Monday, October 28, 2013

Court of Appeal: State Anti-Hacking Criminal Statute Applies to Employee

Childs was a senior engineer for the City and County of San Francisco.  Via a series of events, he assumed significant control over a major part of the city's IT infrastructure, against the wishes of management.  I'm oversimplifying here.  The opinion contains all the gory IT details, and there are many.

At different times, management attempted to retrieve network passwords, which Childs refused to provide.  He claimed certain network configurations were his intellectual property, and he claimed that there would be a risk of disclosure of the passwords.  He also stored the passwords in such a way that they would be erased if the network had a power outage, resulting in the need to entirely reconfigure the system.

By the time Childs was fired, he had assumed total control of the network.  He became threatening and combative when another employee came to his offices to conduct an inventory.  After many meetings, the city naturally attempted to reassign Childs to another job.  Management and the police met with him to recover the passwords.  He refused to provide them, with police "pleading" with him for cooperation.

The city was locked out of its own computer system for several weeks.  Childs ultimately returned the correct passwords via his attorney, directly to the Mayor at the time.

Childs eventually was convicted under California Penal Code Section 502.  As told by the Court,

Section 502, subdivision (c)(5) makes it a crime for any person who “[k]nowingly and without permission disrupts or causes the disruption of computer services or denies or causes the denial of computer services to an authorized user of a computer, computer system, or computer network.”

One of Childs's many arguments was that he was an authorized user because the City employed him. Therefore he was not acting "without permission."  The Court of Appeal affirmed the conviction:

It appears that subdivision (c)(5) may properly be applied to an employee who uses his or her authorized access to a computer system to disrupt or deny computer services to another lawful user.

The opinion contains details about how the employee was able to take over the city's computer system.  Employers: don't let this happen to you. Ensure you have outside help to create secure "back doors" and fail-safe ways of accessing the system. The employment law upshot is: employers should ensure there are policies for IT engineers defining what is authorized and unauthorized access / permission. Then, if an IT employee goes off the rails, it is easier to raise the issue of criminal prosecution.

Criminal Background Check

Here's another interesting part of this case.   I say interesting because of all the negative attention the government is giving to employers conducting criminal background checks.  Perhaps this case will serve as a reminder that criminal background checks could be a good idea for positions such as Childs's.

Childs lied on his employment application, because he had been convicted of several crimes out of state but did not list the convictions.  

More than once during his employment, Childs was asked to undergo a background check:

In February 2005, a San Francisco County sheriff told Childs that he needed to undergo a criminal background check. Childs offered both his California and Kansas driver's licenses to the sheriff, prompting an out-of-state inquiry. The sheriff discussed his findings about Childs's criminal history with his supervisor, who agreed that Childs could work on the project. Months later, the sheriff acknowledged to Childs that he knew of this criminal history when he praised the network engineer for “turning his life around.”

Oops. Then,

By the end of 2007, the city was planning how to connect the city's law enforcement functions on FiberWAN. The combined system would allow users access to state and federal databases. For security reasons, all DTIS employees had to pass a criminal background check in order to have access to the law enforcement system. Childs had adult felony convictions that he had not revealed when he applied to work for the city. When asked to submit to a voluntary background check, Childs balked. Instead, he made a temporary arrangement with Tong and law enforcement officials to have Ybanez—who had passed his background check—escort him when Childs was required to work on the law enforcement network. This procedure continued to be used through July 9, 2008.

So, he said "no background check for me," and they went for it.

Long after Childs refused to provide the passwords to his supervisor, and after there were discussions about how to rein in Childs, a manager pondered...

Robinson knew that Childs had not passed his background check. He sought out more information about the engineer's criminal history. Reviewing the reports that Childs gave during the hiring process, Robinson saw the discrepancy between his initial job application reflecting no prior convictions and his time-of-hiring forms in which he admitted that he had once been convicted as an adult. Tong believed that Childs had suffered a juvenile conviction, but Robinson learned that Childs had been convicted of a criminal offense as an adult. The adult conviction and the perjured filing of personnel records were both grounds for dismissal.

And they still did not fire him for lying or because the convictions rendered him unfit.  Anyway, that's a slice of personnel management in San Francisco.

The case is People v.  Childs and the opinion is here.