By Pavel Kolmogorov, California Business Litigation Attorney (State Bar No. 321018). Founder of Kolmogorov Law, P.C., recognized in Chambers and Partners 2026 Spotlight Guide for Litigation: General Commercial in Orange County. Last reviewed: May 2026.
An ex-employee logs in the day after they quit and downloads the customer database. A competitor pays your bookkeeper for read-only access to your QuickBooks. A former contractor uses a credential that was never deactivated to scrape your project files. These scenarios are not hypothetical — they are the most common fact patterns in California computer-fraud cases. And California Penal Code section 502, the Comprehensive Computer Data Access and Fraud Act (CDAFA), gives the victim business a powerful civil cause of action with real teeth: compensatory damages, attorneys' fees, and injunctive relief.
This guide explains who can sue under Penal Code § 502, what conduct is covered, the elements of the civil claim, the available remedies, and how the statute fits with related claims like trade secret misappropriation and breach of fiduciary duty.
What CDAFA (Penal Code § 502) Prohibits
Although Penal Code § 502 is a criminal statute, subdivision (e) creates a private right of action for any person harmed by a violation. The statute lists thirteen kinds of prohibited conduct, including:
- Knowingly accessing and without permission altering, damaging, deleting, destroying, or using any data, computer, computer system, or computer network (§ 502(c)(1)).
- Knowingly accessing and without permission taking, copying, or making use of any data from a computer or system (§ 502(c)(2)).
- Knowingly and without permission using or causing to be used computer services (§ 502(c)(3)).
- Knowingly accessing or without permission causing the access of any computer, system, or data with intent to defraud or extort, or to wrongfully control or obtain money, property, or data (§ 502(c)(4)).
- Knowingly and without permission disrupting or causing the disruption of computer services or denying or causing the denial of computer services to an authorized user (§ 502(c)(5)).
- Providing or assisting in providing means of access to a computer, system, or network knowing it is in violation of this section (§ 502(c)(6)).
- Knowingly and without permission accessing or causing to be accessed any computer, system, or network (§ 502(c)(7)).
The “Without Permission” Element
The single most-litigated word in CDAFA is “permission.” California courts apply two key principles:
First, a former employee's authorization terminates when employment ends. Continuing to use a credential after termination — even one that the company forgot to disable — can constitute access “without permission” under § 502. The technical ability to log in does not equate to legal permission.
Second, an authorized user who exceeds the scope of permission can violate § 502. A bookkeeper authorized to use QuickBooks for company business who downloads the customer list to take to a competitor has accessed the data outside the scope of authorization. People v. Childs (2013) 220 Cal.App.4th 1079 (criminal context).
The federal counterpart, the Computer Fraud and Abuse Act (CFAA, 18 U.S.C. § 1030), narrowed this concept in Van Buren v. United States (2021) 593 U.S. 374. California state-law CDAFA cases continue to recognize that exceeding authorized scope can violate § 502, and California decisions have not adopted Van Buren's narrower reading wholesale.
Civil Remedies Under § 502(e)
Subdivision (e) authorizes a private right of action with the following remedies:
- Compensatory damages. The full amount of actual loss caused by the violation, including the cost of investigating and remediating the breach.
- Injunctive relief. Including a temporary restraining order, preliminary injunction, and permanent injunction prohibiting further unauthorized access and requiring return or destruction of misappropriated data.
- Attorneys' fees. The court may award reasonable attorneys' fees to a prevailing plaintiff under § 502(e)(2). This is a significant lever in employee-departure and competitor-access cases.
- Punitive or exemplary damages. When the violation is willful and the conduct is oppressive, fraudulent, or malicious under Civ. Code § 3294.
Importantly, § 502 does not require the plaintiff to prove the value of the data accessed or any damage to the system. Loss of confidentiality, even without quantifiable financial harm, is sufficient to support a claim.
How § 502 Fits With Related Causes of Action
Computer-fraud claims rarely travel alone. The same underlying conduct — an ex-employee taking customer data, for example — typically supports multiple overlapping claims:
- Trade secret misappropriation under the California Uniform Trade Secrets Act (Civ. Code § 3426 et seq.). See our trade secret misappropriation guide.
- Breach of fiduciary duty if the actor was a corporate officer, director, or partner. See our breach of fiduciary duty guide.
