This post examines an opinion from the Colorado Court of Appeals: People v. Stotz, 2016 WL 611726 (2016). The court begins the opinion by explaining
that “[d]efendants Matthew Stotz and Gustav Eicher, appeal the judgments of
conviction entered on jury verdicts finding them guilty of computer crime.” People v. Stotz, supra.
The court goes on to explain how, and why, the prosecution
arose:
Until their resignations in July 2012,
defendants worked for the Denver office of Electric Power Systems (EPS), a
nationwide company that performs electrical testing for utilities and
industrial and commercial clients. Stotz was the regional operations manager,
and Eicher was the sales manager for industrial and commercial clients.
In the spring of 2012, defendants
became unhappy with some circumstances of their employment with EPS. Along with
three other Denver EPS employees, they resigned on July 23, 2012, after
accepting job offers from EPC, a competitor of EPS. . . .
Sometime after defendants returned
their company-issued laptops and left the company, EPS realized that information
it needed on past, current, and potential jobs was missing from the laptops.
Such information included data from the tests EPS performed on its customers'
power equipment, reports on the test results that EPS prepared for its customers,
the individual `test macros’ or models EPS designed for each facility before
testing it, bids and quotes for potential jobs, and equipment inventory and
scheduling for upcoming jobs.
EPS employees testified that this
information should have been stored on defendants' laptops for every job they
had worked on at EPS. However, Eicher's laptop contained no such information
for any job, and an EPS employee testified that Stotz's laptop had incomplete
information regarding some jobs. Also missing from defendants' laptops were the
manuals issued by the manufacturers of the equipment being tested, which
detailed the equipment's specifications, its intended use, how to install it,
and when and how to maintain it.
Manuals were issued for each equipment
model and year, and there was evidence presented at trial to support a
conclusion by the jury that they were essential for performing the testing.
Electrical engineers like defendants collected and kept the manuals that they
used for work; for instance, Stotz testified that he uploaded over 7000 manuals
to his EPS laptop when he started working there.
EPS hired a computer forensic company
to determine what had been deleted from defendants' laptops and to recover, if
possible, the deleted documents. Evidence at trial showed that Stotz and Eicher
had first copied files from their EPS laptops onto USB hard drives and then
deleted the files from the laptops. Along these lines, the owner of the
forensic computer company testified that he recovered 3700 deleted files and
1800 deleted e-mails from Stotz's computer and 8200 deleted files and 25,000
deleted e-mails from Eicher's computer.
People v. Stotz,
supra.
The opinion then explains that
[b]oth Stotz and Eicher testified at
trial. Neither disputed that they copied files from their company laptops onto
personal external hard drives and then deleted the files from their laptops
before leaving EPS.
Stotz testified that he copied files so
that he would have information relating to the projects he had worked on at EPS
in case he needed it to protect himself from liability if a problem arose in
the future with one of the projects. He testified that he downloaded onto
his external hard drive over 24,000 EPS files before he resigned, including
7000 manuals.
Stotz denied deleting any testing data
or other data regarding any EPS projects from the laptop, although he admitted
to deleting the 7000 manuals. He testified that he did not believe deleting the
manuals would hurt EPS because he had brought with him or obtained all the
manuals himself, and he had made sure that the remaining EPS employees had
copies of all the manuals he had before deleting them. He testified that most
of the other files that he deleted were personal music, photo, and video files.
Eicher testified that only about 20% of
the documents he copied and then deleted from his company laptop were EPS
materials, and the remaining 80% were documents from his prior employment that
he had loaded onto his EPS laptop. He claimed that he copied the EPS documents
so that he would have a personal copy of his quotes and projects for his own
reference in the future.
