State v. Young

• Decision Date: 14 January 2010
• Docket Number: No. 1 CA-CR 08-0230.,1 CA-CR 08-0230.
• Citation: 224 P.3d 944
• Parties: STATE of Arizona, Appellee, v. Clifton Bert YOUNG, Appellant.
• Court: Arizona Court of Appeals

224 P.3d 944

STATE of Arizona, Appellee, v. Clifton Bert YOUNG, Appellant.

No. 1 CA-CR 08-0230.

Court of Appeals of Arizona, Division 1, Department A.

January 14, 2010.

Terry Goddard, Attorney General by Kent E. Cattani, Chief Counsel, Criminal Appeals/Capital Litigation Section, and Craig W. Soland, Assistant Attorney General, Phoenix, Attorneys for Appellee.

Bruce Peterson, Legal Advocate by Thomas J. Dennis, Deputy Legal Advocate, Phoenix, Attorneys for Appellant.

OPINION

SWANN, Judge.

¶ 1 Clifton Bert Young was convicted by a jury on one count of computer tampering, a violation of A.R.S. § 13-2316(A)(7) and a class six undesignated felony. The trial court suspended sentencing and placed Young on probation for eighteen months. On appeal, Young argues that the evidence presented at trial was insufficient to support his conviction. We agree and reverse.

¶ 2 A.R.S. § 13-2316(A)(7) (2001) prohibits a person from acting without or in excess of authority to obtain any "records that are not public records" from a state computer. The evidence presented at trial was sufficient to show that Young acted without authority when he accessed certain data on a government computer. But we hold that the statute's description of "records that are not public records" unambiguously refers to those records that do not fall within the public records law — not merely to records that might be exempt from disclosure under the public records law. Because the data that Young obtained are subject to the public records law, we conclude that there was insufficient evidence that Young obtained the type of information described by the plain language of the subsection under which he was charged.

FACTS AND PROCEDURAL HISTORY

¶ 3 Young was employed by the Arizona Department of Transportation ("ADOT") as a member of the server management team. The seven-person team administered ADOT's computer server infrastructure. As a member of the team, Young had elevated domain administrator privileges, which provided him access to all computer servers on the ADOT computer network. Among the computer servers on the ADOT network was a server that hosted the personnel files for ADOT employees.

¶ 4 Employees of ADOT are subject to annual reviews of their work performance. As part of the review process, employees are given an Employee Performance Appraisal System ("EPAS") score. The scores range from 1 to 5, with a score of 3 representing acceptable performance and a score of 5 indicating superior performance. The EPAS scores become a permanent part of an employee's official personnel file and are considered confidential by ADOT.

¶ 5 In 2006, the Chief Information Officer at ADOT decided that EPAS scores in the IT department had become inflated over the years and directed department managers to recalibrate the scoring of their subordinates to establish a more realistic scoring baseline. The supervisor of the server management team complied with this directive. Young's EPAS score, which historically had been no lower than 4, dropped to 3.3.

¶ 6 The EPAS recalibration became a subject of discussion among the server management team. The members of the team were unhappy with their reduced scores and were concerned that the downgraded EPAS scores might be the first step toward outsourcing their jobs. The supervisor met with the team members and explained that the scores were lowered as part of a general realignment of scores in the IT department and that they were not being individually penalized.

¶ 7 Young subsequently showed another member of the team an Excel spreadsheet displayed on a computer in his cubicle that included the names and EPAS scores for the entire IT department. The information on the spreadsheet indicated that the server management team was the only group in the IT department to have its EPAS scores reduced. Young contacted the team supervisor and informed him of the spreadsheet. When the supervisor asked for a hard copy of the spreadsheet, Young left and returned with a printout. The supervisor informed Young that he would take the spreadsheet to his superior and ask if he could rescore the team given the failure of other supervisors to comply with the EPAS recalibration directive.

¶ 8 After the team supervisor spoke to his superior about his request to rescore his team, ADOT began an internal investigation to discover the source of the unauthorized disclosure of the EPAS scores. As part of the investigation, a forensic examination was performed on the computers of the server management team. The examination revealed that the EPAS spreadsheet, which was stored on the server in question, had been accessed from one of Young's work computers by a person using his user ID and password. The examination also revealed that Young's computer had been used to access other Human Resource documents on the server during the same time frame, including a "grievance tracking Excel spreadsheet, a position action database, some FLSA [Fair Labor Standards Act] control documents .... [and] some disciplinary action databases." Young had no business need to access the EPAS spreadsheet or other Human Resource documents.

¶ 9 Young was terminated from his position at ADOT and charged with one count of computer tampering in violation of A.R.S. § 13-2316(A)(7) (2001). A jury trial commenced and Young was convicted of the offense charged and placed on probation for eighteen months.

¶ 10 Young timely appeals. We have jurisdiction pursuant to Article 6, Section 9 of the Arizona Constitution and A.R.S. §§ 12-120.21(A)(1) (2003), 13-4031, and 13-4033(A)(1) (Supp.2009).

DISCUSSION

¶ 11 A.R.S. § 13-2316(A) provides:

A person who acts without authority or who exceeds authorization of use commits computer tampering by:

....

(7) Knowingly obtaining any information that is required by law to be kept confidential or any records that are not public records by accessing any computer, computer system or network that is operated by this state, a political subdivision of this state or a medical institution.

Young challenges his conviction on the ground that the State failed to present sufficient evidence to support the jury's verdict of guilt. We review a claim of insufficient evidence de novo. State v. Bible, 175 Ariz. 549, 595, 858 P.2d 1152, 1198 (1993).

¶ 12 A conviction will not be reversed for insufficient evidence "unless there is no substantial evidence to support the jury's verdict." State v. Scott, 187 Ariz. 474, 477, 930 P.2d 551, 554 (App.1996) (citing State v. Hallman, 137 Ariz. 31, 38, 668 P.2d 874, 881 (1983)). "Substantial evidence is more than a `mere scintilla' and is that which reasonable persons could accept as sufficient to support a guilty verdict beyond a reasonable doubt." State v. Hughes, 189 Ariz. 62, 73, 938 P.2d 457, 468 (1997) (citing State v. Mathers, 165 Ariz. 64, 67, 796 P.2d 866, 869 (1990)). In considering a claim of insufficient evidence, we determine whether, "viewing the evidence in the light most favorable to the prosecution, a rational trier of fact could have found the essential elements of the crime beyond a reasonable doubt." State v. Montano, 204 Ariz. 413, 423, ¶ 43, 65 P.3d 61, 71 (2003) (quoting State v. Tison, 129 Ariz. 546, 552, 633 P.2d 355, 361 (1981)).

¶ 13 The elements of the species of computer tampering charged in this case are: (1) without authority or in excess of authority; (2) knowingly obtaining; (3) information required by law to be kept confidential or records that are not public records; (4) by accessing any computer, computer system or network operated by the State. A.R.S. § 13-2316(A)(7). Young contends that the evidence was insufficient to permit the jury to find the existence of the first and third elements of this offense beyond a reasonable doubt.

A. Authority

¶ 14 With regard to the first element, Young notes that the indictment described the offense as having been committed "without lawful or administrative authority" and that the jury instructions defined the offense in the same manner. He therefore reasons that the State was required to establish that he acted without authority rather than merely in excess of authority. Young argues that because he had "elevated domain administrator" privileges that gave him the ability to access the server, no reasonable person could conclude that he acted without authority when he accessed the Human Resource documents on that server.

¶ 15 Young cites several federal district court decisions construing the federal Computer Fraud and Abuse Act in support of his contention that the violation of accessing "without authorization" only occurs where the initial access to the computer is not permitted. See, e.g., Shamrock Foods Co. v. Gast, 535 F.Supp.2d 962 (D.Ariz.2008). These federal cases are inapposite because the federal statute they apply defines the offense simply in terms of "intentionally access[ing] a computer without authorization or exceed[ing] authorized access." 18 U.S.C. § 1030(a)(2) (2008). In contrast, the essence of the offense with which Young was charged is the obtaining of specific information or records, not the act of accessing the computer.¹ Accordingly, the issue of authority for purposes of A.R.S. § 13-2316(A)(7) turns on whether a person has authority to obtain the information or records that are the object of the offense — not on whether the person has authority to access the computer. We therefore reject Young's argument that the indictment and jury instructions constrained the State to prove facts not supported by the evidence.

¶ 16 The evidence at trial was undisputed that Young did not have authority to obtain the EPAS score spreadsheet from the server: testimony established that the server team members typically operated at the system level, not the file level; that EPAS scores were treated as confidential; that employees were prohibited from accessing another person's data without the owner's permission; and that the Human...