THRIFTY-TEL, INC., Plaintiff and Respondent, v. Myron BEZENEK et al., Defendants and Appellants.
A telephone long distance carrier prevailed on fraud and conversion theories against Myron and Susan Bezenek—whose teenage sons 1 employed computer technology in their efforts to crack plaintiff's access and authorization codes and make long distance phone calls without paying for them—garnering a judgment, including attorney fees, just shy of $50,000. Defendants challenge the court's determination that causes of action for fraud and conversion lie on these facts and complain of plaintiff's failure to mitigate and prove damages. They also contend that the court erred in calculating damages based on the company's own tariff on file with the Public Utilities Commission (PUC). Finally, defendants argue Civil Code section 1714.1 precludes damages based on conduct by a minor who is not their child and, in any event, limits damages to no more than $10,000.
Thrifty–Tel, Inc. provides long-distance telephone services. Subscribers' telephones are programmed with a confidential access code and a six-digit authorization code that directs calls into Thrifty–Tel's computerized switching network.2 An unauthorized user who knows both an access and an authorization code can make long-distance calls without being charged for them.
A friend of the Bezeneks' children knew a confidential Thrifty–Tel access code. During a three-day period in November 1991, Ryan, Gerry and some friends, using the Bezeneks' home computer and modem, gained entry into Thrifty–Tel's system with the code and conducted manual random searches for a six-digit authorization code. They made approximately 90 calls, consuming roughly 24 minutes of telephone time during the first two days. On the following day, Ryan and Gerry continued the search alone, making 72 manual attempts to identify an authorization code over an almost 16–minute period.
Through its internal security system, Thrifty–Tel learned of the computer hacking almost immediately. And by late November, the carrier identified the Bezeneks' home as the source. Although Thrifty–Tel had the Bezeneks' address and telephone numbers, it failed to contact them concerning the matter.
After a three-month hiatus, the Bezenek children resumed manual searches for an authorization code. After several days and apparently some frustration with the slow pace, Ryan acquired computer software to expedite the quest. On February 18, 1992, he used the program to access Thrifty–Tel's system and conducted rapid-fire random number searches. He ran the program between six and seven hours, generating over one thousand three-hundred calls. Because Thrifty–Tel is a small carrier with relatively few telephone lines, Ryan's automated calling overburdened the system, denying some subscribers access to phones lines.
Still, Thrifty–Tel did not contact or complain to the Bezeneks. Instead, it filed this action on April 1, 1992, seeking damages for conversion, fraud, and reasonable value of services. The April Fools' Day lawsuit provided the Bezeneks' first notice of their sons' computer hijinks. In a trial to the court, defendants unsuccessfully sought judgment on the conversion and fraud causes of action, arguing those remedies were not available on these facts. (Code Civ. Proc., § 631.8.)
Thrifty–Tel offered no explanation for its failure to complain to the Bezeneks after the November 1991 hacking episode. It presented no evidence of any actual losses, either. Rather, plaintiff simply relied on the “unauthorized usage” tariff in its PUC-approved rate schedule to establish damages. That tariff, in effect, liquidates Thrifty–Tel's damages for computer hacking by imposing a $2,880 per day surcharge, a $3,000 “set up fee,” and a $200 per hour labor fee. It also provides for attorney fees and costs incurred to collect the tariff.3 Based upon this tariff, the trial court awarded plaintiff $33,720 in damages and nearly $14,000 in attorney fees and costs.
Defendants first contend the unauthorized use of confidential codes to gain computer access does not give rise to a cause of action for conversion. They rely on the historical underpinnings of the tort, which provided a remedy for the loss of intangible property interest, but only if those interests are reflected in something tangible that can be physically taken. (Moore v. Regents of the University of California (1990) 51 Cal.3d 120, 134, 271 Cal.Rptr. 146, 793 P.2d 479.) For example, the value of a stock certificate is not the cost of the paper, but the intangible interest it represents. When the certificate is stolen or placed in another's name without the owner's permission, the value of the loss is not the cost of the paper—a tangible—but the worth of the stock—an intangible. (Payne v. Elliot (1880) 54 Cal. 339.) Similarly, an individual who misappropriates a floppy disk which contains trade secrets, protected formulas, or customer lists can be liable for conversion. And the damages are the value of the information on the disk, not the de minimis price of the disk. (See, e.g., Prosser and Keeton on Torts (5th ed.1984) § 15, pp. 91–92 and Schneider v. Union Oil Company of California (1970) 6 Cal.App.3d 987, 993, 86 Cal.Rptr. 315.)
