2016 COA 16
Colo. Ct. App.2016Background
- Stotz and Eicher were Denver EPS employees who resigned in July 2012 to join a competitor and returned company laptops to EPS; forensic analysis later recovered thousands of deleted files and emails from their machines.
- EPS claimed deleted items included test data, reports, quotes, equipment manuals, and scheduling/inventory data critical to operations; forensic recovery was incomplete and some recovered data were corrupted or disorganized.
- Defendants admitted copying company files to personal external drives and deleting files from company laptops; they claimed reasons ranging from personal recordkeeping to believing laptops would be wiped after resignation.
- EPS sued civilly (later dismissed) and separately referred the matter to the Denver DA; defendants were criminally charged, convicted by a jury of computer crime (felony) under Colorado’s computer crime statute, and ordered to pay restitution of roughly $104,920 jointly and severally.
- On appeal defendants challenged the statute as unconstitutionally vague and overbroad, argued impermissible delegation under People v. Vinnola, and contested the restitution amount; the court affirmed convictions and restitution.
Issues
| Issue | People’s Argument | Defendants’ Argument | Held |
|---|---|---|---|
| Vagueness (facial) — does § 18‑5.5‑102(1)(e) give fair notice that deleting data can be "damage"? | Statute’s definition of "damage" (impairing integrity/availability) is specific; deleting thousands of files fits the definition. | Phrase "damage to data" is insufficiently concrete; statute could criminalize innocuous deletions. | Statute is not facially vague; deletion of thousands of files constitutes "damage." |
| Vagueness (as-applied) — does statute give notice when employees have administrative control over laptops? | The statute requires acting knowingly "without authorization or in excess of authorized access"; jury found defendants knew deletions were unauthorized. | Employees had local admin rights and no explicit prohibitions; statute was intended for hackers, not ordinary employee decisions. | Not vague as applied: jury could find defendants exceeded authorization and knowingly damaged data. |
| Overbreadth — does the statute criminalize legitimate employee discretion? | Company property provision and the statute target knowing damage to employer property; protecting property is a valid state interest. | Criminalizes routine workplace decisions and lawful discretionary acts by employees. | Not overbroad as applied to defendants; statute permissibly reaches knowingly damaging employer data. |
| Vinnola/delegation — does conviction rest on post‑hoc employer discretion so that guilt depends on third‑party action? | Authorization is an objective fact at the time of deletion; EPS testimony concerns preexisting facts, not a post‑hoc discretionary trigger. | EPS’s later characterization of deletions as "unauthorized" lets a third party decide criminality. | Vinnola inapplicable: criminality depended on facts at deletion time, not later discretionary acts by EPS. |
Key Cases Cited
- Kolender v. Lawson, 461 U.S. 362 (constitutional vagueness standard)
- People v. Gross, 830 P.2d 933 (Colo. 1992) (void‑for‑vagueness principles)
- People v. Perea, 74 P.3d 326 (Colo. App. 2002) (vagueness and notice analysis)
- United States v. Nosal, 676 F.3d 854 (9th Cir. 2012) (CFAA employee‑access limitation line)
- Int’l Airport Ctrs., L.L.C. v. Citrin, 440 F.3d 418 (7th Cir. 2006) (termination of agency/duty of loyalty theory)
- People v. Vinnola, 494 P.2d 826 (Colo. 1972) (invalidating statute that conditioned guilt on third‑party discretion)