Recent Disqualification Precedent Raises Interesting Questions About Computer Access and Data Rights

by

RECENT DISQUALIFICATION PRECEDENT RAISES INTERESTING QUESTIONS ABOUT COMPUTER ACCESS AND DATA RIGHTS

Robert Uriarte

The California Court of Appeal’s March decision in Militello v. VFARM 1509, 89 Cal. App. 5th 602 (2023) holds that if a client "improperly obtained (or maintained) possession of written or digital copies of an adverse party’s confidential information and provided them to counsel for use in litigation," the attorney may be disqualified from serving as trial counsel if they "read purloined documents any more closely than is necessary to determine" that they should not be used.1 Militello involved company emails protected by the spousal communications privilege that one co-owner used as evidence against another in litigation over their jointly owned business. Militello is a significant development in California’s disqualification jurisprudence, as it resolves an apparent conflict between prior Court of Appeals decisions on the question of whether disqualification is ever appropriate where a lawyer receives the adverse party’s privileged communications from their own client."2

But Militello also raises a bunch of other interesting questions.

To what extent are email communications protected by the spousal communication privilege if the communications constitute the conduct of the corporation’s affairs? Might disqualification have been proper if the subject materials were merely confidential, rather than privileged? In a dispute between joint owners of a corporation, who has the authority to grant or deny permission to use corporate systems and data?

The latter question is the most interesting to longtime fans of digital trespass jurisprudence, as it implicates the meaning of an important statutory phrase that has not yet been construed by any California court of appeal: "without permission" as used in California Penal Code § 502. Although it does not squarely address the issue, Militello provides insight into how California courts are likely to construe the notion of "permission" under § 502 and brings into focus several practical issues regarding computer and data access that practitioners should keep in mind.

[Page 75]

THE FACTS

The fact pattern in Militello reads like a great law school exam. Militello (a lawyer), Lawrence (also a lawyer) and Manek co-owned and operated Cannaco Research Corporation (CRC), a licensed manufacturer and distributor of Cannabis products. Militello, Lawrence, and Manek also owned or operated a number of other cannabis-related businesses that had relationships with CRC to varying degrees. In September 2020, with her co-owners’ consent, Militello migrated CRC’s email system from Microsoft to Google’s G-Suite platform. As the person who set up the company G-Suite account for CRC, Militello had "super-administrator" rights enabled by login credentials that gave her control over all the email accounts in CRC’s G-Suite environment. The G-Suite account Militello set up for CRC also included email accounts for other CRC-related business, including one owned solely by Militello.

A few months after CRC’s G-Suite migration, the parties’ business relationship became very uncool, resulting in Militello’s ouster as an officer and director of CRC by March 2021. Militello nevertheless remained a co-owner of CRC. After removing Militello from her positions, Militello’s co-owners (through CRC) sued Militello alleging, among other claims, violation of the California Comprehensive Computer Data Access and Fraud Act, Cal. Pen. Code, § 502. These § 502 claims were based on allegations that Militello used her super-administrator rights to search for emails, delete entire email accounts, divert CRC emails to alias accounts, and block her business partners’ access to various electronic systems necessary for CRC to conduct its business.

In response, Militello filed her own lawsuit, in her personal capacity and derivatively on behalf of CRC, alleging breach of contract, breach of fiduciary duty, and fraud against Lawrence, Manek, and Lawrence’s husband Athey. In the course of prosecuting that lawsuit, Militello provided to her attorney emails that Militello downloaded from the CRC G-Suite account using her super-administrator powers. Among the emails Militello provided to her counsel were private communications between Lawrence (wife) and Athey (husband). Oh, did I mention that Athey (also a lawyer) allegedly served as Militello’s counsel in "difficult contract negotiations" with Lawrence and Manek? This case was always destined to make its mark on California law. Which brings us to the fun part.

The Court of Appeal did not have an occasion to pass on the merits of the § 502 claims against Militello in resolving the parties’ privilege dispute, but the Court’s reasoning and conclusion indicate that California’s concept of "permission" to access computers and data may be broad—far broader than the concept of "authorization" under the federal computer crimes statute, the Computer Fraud and Abuse Act ("CFAA").

