Most digital forensics examiners think about authorization in terms of client consent. If the client signs an engagement letter and says “examine these devices,” you’re covered.

In California, that’s only half the story.

California Penal Code § 502 — the state’s primary computer crime statute — creates liability for unauthorized access to computer systems that can apply even when you have your client’s permission, if the systems you’re examining belong to someone else or contain data beyond the scope of what your client can legally authorize you to access.

Understanding § 502 isn’t just about avoiding criminal liability (though that matters). It’s about being able to advise clients on what’s legally possible, structure engagements that produce admissible evidence, and recognize when an investigation is heading into territory that requires court authorization.


What California Penal Code § 502 Actually Prohibits

Section 502 is one of California’s broadest computer crime statutes. It prohibits a range of conduct involving unauthorized access to computer systems, but the provisions most relevant to forensic examiners are:

§ 502(c)(1): Knowingly accessing and without permission altering, damaging, deleting, destroying, or otherwise using any data, computer, computer system, or computer network to execute a scheme to defraud, deceive, or extort, or to wrongfully control or obtain money, property, or data.

§ 502(c)(2): Knowingly accessing and without permission taking, copying, or making use of any data from a computer, computer system, or computer network, or taking or copying any supporting documentation, whether existing or residing internal or external to a computer.

§ 502(c)(7): Knowingly and without permission accessing or causing to be accessed any computer, computer system, or computer network.

The phrase “without permission” is doing most of the work here, and it’s where the legal complexity lives.


“Without Permission” Under § 502

California courts have interpreted “without permission” broadly in some respects and narrowly in others.

The baseline: If you have no authorization from anyone with authority to grant access to a system, you’re acting without permission. Accessing a stranger’s computer, a competitor’s server, or an estranged spouse’s personal device without consent is clearly within § 502’s scope.

The scope limitation: Permission to access a system for one purpose doesn’t automatically extend to access for all purposes. Courts have applied this principle — borrowed from the federal Computer Fraud and Abuse Act (18 U.S.C. § 1030) — to find that employees who accessed employer systems for unauthorized purposes violated § 502 even though they had general authorization to use those systems.

For forensic examiners, this means: your client can authorize you to access systems your client controls. They cannot authorize you to access systems controlled by third parties. And even within systems your client controls, access that exceeds the scope of what the client authorized may create § 502 exposure.

The employer-employee dimension: Corporate clients frequently want forensic examinations of employee devices and accounts. The employer’s authorization to examine company-owned devices is generally sufficient for § 502 purposes. But if the examination extends to an employee’s personal accounts, personal cloud storage, or personal device — even one connected to the company network — the client’s authorization doesn’t reach that far.


When Examination Crosses Legal Lines

Let me give you the scenarios that most commonly create § 502 problems for forensic examiners.

Scenario 1: The Over-Broad Corporate Investigation

An employer hires you to investigate a suspected data theft. They want to know what the departing employee took. You image the company laptop — clean. The employer then says, “We think she also used her personal Gmail. Can you get into that?”

The answer is no — not without the employee’s consent or legal process. The employer can provide access to company-owned systems. They cannot authorize access to a personal email account. If you access the Gmail account on the employer’s instruction, you’ve potentially violated both § 502 and the federal Stored Communications Act (SCA), regardless of whether your client asked you to.

Scenario 2: The Shared Family Device

In a domestic matter, your client is a spouse in a divorce proceeding. The family iPad is community property. Your client authorizes you to examine it. The examination reveals an iCloud account that auto-synced with the other spouse’s personal iPhone.

The iPad access is probably fine — it’s community property and your client authorized the examination. But the iCloud data that synced from the personal iPhone is from a system your client doesn’t control. Accessing that data without a court order crosses into § 502 territory even though it appeared on a device your client owns.

Scenario 3: Network Access During Examination

You’re examining a device and it’s connected to a network. The examination inadvertently — or intentionally — accesses other systems on the network. Even if those systems are within the client’s organization, access to systems not specified in your engagement authorization may exceed your permission.