- Conversion for the wrongful taking of company data with monetary value.
- Tortious interference with customer or vendor relationships if the data is used to poach.
- Unfair competition under Business and Professions Code § 17200.
- Federal CFAA claims under 18 U.S.C. § 1030 when there is a sufficient interstate or jurisdictional hook.
Pleading multiple theories preserves remedy options and increases settlement leverage. The § 502 attorneys'-fees provision is often the most important driver of settlement value.
Investigation and Evidence Preservation
The forensic case in a § 502 matter typically rises or falls on log data. Steps to take immediately on discovery:
- Preserve logs. Authentication logs (Active Directory, Okta, Google Workspace, Microsoft 365), application access logs, VPN connection logs, file-server audit logs, and cloud-storage access logs all decay quickly. Issue a litigation hold to IT the same day.
- Image affected systems. Forensic copies of the suspect's work computer, phone, and any removable media should be made before normal business operations overwrite forensic artifacts.
- Document the access. Capture timestamps, IP addresses, and the specific files or records accessed. Without this, the “without permission” case is much harder.
- Engage a digital-forensics expert. An expert can establish chain of custody and prepare evidence that will hold up in motion practice and at trial. For broader investigation framework see our employee-theft remedies guide.
Statute of Limitations
Civil claims under § 502 are governed by Code of Civil Procedure § 338 (three-year limitations period for statutory torts). The discovery rule applies: the period runs from the date the plaintiff knew or reasonably should have known of the violation. Our California civil litigation deadlines quick guide walks through related limitation periods that often run alongside § 502 claims.
Frequently Asked Questions
Q: My ex-employee still has their old login credentials. They have not used them yet. Do I have a § 502 claim?
A: Not yet. The statute requires actual access “without permission.” Mere possession of credentials does not violate § 502. However, you should disable the credentials immediately and consider seeking an injunction or a temporary restraining order if you have evidence the ex-employee intends to use them.
Q: My contractor signed an NDA. Does that give me extra rights under § 502?
A: An NDA does not change the § 502 analysis directly, but it strengthens the case in two ways. First, the NDA helps establish what was “authorized” access — conduct outside the NDA is more clearly “without permission.” Second, breach of the NDA is a parallel cause of action that may carry its own contractual fee-shifting clause.
Q: Can a former officer or partner be sued under § 502?
A: Yes. The “without permission” element applies regardless of the actor's former title. Once a partner or officer's authority terminates (departure, removal, expulsion), continuing access to the company's systems can violate § 502. Such cases also typically include breach-of-fiduciary-duty claims.
Q: Do I need to involve law enforcement?
A: No. The civil cause of action under § 502(e) is independent of any criminal prosecution. Many businesses pursue civil remedies without filing a criminal report. That said, in egregious cases a parallel criminal referral can be useful: criminal subpoenas may produce evidence not available in civil discovery, and a conviction can be used as collateral estoppel in the civil case.
Q: Can I get attorneys' fees if I win?
A: Yes, the court may award reasonable fees to a prevailing plaintiff under § 502(e)(2). The award is discretionary, not mandatory, but courts in business-fraud cases routinely grant fees when the violation is established.
About the author
Pavel Kolmogorov is the founder of Kolmogorov Law, P.C., a California business-litigation boutique in Irvine. He earned his LL.M. from the University of California, Berkeley School of Law and is licensed in California (SBN 321018), the District of Columbia, and the U.S. District Courts for the Northern, Southern, and Central Districts of California. He represents California businesses in breach of contract, fraud, UCL/B&P 17200, Penal Code 502, conversion, intentional and negligent interference, trade secrets, and partnership/shareholder disputes. Chambers and Partners 2026 recognized him in the Spotlight Guide for Litigation: General Commercial in Orange County.
This guide is general legal information, not legal advice for your specific situation. California law changes, and the facts of every dispute differ. To discuss how the principles in this article apply to your matter, contact our office at (909) 235-6116 or visit our contact page.
Need help? Contact Kolmogorov Law, P.C. at (909) 235-6116 or visit our contact page to schedule a consultation with our California business litigation team in Irvine, California.
Comments
There are no comments for this post. Be the first and Add your Comment below.
Leave a Comment