CFAA AND CAL. PENAL CODE § 502

The CFAA is a computer trespass statute that imposes civil and criminal liability on a person who accesses a computer "without authorization" or "exceeding authorized access."3 The CFAA does not define "without authorization," but it does define "exceeding authorized access" to mean "to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter."4

For several years, there was a circuit split over whether the concepts of "without authorization" or "exceeding authorized access" under the CFAA incorporate purpose-based limits on computer usage, such as, for example, limitations contained in a website’s terms of service, employment contracts, or workplace policies.5 But in 2021, the Supreme Court held in Van Buren v. United States that "liability under both clauses stems from a gates-up-or-down inquiry—one either can or cannot access a computer system, and one either can or cannot access certain areas within the system."6 After Van Buren, the general rule is that "alleged misuse of accessible data in violation of other (non-CFAA) laws

[Page 76]

or duties no longer makes out a viable CFAA claim."7Today, federal courts tend look to whether or not a defendant "hacked" or otherwise improperly bypassed technological access barriers in deciding whether conduct violates the CFAA.8 In other words, if a defendant’s threshold access to a computer was authorized, unauthorized use of data obtained through that access cannot violate the CFAA.

Unlike the CFAA, which is primarily concerned with whether a person’s initial access to a computer is authorized or not, offenses under California Penal Code § 502 do not generally require unauthorized access.9 Instead, the focus of most § 502 offenses is on use of computers or data "without permission." This phrase has not yet been construed by the California Supreme Court or courts of appeal, but it is clear that violations of contractual use restrictions and even certain acts taken "against [an] employer’s wishes" are within the scope of § 502.10 Thus, while "circumventing technical barriers may be sufficient to show that a person acted ‘without permission’… it is [not] necessary for a person to circumvent technical barriers to act ‘without permission.’"11Importantly, however, in order to violate § 502, a defendant must be aware of facts establishing their lack of permission.12

GATE’S UP, THUMBS DOWN

Did Militello have "authorization" to access to the CRC email servers? Did she act "without permission" by downloading CRC emails for use in litigation?

Under the federal gates-up-or-down inquiry, because Militello was the administrator of the G-Suite account, the gate to CRC’s email servers within that G-Suite account appears to have been up (at least based on the facts described in the court’s opinion).13 Militello, with the corporation’s authorization and on its behalf, created CRC’s G-Suite account. That act required Militello to create a login and password used to administer and control access to the G-Suite account. Although it is unclear from the record whether Militello downloaded the subject emails before or after she was removed as one of CRC’s directors, there is no indication that she accessed the emails after her permission "ha[d] been revoked explicitly," which courts generally look for in assessing revocation of authorization under CFAA.14 In fact, it is not even clear what would have been required to effect a valid revocation of Militello’s access under these circumstances, which involve a dispute among all owners of a closely held corporation over a multi-company G-Suite account.15Because the CFAA is concerned with unauthorized access to computers, in general, whether the owner of the computer has granted (or revoked) access is the key inquiry.16 Here, Militello was an owner of the subject computers, using valid login credentials to access them.

But even if Militello had "authorized access" to CRC’s email servers for purposes of the CFAA, that would not necessarily preclude a finding that Militello acted "without permission" in carrying out some of the alleged conduct. Using authorized computer access to do something to data on that computer (like downloading private emails) without permission can violate § 502.17 The fact pattern in Militello begs an important question though: "whose permission matters?"

WHOSE (SUBJECT) LINE IS IT ANYWAY?

The data in Militello consisted of emails downloaded from CRC’s corporate email servers. CRC has various property rights in such data, including for example rights to confidential business information. Officers, directors, and employees of CRC, in both their professional and personal capacities, also have certain rights related to CRC email data. For example, CRC’s directors have the right under California Corporations Code § 1602 to inspect all CRC books and records, and Lawrence has a right under California Evidence Code § 917 to prevent her CRC emails from being entered into evidence in violation of her spousal privilege.18 Whose permission, then, did Militello need to stay on the right side of § 502?

[Page 77]

In opposing the disqualification motion, Militello argued that Lawrence had no reasonable expectation of privacy when using her CRC email account. Militello pointed to evidence that Lawrence knew that Militello could access and review Lawrence’s emails, including Lawrence’s knowledge of Corporations Code § 1602 and CRC’s bylaws, which grant "[e]very director" the "absolute right" to "inspect all books, records, and documents of every kind," which inspection "may be made in person or by an agent or attorney" and "includes the right to copy and make extracts of documents."19 Militello also pointed to an email message from Google providing notice that the G-Suite administrator has access to all data in G-Suite. The court rejected Militello’s arguments, distinguishing prior cases which held that employee had no reasonable expectation of privacy in emails sent using their company email accounts. Relying on the text of Evidence Code § 917(b), the court held that Militello’s evidence was insufficient to meet her burden of defeating the presumption of privilege. Implicit in the court’s analysis are the notions that it was reasonable for Lawrence to believe that Militello would not search Lawrence’s emails, and that it was improper for Militello to do so. The court’s finding on the privilege issue does doesn’t necessarily mean that Militello acted "without permission" for purposes of § 502, but the court’s reasoning suggests she may have.

