As I noted in an earlier post, the federal criminal code and various state statutes let someone who’s been the (alleged) victim of certain types of computer crime bring a civil suit seeking damages for the “harm” resulting from that crime. This post is about a Georgia gentleman – Larry Sitton -- who brought such a suit, under Georgia law, after his employer terminated his employment.
The case is Sitton v. Print Direction, Inc., __ S.E.2d __, 2011 WL 4469712 (Georgia Court of Appeals 2011), and this is how it arose:
[Print Direction, Inc. (`PDI’)] operated a commercial printing business and [William S.] Stanton was responsible for PDI's operations. PDI hired Sitton as an exclusive outside sales person in January 2005 and employed him as an at-will employee until he was discharged in September 2008. As an outside sales person, Sitton sold PDI's printing services and was required to bill all sales through PDI's accounting department, in order for the commission to be shared between PDI and Sitton.
When he was first hired, Sitton received a copy of PDI's Employee Manual, which provided that `[e]mployees may not take an outside job . . . with a customer or competitor of PDI.’ Nonetheless, during his employment by PDI, and without informing PDI or Stanton, Sitton brokered more than $150,000 in print jobs through Superior Solutions Associates LLC (`SSA’), a print brokerage business which Sitton's wife started in October 2007 and of which Sitton served as manager.
PDI provided Sitton with a laptop computer for use in connection with his work for PDI. However, Sitton chose to use his own computer, which he brought to his office at PDI, connected to PDI's system network, and used for PDI work. Sitton also used this computer for SSA work.
When Stanton `caught wind’ that Sitton was competing with PDI, he entered Sitton's office, moved the computer's mouse, clicked on the email listing which appeared on the screen, and printed certain emails from Sitton relating to a job for Apex Printing Company. These emails, which were on a separate email address from Sitton's PDI-issued email address, confirmed that Sitton was using SSA to compete with PDI. Stanton subsequently terminated Sitton as an employee of PDI.
Sitton v. Print Direction, Inc., supra.
After being discharged by PDI, Sitton sued the company and Stanton “for invasion of privacy and for computer theft and trespass in violation of Georgia Code § 16-9-93.” Sitton v. Print Direction, Inc., supra. The first three subsections of § 16-9-93 create the three causes of action Sitton asserted in his suit. Sitton v. Print Direction, Inc., supra.
Section 16-9-93(a) criminalizes computer theft, which consists of (i) using a computer or computer network “with knowledge that such use is without authority and with the intention of” (ii) “[t]aking or appropriating any property of another,” “[o]btaining property by any deceitful means” or “[c]onverting property to such person’s use in violation of an agreement or other known legal obligation”.
Section 16-9-93(b) criminalizes computer trespass, which consists of (i) using a computer or computer network “with knowledge that such use is without authority and with the intention of” (ii) “[d]eleting or in any way removing . . . any computer program or data from a computer or computer network”, “[o]bstructing, interrupting, or in any way interfering with the use of a computer program or data” or “[a]ltering, damaging, or in any way causing the malfunction of a computer, computer network, or computer program”.
And § 16-9-93(c) criminalizes computer invasion of privacy, which consists of using “a computer or computer network with the intention of examining any employment, medical, salary, credit, or any other financial or personal data relating to any other person with knowledge that such examination is without authority”.
As this opinion notes, “[f]ollowing a two-day bench trial,” the trial court entered judgment against Sitton”, i.e., he lost. He appealed, claiming the trial judge “erred in rejecting his claims under” Georgia Code § 16-9-93, i.e., his claims for computer trespass, computer theft and computer invasion of privacy. Sitton v. Print Direction, Inc., supra.
In addressing his arguments on appeal, the Court of Appeals noted that
Sitton contends that the trial court erred in determining that Stanton's viewing and printing the incriminating emails found on Sitton's personal computer did not constitute computer theft, computer trespass, or computer invasion of privacy under Georgia Code § 16-9-93. The court found that Stanton's use of Sitton's computer was not `without authority’ within the meaning of the statute.
Sitton v. Print Direction, Inc., supra.