Courts have traditionally refused to recognize as conversion the unauthorized taking of intangible interests that are not merged with, or reflected in, something tangible. (Adkins v. Model Laundry Co. (1928) 92 Cal.App. 575, 583, 268 P. 939 [business goodwill]; Olschewski v. Hudson (1927) 87 Cal.App. 282, 286–288, 262 P. 43 [competitor's customer route]; Faircloth v. A.L. Williams & Associates (1992) 206 Ga.App. 764, 426 S.E.2d 601, 604–605 [unpaid commissions not evidenced by a receipt or certificate]; Matzan v. Eastman Kodak Co. (1987) 134 A.D.2d 863, 521 N.Y.S.2d 917, 918 [no protected interest in an idea].) And Dean Prosser has cautioned against scuttling conversion's tangibility requirement altogether, recommending instead the use of other remedies to protect intangible interests. (Prosser, supra, § 15, p. 92.) 4
Whether the intangible computer access code, which was never reduced to paper or reflected on a computer disk, and the tie-up of Thrifty–Tel's system could be the subjects of conversion presents an issue of first impression in California—and apparently most everywhere else as well.5 However, it is not necessary to resolve the question because the evidence supports the verdict on a trespass theory.
This very point was argued in the trial court, where defense counsel essentially conceded Ryan and Gerry trespassed, but maintained the mislabeling of the cause of action as one for conversion was fatal. Not so: “It has long been recognized that this court has the power to modify the conclusion of the court below, where the record supports it.” (Fredericks v. Filbert Co. (1987) 189 Cal.App.3d 272, 279, 234 Cal.Rptr. 395.) Thrifty–Tel pleaded and proved a claim for trespass to personal property, and the defendants are properly liable under that label.
Trespass to chattel, although seldom employed as a tort theory in California (indeed, there is nary a mention of the tort in Witkin's Summary of California Law), lies where an intentional interference with the possession of personal property has proximately caused injury.6 (See, e.g., Itano v. Colonial Yacht Anchorage (1968) 267 Cal.App.2d 84, 90, 72 Cal.Rptr. 823.) Prosser notes trespass to chattel has evolved considerably from its original common law application—concerning the asportation of another's tangible property—to include even the unauthorized use of personal property: “Its chief importance now,” according to Prosser, “is that there may be recovery ․ for interferences with the possession of chattels which are not sufficiently important to be classed as conversion, and so to compel the defendant to pay the full value of the thing with which he has interfered. Trespass to chattels survives today, in other words, largely as a little brother of conversion.” 7 (Prosser, supra, § 14, pp. 85–86; see also Zaslow v. Kroenert (1946) 29 Cal.2d 541, 551, 176 P.2d 1 [“Where the conduct complained of does not amount to a substantial interference with possession or the right thereto, but consists of intermeddling with or use of ․ the personal property, the owner has a cause of action for trespass” to chattel, but not for conversion].) 8
Plaintiff's cyber-fraud cause of action also applies a hoary common law theory to computer-age facts. The Bezeneks maintain they cannot be liable for fraud because the computer machinations did not constitute a misrepresentation and there was no evidence of reliance by Thrifty–Tel. Au contraire, asserts plaintiff: Ryan and Gerry's use of the confidential access code was the legal equivalent of a misrepresentation that they were authorized users of its services, and plaintiff relied to its detriment on that misrepresentation when its computer automatically granted them access to the network. Plaintiff's point is well taken.
A misrepresentation need not be oral; it may be implied by conduct. (See, e.g., Universal By–Products, Inc. v. City of Modesto (1974) 43 Cal.App.3d 145, 151, 117 Cal.Rptr. 525 and Prosser, supra, § 106, p. 736.) We are aware of no decision holding the unauthorized use of a telephone access code constitutes misrepresentation. But decisions in analogous circumstances support that conclusion. For example, in State v. Hamm (Mo.Ct.App.1978) 569 S.W.2d 289, the defendant used the bank card and personal identification number (PIN) of another person to steal cash at an automatic teller machine. Rejecting the assertion he made no misrepresentation, the court noted defendant's use of the card and confidential PIN was an implied misrepresentation as to his identity. (Id. at pp. 290–291.) 9 The same logic applies here.
