Monday, October 31, 2016

The Former Employees, the Company-Issued Laptops and “Computer Crime”

This post examines an opinion from the Colorado Court of Appeals:  People v. Stotz, 2016 WL 611726 (2016).  The court begins the opinion by explaining that “[d]efendants Matthew Stotz and Gustav Eicher, appeal the judgments of conviction entered on jury verdicts finding them guilty of computer crime.” People v. Stotz, supra.
The court goes on to explain how, and why, the prosecution arose:
Until their resignations in July 2012, defendants worked for the Denver office of Electric Power Systems (EPS), a nationwide company that performs electrical testing for utilities and industrial and commercial clients. Stotz was the regional operations manager, and Eicher was the sales manager for industrial and commercial clients.

In the spring of 2012, defendants became unhappy with some circumstances of their employment with EPS. Along with three other Denver EPS employees, they resigned on July 23, 2012, after accepting job offers from EPC, a competitor of EPS. . . .

Sometime after defendants returned their company-issued laptops and left the company, EPS realized that information it needed on past, current, and potential jobs was missing from the laptops. Such information included data from the tests EPS performed on its customers' power equipment, reports on the test results that EPS prepared for its customers, the individual `test macros’ or models EPS designed for each facility before testing it, bids and quotes for potential jobs, and equipment inventory and scheduling for upcoming jobs.

EPS employees testified that this information should have been stored on defendants' laptops for every job they had worked on at EPS. However, Eicher's laptop contained no such information for any job, and an EPS employee testified that Stotz's laptop had incomplete information regarding some jobs. Also missing from defendants' laptops were the manuals issued by the manufacturers of the equipment being tested, which detailed the equipment's specifications, its intended use, how to install it, and when and how to maintain it.

Manuals were issued for each equipment model and year, and there was evidence presented at trial to support a conclusion by the jury that they were essential for performing the testing. Electrical engineers like defendants collected and kept the manuals that they used for work; for instance, Stotz testified that he uploaded over 7000 manuals to his EPS laptop when he started working there.

EPS hired a computer forensic company to determine what had been deleted from defendants' laptops and to recover, if possible, the deleted documents. Evidence at trial showed that Stotz and Eicher had first copied files from their EPS laptops onto USB hard drives and then deleted the files from the laptops. Along these lines, the owner of the forensic computer company testified that he recovered 3700 deleted files and 1800 deleted e-mails from Stotz's computer and 8200 deleted files and 25,000 deleted e-mails from Eicher's computer.
People v. Stotz, supra.
The opinion then explains that
[b]oth Stotz and Eicher testified at trial. Neither disputed that they copied files from their company laptops onto personal external hard drives and then deleted the files from their laptops before leaving EPS.

Stotz testified that he copied files so that he would have information relating to the projects he had worked on at EPS in case he needed it to protect himself from liability if a problem arose in the future with one of the projects. He testified that he downloaded onto his external hard drive over 24,000 EPS files before he resigned, including 7000 manuals.

Stotz denied deleting any testing data or other data regarding any EPS projects from the laptop, although he admitted to deleting the 7000 manuals. He testified that he did not believe deleting the manuals would hurt EPS because he had brought with him or obtained all the manuals himself, and he had made sure that the remaining EPS employees had copies of all the manuals he had before deleting them. He testified that most of the other files that he deleted were personal music, photo, and video files.

Eicher testified that only about 20% of the documents he copied and then deleted from his company laptop were EPS materials, and the remaining 80% were documents from his prior employment that he had loaded onto his EPS laptop. He claimed that he copied the EPS documents so that he would have a personal copy of his quotes and projects for his own reference in the future.

Regarding the deletions, Eicher testified that his understanding was that after his resignation the laptop would go to EPS's IT department and all the files on it would be erased to prepare the laptop for use by another EPS employee. He testified that he thus believed that it was not improper to erase all of the laptop's files and software other than Microsoft Word and Excel, which was the condition in which he had received the laptop when he was hired. He testified that the manuals that he deleted consisted primarily of manuals he had uploaded to the computer when he began working for EPS. He denied that he was trying to hurt EPS by deleting them; rather, he believed that there was no need to leave the manuals on the laptop because he believed it would be wiped clean after he left.

