lawful access to a computer but then abuse that access. (See Arden Carmichael, Inc. v. County of Sacramento (2001) 93 Cal.App.4th 507, 516, 113 Cal.Rptr.2d 248 [every word excluded from a statute is presumed to have been excluded for a reason].)

2. Subdivision (h)(1) Defense

We are also persuaded the Legislature did not intend to imply an access element into every subdivision (c) offense because the legislative history of the employment defense codified in subdivision (h)(1) is inconsistent with this reading of subdivision (c). The unlawful access of an external hacker is inherently inconsistent with the permitted access of an employee, making the scope of employment defense relevant to this issue. When statutory language is ambiguous, we may consult extrinsic aids such as legislative history to help us interpret the statute. (People v. Cole, supra, 38 Cal.4th at p. 975, 44 Cal.Rptr.3d 261, 135 P.3d 669; People v. Mejia, supra, 211 Cal.App.4th at p. 611, 149 Cal.Rptr.3d 815; see People v. Rodriguez (2002) 28 Cal.4th 543, 549–550, 122 Cal.Rptr.2d 348, 49 P.3d 1085.)

When the Legislature defined the “scope of employment” defense in 1999, this was intended to “[close] a loophole that allows disaffected employees to maliciously tamper with a company's database” and to discourage “a malicious employee's victimization of an employer.” (See Assem. Com. on Public Safety, Rep. on Assem. Bill 451 (1999–2000 Reg. Sess.) Apr. 6, 1999, p. 6; Sen. Com. on Public Safety, Rep. on Assem. Bill 451 (1999–2000 Reg. Sess.) June 22, 1999, p. 9 [same].) These legislative sources make clear that one effect of the 1999 amendments to the employment defense now set out in subdivision (h)(1) was to broaden its application beyond external hacking and to encompass employee misconduct. Since the amendments took effect in 2000, the scope of employment defense no longer shield employees from prosecution for acts that were not reasonably necessary to the performance of the employee's work assignment. (See § 502, subd. (h)(1).) This conclusion is also supported by the legislature's 2000 expansion of the definition of “injury” to a computer network to include the denial of access to a legitimate user. (§ 502, subd. (b)(8) [Stats.2000, ch. 635, § 2, pp. 4144–4150].)

3. Subdivision (e)(1) Remedies

Childs also argues that the 2000 amendment of the scope of employment defense in subdivision (e)(1) supports his conclusion that section 502 was not intended to punish any employee. In fact, the legislative history supports a contrary view. At one time, subdivision (e) of section 502 required that a criminal conviction be obtained before a victim of computer crime could seek the civil remedy provided in that provision. In 2000, the Legislature amended section 502 to allow a private civil action “regardless of whether a criminal conviction has been obtained.” (Sen. Rules Com., Off. of Sen. Floor Analyses, 3d reading analysis of Assem. Bill 2727 (1999–2000 Reg. Sess.) as amended August 25, 2000, p. 5.) If section 502 banned Childs's conduct, the statutory language is clear that the prosecution had lawful authority to charge him with a criminal offense, regardless of whether his actions could also constitute the insubordinate employee conduct.

In a related argument, Childs reasons that his conduct was merely insubordinate and should have been resolved by civil means as an employment dispute, rather than by a criminal prosecution. (See § 502, subd. (e).) His reasoning is unpersuasive. It assumes wrongly that if a civil action is proper, insubordinate employee behavior can never be so grievous that it might also justify the filing of criminal charges. It also fails to appreciate the role of the separation of powers in this issue. The prosecution—as part of the executive branch of our government—ordinarily has sole discretion to conduct criminal cases, including determinations of whom to charge and what charges to file. (Manduley v. Superior Court (2002) 27 Cal.4th 537, 117 Cal.Rptr.2d 168, 41 P.3d 3; Dix v. Superior Court (1991) 53 Cal.3d 442, 451, 279 Cal.Rptr. 834, 807 P.2d 1063; Gananian v. Wagstaffe (2011) 199 Cal.App.4th 1532, 1540, 132 Cal.Rptr.3d 487.) A prosecutor's decision about filing criminal charges arises from complex law enforcement considerations that are not generally subject to judicial supervision. (Manduley v. Superior Court, supra, 27 Cal.4th at p. 552, 117 Cal.Rptr.2d 168, 41 P.3d 3.)

4. Conclusion

These principles of statutory construction combine to convince us that the Legislature did not intend that subdivision (c)(5) could only be applied to external hackers who obtain unauthorized access to a computer system. It appears that subdivision (c)(5) may properly be applied to an employee who uses his or her authorized access to a computer system to disrupt or deny computer services to another lawful user. E. Analysis of Case Law

Despite the statutory language, Childs asserts that case law lends support to his claim that subdivision (c)(5) was not intended to apply to an employee as a matter of law. Case law is significant to statutory construction because once a statute is construed by the courts, we presume that the Legislature is aware of that construction. If the Legislature does not alter that construction by subsequent legislation, we presume that it approved of the judicial construction. (People v. Hallner (1954) 43 Cal.2d 715, 719, 277 P.2d 393.) We have conducted a careful review of the cases that Childs cites, but none of them persuade us that subdivision (c)(5) may not lawfully be applied to an employee who misuses the grant of authorized access he was given to his employer's computer system. We conclude that each case is distinguishable from the situation before us in a significant manner.

