Employment Law Daily Use of work computer to steal lottery tickets did not violate state computer fraud provision
News
Tuesday, July 26, 2016

Use of work computer to steal lottery tickets did not violate state computer fraud provision

By Brandi O. Brown, J.D. A Tiger Mart employee who was convicted of theft and computer crime for using a computer terminal at work to print and steal lottery tickets successfully appealed her conviction under ORS 164.377(4) at the Oregon Supreme Court. She persuasively argued that the construction applied to the term "without authorization" was too broad. Rather than construe the term as criminalizing authorized access of a computer with an impermissible purpose, the court ruled that the text, context, and legislative history of the subsection made clear that the phrase applied only to unauthorized use of a computer, e.g., someone who hacks into a computer. The decision of the appeals court was reversed and the judgment of the circuit court was affirmed in part (State of Oregon v. Nascimento, July 21, 2016, Balmer, T.). Theft of lotto tickets. In 2009, the corporate owners of a Tiger Market discovered that at the same time the store was experiencing higher-than-average cash shortages, it was also showing an unusually large number of sales of Keno lottery tickets. Between November 2008 and February 2009 the losses exceeded $16,000. With some investigation, the employer determined that a deli worker was printing and pocketing lottery tickets without paying for them. She was prosecuted and convicted of theft and computer crime after a jury trial. One complicating factor with the prosecution, however, was that although the indictment cited ORS 164.377(2) in the caption, the body of the indictment charged conduct that tracked subsection (4) of that section instead. Subsection (4) included the "without authorization" language, whereas subsection (2) did not. Because of its failure to recognize this error, the prosecution conceded that the employee had authority to access the lottery machine. However, although the employee filed a motion for judgment of acquittal on the computer crime count, arguing that she was "authorized" to use the computer terminal in question and therefore had not violated ORS 164.377(4), that motion was denied and she was convicted. Prosecution's mistakes. After her unsuccessful appeal of the computer crime conviction, she again appealed to the Oregon Supreme Court, which noted that the prosecutor had apparently been confused about how the offense had been charged in the indictment and that this error led to further errors in how she approached the employee's motion for acquittal. Thus, while she could have argued that the employee did not, in fact, have authorization to access the computer (based on one witness's testimony), the prosecution instead had relied upon arguments focused on subsection (2) and had conceded that the employee had authorization. Therefore, on appeal, the state was confined to the argument that the employee's conduct violated subsection (4) because she had accessed the computer that she was authorized to use, but for an impermissible purpose. Interpretation does not fit. That interpretation of subsection (4), however, did not comport with the text, the context, or the legislative history of that subsection, the high court ruled. Although not defined by the statute, the terms "authorization" or "without authorization" would take on an overly broad meaning if accorded the meaning proposed by the state. The state argued that any time an individual uses or access a computer for a purpose not allowed by the owner of the computer, that use is "without authorization" and constitutes a computer crime. In other words, the state argued that the employee's use of the employer's computer, although otherwise authorized, became unauthorized and a crime once it violated the employer's personnel and computer use policies. Amicus urged narrow interpretation. On the other hand the employee noted that subsection (4) was enacted by the Legislative Assembly as a result of concerns about remote "hacking" of computers by individuals without any right to access those computers. She argued that the state's use in her situation was not the intended use. Amicus curiae also argued that the state's reading of the statute was "unworkably broad" because it would essentially allow private entities the ability to decide what conduct in the workplace was criminal and what was not. Instead, amicus argued, a narrow construction should be applied—similar to what has been applied to similar provisions in the federal Computer Fraud and Abuse Act. The meaning of the terms in question "are not obscure," the court explained, and the court agreed with the employee that she had been authorized by her employer to use the lottery terminal to print lottery tickets. Although the state countered by arguing that the authorized use became an unauthorized use when she chose to print tickets for herself without paying for them, the court found it "difficult to square the state's position with the text of ORS 164.377(4)." That subsections sets out a straightforward "binary division" between individuals who have the authorization to use a computer and those who do no. It does not, however, "distinguish between use that is authorized for certain purposes (such as those permitted by employer policies) and use that otherwise would be authorized but that is inconsistent with those policies." In fact, that subsection is unconcerned with "the purpose or manner of use at all[.]" Applying the interpretation requested by the state requires "adding words to the text of the statute that the legislature did not use." Legislative history. The conclusion that the employee's use of the machine was authorized found further support in the legislative history of that subsection, the court explained, because the provision was introduced based on concerns about the theft of cable television services, among other things, by hacking. The history showed that the provisions were intended to address unauthorized access by "hackers" or other individuals without any authority "whatsoever" to access a computer and not an individual such as the defendant in this case. Concluding that no reasonable juror could find that the employee had accessed the machine "without authorization," the court found that the trial court erred in denying her motion for judgment of acquittal on that count.

Interested in submitting an article?

Submit your information to us today!

Learn More