Eicher testified that he deleted bids and quotes from his laptop because `deleting bids was a normal thing’ for him and he deleted them as he `went along.’ He testified that he filed a hard copy of every bid and quote, and the information relating to every job or project, in paper folders that remained in the EPS office after he resigned. He also testified that a spreadsheet he had prepared and given to other EPS employees before leaving EPS showed every current job he was involved in and its status. He thus denied that he intended to harm EPS by deleting all his quotes, bids, and project files from the laptop because he believed that the hard copies of all the information relating to outstanding bids and past and in-progress jobs were in the office's paper files.
People v. Stotz, supra.
The court then summarized the evidence the prosecution presented at trial:
Although Eicher testified that he left the office's paper quote and job files organized, complete, and intact, some of the EPS employees who testified at trial disputed his assertion. For instance, Thomas Reed, who owned EPS along with his brother Steven and their father, testified that the Denver office was missing information relating to quotes. He testified that employees consequently were not always aware of upcoming jobs and sometimes failed to show up at job sites for scheduled jobs. He also testified that because the office was missing some of the reports for jobs that had already been completed, EPS could not provide them to their customers, as required by their contracts.

Steven Reed likewise testified that after the resignations, Denver employees frequently did not know what jobs or quotes were pending, and they (embarrassingly) had to ask their customers to forward EPS quotes to them so that they could determine what needed to be done. And employee Michael Benitez testified that employees often did not know when and where they were scheduled to work and the specifics of the work that needed to be done, in part because the spreadsheet Eicher had provided was missing critical information. Other EPS employees gave similar testimony.
People v. Stotz, supra.
The Court of Appeals then explained that
EPS filed a civil suit against the five employees, including defendants, who had resigned on July 23, 2012. EPS sought to enforce the noncompete agreements each employee had entered into with EPS and to obtain money damages. Following a preliminary injunction hearing in October 2012, the district court mainly denied relief to EPS, concluding that the noncompete agreements were probably unenforceable. The court also determined that EPS probably could not establish that any data or documents in the possession of the civil defendants had been provided to EPC to the detriment of EPS.          
People v. Stotz, supra.
The opinion then addresses the filing of criminal charges, noting that in November of 2012,
EPS submitted a formal complaint to the Economic Crime Unit of the Denver District Attorney's (DA's) office, seeking criminal prosecution of defendants. The DA's office filed criminal charges against defendants in January 2013. . . .

Defendants were charged with computer crime, causing loss of $1000 or more but less than $20,000; conspiracy to commit computer crime; conspiracy to commit theft; theft of trade secrets; and conspiracy to commit theft of trade secrets. A jury convicted defendants of felony computer crime but acquitted them of the other charges. The trial court sentenced defendants to a two-year suspended prison sentence, imposed two years' probation, and awarded EPS $104,920.26 in restitution, for which defendants are jointly and severally liable.
People v. Stotz, supra.
On appeal, Stotz and Eicher argued, among other things, that “the computer crime statute under which they were convicted is unconstitutional on its face and as applied to them because it . . . provides inadequate guidance regarding what conduct is prohibited and thus is void for vagueness”.  People v. Stotz, supra. The Court of Appeals began its analysis of their argument by explaining that
[w]e review de novo a constitutional challenge to a statute. People v. Cisneros,2014 COA 49, 356 P.3d 877. Statutes are presumed to be constitutional, and the party challenging the statute has a heavy burden to establish that it is unconstitutional. See People v. Cisneros, supra.
People v. Stotz, supra.
Next, the Court of Appeals outlined what is involved in bringing a void for vagueness challenge to a criminal statute:
Due process `requires that a penal statute define [a] criminal offense with sufficient definiteness that ordinary people can understand what conduct is prohibited and in a manner that does not encourage arbitrary and discriminatory enforcement.’ Kolender v. Lawson, 461 U.S. 352 (1983). . . . A statute is unconstitutionally vague under the void-for-vagueness doctrine if it `fail[s] to provide the kind of notice that will enable . . . . the ordinary citizen to conform his or her conduct to the law,’ City of Chicago v. Morales, 527 U.S. 41 (1999), or “its standards are so ill-defined as to create a danger of arbitrary and capricious enforcement,’ People v. Shell, 148 P.3d 162, 172 (Colorado Supreme Court 2006).

Thus, in addressing a void for vagueness challenge, we must determine `whether the statute “forbids or requires the doing of an act in terms so vague that persons of ordinary intelligence must necessarily guess as to its meaning and differ as to its application.”’ People v. Gross, 830 P.2d 933, 937 (Colorado Supreme Court 1992) (quoting People v. Becker, 759 P.2d 26, 31 (Colorado Supreme Court 1988)).

A statute may be challenged as unconstitutionally vague either on its face or as applied to particular conduct. People v. Devorss, 277 P.3d 829, 835 (Colorado Court of Appeals 2011). A statute is unconstitutionally vague on its face if it is incomprehensible in all of its applications. People v. Shell, supra. A statute is unconstitutionally vague as applied if it does not, with sufficient clarity, prohibit the conduct against which it is enforced. People v. Devorss, supra.  If a defendant's conduct is clearly proscribed by the statute—that is, the statute is not vague as applied to the defendant's conduct—the defendant cannot successfully challenge the vagueness of the law on its face or as applied to the conduct of others. See People v. Perea, 74 P.3d 326, 332 (Colorado Court of Appeals 2002).