In Mahru v. Superior Court (1987) 191 Cal.App.3d 545, 237 Cal.Rptr. 298, an employee—acting at the behest of his employer—took steps to ensure that a third party user of the employer's computer system could not use it any longer. The employee was charged with maliciously altering a computer system under a statutory predecessor to section 502. (See Stats.1979, ch. 858, § 1, pp. 2968–2969 [adding prior version of § 502]; Stats.1985, ch. 571, § 1, pp. 2076–2077 [subd. (c) as charged in Mahru ], Stats.1987, ch. 1499, §§ 2–3, pp. 5782–5786 [repealing prior version and adding current version of § 502].) The term “maliciously” is defined as a wish to vex, annoy or injure a third party. (§ 7, subd. 4.) The appellate court ruled that the predecessor statute did not apply, because the computer system allegedly altered was not owned by the third party, but by the employer. (Mahru v. Superior Court, supra, 191 Cal.App.3d at pp. 548–549, 237 Cal.Rptr. 298; see Facebook, Inc. v. Power Ventures, Inc.(N.D.Cal. July 20, 2010, No. C08–05780) 2010 WL 3291750, p. 8.)

³³ This case is clearly distinguishable from the one before us. Unlike Mahru, Childs acted against his employer's wishes in a manner affecting the employer's computer system.

33 Since the Mahru decision, the Legislature amended section 502 to specifically provide that acts taken at an employer's request are not criminal. (See § 502, subd. (c)(1)-(9); compare with prior § 502, subd. (c) [Stats.1985, ch. 571, § 1, pp. 2076–2077].)

In dicta, the Mahru court went on to assert its view that the Legislature “could not have meant, by enacting section 502, to bring the Penal Code into the computer age by making annoying or spiteful acts criminal offenses whenever a computer is used to accomplish them. Individuals and organizations use computers for typing and other routine tasks in the course of their affairs, and sometimes in the course of these affairs they do vexing, annoying, and injurious things. Such acts cannot all be criminal.” (Mahru v. Superior Court, supra, 191 Cal.App.3d at p. 549, 237 Cal.Rptr. 298; see Chrisman v. City of Los Angeles (2007) 155 Cal.App.4th 29, 36–37, 65 Cal.Rptr.3d 701 [echoing this dicta] (Chrisman ); People v. Gentry (1991) 234 Cal.App.3d 131, 141, fn. 8, 285 Cal.Rptr. 591 [same].) Childs reasons that this language supports his conclusion that section 502 was not intended to apply to employees at all, as a matter of law.

We accept the underlying logic of Mahru and the cases that cite it that the Legislature did not intend that all employee misuse of a computer is criminal. However, we do not apply this logic as broadly as Childs does. This dicta raises doubts about criminalizing routine computer misuse, but his case involves employee computer misconduct that is anything but routine. The cited principle cannot reasonably be read to decriminalize the acts of a system administrator who used his computer expertise to lock out every other potential user and to wipe out system data if anyone other than him attempted to access his employer's computer system.

Childs also cites us to Chrisman, supra, 155 Cal.App.4th at pp. 33–39, 65 Cal.Rptr.3d 701. In that case, a police officer was terminated from employment for using a police department computer to obtain non-duty related information. The termination was based on a violation of a provision prohibiting unpermitted access to a computer system. (§ 502, subd. (c)(7).) The appellate court reversed, finding that the department had given the officer access to its computer. Subdivision (c)(7) applied only to those who hack into the computer system from without, not to an authorized user who misused that authority. (Chrisman, supra, 155 Cal.App.4th at pp. 34–35, 65 Cal.Rptr.3d 701.) As subdivision (c)(5) does not contain an access requirement, the gravamen of Chrisman does not apply to Childs's case.

In dicta, the Chrisman court added its reflections on the subdivision (h)(1) “scope of employment” defense. Relying on civil tort case law, it stated that “showing that an employee violated an employer's rules does not determine whether the employee acted within the scope of employment.” (Chrisman, supra, 155 Cal.App.4th at p. 36, 65 Cal.Rptr.3d 701; citing Mary M. v. City of Los Angeles (1991) 54 Cal.3d 202, 209, 285 Cal.Rptr. 99, 814 P.2d 1341; Perez v. Van Groningen & Sons, Inc. (1986) 41 Cal.3d 962, 967–971, 227 Cal.Rptr. 106, 719 P.2d 676.) Applying these tort principles, the Chrisman court concluded that “an employer's disapproval of an employee's conduct does not cast the conduct outside the scope of employment.” Otherwise, it reasoned, every employee misstep, mistake or misconduct would be criminal under section 502. (Chrisman, supra, 155 Cal.App.4th at p. 37, 65 Cal.Rptr.3d 701.) As the case before us is a criminal one in which tort allocation of the risks and cost of employment injuries is not relevant, the cited language loses some of its force. (See Mary M. v. City of Los Angeles, supra, 54 Cal.3d at p. 209, 285 Cal.Rptr. 99, 814 P.2d 1341; Perez v. Van Groningen & Sons, Inc., supra, 41 Cal.3d at pp. 967–971, 227 Cal.Rptr. 106, 719 P.2d 676.)

Even if we embrace the logic of the Chrisman dicta that an employer's disapproval of an employee's conduct is not definitive on the issue of whether the employee's conduct was within or outside the scope of employment, that would not compel us to find that no employee could ever be convicted of violating subdivision (c)(5) as a matter of law.

³⁴ The misuse of a employer's computer to make searches without any work-related purpose is not remotely comparable to the computer lockout that Childs accomplished as system administrator of the FiberWAN network.

34 At his request, the trial court in Childs instructed the jury on this language taken from Chrisman.Apparently, the jury found his conduct more egregious than mere misuse of an employee computer.

Childs also calls our attention to People v. Lawton (1996) 48 Cal.App.4th Supp. 11, 56 Cal.Rptr.2d 521. In that case, a criminal defendant convicted of unauthorized access

³⁵ reasoned that permission granted to use a library computer terminal—its hardware—necessarily conveyed permission to access its software—that is, its computer's operating system. The appellate division of the superior court affirmed. ( Id. at pp. 14–15, 56 Cal.Rptr.2d 521; see § 502, subd. (c)(7).) We fail to see how Lawton has any bearing on the scope of employment issue before us. This lack of relevance is even more acute, given the fact that the decision applies a version of the statute that predates the 1999 definition of the scope of employment defense in subdivision (h)(1). That language and its meaning is the crux of Childs's claim of error. (See pt. II.C., ante.)

35 Lawton was also charged with the offense Childs faced—disrupting computer services under subdivision (c)(5)—but his jury did not reach a verdict on this charge. (People v. Lawton, supra, 48 Cal.App.4th Supp. at p. 12, 56 Cal.Rptr.2d 521.)

We also find People v. Gentry, supra, 234 Cal.App.3d 131, 285 Cal.Rptr. 591 unpersuasive. Gentry gained access to confidential files of credit reporting companies and had entered false data to make it more likely that credit would be extended to those who would otherwise be refused. The appellate court affirmed his conviction of a computer crime,

³⁶ concluding that this conduct was “exactly the kind of manipulation of computer data files the statute was designed to prohibit.” ( People v. Gentry, supra, 234 Cal.App.3d at pp. 135, 140–141, 285 Cal.Rptr. 591.) Far from undermining Childs's conviction, this sentiment supports it.

36 Gentry was convicted of an access crime under the prior version of section 502 that has since been repealed and replaced. (People v. Gentry, supra, 234 Cal.App.3d at p. 140, 285 Cal.Rptr. 591; see prior § 502, subd. (b) [Stats.1985, ch. 571, § 1, pp. 2076–2077]; see also Stats.1987, ch. 1499, §§ 2–3, pp. 5782–5786.)

³⁷ F. Conclusion

37 Childs also cites us to two out-of-state cases which are clearly distinguishable from his circumstances. Neither case construes the California law at issue in our case. (See Arizona v. Moran (1989) 162 Ariz. 524, 784 P.2d 730; State v. Olson (1987) 47 Wash.App. 514, 735 P.2d 1362.) The Arizona case turns on the unique wording its statute banning computer damage, which required an act of commission. ( Arizona v. Moran, supra, 784 P.2d at pp. 732–734.) By contrast, Childs was charged with disrupting or denying computer services—an offense that, by its terms, may be committed by omission. (See § 502, subd. (b)(8) [denial of access to legitimate users as injury], (c)(5) [disruption or denial of computer services as criminal offense].) In the Washington case, the defendant was charged with computer trespass, an offense that requires unauthorized access. (State v. Olson, supra, 735 P.2d at pp. 1363–1364 [Washington statute criminalizes entry into computer system].) Childs's offense does not require access as an element.

After careful consideration of the statutory language and the case law that Childs cites, we conclude that the Legislature intended for some parts of section 502, subdivision (c) to apply only to external hackers and for some parts—including subdivision (c)(5)—to apply to users who were given lawful access to the computers. Thus, we reject Childs's contention that an employee may not lawfully be convicted of violating subdivision (c)(5), in appropriate circumstances.

III.–V.^**

** See footnote *, ante.

We concur: RUVOLO, P. J. RIVERA, J.