Regarding the deletions, Eicher
testified that his understanding was that after his resignation the laptop
would go to EPS's IT department and all the files on it would be erased to
prepare the laptop for use by another EPS employee. He testified that he thus
believed that it was not improper to erase all of the laptop's files and
software other than Microsoft Word and Excel, which was the condition in which
he had received the laptop when he was hired. He testified that the manuals
that he deleted consisted primarily of manuals he had uploaded to the computer
when he began working for EPS. He denied that he was trying to hurt EPS by
deleting them; rather, he believed that there was no need to leave the manuals
on the laptop because he believed it would be wiped clean after he left.
Eicher testified that he deleted bids
and quotes from his laptop because `deleting bids was a normal thing’ for him
and he deleted them as he `went along.’ He testified that he filed a hard copy
of every bid and quote, and the information relating to every job or project,
in paper folders that remained in the EPS office after he resigned. He also
testified that a spreadsheet he had prepared and given to other EPS employees
before leaving EPS showed every current job he was involved in and its status.
He thus denied that he intended to harm EPS by deleting all his quotes, bids,
and project files from the laptop because he believed that the hard copies of
all the information relating to outstanding bids and past and in-progress jobs
were in the office's paper files.
People v. Stotz,
supra.
The court then summarized the evidence the prosecution
presented at trial:
Although Eicher testified that he left
the office's paper quote and job files organized, complete, and intact, some of
the EPS employees who testified at trial disputed his assertion. For instance,
Thomas Reed, who owned EPS along with his brother Steven and their father,
testified that the Denver office was missing information relating to quotes. He
testified that employees consequently were not always aware of upcoming jobs
and sometimes failed to show up at job sites for scheduled jobs. He also testified
that because the office was missing some of the reports for jobs that had
already been completed, EPS could not provide them to their customers, as
required by their contracts.
Steven Reed likewise testified that
after the resignations, Denver employees frequently did not know what jobs or
quotes were pending, and they (embarrassingly) had to ask their customers to
forward EPS quotes to them so that they could determine what needed to be
done. And employee Michael Benitez testified that employees often did not
know when and where they were scheduled to work and the specifics of the work
that needed to be done, in part because the spreadsheet Eicher had provided was
missing critical information. Other EPS employees gave similar testimony.
People v. Stotz,
supra.
The Court of Appeals then explained that
EPS filed a civil suit against the five
employees, including defendants, who had resigned on July 23, 2012. EPS sought
to enforce the noncompete agreements each employee had entered into with EPS
and to obtain money damages. Following a preliminary injunction hearing in
October 2012, the district court mainly denied relief to EPS, concluding that
the noncompete agreements were probably unenforceable. The court also
determined that EPS probably could not establish that any data or documents in
the possession of the civil defendants had been provided to EPC to the
detriment of EPS.
People v. Stotz,
supra.
The opinion then addresses the filing of criminal charges,
noting that in November of 2012,
EPS submitted a formal complaint to the
Economic Crime Unit of the Denver District Attorney's (DA's) office, seeking
criminal prosecution of defendants. The DA's office filed criminal charges
against defendants in January 2013. . . .
Defendants were charged with computer
crime, causing loss of $1000 or more but less than $20,000; conspiracy to
commit computer crime; conspiracy to commit theft; theft of trade secrets; and
conspiracy to commit theft of trade secrets. A jury convicted defendants of
felony computer crime but acquitted them of the other charges. The trial
court sentenced defendants to a two-year suspended prison sentence, imposed two
years' probation, and awarded EPS $104,920.26 in restitution, for which
defendants are jointly and severally liable.
People v. Stotz,
supra.
On appeal, Stotz and Eicher argued, among other things, that
“the computer crime statute under which they were convicted is unconstitutional
on its face and as applied to them because it . . . provides inadequate
guidance regarding what conduct is prohibited and thus is void for vagueness”. People
v. Stotz, supra. The Court of Appeals began its analysis of their argument
by explaining that
[w]e review de novo a constitutional challenge to a statute. People v.
Cisneros,2014 COA 49, 356 P.3d 877. Statutes are presumed to be
constitutional, and the party challenging the statute has a heavy burden to
establish that it is unconstitutional. See People v. Cisneros, supra.
People v. Stotz,
supra.