We apply familiar principles of statutory interpretation in analyzing a vagueness challenge. Our primary task is to ascertain and give effect to the intent of the legislature. Whimbush v. People, 869 P.2d 1245, 1249 (Colo. 1994). `To determine legislative intent, we begin with the language of the statute itself and interpret statutory terms in accordance with their commonly accepted meanings.’ Whimbush v. People, supra. If the plain language of the statute is clear and unambiguous, we must apply it as written. People v. Goodale, 78 P.3d 1103, 1107 (Colo. 2003). `Only when the statute is unclear or ambiguous may we look beyond the words of the statute to legislative history or rules of statutory construction.’ People v. Goodale, supra.
People v. Stotz, supra.
The Court of Appeals began its analysis of the defendants’ arguments as to why their convictions should be reversed, explaining that the section of the computer crime statute under which defendants were convicted provides:
`A person commits computer crime if the person knowingly: ... (e) Without authorization or in excess of authorized access alters, damages, interrupts, or causes the interruption or impairment of the proper functioning of, or causes any damage to, any computer, computer network, computer system, computer software, program, application, documentation, or data contained in such computer, computer network, or computer system or any part thereof.’

People v. Stotz, supra.
The opinion goes on to explain that the
terms `authorization,’ `in excess of authorized access,’ and `damage’ are defined by statute:

(1) `Authorization’ means the express consent of a person which may include an employee's job description to use said person’s computer, computer network, computer program, computer software, computer system, property, or services as those terms are defined in this section. . . . 

(6.3) `Damage’ includes, but is not limited to, any impairment to the integrity of availability of information, data, computer program, computer software, or services on or via a computer, computer network, or computer system or part thereof.

(6.7) `Exceed authorized access’ means to access a computer with authorization and to use such access to obtain or alter information, data, computer program, or computer software that the person is not entitled to so obtain or alter.

People v. Stotz, supra.
The court explains that the
jury was instructed on the statutory definitions of these terms and the elements of computer crime.

First, we conclude that the term `knowingly’ in section 18–5.5–102(1)(e) applies to every element of the offense. `When a statute defining an offense prescribes as an element thereof a specified culpable mental state, that mental state is deemed to apply to every element of the offense unless an intent to limit its application clearly appears.' § 18–1–503(4), Colorado Revised Statutes 2015. Because the term `knowingly’ in section 18–5.5–102(1)(e) is placed immediately before a colon establishing the elements of the crime, we must assume that the General Assembly intended the term to modify every element of the offense; no contrary legislative intent clearly appears. Accordingly, a person commits computer crime under the statute if he knowingly commits one of the statute's proscribed acts knowing that he does so `[w]ithout authorization or in excess of authorized access.’ See § 18–5.5–102(1)(e).
People v. Stotz, supra.
The Court of Appeals then began its analysis of the issues, and the arguments, in the appeal.  It divided the analysis into two categories: (i) the facial challenge to the statutes and (ii) an as applied challenge to the statutes.  The court addressed the two challenges in this order.
It began with the facial challenge, explaining that the defendants argued that
Colorado Revised Statutes § 18–5.5–102(1)(e) is void on its face because the phrase `causes any damage to . . . data contained in [a] computer’ is not adequately concrete to reasonably forewarn persons of ordinary intelligence of what is prohibited. We disagree.

`A law is unconstitutionally vague only if it specifies no standard of conduct at all, and not if it requires a person to conform his or her conduct to an imprecise, but comprehensible normative standard.’ People v. Perea, 74 P.3d (Colorado Court of Appeals 2002).

The deletion of thousands of documents from one's employer's laptop clearly falls within the statutory definition of `damage.’ Colorado Revised Statutes § 18–5.5–101(6.3). The definition of damage is specific enough to provide a person of ordinary intelligence notice that the deletion of documents from a computer may cause damage to data contained in a computer. See People v. Shell, supra. Therefore, defendants have not established that the statute is incomprehensible in all of its applications. . . .
People v. Stotz, supra.
The opinion goes on to explain that
the Defendants express doubts regarding whether an individual actually `damaged’ data under the statute when the data was placed on the computers by the individuals themselves and hard copies of the deleted information were stored in a physical location. However, this was a factual issue for the jury to resolve; the plain language of the statute gives sufficient fair warning that `impairing the integrity of availability of information [or] data’ covers deleting documents from a company laptop such `that persons may guide their actions accordingly.’ See People v. Gross, supra.