But misrepresentation is only one element of a fraud cause of action; the plaintiff must also have relied on the misrepresentation to its detriment. True, no human at Thrifty–Tel received and acted on the misrepresentation. But California courts recognize indirect reliance. (Geernaert v. Mitchell (1995) 31 Cal.App.4th 601, 605–606, 37 Cal.Rptr.2d 483.) Moreover, the notion that reliance by an agent may be imputed to the principal, even though the misrepresentation was never communicated to the principal, is ensconced in California law. (See, e.g., Grinnell v. Charles Pfizer & Co. (1969) 274 Cal.App.2d 424, 441, 79 Cal.Rptr. 369; Toole v. Richardson–Merrell Inc. (1967) 251 Cal.App.2d 689, 707, 60 Cal.Rptr. 398.)
We view Thrifty–Tel's computerized network as an agent or legal equivalent. In this regard, State v. Hamm, supra, 569 S.W.2d 289 is again persuasive. There, the defendant argued a bank did not detrimentally rely on his misrepresentation to an automatic teller machine via the unauthorized use of someone else's bank card and PIN. Rejecting this contention, the court noted, “The machine was so programmed that no money would be paid out without the insertion of the appropriate card and the corresponding personal identification numbers. When those items were supplied, the response was programmed so as to pay out the money. No difference can be perceived whether the bank gave approval after the presentation of those identification items or whether it programmed its acceptance upon those conditions in advance. In either case, the bank equally relied upon the presentation of the card and personal identification.” (Id. at p. 291.) 10 Here, Thrifty–Tel depended on the access code to identify the boys as authorized users of the system. That reliance was detrimental because their access, in effect, permitted them to steal plaintiff's services.
At least four months before Thrifty–Tel sued, it knew the hacking occurred in the Bezenek home. But plaintiff neither notified the Bezeneks nor attempted to prevent a recurrence. Myron Bezenek's testimony that he would have stopped it immediately had he been advised of his children's activities was, not surprisingly, unrebutted. Accordingly, the Bezeneks complain plaintiff failed to mitigate its damages and insist they should not be liable for any losses suffered in the February 1992 escapade. We agree.
A plaintiff has a duty to mitigate damages and cannot recover losses it could have avoided through reasonable efforts. (Shaffer v. Debbas (1993) 17 Cal.App.4th 33, 41, 21 Cal.Rptr.2d 110.) Citing Service v. Trombetta (1963) 212 Cal.App.2d 313, 320, 28 Cal.Rptr. 68, Thrifty–Tel's only response is that mitigation does not “ ‘require a complex series of doubtful acts and expenditures.’ ” Picking up the telephone to reach out and touch the Bezeneks or sending them a letter was complex, doubtful, or expensive? Based on Myron Bezenek's unchallenged testimony, we must presume that simple expedient would have averted the second hacking episode. Accordingly, Thrifty–Tel is not entitled to recover damages for the February, 1992 event.
Because the judgment presumably included damages attributable to the February, 1992 incident, the judgment must be reversed and the matter remanded for a new trial on damages. But, as mentioned in Part I, Thrifty–Tel presented no evidence at trial of actual damages. (Civ.Code, § 3333.) It simply placed the unauthorized-use tariff in evidence and demonstrated it spent a certain number of labor hours to track down the invasion of its system. Defendants insist this falls short of a plaintiff's burden to prove actual damages. (Fields v. Riley (1969) 1 Cal.App.3d 308, 313, 81 Cal.Rptr. 671.)
