COMMONWEALTH of Kentucky, Appellant, v. Douglas R. COCKE, Appellee.
This is an appeal from an opinion and order entered by the Jefferson Circuit Court dismissing several counts of an indictment and declaring KRS 434.845(1)(c), the statute under which appellee Douglas R. Cocke was charged, to be void for vagueness. On appeal, the Commonwealth contends that the court erred by finding that the statute at issue is unconstitutional. We are constrained to disagree. Hence, we affirm.
Appellee was employed by Universal Uniforms, Inc. in 1991 as a computer programmer. He had access to all of the company's computers, both at work and at home. Several times after appellee notified his employer that he had decided to terminate his employment, Universal's computer system was accessed and data, software and computer programs were altered, damaged and destroyed. Specifically, it was alleged that after his employment terminated and he had no authority to do so, appellee used the modem on his home computer to access Universal's computer system, and then to delete certain data from the system, stop an accounting program in progress, and change a password. Shortly after these events occurred, a search warrant was issued for appellee's residence and police seized appellee's personal computer as well as certain documents, programs, and disks.
On October 15, 1998, a five-count indictment was returned against appellee. Three counts of the indictment charged that in January 1998 appellee committed the felony offense of first-degree unlawful access to a computer by knowingly and willfully accessing Universal's computer, as well as related data, programs and systems, for the purpose of altering, damaging or destroying them. KRS 434.845(1)(c). Subsequently, appellee made a motion to dismiss these counts on the ground that KRS 434.845(1)(c) is unconstitutional as being void for vagueness. The trial court granted appellee's motion, reasoning as follows:
The allegations are basically that Defendant used the modem on his home computer to access Universal's computer system on the three occasions in question, resulting in certain data being deleted, an accounting program in progress being stopped and a password being changed. As said alleged conduct falls under the prohibition in subsection (1)(c) of KRS 434.845, the vagueness analysis will focus on the language of this subsection.
Defendant maintains that KRS 434.845(1)(c) has too broad a sweep in that a prosecutor could indict any person for most normal activities that are conducted on a computer. Defendant argues that this is so because the statute lacks the essential requirement that the crime be committed without authorization. Defendant gives the example that any time information is added or deleted from a computer, the person has accessed the computer with the intent to alter its data or one of its programs, and thus could be charged with violating KRS 434.845(1)(c). Defendant further argues that the statute's lack of guidelines as to its application makes possible criminal prosecutions by employers as retribution against an employee.
The Commonwealth argues that while KRS 434.850 (Unlawful Access to a Computer in the Second Degree) contains the language that the access or attempt must be “without authorization,” the legislature intended to leave said language out of KRS 434.845, so it would apply across the board to all persons regardless of whether or not they are authorized users. Defendant, however, is not questioning whether the access to the computer must be “without authorization.” His argument as to “without authorization” relates to the conduct in subsection (1)(c), i.e., altering, damaging, destroying or attempting same.
If an employee with proper access to a work computer accesses it for the purpose of altering a computer program, which for example occurs when an updated version of a program is installed, or for the purpose of destroying data stored in the computer, which occurs for example when an e-mail message is deleted, has KRS 434.845(1)(c) been violated? The conduct of altering, damaging, destroying or attempting same listed in subsection (1)(c) must be considered “unauthorized” or without permission of the owner before it can reasonably [be] said that a violation of the subsection has occurred. The indictment or bill of particulars does not allege that defendant's conduct under subsection (1)(c) was unauthorized by Universal.
As stated in Commonwealth v. Foley, Ky., 798 S.W.2d 947 (1990):
“We reject the argument that a criminal statute facially unconstitutional can be ‘authoritatively construed’ by the courts to render it constitutional, if this is taken to mean the court can introduce an additional concept not present in the statute as written by the Legislature.” Musselman v. Commonwealth, Ky., 705 S.W.2d 476, 478 (1986).
While our decisions require construction in favor of constitutionality (citations omitted), an oft-quoted admonition from Hatchett v. City of Glasgow, Ky., 340 S.W.2d 248 (1960), remains a guiding principle:
“But where a statute on its face is intelligible, the courts are not at liberty to supply words or insert something or make additions which amount, as sometimes stated, to providing a casus omissus, or cure an omission, however just or desirable it might be to supply an omitted provision.” Id. at 251.
The court finds that the language in KRS 434.845(1)(c), without any differentiation between authorized and unauthorized altering, etc., does not provide explicit standards for the people who must apply the statute (i.e., police officers, prosecuting attorneys, juries and judges), see Foley, 798 S.W.2d at 951, nor does it provide sufficient notice or warning about what conduct is prohibited. An ordinary person could not determine with reasonably [sic] certainty whether his or her contemplated conduct would amount to a violation of subsection (1)(c) of the statute. “Unquestionably, criminal statutes must be sufficiently specific that an individual has fair notice of what conduct is forbidden.” Kash, 967 S.W.2d at 43. Consequently, the Court holds KRS 434.845(1)(c) to be unconstitutionally vague.
The court denied appellee's pending motion to dismiss the remaining two counts of the indictment, and this interlocutory appeal followed.
First, the Commonwealth argues that the trial court erred by agreeing with appellee's contention that the statute, as enacted, lacks an essential requirement mandating that the offense of unlawful access to a computer cannot occur unless the alteration, damage or destruction at issue is committed without authorization. The Commonwealth urges that the legislature intentionally omitted a requirement that the access be without authorization, and that such a requirement in any event is not necessary. We disagree with the Commonwealth's arguments.
True enough, as the Commonwealth notes, KRS 434.845(1)(c) states that the unlawful access must be for the purpose of altering, damaging, or destroying a computer and/or related property, while the statute creating the offense of second-degree unlawful access, KRS 434.850, requires that the access be “without authorization.” However, we find no merit in the Commonwealth's argument that this basic difference in the language of the two statutes was legislatively intended to ensure that authorized users of computers and related systems can nevertheless be prosecuted for first-degree unlawful access if they violate their positions of trust.
Upholding the Commonwealth's argument would result in a situation in which both authorized and unauthorized persons could be prosecuted for first-degree unlawful access as a result of the alteration, damage, or destruction of a computer and/or related components and systems, even though the alteration, damage or destruction may have been caused by an authorized person with the permission or at the request of the computer's owner. Indeed, as noted by the trial court, absent a requirement that the actor's alteration, damage or destruction must occur without authorization, the statute literally permits the prosecution of an authorized user for an alteration as innocuous and innocent as the deletion of an e-mail message. We decline to interpret the statute in such a manner. Clearly, the statute is void for vagueness as an authorized user cannot, from a reading of the statute, ascertain specifically what alteration, damage or destruction is prohibited.
Moreover, we are not persuaded by the Commonwealth's argument that the statute is intended only to criminalize the act of altering, damaging, or destroying the computer after access is gained, rather than the act of accessing the computer for the purpose of obtaining information. Contrary to the Commonwealth's argument, the language of subsection (2) of KRS 434.845, clarifying the fact that obtaining access to a computer does not amount to a violation if its sole purpose is to obtain information rather than to commit an act proscribed by that section, does not somehow remedy the deficiency in subsection (1)(c) of the statute. Obviously, there is a difference between merely obtaining information, and altering, damaging or destroying a computer and related systems. Nothing in subsection (2) prevents an authorized user from being prosecuted under subsection (1)(c) for innocent alterations made in good faith.
The court's judgment is affirmed.
GUDGEL, Chief Judge.