Virginia Computer Crimes Act Violation

Author: LegalEase Solutions

QUESTION PRESENTED

Whether plaintiff violated the Virginia Computer Crimes Act by logging into or viewing defendant’s email?

 SHORT ANSWER

Maybe. Under Va. Code Ann. § 18.2–152.4, computer trespass, it appears unlikely that Elizur or Ren committed computer trespass because Ren did not act with a malicious intent.

Further, Va. Code Ann. § 18.2-152.5, computer invasion of privacy, would seem a more fitting provision to these facts.  However, even there it would seem that Ball has no cause of action here because Elizur owned the computer station Ball used to access his email, and because he saved his log in information to that station. However, it is possible the Ren’s subsequent actions may have crossed a line that the courts have not yet examined.

Finally, it seems that Defendant cannot claim relief under § 18.2–152.12 because he failed to show that he suffered any injury.

RESEARCH FINDINGS

  1. Computer Trespass

The Virginia Computer Crimes Act § 18.2–152.4 of deals with computer trespass. Under this section, “it is “unlawful for any person, with malicious intent, to . . . make or cause to be made an unauthorized copy . . . or computer data, computer programs or computer software residing in . . . a computer or computer network[.]’” Tryco, Inc. v. U.S. Med. Source, L.L.C., 80 Va. Cir. 619, 2010 WL 7373703, at *6 (2010).

Further, “[t]he Virginia Computer Crimes Act prohibits, inter alia, any person ‘without authority’ to use a computer or computer network to make . . . an unauthorized copy . . . of computer data . . . .” McGladrey & Pullen LP v. Shrader, 62 Va. Cir. 401, 2003 WL 22203709, at *6 (2003) (internal citation and quotation omitted). “The term ‘without authority’ is a person who uses a computer without permission or if the person has some right to use the computer ‘uses a computer . . . in a manner exceeding such right or permission.’” Id. (quoting § 18.2-152.2).

Therefore, a person is held liable for computer trespass only if the acts mentioned under § 18.2–152.4 is committed with a malicious intention. In the instant case, it appears that Plaintiff did not login to Defendant’s e-mail account with a malicious intention. Plaintiff while trying to login to his account accidently accessed Defendant’s e-mail as the login information was already saved in it. Here, Plaintiff lacked the knowledge that he was logging into Defendant’s e-mail account. Further, Plaintiff being the President of the firm has the authority to use the computer at his workstation.

  1. Computer Invasion of Privacy

The Virginia Computer Crimes Act § 18.2–152.5 of deals with computer invasion of privacy. Id. Under this code:

A person is guilty of the crime of computer invasion of privacy when he uses a computer or computer network and intentionally examines without authority any employment, salary, credit or any other financial or identifying information, as defined in clauses (iii) through (xiii) of subsection C of § 18.2-186.3, relating to any other person. “Examination” under this section requires the offender to review the information relating to any other person after the time at which the offender knows or should know that he is without authority to view the information displayed.

Id.

It appears that there is little in the way of authority around this particular provision of the code, none of it binding.  It was briefly examined in Glob. Policy Partners, LLC v. Yessin, 686 F. Supp. 2d 631 (E.D. Va. 2009).  In that case a husband and wife, both managers in the corporate entity were involved in divorce proceedings.  Id. at 633. During that time, husband and another manager viewed wife’s business email. Id. Wife sued for, among other things, computer invasion of privacy. Id.

The court held that wife failed to state a claim for computer invasion of privacy. Id. at 640.  The court reasoned that because wife failed to “allege any facts concerning the content of the e-mail messages in issue other than that they contained sensitive information regarding Mrs. Yessin’s legal strategy in the pending divorce proceeding,” and because “legal strategy does not fall into any of the statute’s enumerated categories,” the allegations failed to state a claim. Id.

The court did enumerate the elements of computer invasion of privacy, which require that a person “(i) used a computer or computer network (ii) without authority, (iii) with the intent to examine another’s records, (iv) without authority, and (v) the records contained employment, salary, credit, or other financial or identifying information as defined by the statute.” Id.

Similarly, in Walsh v. Logothetis, No. 3:13CV401-JAG, 2014 WL 229588 (E.D. Va. Jan. 21, 2014) aff’d, 578 F. App’x 227 (4th Cir. 2014), the court held that a state university did not violate the act when it accessed the plaintiff’s personal information that he stored on the university-issued computer. Id. at *13.

Virginia courts have examined this provision as well. In Stultz v. Virginia Dep’t of Motor Vehicles, No. 7:13CV00589, 2015 WL 4648001 (W.D. Va. Aug. 5, 2015), the court found that plaintiff failed to state a claim against his state DMV supervisors when they used agency computers to access his personal information on the agency database. Id. at *12.

Based on the foregoing, it would seem that because Elizur owned the computer Ball used to access his email with NPR, and because he saved his log-in information such that it would automatically open his email, Ren would not have the requisite intent to examine Ball’s records when he accessed the computer.  Even assuming a court were to so find, one might argue that by saving his log-in information to enable automatic log-in, Ball gave his implicit consent to anyone acting on behalf of Elizur to access his NPR email.  This would be similar to Walsh, where the university officials owned the computer on which the plaintiff in that case stored his personal information.  And like Yessin, Ball has failed to plead any allegations regarding the contents of the emails Ren viewed. Thus, the statute may be inapplicable to this claim.

However, because of the statutory definition of “examination” in this section, it’s possible that a court may find that Ren violated the act once he realized he was inadvertently viewing Ball’s NPR email.  In that situation, the analysis may revolve around what information Ren saw regarding Ball’s theft and at what point in time he realized he was viewing Ball’s personal email with another employer.  If Ren had to dig through Ball’s email before finding evidence of the theft, it is possible a court may find that Ren both lacked authorization to access those emails, and developed the requisite intent in deciding to root through a personal email account, notwithstanding the fact that he initially accessed it inadvertently.

  • Proof of Harm Required in Civil Case

Finally, in a civil case, “Va.Code Ann. § 18.2–152.12 requires [the aggrieved party] to prove resulting injury . . . in order to be actionable.” Tryco, Inc., 80 Va. Cir., 619, 2010 WL 7373703, at *6 (2010). In the instant case, Defendant has neither suffered nor has he proved any injury. The information that Plaintiff accessed were the private information of Plaintiff that Defendant disclosed to Plaintiff’s competitor. Hence, it seems that Plaintiff has not committed the act of computer trespass.

CONCLUSION

Based on the forgoing, it appears that Plaintiff has not committed a computer trespass because he did not with malicious intent. Further, should a claim of computer invasion of privacy arise, it appears unlikely (although not impossible) a court would find a lack of authority or the required intent. Finally, in order to claim civil relief under § 18.2–152.12, Defendant has to prove that he has suffered injury from Plaintiff’s act. However, here it seems that Defendant has not proved any injury. The information accessed by Plaintiff was the private information relating to his company.  Therefore, Ren and Elizur arguably have not violated the act.