By H. Michael Steinberg Colorado Theft Crimes Criminal Defense Lawyer
Employees who are assigned laptop computers upon leaving their employment should be aware of a 2016 Colorado case that addresses what they should do and not do with their employer’s laptop.
Known to some as the Colorado Computer Hacking Law, Colorado’s Computer Crime “Act” was actually two separate laws that are read together – C.R.S. § 18-5.5-101 and C.R.S. Section 18-5.5-102.
The purpose of this article is to alert the reader to a trap for the unwary former employee who has been assigned a “company computer.”
Bottom line Colorado criminal law:- Colorado’s Computer Crime Law C.R.S. Section 18-5.5-102(1)(a) prohibits knowingly accessing or using a computer, computer network, or computer system without authorization or exceeding authorized access.
The behavior punishable by this law is very broad in scope.
“A person also commits Computer Crime in Colorado if the person knowingly: . . .
(e) Without authorization or in excess of authorized access alters, damages, interrupts, or causes the interruption or impairment of the proper functioning of, or causes any damage to, any computer, computer network, computer system, computer software, program, application, documentation, or data contained in such computer, computer network, or computer system or any part thereof.”
At least THREE definitions found in Section 18-5.5-101, C.R.S. are critically important in these cases: Those three defined terms are “authorization,” “in excess of authorized access,” and “damage” are defined in the law (Section 18-5.5-101, C.R.S.)
“Authorization” means the express consent of a person which may include an employee’s job description to use said person’s computer, computer network, computer program, computer software, computer system, property, or services as those terms are defined in this section.”
“Damage” includes, but is not limited to, any impairment to the integrity of availability of information, data, computer program, computer software, or services on or via a computer, computer network, or computer system or part thereof.”
“Exceed authorized access” means to access a computer with authorization and to use such access to obtain or alter information, data, computer program, or computer software that the person is not entitled to so obtain or alter.”
The 2016 Colorado Computer Crime Case Of People v. Stotz
In the Colorado case of People v. Stotz, the reach of the Colorado Computer Crime law was extended mightily.
The Colorado Court of Appeals issued its opinion in People v. Stotz on Thursday, February 11, 2016. In Stotz, three employees from a Colorado corporation resigned to work for a competitor. But, when they returned their company laptops, there were thousands of files missing including bids that were directed at new business.
A forensic computer concern did an analysis of the deleted files but could not recover the missing data. A complaint was filed with the Denver District Attorney’s Economic Crimes unit felony criminal charges were filed against the former employees.
After a jury trial – the Defendant’s were convicted under the Colorado Computer Crime statutes and were sentenced under those laws.
The Judge And Jury Heard, And Rejected The Defense Of No “Damages”
The trial court held and the appellate court sustained the evidence that:
“…the deletion of thousands of documents from an employer’s computer clearly falls within the statutory definition of “damage,” and that (the law’s definition of damage) is specific enough to provide notice to a person of ordinary intelligence that the deletion of thousands of documents may cause damage to the computer’s data.”
The Defendant’s in Stotz argued that they had the right to do whatever they wanted with their employer-owned laptops. The jury disagreed. Because these Defendants knowingly destroyed the data on their computers without their former employer’s permission, their conduct fell within the State’s computer crime laws.
“We conclude that this provision is constitutional as applied to employees who a jury determined had deleted thousands of documents from their company-issued laptops, knowing that they acted without authorization or in excess of authorized access in doing so.”