Violating Company Computer Rules Is Not a Crime in Oregon
Many companies have rules (for example, in employee handbooks) that govern what workers can do on the job.
For example, companies may prohibit workers from using company computers — or even company WiFi — for personal reasons.
An employee who violates such rules risks getting fired. But should violating company computer rules be a crime?
Not according to the Oregon Supreme Court.
As reported by Ars Technica, the case of State v. Nascimento involved a deli clerk at a convenience store. The vice president of the store's parent company discovered that there were unexplained cash shortages at the store — sometimes over $1000 per day, and totaling $16,000 in a three-month period.
The VP also discovered that the store sold an unusual number of lottery tickets. He found that the cash shortages and the high rates of lottery ticket sales occurred when the deli clerk was working.
Video recordings revealed that the clerk printed out and pocketed lottery tickets.
The clerk had been trained to use the cash register and lottery terminal, but was obviously not supposed to print free lottery tickets for herself. In fact, the store's policy was that employees were not supposed to even buy or redeem lottery tickets for themselves while on duty.
The clerk was charged with aggravated first-degree theft, as well as with computer crime.
She was convicted of using the computer "without authorization."
On appeal, the Oregon Supreme Court noted that "without authorization" wasn't defined by the statute:
As to the meaning of “without authorization,” the state proposes an extremely broad definition, arguing that any time a person uses or accesses a computer for a purpose not permitted by the computer’s owner, the person does so “without authorization” and commits computer crime. For that reason, the state contends, even though defendant was authorized to physically use the terminal to print Keno tickets, because she violated her employer’s policy by using it to print Keno tickets for her own use (and also by not paying for them), her use was “without authorization,” in violation of ORS 164.377(4). In short, the state’s argument is that an employee’s otherwise authorized use of an employer’s computer is “without authorization”—and therefore a computer crime under ORS 164.377(4)—whenever the employee’s access or use violates the employer’s personnel or computer use policies.
Check a Score, Go to Jail?
The Electronic Frontier Foundation (EFF) filed an amicus brief that the court cited, noting that
the state’s reading of the statute—which arguably criminalizes any computer use in violation of an employer’s personnel or computer use policies—is unworkably broad because it gives private entities the power to decide what conduct in the workplace is criminal and what is not.
The EFF contended that the computer crime statute could turn employees into criminals for reading a personal email or checking baseball scores on the job, if those things violated the employer's policies.
The EFF has also successfully argued that violating corporate policy is not a computer crime under the federal Computer Fraud and Abuse Act.