First, the court suggested that a director’s right to inspect corporate books and records is limited to doing so for fiduciary purposes and does not include "the surreptitious review of another director’s individual email." Second, the court noted that there was no evidence that Lawrence had ever agreed to permit monitoring of her emails. Third, and perhaps most importantly, the court the suggested that Militello "improperly obtained" the subject documents and analogized Militello’s situation to cases involving "stolen" documents. The court’s statements support the view that Militello acted "without permission" under § 502. And the court’s reasoning suggests that it is not only the computer owner’s permission that matters. Militello hints that for some types of data, the data subject’s permission may also be required in order to avoid liability under § 502.

WHAT WE CAN LEARN FROM MILITELLO

Some of the facts that created problems in Militello are more common that you’d expect, and there are some important lessons to learn from this case. First, Militello highlights the importance of having good IT governance policies in place. Disputes between co-owners of a business frequently give rise to litigation over who has the right to control or access company computer systems and data. Particularly in the context of early-stage companies, where it is common for company founders or other early employees to be the people setting up things like email, document sharing, and source code management services, a business may be just one bad employee break-up away from getting locked out of its systems or deprived of its intellectual property. Making sure that multiple appropriate people have the right passwords and administrative privileges for the company’s IT systems and establishing clear written guidelines on who can do what with which systems mitigates the risk of such problems.

Second, Militello underscores the importance of ensuring that, where appropriate, employees consent in writing to clearly articulated email monitoring policies. Strict compliance with the express language of Militello is advisable: employees should be put on clear notice that (1) "[company computers and services may] be used only for company business," (2) "that emails [are] not private," and (3) that the company [] randomly and periodically monitor[s] its technology resources to ensure compliance with [company IT] policy."20 And even where such consents have been obtained, a company should consider whether there are any third-party rights that might implicate the company’s "permission" to use that data in a particular context. Of course, there is a lesson here for employees, too: don’t use company channels for personal communications.

[Page 78]

Third, Mitilello counsels attorneys to act with extreme caution when a client provides materials that they may not have permission to possess or maintain and should act ethically in the face of any potential privilege issues. But that’s nothing new.

Finally, Militello suggests that § 502 may reach a class of offenses for which data subjects, not just computer owners, have a say in whether conduct is "without permission." Notably, § 502 is just one (albeit the most frequently litigated one) of several state computer trespass statutes that criminalize conduct that is legal under the CFFA.

In light of Van Buren’s limitation on the scope of CFAA liability, the federal "gates-up-or-down" inquiry is likely to become less important as companies and individuals shift away from the CFAA towards state statutory protections for their computers and data. Last year, a federal district court in Montana refused to apply Van Buren’s gates-up-or-down framework to Montana’s computer trespass statute that, like the CFAA, proscribes accessing a computer "without authorization," and there are more examples of cases from all around the country in which courts have found state computer trespass statutes to be broader than the CFAA.21 For this reason, it is important for attorneys to understand the who, what, where, why, and how of their clients particular computer and data usage issues in order to properly advise them regarding digital trespass risk.

The views expressed in this article are personal to the author and do not necessarily represent or reflect the views of the author’s firm, the Executive Committee of the Intellectual Property Law Section, the California Lawyers Association, or any colleagues, organization, or client.

© 2023 Robert Uriarte

Robert Uriarte is an intellectual property litigator with a practice focused on software, data, and digital crimes.

——–

Notes:

1. Militello v. VFARM 1509, 89 Cal. App. 5th 602, 306 Cal. Rptr. 3d 200 (2023).

2. E.g., Roush v. Seagate Technology, LLC, 150 Cal.App.4th 210 (2007).

3. 18 USC § 1030(a).

4. 18 USC § 1030(e)(6).

5. See Van Buren v. United States, 141 S. Ct. 1648, 1659 (2021) (answering question in the negative); compare Int’l Airport Centers, L.L.C. v. Citrin, 440 F.3d 418, 420-21 (7th Cir. 2006) (now-overruled holding that use of a computer system may become unauthorized when an employee breaches duty of loyalty to his employer).

