Friday, October 09, 2009

"Obtaining" versus Asportation

This post deals with one of the crimes created by 18 U.S. Code § 1030, the general federal computer crime statute.

More precisely, it deals with one of the elements of the crime created by 18 U.S. Code § 1030(a)(2)(A). Section 1030(a)(2)(A) makes it a federal crime to (i) intentionally access a computer without authorization or by exceeding the scope of one’s authorized access to a computer and (ii) thereby obtain “information contained in a financial record of a financial institution, or of a card issuer . . . or contained in a file of a credit reporting agency”.

In January, 2008, Regina Tolliver, a former customer service representative at the King of Prussia Mall branch of Citizens Bank, was indicted on one count of violating § 1030(a)(2)(A). She was also indicted on one count of bank fraud and several counts of identity theft, but we’re only concerned with the § 1030(a)(2)(a) charge. You can find the indictment here. She went to trial and, as this new story notes, was convicted on all counts.

After being convicted, she filed a motion with the federal court asking the judge to either enter a judgment of acquittal or grant her a new trial. Tolliver argued that the evidence presented at trial did not prove her guilt beyond a reasonable doubt. U.S. v. Tolliver, 2009 WL 2342639 (U.S. District Court for the Eastern District of Pennsylvania 2009). Here is the court’s summary of the evidence presented at trial:

An investigation revealed that several false checks were cashed against the accounts of seven Citizens Bank customers between March and November of 2007. . . .

All of these false checks . . . were drawn on a bank other than Citizens Bank. Once the foreign banks refused to pay, the customers were charged the face value of the checks. . . . [but] since the customers were . . . victims of fraud, Citizens Bank credited their accounts for the full value of the loss. . . . [amounting] to $181,577.00. . . .

Todd Swoyer, the fraud investigator . . . assigned to this case, testified about the computer systems Citizens Bank utilized at the time . . . The systems contained customers' personal information, including names, addresses, dates of birth, social security numbers, driver's license numbers, Citizens Bank account numbers and the amount of money in those accounts. Bank employees could access this information through two systems-the main frame system and the touch point system-by entering their employee number and password. . . .

When a Citizens Bank employee accesses either system, data concerning that activity is archived into an employee tracking system for six months. This data can be recalled to determine the employee number and password entered to access certain accounts. This is known as the employee's `footprint.’ . . .

Swoyer ran a footprint report for each of the accounts that had been compromised. [His] investigation revealed that Defendant's employee number was the only common employee number that had accessed these seven individuals' account information. [His] searches also revealed that, with one exception, after the account information was looked up, someone called the Citizens Bank automated system to check the balances of those accounts either shortly after [they] were accessed or shortly before the fraudulent checks were cashed against the accounts. All of the victims who testified stated that they had not made those calls.

The Citizens Bank branch at the King of Prussia Mall maintained several universal computer terminals, which any employee could log onto using her employee number and password. Swoyer's investigation revealed that the seven customers' accounts were accessed under Defendant's employee number on February 5th and 8th of 2007 and on March 7th, 8th, and 9th of 2007. The Citizens Bank information technology service was able to determine that the first accounts that were hit were accessed from the King of Prussia Mall branch, where Defendant worked. Defendant's employee number was in use at three different terminals at the same time on that day. However, it was not uncommon for an employee to be logged into multiple terminals at once.

Employee schedules and . . . attendance records revealed that [she] worked on all of the days that her password was used to access the victims' accounts. [Her] employee log book for those dates reflected that she had not contacted any of the seven victims for sales or business purposes. Nor was [she] assigned to contact any of these individuals for sales purposes. Palma Salvucci, the branch manager in 2007, testified that Citizens Bank employees would not be permitted to look at a customer's account and personal information for a reason other than one related to Citizens Bank's business. . . .

Swoyer and Postal Inspector Frank Busch interviewed Defendant on March 15, 2007. [She] told Swoyer she had not given her password to anyone, and stated that she always locked her computer when she walked away from a terminal. . . .

Busch, the Government's expert on financial crimes, testified. . . . that . . . bank fraud schemes involve . . . a ring leader who heads the operation; a second in command who . . . recruits individuals to assist in the operation; individuals who . . . create counterfeit documents; drivers who take check runners to the bank to cash the false checks; check runners who . . . cash the checks; and individuals, such as employees at banks . . ., who access personal information to be used in the scheme. . . .

Busch also explained that . . . a bank employee will access personal information, write it down or print it out, and then pass it along to be used in the scheme. It is common, as was the case here, for someone in the scheme to call the automated system to confirm that the targeted accounts are active and functioning properly.

U.S. v. Tolliver, supra.

Tolliver’s primary argument as to why she should get a new trial on or be acquitted of the § 1030(a)(2)(A) count was that the prosecution did not prove beyond a reasonable doubt that “the accessed [account] information was recorded or possessed” by her. U.S. v. Tolliver, supra. The federal judge rejected this argument.

He explained that to convict Tolliver of violating § 1030(a)(2)(A), “the Government was required to establish that she `intentionally access[ed] a computer without authorization or exceed[ed] authorized access and thereby obtain[ed] . . . information contained in a financial record of a financial institution”. U.S. v. Tolliver, supra [emphasis added]. The judge reviewed the legislative history of § 1030(a)(2)(A) (e.g., what Congress said in adopting the statute) and found it “makes clear `that “`obtaining information’ in this context includes mere observation of the data.’” U.S. v. Tolliver, supra (quoting U.S. Senate Report No. 99-432 (1986)). The 1986 Senate Report says “`[a]ctual asportation, in the sense of physically removing the data from its original location or transcribing the data, need not be proved . . . to establish a violation of” what is now § 1030(a)(2)(A). (The provision had a different number when the Senate Report was drafted.)

The Senate Report included that observation because the U.S. Department of Justice had “expressed concerns” that the use of the phrase “obtains information” in what is now § 1030(a)(2)(A) “might require the prosecution to prove asportation of the data in question”. Senate Report No. 99-432, supra. As Wikipedia notes, asportation (carrying away) has historically been an element of larceny (theft) crimes; indeed, asporation is inherent in the dynamic of real-world theft crimes. To commit theft, the thief must take the property that is to be stolen from the victim and carry it away, since the whole purpose of theft is to transfer possession and control of property from the rightful owner to the thief.

The Senate Report explains that asportation is not an element of the § 1030(a)(2)(A) crime because “the premise of this subsection is privacy protection”, not theft, as such. Senate Report, supra. In a 1996 report issued on legislation that amended § 1030, the Senate expanded on the reasoning behind not including an asportation requirement in the § 1030(a)(2)(A) crime. Senate Report No. 104-357 (1996).

`Information’ as used in this subsection includes information stored in intangible form. Moreover, the term `obtaining information’ includes merely reading it. There is no requirement that the information be copied or transported. This is critically important because, in an electronic environment, information can be `stolen’ without asportation, and the original usually remains intact.

Senate Report No. 104-357, supra.

You may be wondering if any of this makes sense in the real world . . . because Tolliver must have written down or printed out the account information she allegedly accessed without being authorized to do so. It’s unlikely that she was able to memorize it and recall it without making notes at some point.

That, though, is not what was at issue in the § 1030(a)(2)(A) charge. Tolliver committed that crime when she looked at the account information in the bank's computer systems without being authorized to do so or by exceeding the scope of her authorized access to the systems. The asportation of the account information (by writing it down and carrying it away or by remembering it and later writing it down or repeating it to one of the participants in the fraud scam) was relevant when it came to the identity theft and bank fraud charges. Those charges concerned how the information, once obtained, was used. The gravamen of the § 1030(a)(2)(A) charge was Tolliver's violating the privacy of the information being held in the bank's computer systems by accessing it without being authorized to do so.

1 comment:

Anonymous said...

Fascinating article. In my opinion, this Postal Inspector Frank Busch should win the Law Enforcement Officer of The Year award!