We know of no authority—and Thrifty–Tel cites none—suggesting a plaintiff may satisfy this burden merely by producing a formula or figure that in the abstract purports to represent the average damages suffered as a consequence of similar torts. Indeed, to assess damages based on a statistical average might be unfair. For example, the facts here indicate the actual damages resulting from hacking may vary dramatically depending upon the hacker's method: The damage flowing from the boys' manual efforts were likely modest compared to that caused by the automated barrage in February, 1992. Thus, a damage award based on this relatively draconian tariff might produce a windfall in instances of de minimis hacking. (Cf. Smith v. County of Los Angeles (1989) 214 Cal.App.3d 266, 292, 262 Cal.Rptr. 754 [“the award of damages should be sufficient to make the [plaintiff] whole but not result in a windfall”].) Nor can Thrifty–Tel claim actual damages were not readily calculable: If it is able to determine an average loss for computer trespass, then surely it is able to produce evidence showing with reasonable certainty any damages caused by Ryan and Gerry in November 1991.
Nevertheless, Thrifty–Tel claims we must apply the PUC-approved tariff, insisting that to do otherwise would “interfere with the commission in the performance of its official duties” in violation of Public Utilities Code section 1759. We were troubled enough by this contention to solicit additional briefing and an amicus brief from the PUC.
The PUC's submission was particularly helpful and, perhaps surprisingly, did not support Thrifty–Tel. There we were told, “The [ ]PUC respectfully submits that its procedure for reviewing rates proposed by a non dominant interexchange carrier (NDIEC) does not assure that its unauthorized-use tariff bears a reasonable relationship to damages actually sustained by the company and would not, in every case, be a proper measure of liquidated damages.” The PUC explained, “In 1984, the [ ]PUC authorized firms to compete against AT & T in the long-distance (interexchange) telephone market. The new competitors were deemed to lack sufficient market share to maintain unreasonably high rates. Accordingly, their proposed initial tariff rates would be effective one day after filing and subsequent tariff revisions would become effective five days after filing. Complaints about the terms and conditions of the service of these carriers would be subject to the jurisdiction of the Commission.”
From these facts the PUC reached the following conclusion, with which we agree: “It cannot be held, as a matter of law, that the unauthorized use tariff represents the result of a reasonable endeavor by the NDIEC and consumers to estimate a fair average compensation for any loss that may be sustained by a customer's bypass of the telephone company's billing mechanism. If the amount calculated pursuant to the tariff is disproportionate to the anticipated damages, it will be defined as a ‘penalty.’ A contractual provision imposing a penalty is ineffective, and the wronged party can collect only the actual damages sustained. (Perdue v. Crocker National Bank (1985) 38 Cal.3d 913, 930, 216 Cal.Rptr. 345, 702 P.2d 503.) Whether the tariff collects fair average compensation or constitutes a penalty should be determined by the trier of fact.”
Thus, we need not pass on whether the PUC properly approved Thrifty–Tel's tariff or whether the tariff is reasonable; we merely hold the superior court erred in awarding contract or tort damages based on that tariff instead of requiring plaintiff to prove actual damages. A suit to collect a tariff is in the nature of a breach of contract action. (South Bay Transportation Co. v. Gordon Sand Co. (1988) 206 Cal.App.3d 650, 660–661, 253 Cal.Rptr. 753.) Whether Thrifty–Tel's hacking tariff is a valid liquidated damages provision for a breach of contract claim is not before us: The trial court ruled against Thrifty–Tel on its quasi-contract cause of action, and Thrifty–Tel did not pursue a protective appeal.
We also note that even if the PUC intended unauthorized-use tariffs to apply to tort claims against third parties, and it tells us it did not, that would only be true of AT & T for the reasons noted above. Also, the courts might well have jurisdiction notwithstanding Public Utilities Code section 1759. Although we need not, and do not purport to, decide that issue because the discussion in the previous section seems equally applicable here, section 1759 deprives the courts of jurisdiction only as to acts undertaken by the commission “in the performance of its official duties” and not acts in excess of its jurisdiction. (Stepak v. American Tel. & Tel. Co. (1986) 186 Cal.App.3d 633, 641–642, 231 Cal.Rptr. 37; see also Cellular Plus, Inc. v. Superior Court (1993) 14 Cal.App.4th 1224, 1245–1247, 18 Cal.Rptr.2d 308.) And the PUC does not have jurisdiction over all matters that simply have some bearing upon regulated utilities. (Masonite Corp. v. Pacific Gas & Electric Co. (1976) 65 Cal.App.3d 1, 7, 135 Cal.Rptr. 170.)