Next, the Court of Appeals outlined what is involved in
bringing a void for vagueness challenge to a criminal statute:
Due process `requires that a penal
statute define [a] criminal offense with sufficient definiteness that ordinary
people can understand what conduct is prohibited and in a manner that does not
encourage arbitrary and discriminatory enforcement.’ Kolender v. Lawson, 461 U.S. 352 (1983). . . . A statute is unconstitutionally
vague under the void-for-vagueness doctrine if it `fail[s] to provide the kind
of notice that will enable . . . . the ordinary citizen to conform his or her
conduct to the law,’ City of Chicago v. Morales, 527 U.S. 41 (1999), or “its standards are so ill-defined as to create a danger of arbitrary
and capricious enforcement,’ People v. Shell, 148 P.3d 162, 172
(Colorado Supreme Court 2006).
Thus, in addressing a void for vagueness
challenge, we must determine `whether the statute “forbids or requires the
doing of an act in terms so vague that persons of ordinary intelligence must
necessarily guess as to its meaning and differ as to its application.”’ People v. Gross, 830 P.2d 933, 937
(Colorado Supreme Court 1992) (quoting People v. Becker, 759
P.2d 26, 31 (Colorado Supreme Court 1988)).
A statute may be challenged as
unconstitutionally vague either on its face or as applied to particular
conduct. People v. Devorss, 277 P.3d 829, 835 (Colorado Court
of Appeals 2011). A statute is unconstitutionally vague on its face if it is
incomprehensible in all of its applications. People v. Shell, supra. A statute is unconstitutionally vague as
applied if it does not, with sufficient clarity, prohibit the conduct against
which it is enforced. People v. Devorss, supra. If a defendant's conduct is clearly proscribed
by the statute—that is, the statute is not vague as applied to the defendant's
conduct—the defendant cannot successfully challenge the vagueness of the law on
its face or as applied to the conduct of others. See People
v. Perea, 74 P.3d 326, 332 (Colorado Court of Appeals 2002).
We apply familiar principles of
statutory interpretation in analyzing a vagueness challenge. Our primary task
is to ascertain and give effect to the intent of the legislature. Whimbush
v. People, 869 P.2d 1245, 1249 (Colo. 1994). `To determine legislative
intent, we begin with the language of the statute itself and interpret
statutory terms in accordance with their commonly accepted meanings.’ Whimbush
v. People, supra. If the plain language of the statute is clear and
unambiguous, we must apply it as written. People v. Goodale, 78
P.3d 1103, 1107 (Colo. 2003). `Only when the statute is unclear or ambiguous
may we look beyond the words of the statute to legislative history or rules of
statutory construction.’ People v.
Goodale, supra.
People v. Stotz,
supra.
The Court of Appeals began its analysis of the defendants’
arguments as to why their convictions should be reversed, explaining that the section
of the computer crime statute under which defendants were convicted provides:
`A person commits computer crime if the
person knowingly: ... (e) Without authorization or in excess of authorized
access alters, damages, interrupts, or causes the interruption or impairment of
the proper functioning of, or causes any damage to, any computer, computer
network, computer system, computer software, program, application,
documentation, or data contained in such computer, computer network, or
computer system or any part thereof.’
People v. Stotz,
supra.
The opinion goes on to explain that the
terms `authorization,’ `in excess of
authorized access,’ and `damage’ are defined by statute:
(1) `Authorization’ means the express
consent of a person which may include an employee's job description to use said
person’s computer, computer network, computer program, computer software,
computer system, property, or services as those terms are defined in this
section. . . .
(6.3) `Damage’ includes, but is not
limited to, any impairment to the integrity of availability of information,
data, computer program, computer software, or services on
or via a computer, computer network,
or computer system or
part thereof.
(6.7) `Exceed authorized access’ means to access a computer with authorization and
to use such access to
obtain or alter information, data, computer program,
or computer software
that the person is not entitled to so obtain or alter.
People v. Stotz,
supra.
