Security Breaches and New York's Computer Crimes Act
Saint Nick a/k/a Santa came early this year for cyber crime practitioners in the form of the Appellate Division, First Department decision in People v. Puesan.1 In affirming the conviction after a jury trial, the First Department explained several sections of New York's Computer Crimes Act2 that heretofore had not been specifically addressed by any appellate court in New York state. This article will address the decision in light of New York state and federal law.
The essential allegations in Puesan concerned a computer breach at a Manhattan office of Time Warner Cable. Specifically, the defendant, while on leave from his job as a field technician for Time Warner Cable, and therefore unauthorized to enter its offices or use its computers, entered a Manhattan office of the company and installed a keystroke logger computer program on three of the company's computers, enabling the defendant to access another company program that stored confidential customer information including customer accounts containing address, phone number, subscription, service call records, billing and payment information, as well as complaint and service calls.
Defendant was charged under nearly the full array of offenses in New York's Computer Crimes Act, Article 156 of the Penal Law (P.L.), and was convicted after trial of three counts of computer trespass (Penal Law §156.10), three counts of computer tampering in the third degree (Penal Law §156.25), one count of unlawful duplication of computer-related material in the first degree (Penal Law §156.30), and one count of criminal possession of computer-related material (Penal Law §156.35). On appeal, defendant alleged that his acts did not fall within the statutory prohibitions of each crime, and that the prosecution failed to establish the elements of each of the crimes.
The court's opinion authored by Judge David B. Saxe provides the details of the case. Specifically, on Nov. 9, 2007, defendant was placed on disability leave from his job as a field technician for Time Warner Cable. The state's evidence demonstrated that an employee who is placed on work leave is not considered an active employee; his or her access card is disabled and thus cannot be used to gain access to the company's offices. The policy is published in employee handbooks provided to employees, and the company's human resources department notifies all personnel on leave regarding the policy. Additionally, there is no public access to the company's Manhattan office where the crime occurred, and security guards are stationed outside the premises to ensure that only those with valid employee credentials are permitted entry to the building.
After defendant was seen in the building at the computers, and engaged in an incriminating conversation with a coworker on Feb. 10, 2008, Time Warner analysts examined the company computers the next day, and discovered that a program, Winvestigator, had been installed on the desktop computer on the same date. It was also determined that Winvestigator's settings were set to log keystrokes, user sign-ons, and the times that programs opened and closed. Additionally, Winvestigator was programmed to self-encrypt, and not warn others that the program was running, so that anyone without the programmed password would be unable to look at the Winvestigator log file, because it would display only incomprehensible text. Winvestigator had started to log keystrokes on Feb. 10, 2008.
The court analyzed the evidence for each of the charges for which defendant was convicted. Computer trespass under Penal Law §156.10 requires that the state prove the individual "knowingly use[d] … or accesse[d] a computer or computer network without authorization and … knowingly gain[ed] access to computer material." Defendant contended that he could not be convicted of accessing "computer material" because he did not gain access to the types of materials defined in the statute, and that the evidence failed to prove that he lacked authorization to use the three computers accessed.
The term "without authorization"3 is defined as "access of a computer service by a person without permission … or after actual notice to such person, that such access was without permission" as per Penal Law §156.00. While there was apparently no appellate authority on this point, the Appellate Division stated that the question of how to prove that use of a computer was not authorized was previously addressed in a New York City Criminal Court case, People v. Klapper,4 which considered a charge of unauthorized use of a computer (Penal Law §156.05). The Klapper court found that for access to be without authorization, the defendant must have had knowledge or notice that access was prohibited or have circumvented some security device or measure installed by the user. On the other hand, the Appellate Division in Puesan stated: "Of course, here, evidence fully supports the finding that defendant gained access to Time Warner's computers when he was unauthorized to do so."
As to whether the information defendant gained access to constituted "computer material" for purposes of Penal Law §156.10, the statutory definition of the term includes "any computer data or computer program" that "is not and is not intended to be available to anyone other than the person … rightfully in possession thereof … and which accords or may accord such rightful possessors an advantage over competitors or other persons who do not have knowledge or the benefit thereof" (Penal Law §156.00). Notably, the statute requires only that defendant "knowingly gain access to computer material"; it does not require that he actually make use of the material in any way.5
The Appellate Division reviewed the evidence and found it sufficient to establish that with the information defendant obtained by the illicit installation of the Winvestigator program, he gained access to confidential Time Warner customer information. Moreover, the testimony of a Time Warner employee concerning incriminating statements by defendant, that is, that defendant asked him for his personal login and password for access to the customer account program and, when the witness refused to supply same, said he might use a keylogger to get the password to gain access, supported the conclusion that defendant's actions were purposefully geared toward gaining access to information in that system. Therefore, the court found that all the elements of computer trespass6 were established.
It should also be noted that proof of lack of authorization is aided by a presumption, that is, a permissible inference, of the lack of authorization if the defendant "used or accessed a computer, computer service, or computer network through the knowing use of a set of instructions, code or computer program that bypasses, defrauds or otherwise circumvents a security measure installed or used with the user's authorization on the computer, computer service or computer network."7
Moreover, the statutory defense to a specified computer crime, P.L. §156.50, was unavailable. The provision permits a defendant who acts without authorization in fact to be absolved from criminal liability if the defendant had reasonable grounds to believe that he or she was authorized to so act. "Reasonable grounds" imports an objective element in the determination of whether the defendant's belief that he or she was authorized to engage in the specified conduct would be one a reasonable person, in the defendant's situation and circumstances, would have had.8