Just as the United States Supreme Court recently restricted the scope of the federal Computer Fraud and Abuse Act (“CFAA”) in the Van Buren v. United States case, the Georgia Supreme Court now has the counterpart of the Georgia state CFAA restricted.
background
In Kinslow v. State, No. S20G1001 (June 21, 2021), the defendant was a Norcross City IT worker. The defendant allegedly changed the city’s computer network settings to copy his boss’s incoming emails and forward them to the defendant’s personal email account. The jury found the defendant guilty of state computer theft and the defendant appealed.
The Georgia trespassing law partially defines the offense as “us.”[ing] a computer or computer network with the knowledge that such use is being made without authority and with the intent of. . . [o]to interrupt, interrupt or interfere in any way with the use of a computer program or data. ”OCGA § 16-9-93 (b) (2) (emphasis added).
No “hindrance” or “disruption” when copying e-mails
There was no question that the defendant in Kinslow lacked authorization to access and forward his boss’s emails. However, the majority concluded that the evidence at the trial failed to prove that the defendant “acted with intent to obstruct or interfere with the use of data”.
Relying on dictionary definitions of the words “obstruct” and “interfere” and using the rules of construction, the court interpreted the law as requiring evidence that the accused “obstructed” the use of data in some way. According to the court, the evidence revealed at most that the defendant had a copy of computer data flow to another recipient. Because “[t]here [was] no proof of that [the defendant] has acted obstructing the flow of data to an intended recipient or otherwise obstructing the use of data, ”the court overturned the Georgia statute conviction of computer theft.
The majority decision resulted in a sharp contradiction. The dissent would have determined that the defendants’ actions to “manipulate” the data stream and “interfere” with data to be passed on to others had fulfilled the “in any way disruptive” provision of the law. The dissent justified: “[T]respass does not require the theft of data from its intended recipient – it just requires that one access this data from a location where one is not authorized. ”(This interpretation would have followed the CFAA, which merely prohibits“ obtain ”[ing]”Information without authorization.)
Takeaways
The dissent warned that this decision “educates sinners that, from both a detection and prosecution standpoint, they will be better off simply copying data rather than blocking its transmission.” For the application of the Georgia trespassing law, at least, this point is difficult to argue. However, the defendant’s alleged conduct here could have violated a variety of other laws, including the CFAA and possibly trade secret laws.
Employers should keep in mind that many states have computer violation laws that don’t necessarily go up and down with the CFAA. Some can be wider and others, like Georgia’s, narrower. Whenever an employee accesses information that the employee is not authorized to access or misuses information that the employee is authorized to access, employers should work with legal counsel to carefully analyze the possible legal ramifications of such behavior.
