When Wrongful Access of a Computer is Not a Crime: Unauthorized Use of a Computer – NY PL 156.05

With prosecutors seeking to protect proprietary and “secret scientific” information of financial, research, medical and other commercial institutions, it should come as no surprise to criminal defense lawyers regularly practicing in New York courts or those accused of crimes involving computers that Unauthorized Use of a Computer is potential crippling offense. The “lowest” of all New York’s computer crimes, Unauthorized Use of a Computer, an “A” misdemeanor pursuant to New York Penal Law 156.05, occurs when you knowingly use, cause to be used, or accesses a computer, computer service, or computer network without permission. Again, while NY PL 156.05 is not as significant as other New York computer crimes, it is likely one that if convicted would result in not merely your termination from your current employer (assuming it involved an employer-employee relationship), but would be a red flag on any future employment.

Defined in the New York Penal Law, computer service and network are critical terms to analyze in a Unauthorized Use of a Computer arrest. However, equally important is to these elements is whether or not your use of the computer was authorized. In People v. Klapper 2009NY032282 (Crim. Ct. New York County, Decided April 28, 2010), a Manhattan Criminal Court judge issued a surprising decision that puts into question what we all believe is the basis or foundation of permission and authority.

The facts are fairly straightforward in Klapper. The defendant, an employer, installed keystroke-tracking software onto a business computer owned by his company. The defendant then instructed the employee to use that computer – of which the employee used it for work-related purposes, “including to access and use a personal e-mail account.” Once the employee accessed his email, the keystroke-tracking software recorded the password, which the defendant subsequently used to log into the employee’s email. The defendant printed computer data, as well as emailed an “electronic document containing portions of emails generated from the employee’s email account.” The employee then brought a charge alleging that defendant had no permission/authority to access or use any information contained in the employee’s email account and that the employee was entitled to a reasonable expectation of privacy. The court dismissed this charge, ruling in favor of the defendant.

Addressing the subject of privacy expectations, the court found that emails are “more akin to a postcard”, as opposed to a postal letter, because postcards are less secure and can be viewed by any passerby. In addition, the court delved into the technological processes behind transmitting an email, personal or not, from a work computer, and accordingly, these processes essentially “diminish an individual’s expectation of privacy in email communications” because the transmitted email is stored on the employer’s server, and, thus can be read by the employer (see, Scott v. Beth Israel Med. Ctr., 17 Misc. 3d 934 (Sup. Ct. NY County 2007)). Similarly, PL 156.05 was intended to criminalize computer intrusions where protections and policies were breached in order to gain unauthorized access (see, People v. Angles, 180 Misc. 2d 146 (Crim. Ct. NY County 1999)). “Mere use or access” was not intended to be criminalized; only knowing intrusions (id.).

As noted above, in the case at hand, the court bypassed the first element as it was uncontested that defendant owned the computer; and, instead, addressed the “without authorization” component. The term “without authorization” is defined as “the use or access of a computer, computer service or computer network without the permission of the owner… where such person (1) knew that access was without permission or (2) had actual notice that he or she did not have permission from the owner of the computer or computer service, or (3) by proof that the user knowingly circumvented a security measure installed or use by the owner of the computer or computer service” (see, Penal Law 156.00(8)). According to the court, “where a defendant…has some authority over the computer or computer services, to sufficiently establish the element of ‘without authorization’ the factual allegations must clearly set forth facts to support the defendant had knowledge or actual notice that the particular access was prohibited or that defendant circumvented some security device or measure installed by the user.” (See, People v. Katakam, 172 Misc. 2d 943 (Sup. Ct. NY County 1997)). The court, in applying the facts to the law, concluded that although there was keystroke-tracking software installed on the computer, the allegations fail to support the claim that that defendant’s access was without authorization, as defendant a) owned the computer, b) had no notice of any limitation regarding access set forth by the employee, c) did not circumvent any security protections installed by the employee, and d) the email ownership was unstated.

Although the allegations of Unlawful Use of a Computer were dismissed against this defendant, each case is unique. While Crotty Saland PC has handled cases involving arrests and indictments for various felonious New York computer crimes and those that were resolved prior to reaching the desk of a detective or prosecutor, a careful assessment of the facts in your case are essential to determining whether this or other legal decisions can benefit your defense. To learn about these cases, criminal statutes and recent cases in the news, review the links above to the Crotty Saland PC website as well as the the NewYorkCriminalLawyerBlog.Com (linked below).

Crotty Saland PC is a New York criminal defense firm established by two former Manhattan prosecutors. The New York criminal lawyers at Crotty Saland PC represent clients in all computer crime allegations throughout the New York City and suburban region.

Updated: