The law that he broke was a section CA Penal Code 502, specifically that he disrupted or denied computer service to an authorized user and he did so without permission.
Refusing to provide a password is absolutely not a denial of service. That's like claiming losing keys to a rack in a data center is a denial of service.
However, he made one of the biggest mistakes then that he could have. While under police surveillance, he decided then to leave the state and make cash withdrawals of over $10,000. He was arrested, and that's where it became a criminal matter instead of simply an employment matter.
How this is a criminal act? Was he under court order to stay within the state of California and not touch his money?
This whole case was never a criminal matter.
Please re-read all the replies before that post. The problem wasn't the refusal of providing a password, but the refusal of providing ANY access at all. Combine that with the attempt to leave the state and it looks likely that he was going for a Denial Of Service in the most literal sense of the word. That's what got him convicted, not a refusal to hand over a password.
To rephase the issue, the city accused him of Denial of Service. His actions support that accusation. There are penalties for DOS-attacks and he got hit with 'em. Now, the DOS-attack would never have taken place if the city management had not been completely incompetent - that is very clear. But if I had been a juror on this, and with the explanations given above, I would have considered him guilty too.
That said, I might still have hesitated to actually vote that way, given the circumstances. But it looks like he did a Denial of Service on the city and yes, that carries a stiff penalty.
"The trouble with doing something right the first time is that nobody appreciates how difficult it was." -- Walt West