Although article XII, sections 4 and 6 of the California Constitution authorize the commission to establish rates utilities may charge for their services, it is a debatable question as to whether they empower the PUC to liquidate a utility's tort damages against third parties. (See, e.g., Bondanza v. Peninsula Hospital & Medical Center (1979) 23 Cal.3d 260, 152 Cal.Rptr. 446, 590 P.2d 22.) Our search of the Public Utilities Code for any statute permitting the commission to exercise such a power has been in vain.11 Similarly, we have located no decision that implies such authority.12
The Bezeneks raise the several issues concerning Civil Code section 1714.1, which holds parents vicariously liable for the willful torts of their minor children. They first complain they had no inkling plaintiff intended to rely upon Civil Code section 1714.1 until “after trial.” But section 1714.1 is expressly invoked in plaintiff's trial brief. The Bezeneks' notice of the theory before trial negates the claim that its absence from the complaint prejudiced them. (Robertson v. Wentz (1986) 187 Cal.App.3d 1281, 1292, 232 Cal.Rptr. 634.)
In addition, the Bezeneks claim they are not liable under Civil Code section 1714.1 for the hacking of their children's friends. But they never acted alone. They acted in concert with the Bezenek boys, and whatever losses plaintiff suffered arose from use of the Bezenek computer. The evidence indicates Ryan knowingly permitted his friends to use the Bezeneks' computer to gain access to Thrifty–Tel's computer and Ryan knew this was wrong. Thus, the trial court correctly determined his conduct to be intentional and willful. (Saunders v. Superior Court (1994) 27 Cal.App.4th 832, 845–846, 33 Cal.Rptr.2d 438.)
It is of no consequence that plaintiff did not plead a conspiracy between the Bezenek children and their friends or seek to amend the complaint after trial to conform to proof. A variance between pleading and proof is material only if it “actually misled the adverse party to his [or her] prejudice in maintaining [the] ․ defense upon the merits.” (Code Civ. Proc., § 469; see also Walker v. Belvedere (1993) 16 Cal.App.4th 1663, 1669–1670, 20 Cal.Rptr.2d 773.) That did not occur here: the Bezeneks knew plaintiff sued them based on their sons' conduct; and Myron Bezenek testified he learned from his sons “what had transpired and who was involved and how they went about doing it” well before trial.
Finally, defendants also note section 1714.1 limits parents' damages to $10,000 for each tort committed by their children. They suggest their sons' hacking efforts were all part of a continuous course of conduct amounting to a single tort for which no more than $10,000 may be awarded. Because we have concluded plaintiff did not properly prove damages—let alone damages in excess of $10,000—we decline to reach this issue.13
That portion of the judgment awarding damages is reversed. The cause is remanded to the superior court for a new trial to determine damages based on defendants' children's tortious conduct before February of 1992. In all other respects, the judgment is affirmed. Each side shall bear its own costs.
1. For convenience, we will refer to defendants as “the Bezeneks” and their children, Ryan and Gerry, by their given names.
2. Subscribers also presumably had an assigned set of numbers that permitted access to Thrifty–Tel's long distance network from other phones, but this case does not involve the theft of those numbers or any card or document bearing them.
3. Indeed, the Thrifty–Tel officer primarily responsible for drafting the tariff testified it represents the average cost of identifying computer hackers and lost revenues when customers switch to another long distance system because hacking impeded their phone use.
4. One commentator does recommend dispensing with the tangibility limitation. (Comment, The Conversion of Intangible Property: Bursting the Ancient Trover Bottle with New Wine, 1991 B.Y.U. L.Rev. 1681, 1714–1715.) But even that author notes numerous other legal theories might be employed concerning the misappropriation of or interference with intangibles. (Id. at p. 1700.)
5. In analogous circumstances at least two New York trial courts have held the unauthorized use of a telephone access code, without more, does not amount to the possession of stolen property because the codes are intangible. (See People v. Tansey (N.Y.Supr.1992) 156 Misc.2d 233, 593 N.Y.S.2d 426, 429–430; People v. Molina (N.Y.City Crim.Ct.1989) 145 Misc.2d 612, 547 N.Y.S.2d 546, 549; but see People v. Johnson (N.Y.City Crim.Ct.1990) 148 Misc.2d 103, 560 N.Y.S.2d 238, 243–244.)
