The Ohio Court of Appeals, in State v. Wolf, No. 08-16, slip op. (Ohio Ct. App. 5d April 28, 2009), recently upheld application of Ohio’s computer crime law to an employee who used his work computer to engage in criminal conduct (solicitation of a dominatrix-prostitute). While this holding may seem uncontroversial, another aspect of the decision might open the door to imposing criminal liability on employees for violating employer computer use policies.
Wolf was a Shelby City Wastewater Treatment Plant employee. The plant superintendent discovered nude photographs on Wolf’s work computer while performing routine maintenance. The superintendent notified police, who discovered that Wolf used the city-owned computer to solicit a prostitute, visit pornographic websites and upload nude photographs of himself during work hours. At trial, the jury found him guilty of soliciting prostitution, theft in office and unauthorized use of a On appeal, Wolf challenged the trial court decisions overruling his motion for acquittal on both the charge of theft in office and the charge of unauthorized access to a computer. The Court of Appeals agreed that the trial court should have acquitted on the theft in office charge, but ruled that Wolf’s use of the office computer was unauthorized under Ohio law.
Theft In Office
Ohio Rev. Code § 2913.02 (A) (2009), reads, in part, “no person, with the purpose of depriving the owner of property or services, shall knowingly obtain or exert control over either the property or services.” Upon review, the Court of Appeals found that Wolf’s actions did not constitute the crime of theft in office. Specifically, the court found that while there was evidence Wolf spent nearly 100 hours viewing websites unrelated to his job, nothing suggested that his job performance suffered or that he failed to perform his job duties. Furthermore, the court noted that even if evidence showed Wolf had failed to perform his job duties, such evidence could only serve as a basis for his termination and not as the basis for a criminal theft in office charge. In this instance, surfing websites at work was not a theft of services under § 2913.02(A).
Unauthorized Use
Wolf did not fare as well in his appeal regarding conviction under the unauthorized use law. The statute, Ohio Rev. Code § 2913.04(B) (2009), reads in relevant part:
(B) No person… shall knowingly gain access to, attempt to gain access to, or cause access to be gained to any computer… without the consent of, or beyond the scope of the express or implied consent of, the owner of the computer… or other person authorized to give consent.
At trial, the State argued that Wolf acted outside the scope of authorization by engaging in criminal conduct. The Court agreed that the State’s unauthorized use charge was “based upon sufficient evidence,” i.e., Wolf’s use of the city computer to solicit prostitution, and that such use was “beyond the scope of the express or implied consent.” State v. Wolf, slip op. at 12.
Notably, the Ohio statute applies not only to outsiders who infiltrate computer systems, but also to insiders such as Wolf, i.e., those who would otherwise have legal access but whose on-the-job activities go “beyond the scope of the express or implied consent” of their employers. Neither the statute nor the Wolf holding expressly limits the coverage of § 2913.04(B) to criminal activity.
This uncertainty parallels that surrounding the Computer Fraud and Abuse Act (CFAA), a criminal statute designed to prevent unauthorized access to, and use of, computers. There is a split in authority regarding whether the CFAA can be applied to insiders authorized to use a computer or computing service in addition to outsiders. See, e.g., Condux Int’l Inc. v. Haugum, No. 08-4824, 2008 WL 5244818, at *4 & n.3 (D. Minn. Dec. 15, 2008) (collecting cases); US Bioservices Corp. v. Lugo, No. 08-2342, 2009 WL 151577, at *4 (D. Kan. Jan. 21, 2009) (narrowly construing CFAA and holding it applies only to outsiders).
It remains to be seen how the Ohio statute, and others like it, will be applied in this developing area of law.
Proskauer summer associate Kyler Scheid contributed to this post.