The court began its analysis by explaining that under Georgia Code § 16-9-93,
[c]omputer theft is committed by one `who uses a computer or computer network with knowledge that such use is without authority and with the intention of’ taking, obtaining, or converting property of another. Similarly, a person commits computer trespass when he `uses a computer or computer network with knowledge that such use is without authority and with the intention of’ deleting any computer program or data; obstructing or interfering with use of a computer program or data; or altering, damaging, or causing to malfunction a computer, computer network, or computer program. A person commits computer invasion of privacy when he uses a computer or computer network `with the intention of examining any employment, medical, salary, credit, or any other financial or personal data relating to any other person with knowledge that such examination is without authority.’
It can be seen that these three computer offenses include at least the following elements: that the proscribed actions be taken `with knowledge’ that the use of the computer or the examination of the other person's data was `without authority’ and that the actions be taken with the requisite intent.
Sitton v. Print Direction, Inc., supra.
The Court of Appeals then found that Sitton had not proven Stanton acted with the requisite intent:
[T]he evidence fails to show that Stanton's use of Sitton's computer was `with the intention of’ performing any of the acts forbidden by the statute. Stanton did not, nor did he intend to: take, obtain, or convert Sitton's property (computer theft); delete any computer program or data, obstruct or interfere with a computer program or data, or alter or damage a computer, computer network, or computer program (computer trespass); or examine Sitton's personal data (computer invasion of privacy). Thus, Stanton's actions do not fall within the scope of subsections (a), (b), or (c) of [Georgia Code § 16-9-93].
Sitton v. Print Direction, Inc., supra.
The court also found that another element of the § 16-9-93
offenses -- lack of authority -- is also absent. The term `without authority’ is defined to include “the use of a computer or computer network in a manner that exceeds any right or permission granted by the owner of the computer or computer network.” [Georgia Code § 16-9-92(18)]. In the case at bar, Stanton found the incriminating emails on the computer Sitton used to conduct business for PDI. This computer was located in PDI's offices but was actually owned by Sitton. The trial court found that Stanton had authority to inspect this computer pursuant to the computer usage policy contained in PDI's Employee Manual, which Sitton had agreed to abide by when he started work with PDI.
Contrary to Sitton's contention, PDI's computer usage policy was not limited to PDI-owned equipment. The policy adverted to the necessity for the company `to be able to respond to proper requests resulting from legal proceedings that call for electronically-stored evidence’ and provided that for this reason, its employees should not regard `electronic mail left on or transmitted over these systems’ as `private or confidential.’
The trial court, acting as finder of fact, found that Stanton looked at an email on the screen of Sitton's computer at PDI. Whether the email was stored there permanently or only temporarily, the email was subject to review under the company's computer usage policy. Even if the email was `stored’ elsewhere, the company's policy also stated that `PDI will . . . inspect the contents of computers, voice mail or electronic mail in the course of an investigation triggered by indications of unacceptable behavior.’
Sitton v. Print Direction, Inc., supra.
In an effort to establish that Stanton acted without authority, Sitton relied on Pure Power Boot Camp v. Warrior Fitness Boot Camp, 587 F. Supp.2d 548 (U.S. District Court for the Southern District of New York 2008). Sitton v. Print Direction, Inc., supra. In that case, a former employee sued his former employer, arguing, among other things, that the ex-employer’s accessing his emails was unauthorized and violated a federal statute, the Stored Communications Act. Pure Power Boot Camp v. Warrior Fitness Boot Camp, supra.
The Georgia Court of Appeals found that Sitton’s reliance on the Pure Power Boot Camp case was
misplaced. In that case, a former employer hacked into its former employee's email accounts without authorization. In the case before us, the trial court did not find evidence of hacking. Instead, the court found that, when Stanton moved the mouse, the email account appeared on the screen of Sitton's computer. Sitton challenges this finding, but because there is evidence to support it, we will not disturb it on appeal.
Because Stanton's actions were not taken `without authority,’ the trial court did not err in denying Sitton's claim under [Georgia Code § 16-9-93].
Sitton v. Print Direction, Inc., supra.
The Court of Appeals therefore affirmed the trial court’s judgment, which included an award of $39,257.71 in damages to PDI, which filed a counterclaim after being sued by Sitton. Sitton v. Print Direction, Inc., supra. The counterclaim was apparently based on the argument that Sitton violated his “duty of loyalty or fiduciary duty” to PDI, a duty which apparently derived from provisions of PDI’s Employee Manual. Sitton v. Print Direction, Inc., supra.