This is why scope definitions in engagement letters matter, and why you should disconnect devices from networks before examination unless network forensics is specifically within scope.


Safe Harbor Provisions

Section 502 has several safe harbors that protect legitimate forensic activity.

§ 502(h)(1): The statute does not apply to any person who accesses his or her employer’s computer system, computer network, computer program, or data when acting within the scope of his or her lawful employment.

This protects corporate security teams doing internal investigations, but it doesn’t protect outside contractors unless they’re properly authorized agents of the employer and acting within a clearly defined scope.

§ 502(h)(2): The statute does not apply to any person or entity who provides computer services, and who accesses or causes to be accessed any computer, computer system, or computer network in the course of providing those services with the permission of the owner.

This is the closest thing to a forensic examiner safe harbor in the statute. The key requirement is “with the permission of the owner.” The “owner” is the person who owns or leases the system being accessed — not just anyone with some connection to it.

Practical implication: The safest path for forensic examiners is obtaining written authorization from the legal owner or authorized administrator of each system to be examined, specifying the scope of access, and maintaining that documentation throughout the engagement.


Client Authorization Requirements: What You Need in Writing

A proper engagement letter for California forensic examinations should do the following:

Identify the client and their authority. The signing party should have actual legal authority to authorize the examination. For corporate clients, that’s typically a C-level executive, general counsel, or IT director with delegated authority. For individual clients, it should be the person who owns or controls the devices and accounts to be examined.

Specify the devices and accounts. List every device by make, model, and serial number if known. List every account by platform and account identifier. Be specific. “All devices associated with [person]” is not specific enough if some of those devices belong to third parties.

Define the scope of examination. What are you looking for? What time period? What categories of data? An over-broad scope creates both legal risk (you may access data your client can’t authorize) and evidentiary risk (courts may question whether your examination was fishing rather than focused).

Document third-party limitations. Explicitly acknowledge in the engagement that access is limited to systems your client controls, and that access to third-party systems requires separate authorization or legal process.

Address cloud-synced data. Specifically address what happens if examination reveals cloud-synced data from accounts not owned by your client. Your protocol should be: document the existence of the data, stop accessing it, and advise counsel to seek appropriate legal process if the data is needed.


§ 502 Civil Liability

Beyond the criminal provisions, § 502(e) creates a private right of action for any owner or lessee of a computer system who suffers damage or loss from unauthorized access. Damages include compensatory damages, injunctive relief, and — importantly — punitive damages.

This means that in a divorce case where you access the opposing spouse’s accounts without authorization, or in a corporate investigation where you access an employee’s personal systems without consent, you’re not just looking at criminal exposure. The opposing party can sue your client — and potentially you — for civil damages.

The civil liability dimension makes the authorization question a practical business risk, not just an abstract legal concern. Forensic examiners who don’t get proper authorization paperwork aren’t just taking personal risks — they’re creating liability for the clients who hired them.


Frequently Asked Questions

Can my client authorize me to access a former employee’s work email account?

Yes, if it’s a company-managed email account on a company server or under a company-administered cloud domain. The company is the account owner or administrator and can authorize examination. If the former employee also used a personal email account — Gmail, Yahoo, personal domain — for work communications, accessing that account requires the former employee’s consent or legal process, regardless of what the company authorizes.

What if I discover evidence of a crime during a lawfully authorized examination? Am I required to stop?

You’re not required to stop the examination, but you should immediately notify your client and advise them to consult counsel before you proceed further. If you continue examining without that consultation, you risk either contaminating the criminal evidence chain or — if law enforcement later becomes involved — converting your private examination into a government search under the state action doctrine. Document everything about when and how you discovered the potential criminal evidence.

Does § 502 apply to remote forensic examinations?

Yes. The statute applies to unauthorized access regardless of whether it’s local or remote. Accessing a computer system remotely over a network without permission is covered. Remote forensic examinations need the same authorization documentation as on-site examinations — arguably more, because the access pathway may be harder to prove was authorized.