The court explains that the
jury was instructed on the statutory
definitions of these terms and the elements of computer crime.
First, we conclude that the term
`knowingly’ in section 18–5.5–102(1)(e) applies to every element of the
offense. `When a statute defining an offense prescribes as an element thereof a
specified culpable mental state, that mental state is deemed to apply to every
element of the offense unless an intent to limit its application clearly appears.' § 18–1–503(4), Colorado Revised Statutes 2015. Because the term `knowingly’
in section 18–5.5–102(1)(e) is placed immediately before a colon
establishing the elements of the crime, we must assume that the General
Assembly intended the term to modify every element of the offense; no contrary
legislative intent clearly appears. Accordingly, a person commits computer
crime under the statute if he knowingly commits one of the statute's proscribed
acts knowing that he does so `[w]ithout authorization or in excess of
authorized access.’ See § 18–5.5–102(1)(e).
People v. Stotz,
supra.
The Court of Appeals then began its analysis of the issues,
and the arguments, in the appeal. It
divided the analysis into two categories: (i) the facial challenge to the
statutes and (ii) an as applied challenge to the statutes. The court addressed the two challenges in this
order.
It began with the facial challenge, explaining that the
defendants argued that
Colorado Revised Statutes §
18–5.5–102(1)(e) is void on its face because the phrase `causes any damage
to . . . data contained in [a] computer’ is not adequately concrete to
reasonably forewarn persons of ordinary intelligence of what is prohibited. We
disagree.
`A law is unconstitutionally vague only
if it specifies no standard of conduct at all, and not if it requires a person
to conform his or her conduct to an imprecise, but comprehensible normative
standard.’ People v. Perea, 74 P.3d
(Colorado Court of Appeals 2002).
The deletion of thousands of documents
from one's employer's laptop clearly falls within the statutory definition of
`damage.’ Colorado Revised Statutes § 18–5.5–101(6.3). The definition of damage
is specific enough to provide a person of ordinary intelligence notice that the
deletion of documents from a computer may cause damage to data contained in a
computer. See People v. Shell, supra. Therefore, defendants have
not established that the statute is incomprehensible in all of its
applications. . . .
People v. Stotz,
supra.
The opinion goes on to explain that
the Defendants express doubts regarding
whether an individual actually `damaged’ data under the statute when the data
was placed on the computers by the individuals themselves and hard copies of
the deleted information were stored in a physical location. However, this was a
factual issue for the jury to resolve; the plain language of the statute gives
sufficient fair warning that `impairing the integrity of availability of
information [or] data’ covers deleting documents from a company laptop such `that
persons may guide their actions accordingly.’ See People v. Gross, supra.
Defendants also worry that because
there is no malicious intent requirement in section 18–5.5–102(1)(e), if
the statute is permissibly applied to a situation like theirs, any keystroke
knowingly made by an employee on a company computer that alters content on that
computer could form the basis for criminal charges. But in interpreting a
statute, it must `be considered and read as a whole.’ People v.
Randolph, 852 P.2d 1282, 1284 (Colo. App. 1992). The statute
interpreted as a whole does not proscribe any keystroke that changes or deletes
content on a computer; it only proscribes such an act if it is done knowingly
without authorization or in excess of authorized access and with
knowledge that it will impair `the integrity of availability of information,
data, computer program, computer software, or services on or via a computer,
computer network, or computer system or part thereof.’ See §§
18–5.5–101, 18–5.5–102(6.3).
Accordingly, defendants' facial
challenge to section 18–5.5–102(1)(e) based on the term `damage’
fails.
People v. Stotz,
supra.
The Court of Appeals then took up the defendants’ argument
that the “statute is vague as applied to their actions because. . . they had full authority over their own
laptops, and management neither exercised any control, nor promulgated any
rules or guidelines, over the placement, retention, or deletion of the content
of their laptops”. People v. Stotz, supra. The court began its analysis of this
argument by explaining that
[m]uch of defendants' vague-as-applied
argument focuses on the fact that EPS's employee handbook provided that `[l]ocal
administrative rights and support of standard EPS hardware or software shall be
granted to all employees,’ and testimony by defendants and other former and current
EPS employees that EPS employees had full authority over the content of their
laptops.
