CACI No. 1812. Comprehensive Computer Data and Access Fraud Act - Essential Factual Elements (Pen. Code, § 502)

Judicial Council of California Civil Jury Instructions (2023 edition)

Download PDF
1812.Comprehensive Computer Data and Access Fraud
Act - Essential Factual Elements (Pen. Code, § 502)
[Name of plaintiff] claims that [name of defendant] has violated the
Comprehensive Computer Data and Access Fraud Act. To establish this
claim, [name of plaintiff] must prove all of the following:
1. That [name of plaintiff] is the [owner/lessee] of the [specify
computer, computer system, computer network, computer program,
and/or data];
2. That [name of defendant] knowingly [specify one or more prohibited
acts from Pen. Code, § 502(c), e.g., accessed [name of plaintiff]’s
data on a computer, computer system, or computer network];
[3. That [name of defendant]’s [specify conduct from Pen. Code,
§ 502(c), e.g., use of the computer services] was without [name of
plaintiff]’s permission;]
[4.] That [name of plaintiff] was harmed; and
[5.] That [name of defendant]’s conduct was a substantial factor in
causing [name of plaintiff]’s harm.
New May 2020
Directions for Use
Give this instruction for a claim under the Comprehensive Computer Data Access
and Fraud Act (CDAFA). CDAFA makes civil remedies available to any person who
suffers damage or loss by reason of the commission of certain computer-related
offenses. (Pen. Code, § 502(c), (e)(1).)
For element 1, the court may need to define the technology (e.g., “computer
network,” “computer program or software,” “computer system,” or “data”) or other
statutory term depending on the facts and circumstances of the particular case. (See
Pen. Code, § 502(b) [defining various terms].) For a definition of “access,” see
CACI No. 1813, Definition of “Access.”
Some of the prohibited acts for element 2 may also require that the defendant do
something specific with the access or that the defendant have a specific purpose. For
example, if the defendant allegedly deleted or used plaintiff’s computer data, it must
have been done without permission and either to (a) devise or execute any scheme
or artifice to defraud, deceive, or extort, or (b) wrongfully control or obtain money,
property, or data. (See Pen. Code, § 502(c)(1).) Modify the instruction to include
these elements where required.
Include element 3 regarding lack of permission depending on the violation(s)
alleged. Lack of permission is a required element for violations of subdivisions
(c)(1)-(7) and (c)(9)-(13), but not for violations of subdivisions (c)(8) and (c)(14).
Modify element 3 accordingly. Delete element 3 for violations of the latter
If plaintiff’s claim involves a “government computer system” or a “public safety
infrastructure computer system” and there is a factual dispute about the type of
computer system involved, this instruction should be modified to add that issue as
an element. (See Pen. Code, § 502(c)(10), (11), (12), (13), and (14).)
Sources and Authority
Comprehensive Computer Data Access and Fraud Act. Penal Code section 502.
“Penal Code section 502, subdivision (e)(1) permits a civil action to recover
expenses related to investigating the unauthorized computer access.” (Verio
Healthcare, Inc. v. Superior Court (2016) 3 Cal.App.5th 1315, 1321 fn. 3 [208
Cal.Rptr.3d 436].)
“Four of the section 502, subdivision (c) offenses include access as an element.
The provision under which [defendant] was charged does not. When different
words are used in adjoining subdivisions of a statute that were enacted at the
same time, that fact raises a compelling inference that a different meaning was
intended. The Legislature’s requirement of unpermitted access in some section
502 offenses and its failure to require that element in other parts of the same
statute raise a strong inference that the subdivisions that do not require
unpermitted access were intended to apply to persons who gain lawful access to
a computer but then abuse that access.” (People v. Childs (2013) 220
Cal.App.4th 1079, 1102 [164 Cal.Rptr.3d 287], internal citations omitted.)
“[The CDAFA] does not require unauthorized access. It merely requires knowing
access. What makes that access unlawful is that the person ‘without permission
takes, copies, or makes use of data on the computer. A plain reading of the
statute demonstrates that its focus is on unauthorized taking or use of
information.” (United States v. Christensen (9th Cir. 2015) 828 F.3d 763, 789,
original italics, internal citations omitted.)
“Because [defendant] had implied authorization to access [plaintiff]’s computers,
it did not, at first, violate the [CDAFA]. But when [plaintiff] sent the cease and
desist letter, [defendant], as it conceded, knew that it no longer had permission
to access [plaintiff]’s computers at all. [Defendant], therefore, knowingly
accessed and without permission took, copied, and made use of [plaintiff]’s
data.” (Facebook, Inc. v. Power Ventures, Inc. (9th Cir. 2016) 844 F.3d 1058,
“[T]aking data using a method prohibited by the applicable terms of use, when
the taking itself generally is permitted, does not violate the CDAFA.” (Oracle
USA, Inc. v. Rimini Street, Inc. (9th Cir. 2018) 879 F.3d 948, 962, reversed in
part on other grounds by Rimini Street, Inc. v. Oracle USA, Inc. (2019) - U.S.
- [139 S.Ct. 873, 881, 203 L.Ed.2d 180], original italics.)
Secondary Sources
5 Witkin, California Criminal Law (4th ed. 2012) Crimes Against Property, § 229 et
31 California Forms of Pleading and Practice, Ch. 349, Literary Property and
Copyright, § 349.41[5] (Matthew Bender)

© Judicial Council of California.