Defendants also worry that because there is no malicious intent requirement in section 18–5.5–102(1)(e), if the statute is permissibly applied to a situation like theirs, any keystroke knowingly made by an employee on a company computer that alters content on that computer could form the basis for criminal charges. But in interpreting a statute, it must `be considered and read as a whole.’ People v. Randolph, 852 P.2d 1282, 1284 (Colo. App. 1992). The statute interpreted as a whole does not proscribe any keystroke that changes or deletes content on a computer; it only proscribes such an act if it is done knowingly without authorization or in excess of authorized access and with knowledge that it will impair `the integrity of availability of information, data, computer program, computer software, or services on or via a computer, computer network, or computer system or part thereof.’ See §§ 18–5.5–101, 18–5.5–102(6.3).

Accordingly, defendants' facial challenge to section 18–5.5–102(1)(e) based on the term `damage’ fails.
People v. Stotz, supra.          
The Court of Appeals then took up the defendants’ argument that the “statute is vague as applied to their actions because. . .  they had full authority over their own laptops, and management neither exercised any control, nor promulgated any rules or guidelines, over the placement, retention, or deletion of the content of their laptops”.  People v. Stotz, supra. The court began its analysis of this argument by explaining that
[m]uch of defendants' vague-as-applied argument focuses on the fact that EPS's employee handbook provided that `[l]ocal administrative rights and support of standard EPS hardware or software shall be granted to all employees,’ and testimony by defendants and other former and current EPS employees that EPS employees had full authority over the content of their laptops.

For example, Stotz testified that he had never received, nor believed that he needed to receive, prior authorization before downloading, uploading, or deleting documents from his computer, and that EPS never advised him regarding what he could or could not delete from his computer. He testified that, to him, `local administrative rights’ meant that he could do what he wanted with his computer.

Eicher similarly testified that he alone decided what to put on his laptop the entire time he worked for EPS, and there was no direct supervisory input, direction, or oversight from management or anyone else regarding what he should or should not do with his laptop. His understanding was that he had complete autonomy in adding, copying, or deleting material to or from his laptop.

Other former and current EPS employees provided similar testimony about decision-making authority over company laptops. Steven Reed, for example, testified that an employee did not need advance permission to download a document onto an EPS computer, and that no one at EPS supervised employees' day-to-day decisions about what to put on, or delete from, their computers.
People v. Stotz, supra.
The opinion explains that,
[n]evertheless, the prosecution's theory of liability at trial was that defendants knew that they were not authorized to delete the documents they deleted from their laptops at the time that they deleted them. To this end, Steven Reed testified that he had never authorized defendants to delete reports, records, test results, quotes, and the like from EPS's computers or computer networks. Thomas Reed also testified that he had never authorized defendants to delete that type of material from their computers, and that he never would have done so because maintaining that information was critical for EPS's business. During cross-examination, Stotz admitted that nobody authorized him to delete the files at issue, and that he did not ask permission before doing so. Eicher testified that nobody ever authorized him to delete EPS files.

The prosecution also adduced a significant amount of testimony on a data storage program called `SharePoint’ that EPS's Denver office used. Steven Reed testified that in January 2012, EPS management informed all offices that they were to start using a central drive to store their critical data. However, the management group in Denver, including Stotz, told Steven Reed that they were more comfortable using SharePoint for central data storage, and an agreement was reached between EPS management and the Denver office in April 2012 that all managers in Denver would save their information to SharePoint rather than the central drive.

But from April until defendants' resignations in July 2012, no documents from the Denver office were saved to SharePoint. Defendants and other Denver employees testified that SharePoint stopped working in April, and they were unable to save information to it from that point forward. The prosecution presented testimony from EPS employees that would permit the jury to infer that if it was true that SharePoint had not been working, the only reason defendants would have deleted critical information from their laptops was to harm EPS by destroying the only electronic copy of that information.
People v. Stotz, supra.
The opinion goes on to explain that
[w]e conclude that the plain language of section 18–5.5102(1)(e) prohibits, with sufficient clarity, an employee's knowing deletion of the only electronic copies of thousands of computer documents, when the employee knows that such deletion is not authorized by the employer. . . .

Although defendants had authority to access the documents they deleted, the jury necessarily determined that they exceeded such authorized access by deleting information that they were not authorized to delete. Accordingly, defendants' acts fall squarely within the statute's proscription of accessing a computer with authorization and using such access to knowingly damage information on the computer, knowing that they were not entitled to do so. . . .

Defendants' argument essentially boils down to an assertion that, under all the circumstances, they did not know, and reasonably could not have known, that they were not entitled to delete the documents. But the truth of this assertion was a factual question for the jury; it is not a proper basis for us to conclude that the statute does not provide fair notice that it forbids an employee from knowingly deleting files from a company computer, knowing that he did not have authorization to do so.
People v. Stotz, supra.
For these and other reasons, the Court of Appeals ultimately held that the “The judgments of conviction and the restitution orders are affirmed.” People v. Stotz, supra.

-->

No comments: