Opinion
No. 1 CA-CR 08-0230.
January 14, 2010.
Appeal from the Superior Court, Maricopa County, Edward O. Burke, J.
Terry Goddard, Attorney General by Kent E. Cattani, Chief Counsel, Criminal Appeals/Capital Litigation Section, and Craig W. Soland, Assistant Attorney General, Phoenix, Attorneys for Appellee.
Bruce Peterson, Legal Advocate by Thomas J. Dennis, Deputy Legal Advocate, Phoenix, Attorneys for Appellant.
OPINION
¶ 1 Clifton Bert Young was convicted by a jury on one count of computer tampering, a violation of A.R.S. § 13-2316(A)(7) and a class six undesignated felony. The trial court suspended sentencing and placed Young on probation for eighteen months. On appeal, Young argues that the evidence presented at trial was insufficient to support his conviction. We agree and reverse.
¶ 2 A.R.S. § 13-2316(A)(7) (2001) prohibits a person from acting without or in excess of authority to obtain any "records that are not public records" from a state computer. The evidence presented at trial was sufficient to show that Young acted without authority when he accessed certain data on a government computer. But we hold that the statute's description of "records that are not public records" unambiguously refers to those records that do not fall within the public records law — not merely to records that might be exempt from disclosure under the public records law. Because the data that Young obtained are subject to the public records law, we conclude that there was insufficient evidence that Young obtained the type of information described by the plain language of the subsection under which he was charged.
FACTS AND PROCEDURAL HISTORY
¶ 3 Young was employed by the Arizona Department of Transportation ("ADOT") as a member of the server management team. The seven-person team administered ADOT's computer server infrastructure. As a member of the team, Young had elevated domain administrator privileges, which provided him access to all computer servers on the ADOT computer network. Among the computer servers on the ADOT network was a server that hosted the personnel files for ADOT employees.
¶ 4 Employees of ADOT are subject to annual reviews of their work performance. As part of the review process, employees are given an Employee Performance Appraisal System ("EPAS") score. The scores range from 1 to 5, with a score of 3 representing acceptable performance and a score of 5 indicating superior performance. The EPAS scores become a permanent part of an employee's official personnel file and are considered confidential by ADOT.
¶ 5 In 2006, the Chief Information Officer at ADOT decided that EPAS scores in the IT department had become inflated over the years and directed department managers to recalibrate the scoring of their subordinates to establish a more realistic scoring baseline. The supervisor of the server management team complied with this directive. Young's EPAS score, which historically had been no lower than 4, dropped to 3.3.
¶ 6 The EPAS recalibration became a subject of discussion among the server management team. The members of the team were unhappy with their reduced scores and were concerned that the downgraded EPAS scores might be the first step toward outsourcing their jobs. The supervisor met with the team members and explained that the scores were lowered as part of a general realignment of scores in the IT department and that they were not being individually penalized.
¶ 7 Young subsequently showed another member of the team an Excel spreadsheet displayed on a computer in his cubicle that included the names and EPAS scores for the entire IT department. The information on the spreadsheet indicated that the server management team was the only group in the IT department to have its EPAS scores reduced. Young contacted the team supervisor and informed him of the spreadsheet. When the supervisor asked for a hard copy of the spreadsheet, Young left and returned with a printout. The supervisor informed Young that he would take the spreadsheet to his superior and ask if he could rescore the team given the failure of other supervisors to comply with the EPAS recalibration directive.
¶ 8 After the team supervisor spoke to his superior about his request to rescore his team, ADOT began an internal investigation to discover the source of the unauthorized disclosure of the EPAS scores. As part of the investigation, a forensic examination was performed on the computers of the server management team. The examination revealed that the EPAS spreadsheet, which was stored on the server in question, had been accessed from one of Young's work computers by a person using his user ID and password. The examination also revealed that Young's computer had been used to access other Human Resource documents on the server during the same time frame, including a "grievance tracking Excel spreadsheet, a position action database, some FLSA [Fair Labor Standards Act] control documents . . . . [and] some disciplinary action databases." Young had no business need to access the EPAS spreadsheet or other Human Resource documents.
¶ 9 Young was terminated from his position at ADOT and charged with one count of computer tampering in violation of A.R.S. § 13-2316(A)(7) (2001). A jury trial commenced and Young was convicted of the offense charged and placed on probation for eighteen months.
¶ 10 Young timely appeals. We have jurisdiction pursuant to Article 6, Section 9 of the Arizona Constitution and A.R.S. §§ 12-120.21(A)(1) (2003), 13-4031, and 13-4033(A)(1) (Supp. 2009).
DISCUSSION
¶ 11 A.R.S. § 13-2316(A) provides:
A person who acts without authority or who exceeds authorization of use commits computer tampering by:
. . . .
(7) Knowingly obtaining any information that is required by law to be kept confidential or any records that are not public records by accessing any computer, computer system or network that is operated by this state, a political subdivision of this state or a medical institution.
Young challenges his conviction on the ground that the State failed to present sufficient evidence to support the jury's verdict of guilt. We review a claim of insufficient evidence de novo. State v. Bible, 175 Ariz. 549, 595, 858 P.2d 1152, 1198 (1993).
¶ 12 A conviction will not be reversed for insufficient evidence "unless there is no substantial evidence to support the jury's verdict." State v. Scott, 187 Ariz. 474, 477, 930 P.2d 551, 554 (App. 1996) (citing State v. Hallman, 137 Ariz. 31, 38, 668 P.2d 874, 881 (1983)). "Substantial evidence is more than a `mere scintilla' and is that which reasonable persons could accept as sufficient to support a guilty verdict beyond a reasonable doubt." State v. Hughes, 189 Ariz. 62, 73, 938 P.2d 457, 468 (1997) (citing State v. Mathers, 165 Ariz. 64, 67, 796 P.2d 866, 869 (1990)). In considering a claim of insufficient evidence, we determine whether, "viewing the evidence in the light most favorable to the prosecution, a rational trier of fact could have found the essential elements of the crime beyond a reasonable doubt." State v. Montano, 204 Ariz. 413, 423, ¶ 43, 65 P.3d 61, 71 (2003) (quoting State v. Tison, 129 Ariz. 546, 552, 633 P.2d 355, 361 (1981)).
¶ 13 The elements of the species of computer tampering charged in this case are: (1) without authority or in excess of authority; (2) knowingly obtaining; (3) information required by law to be kept confidential or records that are not public records; (4) by accessing any computer, computer system or network operated by the State. A.R.S. § 13-2316(A)(7). Young contends that the evidence was insufficient to permit the jury to find the existence of the first and third elements of this offense beyond a reasonable doubt.
A. Authority
¶ 14 With regard to the first element, Young notes that the indictment described the offense as having been committed "without lawful or administrative authority" and that the jury instructions defined the offense in the same manner. He therefore reasons that the State was required to establish that he acted without authority rather than merely in excess of authority. Young argues that because he had "elevated domain administrator" privileges that gave him the ability to access the server, no reasonable person could conclude that he acted without authority when he accessed the Human Resource documents on that server.
¶ 15 Young cites several federal district court decisions construing the federal Computer Fraud and Abuse Act in support of his contention that the violation of accessing "without authorization" only occurs where the initial access to the computer is not permitted. See, e.g., Shamrock Foods Co. v. Gast, 535 F.Supp.2d 962 (D.Ariz. 2008). These federal cases are inapposite because the federal statute they apply defines the offense simply in terms of "intentionally access[ing] a computer without authorization or exceed[ing] authorized access." 18 U.S.C. § 1030(a)(2) (2008). In contrast, the essence of the offense with which Young was charged is the obtaining of specific information or records, not the act of accessing the computer. Accordingly, the issue of authority for purposes of A.R.S. § 13-2316(A)(7) turns on whether a person has authority to obtain the information or records that are the object of the offense — not on whether the person has authority to access the computer. We therefore reject Young's argument that the indictment and jury instructions constrained the State to prove facts not supported by the evidence.
A different subsection of A.R.S. § 13-2316 proscribes unlawful access of a computer. A.R.S. § 13-23 16(A)(8) prohibits a person from acting without or in excess of authority to "knowingly access[] any computer, computer system or network or any computer software, program or data that is contained in a computer, computer system or network." Young was not charged under this subsection of the statute.
¶ 16 The evidence at trial was undisputed that Young did not have authority to obtain the EPAS score spreadsheet from the server: testimony established that the server team members typically operated at the system level, not the file level; that EPAS scores were treated as confidential; that employees were prohibited from accessing another person's data without the owner's permission; and that the Human Resource department had not asked Young to access the EPAS scores. Moreover, Young testified that he knew the EPAS scores were confidential and that he had no need for the information to do his work. Therefore, the situation was not one in which Young merely had authority to obtain the information for certain work purposes but did so for an improper reason. By obtaining the EPAS scores from the server, Young acted wholly "without authority," not merely in excess of authority.
¶ 17 There is likewise no merit to Young's claim that his supervisor's actions should be viewed as a ratification of his prior conduct. When the supervisor made the request for a hard copy of the spreadsheet, he was not aware that Young had obtained the EPAS scores from the server. Indeed, Young testified that he told his supervisor that he had discovered the spreadsheet on a floppy diskette left on his desk. Absent knowledge of the misconduct, there can be no ratification. See Smith v. Am. Express Travel Related Servs. Co., 179 Ariz. 131, 138, 876 P.2d 1166, 1173 (App. 1994) (finding no ratification when supervisor did not have knowledge of sexual misconduct).
B. The Nature of the Information Obtained
¶ 18 A.R.S. § 13-2316(A)(7) addresses two distinct categories of information. The first is "information that is required by law to be kept confidential." The second is "records that are not public records." The State and Young disagree on the meaning of the second category.
¶ 19 The goal of statutory interpretation is to ascertain and effectuate the intent of the Legislature. State v. Dixon, 216 Ariz. 18, 20, ¶ 7, 162 P.3d 657, 659 (App. 2007). To accomplish that goal, we first look to the language of the statute. In re Adam P., 201 Ariz. 289, 291, ¶ 12, 34 P.3d 398, 400 (App. 2001). "When `a statute's language is clear and unambiguous, we must give effect to that language and need not employ other rules of statutory construction.'" State v. Wood, 198 Ariz. 275, 277, ¶ 7, 8 P.3d 1189, 1191 (App. 2000) (quoting State v. Riggs, 189 Ariz. 327, 333, 942 P.2d 1159, 1165 (1997)). Unless otherwise defined, we give words and phrases their ordinary meaning unless it appears from their context that another meaning is intended. State v. Reynolds, 170 Ariz. 233, 234, 823 P.2d 681, 682 (1992).
¶ 20 The phrase "information that is required by law to be kept confidential" is easily understood. The State concedes that the EPAS score spreadsheet does not fall within the scope of this category because there is no statute requiring that such information be kept confidential. The State argues, however, that the jury could find that Young obtained information within this category based on the evidence that Young's computer was used to access other Human Resource documents.
¶ 21 The problem with this argument is that no substantial evidence was presented at trial regarding the contents of these documents. None of the documents were admitted in evidence and testimony regarding them was limited to general descriptions. While there was testimony that there were files on the server that included social security numbers as well as personal medical information and other matters subject to state and federal confidentiality laws, that testimony was never tied to the specific files that Young accessed. Absent evidence that the documents Young obtained actually contained information protected by state or federal law, any finding that Young obtained such information would be pure speculation.
¶ 22 We further conclude that the evidence is insufficient to support a finding that Young obtained "any records that are not public records" from the server. Like the first category, this second phrase is clear and unambiguous.
¶ 23 There are two types of records that may be in the State's custody: "public records" and records "of a purely private or personal nature." Griffis v. Final County, 215 Ariz. 1, 4, ¶ 10, 156 P.3d 418, 421 (2007). "Arizona law defines `public records' broadly and creates a presumption requiring the disclosure of public documents." Id. at ¶ 8 (citing Carlson v. Pima County, 141 Ariz. 487, 489-90, 687 P.2d 1242, 1244-45 (1984)); see also A.R.S. § 39-121 (2001) ("Public records and other matters in the custody of any officer shall be open to inspection by any person at all times during office hours.").
A public record is one "made by a public officer in pursuance of a duty, the immediate purpose of which is to disseminate information to the public, or to serve as a memorial of official transactions for public reference"; a record that is "required to be kept, or necessary to be kept in the discharge of a duty imposed by law or directed by law to serve as a memorial and evidence of something written, said or done"; or any "written record of transactions of a public officer in his office, which is a convenient and appropriate method of discharging his duties, and is kept by him as such, whether required by . . . law or not."
Griffis, 215 Ariz. at 4, ¶ 9, 156 P.3d at 421 (quoting Salt River Pima-Maricopa Indian Cmty. v. Rogers, 168 Ariz. 531, 538-39, 815 P.2d 900, 907-08 (1991)). Unlike public records, purely private documents in the State's custody are not subject to the public records law. Id. at 5, ¶ 12, 156 P.3d at 422.
¶ 24 Based on the limited descriptions provided at trial of the Human Resource documents accessed by Young, all appear to fall within the definition of public records. The State does not dispute that the documents are public records, but asserts that the phrase "any records that are not public records" should be construed to mean public records exempt from disclosure despite the presumption of access under the public records law. See Carlson v. Pima County, 141 Ariz. 487, 491, 687 P.2d 1242, 1246 (1984) (recognizing that an officer may refuse inspection of public records "where the countervailing interests of confidentiality, privacy or the best interests of the State should be appropriately invoked"). According to the State, in light of the testimony that the Human Resource documents were "confidential" and "sensitive," the jury could find that the State had proven an exception to disclosure under the public records law.
¶ 25 The flaw in the State's argument is that it is contrary to the plain language of the statute. The phrase in issue clearly states "records that are not public records" — i.e., private records. The State's interpretation would require that "not public records" be read to mean the exact opposite of the words used by the Legislature. When a statute's language is plain and unambiguous, we must apply the text as written. State v. Derello, 199 Ariz. 435, 439, ¶ 21, 18 P.3d 1234, 1238 (App. 2001).
¶ 26 There is no validity to the State's contention that interpreting the second category of A.R.S. § 13-2316(A)(7) in accordance with its plain language contravenes the rule that "courts should give the statute a sensible construction which will accomplish legislative interest and purpose, and which will avoid absurd results." State v. Flores, 160 Ariz. 235, 239, 772 P.2d 589, 593 (App. 1989) (citing Lake Havasn City v. Mohave County, 138 Ariz. 552, 557, ( 575 P.2d 1371, 1376 (App. 1983); State v. Schoner, 121 Ariz. 528, 530, 591 P.2d 1305, 1307 (App. 1979)). Given the presumption that public records are open to inspection, the Legislature could reasonably decide to limit the scope of the statute to information and records that are not subject to the public records law: information that must be kept confidential by law and private records.
¶ 27 We also find no merit in the State's argument that limiting the second category to private records allows a person to access any and all public records, including confidential documents not subject to disclosure under the public records law, that are maintained on the State's computers with criminal impunity. That argument ignores that A.R.S. § 13-2316(A)(7) describes only one of eight forms of computer tampering. See A.R.S. § 13-2316(A)(1), (7). The State could easily have charged Young with computer tampering under A.R.S. § 13-2316(A)(8). The State's failure to establish the elements of the offense it elected to charge does not provide a basis for construing the statute in a manner directly contrary to its plain language.
That section prohibits a person from exceeding authorization by "[k]nowingly accessing any computer, computer system or network or any computer software, program or data that is contained in a computer, computer system or network."
CONCLUSION
¶ 28 When the evidence is lacking, the conviction must be reversed. Young did not have authority to obtain the EPAS score spreadsheet on the server. The State, however, failed to prove that Young obtained information or records from the ADOT server within either of the two categories that are the subject of A.R.S. § 13-2316(A)(7). Accordingly, the evidence is insufficient to support Young's conviction for that offense, and we reverse the conviction and order the charge dismissed.
CONCURRING: JOHN C. GEMMILL and PATRICIA A. OROZCO, Judges.