6. At early common law, trespass required a physical touching of another's chattel or entry onto another's land. The modern rule recognizes an indirect touching or entry; e.g., dust particles from a cement plant that migrate onto another's real and personal property may give rise to trespass. (See Wilson v. Interlake Steel Co. (1982) 32 Cal.3d 229, 232–233, 185 Cal.Rptr. 280, 649 P.2d 922; Roberts v. Permanente Corp. (1961) 188 Cal.App.2d 526, 529, 10 Cal.Rptr. 519.) But the requirement of a tangible has been relaxed almost to the point of being discarded. Thus, some courts have held that microscopic particles (Bradley v. American Smelting and Refining Co. (1985) 104 Wash.2d 677, 709 P.2d 782, 788–789) or smoke (Ream v. Keen (1992) 314 Or. 370, 838 P.2d 1073, 1075) may give rise to trespass. And the California Supreme Court has intimated migrating intangibles (e.g., sound waves) may result in a trespass, provided they do not simply impede an owner's use or enjoyment of property, but cause damage. (Wilson v. Interlake Steel Co., supra, 32 Cal.3d at pp. 233–234, 185 Cal.Rptr. 280, 649 P.2d 922.) In our view, the electronic signals generated by the Bezenek boys' activities were sufficiently tangible to support a trespass cause of action.
7. Apparently no California decision has applied a trespass theory to computer hacking. But the Indiana Supreme Court has recognized in dicta that a hacker's unauthorized access to a computer was more in the nature of trespass than criminal conversion. (State v. McGraw (Ind.1985) 480 N.E.2d 552, 554.) And the State of Washington, in an effort to curtail hacking, has made unauthorized computer access a criminal offense under the rubric, “computer trespass.” (See, e.g., State v. Riley (1993) 121 Wash.2d 22, 846 P.2d 1365, 1373.)
8. Likewise, the Restatement Second of Torts, section 217 includes in the definition of trespass to chattel the intentional use or “intermeddling” with a chattel in the possession of another. (Id. at § 217(b).)
9. See also In re Berz (Bankr.N.D.Ill.1994) 173 B.R. 159, 162 (use of a credit card is an implied representation to the issuer that the holder has both the intent and the ability to pay the issuer) and Johnson v. State (Ala.Crim.App.1982) 421 So.2d 1306, 1310 (nonsubscriber's unauthorized charging of calls to subscriber's telephone number is an implied misrepresentation).
10. Cf. In re Brawner (Bankr.N.D.Ill.1991) 124 B.R. 762, 765 (use of a credit card implies a representation on which card's issuer reasonably relies in extending credit).
11. Plaintiff suggests Public Utilities Code section 451 somehow authorizes the PUC to liquidate a utility's tort damages. We think not. Section 451 does not mention the commission. Rather, it simply states that utilities' charges for services must be just and reasonable. And Thrifty–Tel here is not seeking payment for services; it is seeking damages on a tort claim.
12. Two California cases have held the PUC can limit the damages a third party may recover from a utility on a tort claim. (See Colich & Sons v. Pacific Bell (1988) 198 Cal.App.3d 1225, 1234, 244 Cal.Rptr. 714; Trammell v. Western Union Tel. Co. (1976) 57 Cal.App.3d 538, 553–554, 129 Cal.Rptr. 361.) But neither case involved the liquidation of a utility's damages against a third party. And they justified their conclusions that a utility's liability may be limited by noting that any large tort judgment ultimately would be passed on to the utility's ratepayers, frustrating the strong public policy favoring uniform and reasonable rates. Those concerns simply have no bearing here: A telephone company damaged by hackers can protect itself and its ratepayers simply by suing the hackers and proving actual damages.
13. The parties cite (and we have found) no cases interpreting section 1714.1's “each tort” language. However, there would appear to be at least three ways to apply that provision here. The boys may have committed a new tort each time they dialed Thrifty–Tel's access code. Alternatively, each episode of hacking—from when they turned the computer on until they switched it off—might be a separate tort. Or, as defendants suggest, the entire course of conduct—including the November 1991 and February 1992 attempts to crack Thrifty–Tel's authorization code—could be viewed as a single tort.
CROSBY, Acting Presiding Justice.
SONENSHINE and RYLAARSDAM, JJ., concur.