Updated Friday July 27, 2012
The employee named in the court case referred to in the article below (see under Original article), Kevin Le Roy, has forwarded Computerworld two High Court judgements which were published a year after this opinion piece was originally published in 2007.
In the first judgement by Justice Mackenzie, issued on July 31, 2008, Le Roy was discharged without conviction and an appeal was allowed.
“The rehearing application was, I was informed from the bar by Mr Ewen [Le Roy’s lawyer], held by way of a telephone conference with the Judge. He issued a written ruling on 6 September 2007 in which he indicated that he was satisfied that, in the new circumstances disclosed, the consequences of a conviction outweighed the gravity of the offending so that the test for a discharge without conviction was now met,” the judgement reads.
In the second judgement by Justice Dobson, issued on August 25, 2008, Le Roy’s appeal was dismissed.
“On appeal, this argument was cast rather as a claim that Mr Le Roy believed he was entitled to access it [the email account] because emails might have been sent to him there, so he could go into it for the purposes of checking his own emails. I do not consider this makes a material difference to the factual finding which was, in essence, that the appellant did not genuinely believe he had authority or the necessary consent to surreptitiously access this email account, without it being cleared, by some means, with the complainant in advance.”
Original article
As computer systems become integral to the way businesses operate, the increasing amount of information — particularly personal information — that is stored electronically means the scope for misuse of both systems and information has increased greatly.
Unauthorised access, as well as inappropriate use of information and computer systems, raises concerns not only about confidential and commercially sensitive information, but also about the potential for criminal behaviour, even “cyberstalking” — the use of the internet, email or other electronic communications devices to stalk another person.
Businesses need to be aware of the risks of unauthorised access and inappropriate use of information, and the impact such could have on their computer systems and on their business.
For example, the High Court recently heard a case concerning unauthorised email access. Kevin Le Roy was employed as an E-Services Coordinator by TelstraClear. His job gave him access to TelstraClear’s computer system, allowing him to access customer email accounts. Le Roy obtained the user password of a TelstraClear customer through unauthorised means, and then accessed and read the customer’s emails. At the time, the customer had a protection order in place against Le Roy.
Le Roy had no work reasons for accessing the customer’s account and admitted that he should not have obtained the password or accessed the account via TelstraClear’s computer system.
Prior to the passing of the Crimes Amendment Act 2003, New Zealand was one of the few Western countries that did not have a law against committing computer-related offences. Amongst other things, the amendment act introduced four new criminal offences into the Crimes Act. These are: accessing a computer system for dishonest purposes; damaging or interfering with a computer system; making, selling, distributing or possessing software for committing crime; and accessing a computer system without authorisation.
If convicted, a cyber-criminal can be jailed for up to 10 years.
Accessing a computer system for a dishonest purpose is covered by section 249. It includes actions such as masquerading (the theft of a person’s identity or the forgery of documents and messages); password-cracking; spoofing (forging packet addresses so that the message appears to have originated from a “trusted” source); unauthorised use of valid passwords; and unauthorised employee access.
The key issue in the Le Roy’s case was whether by accessing the customer’s emails and using her password he had obtained a benefit in the context of section 249(1)(a). The District Court held that the word “benefit” means a benefit that could help advance a person’s material situation, so deemed benefits to be solely of a financial nature.
On appeal, however, Justice Gendall in the High Court held that the term “benefit” was not restricted to financial benefits and so could include advantages such as acquiring knowledge or information to which one would not otherwise be entitled; the invasion of another’s privacy, or acquiring knowledge or information that could be used to exploit another person.
While the cybercrime provisions in the Crimes Act are broad, they address only some of the risks of computer misuse to businesses. Other risks include breaches of confidentiality and privacy obligations owed by a business to its customers, the generation of bad publicity and the loss of commercially sensitive information.
A comprehensive information technology policy can help mitigate these risks. Such a policy would apply to all those authorised to access the company’s computer systems and also set out what activities are acceptable and what are not, and the consequences of failing to comply with the policy.
Ngan is a partner at Simpson Grierson
Te is a solicitor at Simpson Grierson