6. Van Buren, 141 S. Ct. at 1650.

7. Welter v. Med. Prof’l Mut. Ins. Co., 2023 U.S. Dist. LEXIS 70304, at *18 (D. Mass. Feb. 23, 2023).

8. See, e.g., hiQ Labs, Inc. v. LinkedIn Corp., 31 F.4th 1180, 1199 (9th Cir. 2022) ("if authorization is required and has been given, the gates are up; if authorization is required and has not been given, the gates are down"); Dac v. Booking Holdings Inc., 2022 U.S. Dist. LEXIS 193027, at *27 (D. Del. Oct. 24, 2022) ("[Van Buren] strongly suggests that the operative question is whether a technological or code-based limitation exists to prevent access to a computer by those who do not have proper authorization"); GateGuard, Inc. v. Amazon.com Inc., 2023 U.S. Dist. LEXIS 26905, at *16 (S.D.N.Y. Feb. 16, 2023) (piggybacking loT hardware is unauthorized access).

9. United States v. Christensen, 828 F.3d 763, 789 (9th Cir. 2016); People v. Childs, 220 Cal. App. 4th 1079, 1102, 164 Cal. Rptr. 3d 287, 304 (2013).

10. Childs, 220 Cal. App. 4th at 1105; People v. Lawton, 48 Cal. App. 4th Supp. 11, 15 (1996).

11. Cti III, Ltd. Liab. Co. v. Devine, 2022 U.S. Dist. LEXIS 94820, at *13 (E.D. Cal. May 25, 2022).

12. See, e.g., People v. Hawkins, 98 Cal. App. 4th 1428, 1438, 121 Cal. Rptr. 2d 627, 634 (2002).

13. Pable v. Chi. Transit Auth. & Clever Devices, Ltd., 615 F. Supp. 3d 842, 845 (N.D. Ill. 2022) ("he accessed the system through gates that were ‘up’ to him…once inside, he took actions prohibited by …rules, regulations, and policies…That claim falls squarely within Van Buren’s purview").

14. Facebook, Inc. v. Power Ventures, Inc., 844 F.3d 1058, 1067 (9th Cir. 2016); United States v. Nosal, 844 F.3d 1024, 1038 (9th Cir. 2016) (former employee "whose computer access was categorically revoked" violated CFAA by surreptitiously accessing former employer’s data"); but see Zap Cellular, Inc. v. Weintraub, 2022 U.S. Dist. LEXIS 168735, at *18 (E.D.N.Y. 2022) (inferring, at the pleading phase, that termination of status as CEO implied revocation of access).

15. Compare LVRC Holdings LLC v. Brekka, 581 F.3d 1127, 1133 (9th Cir. 2009) ("It is the employer’s decision to allow or to terminate an employee’s authorization to access a computer") (emphasis added) with Christie v. Nat’l Inst. for Newman Studies, 2019 U.S. Dist. LEXIS 72175, at *18 (D.N.J. Apr. 30, 2019) ("Without having ownership, Plaintiff cannot, as a legal matter, exert control, such that he can exclude others from accessing the devices…[the corporation] is the rightful owner of those machines, consistent with its ownership rights, NINS has the authority to decide who has access").

16. Power Ventures, 844 F.3d at 1067 ("The consent that Power had received from Facebook users was not sufficient to grant continuing authorization to access Facebook’s computers after Facebook’s express revocation of permission").

17. Hawkins, 98 Cal. App. 4th at 1433.

18. Evidence Code § 917(a) creates a presumption that confidential communications between spouses are privileged, and § 917(b) states that such communication does not lose its "privilege character for the sole reason that it is communicated by electronic means or because persons involved in the delivery, facilitation, or storage of electronic communication may have access to the content of the communication." Nevertheless, "presumptively confidential communications sent from and received on a company-owned computer will not be protected from disclosure as privileged if the computer-user had been ‘warned that it was to be used only for company business, that emails were not private, and that the company would randomly and periodically monitor its technology resources to ensure compliance with the policy.’" Militello v. VFARM 1509, 89 Cal. App. 5th 602, 615 n.8, 306 Cal. Rptr. 3d 200 (2023)

19. Militello, 89 Cal. App. 5th at 615 n.8.

20. Id. at 615.

21. Foley Indus. v. Nelson, 2022 U.S. Dist. LEXIS 78841, at *14 (W.D. Mo. May 2, 2022); see also Sw. Airlines Co. v. BoardFirst, L.L.C., 2007 U.S. Dist. LEXIS 96230, at *48-50 (N.D. Tex. Sep. 12, 2007).

[Page 79]