For example, Stotz testified that he
had never received, nor believed that he needed to receive, prior authorization
before downloading, uploading, or deleting documents from his computer, and
that EPS never advised him regarding what he could or could not delete from his
computer. He testified that, to him, `local administrative rights’ meant that
he could do what he wanted with his computer.
Eicher similarly testified that he
alone decided what to put on his laptop the entire time he worked for EPS, and
there was no direct supervisory input, direction, or oversight from management
or anyone else regarding what he should or should not do with his laptop. His
understanding was that he had complete autonomy in adding, copying, or deleting
material to or from his laptop.
Other former and current EPS employees
provided similar testimony about decision-making authority over company
laptops. Steven Reed, for example, testified that an employee did not need
advance permission to download a document onto an EPS computer, and that no one
at EPS supervised employees' day-to-day decisions about what to put on, or
delete from, their computers.
People v. Stotz,
supra.
The opinion explains that,
[n]evertheless, the prosecution's
theory of liability at trial was that defendants knew that they were not
authorized to delete the documents they deleted from their laptops at the time
that they deleted them. To this end, Steven Reed testified that he had never
authorized defendants to delete reports, records, test results, quotes, and the
like from EPS's computers or computer networks. Thomas Reed also testified that
he had never authorized defendants to delete that type of material from their
computers, and that he never would have done so because maintaining that
information was critical for EPS's business. During cross-examination, Stotz
admitted that nobody authorized him to delete the files at issue, and that he
did not ask permission before doing so. Eicher testified that nobody ever
authorized him to delete EPS files.
The prosecution also adduced a
significant amount of testimony on a data storage program called `SharePoint’
that EPS's Denver office used. Steven Reed testified that in January 2012, EPS
management informed all offices that they were to start using a central drive
to store their critical data. However, the management group in Denver,
including Stotz, told Steven Reed that they were more comfortable using SharePoint
for central data storage, and an agreement was reached between EPS management
and the Denver office in April 2012 that all managers in Denver would save
their information to SharePoint rather than the central drive.
But from April until defendants' resignations
in July 2012, no documents from the Denver office were saved to SharePoint.
Defendants and other Denver employees testified that SharePoint stopped working
in April, and they were unable to save information to it from that point
forward. The prosecution presented testimony from EPS employees that would
permit the jury to infer that if it was true that SharePoint had not been
working, the only reason defendants would have deleted critical information
from their laptops was to harm EPS by destroying the only electronic copy of
that information.
People v. Stotz,
supra.
The opinion goes on to explain that
[w]e conclude that the plain language
of section 18–5.5102(1)(e) prohibits, with sufficient clarity, an employee's
knowing deletion of the only electronic copies of thousands of computer
documents, when the employee knows that such deletion is not authorized by the
employer. . . .
Although defendants had authority to
access the documents they deleted, the jury necessarily determined that they exceeded
such authorized access by deleting information that they were not authorized to
delete. Accordingly, defendants' acts fall squarely within the statute's
proscription of accessing a computer with authorization and using such access
to knowingly damage information on the computer, knowing that they were not
entitled to do so. . . .
Defendants' argument essentially boils
down to an assertion that, under all the circumstances, they did not know, and
reasonably could not have known, that they were not entitled to delete the
documents. But the truth of this assertion was a factual question for the jury;
it is not a proper basis for us to conclude that the statute does not provide
fair notice that it forbids an employee from knowingly deleting files from a
company computer, knowing that he did not have authorization to do so.
People v. Stotz,
supra.
For these and other reasons, the Court of Appeals ultimately
held that the “The judgments of conviction and the restitution orders are
affirmed.” People v. Stotz, supra.
No comments:
Post a Comment