Virginia Supreme Court Strengthens Protection Against Computer Crimes

The case turned on the question of whether the accused used a computer “without authority” under Virginia’s computer fraud statute in a series of check forging crimes. However, the interpretation of what constitutes using a computer or computer network “without authority” has broad implications for a wide variety of improper activities involving computers and networks, as the statute is a basis for both criminal and civil actions. In short, Wallace strengthens the protection of computers and computer networks, and the information stored on them, against unauthorized access and use—and gives litigants in Virginia an additional tool against theft of corporate information.

The Supreme Court’s Wallace Decision
The Supreme Court decision itself is remarkable for its brevity. Rather than issue an opinion explaining its reasoning, the Court issued an order that reversed an en banc Court of Appeals decision by adopting “the reasons stated in dissenting opinion of the en banc Court of Appeals, see Wallace v. Commonwealth, 79 Va. App. 455, 476-84 (2024),” thus affirming the trial court’s conviction of Taylor Amil Wallace for computer fraud. Three justices dissented, also without writing an opinion and simply citing the reasoning of the en banc Court of Appeals majority. In essence, the Court of Appeals decision became the Supreme Court’s decision, with the majority and dissenting opinions switched.

Wallace had been found guilty of multiple charges, including computer fraud, obtaining money by false pretenses, uttering forged checks, and failing to appear in court. The Court of Appeals en banc decision was limited to the computer fraud charge. Specifically, the alleged conduct was Wallace’s deposit of forged checks into her bank account using a drive-through ATM (the computer at issue). The Court of Appeals’ majority held that Wallace had authority to use the ATM—despite the fact that she was using it for the plainly illegal purpose of cashing fraudulent checks. Thus, the Court of Appeals originally held the statute was not violated because the “without authority” language in the statute related to whether she had the right to use the ATM in general, rather than to the specific purpose for which she used it. If the Court of Appeal’s decision was adopted, it would have severely restricted the reach of the Virginia Computer Crimes Act, as that court’s interpretation of when a computer or network was used “without authority” essentially exonerated anyone from wrongdoing under that Act if that person had some legitimate access to the computer or network at issue.

The dissenting opinion—which was adopted by the Supreme Court—reached the opposite conclusion and focused on whether the conduct for which the ATM/computer was used was authorized, rather than whether general access to the ATM was authorized. Specifically, the dissent stated that “Wallace ‘use[d]’ the ‘computer’ ‘without authority’ because when she used the computer to obtain property by false pretenses, she knowingly acted in a manner exceeding her right or permission to use the ATM[.]” In analyzing the statute and its history, the dissent (now the Supreme Court’s position) stated that determining when computer or network access is “without authority” is “based on the rights and permissions of a given user in using a computer.”

From a commonsense standpoint, the dissent’s reasoning adopted by the Supreme Court is straightforward and focuses on the conduct alleged and the rights/permissions given to the computer/network user of the computer. There was no suggestion that Wallace’s bank authorized her to use an ATM to commit computer fraud by depositing forged checks. Everyday commonsense would dictate that Wallace had no such permission—no bank in its right mind would approve that conduct.

Wallace’s Broader Implications for Computer Crimes and Civil Actions
So, what does a case involving check fraud mean in practice for corporate enterprises with valuable computer data? The answer is that the same Virginia section of the Virginia Computer Crimes Act that led to Wallace’s conviction covers a wide array of illegal usage of computers and networks, including theft of corporate information, and the Act also has a civil enforcement provision creating a private cause of action. In short, the broader scope of use “without authority” strengthens protection against all prohibited computer or network usage in Virginia.

In today’s nearly entirely digital age, numerous trade secret cases and other causes of action for taking of corporate information are based on the illicit copying of computer data, files, manuals, financial reports, etc. Thus, in Virginia, a company considering filing suit for trade secret misappropriation, or a similar cause of action based at least in part on theft of computer files/data, has other tools available to it, namely the civil enforcement of the Virginia Computer Crimes Act, to recover for any damages—which is now clarified and strengthened by Wallace. That approach provides an additional path to success, which may be especially valuable in the event there are concerns about the potential for establishing the elements of a trade secret claim and the associated costs. And, of course, the company has the option of considering enlisting the assistance of the Commonwealth’s Attorney’s Office to bring a criminal proceeding.

Specifically, in addition to its version of the Uniform Trade Secrets Act, Virginia’s Computer Crimes Act also makes it unlawful to engage in “computer fraud,” governed by Va. Code 18.2-152.3 (the statute under which Wallace was convicted), and “computer trespass,” governed by Va. Code 18.2-152.4. Computer fraud is defined as “[a]ny person who uses a computer or computer network, without authority and: 1. Obtains property or services by false pretenses; 2. Embezzles or commits larceny; or 3. Converts the property of another[.]” Computer trespass covers a wider variety of acts, but relevant to the facts that typically trigger misappropriation claims “[i]t is unlawful for any person, with malicious intent, or through intentionally deceptive means and without authority, to: … 6. Use a computer or computer network to make or cause to be made an unauthorized copy, in any form, including, but not limited to, any printed or electronic form of computer data, computer programs or computer software residing in, communicated by, or produced by a computer or computer network[.]”

In short, each of these criminal code sections prohibit the unauthorized taking of computer data, files, software, etc., which overlaps with the same type of conduct that often gives rise to a trade secret misappropriation and NDA breach claims. Thus, an employee that copies the files for the company’s secret sauce and customer sales information onto a thumb drive (or uploads it to his own server, emails it to an external address, etc,) is not just civilly liable for stealing trade secrets, he may also be criminally and civilly liable for (1) computer fraud by embezzling or converting the files/data and (2) computer trespass for making unauthorized copies of computer data.

Of particular interest in terms of litigation strategy is the fact that the criminal code sections do not require the subject matter stolen to meet the test of what constitutes a trade secret, or even be confidential. To establish trade secret misappropriation, the plaintiff must prove the information has “economic value, actual or potential from not being generally known to, and not being readily ascertainable by proper means by, other persons who can obtain economic value from its disclosure or use.” In addition, the plaintiff also must prove that the information is “the subject of efforts that are reasonable under the circumstances to maintain its secrecy.” These are often hard-fought issues, and trade secret cases can often be lost on these grounds (or, at the very least, much more expensive to establish, often requiring extensive expert testimony and proof of efforts to maintain confidentiality).

In contrast, the computer trespass provision of the criminal code on its face applies to unauthorized copying of any “computer data, computer programs or computer software.” Likewise, the computer fraud provision prohibits embezzlement and conversion of property—which is expressly defined as including “computer data, computer programs, [and] computer software” (Va. Code 18.2-152.2), with no requirement of establishing the status of confidentiality or trade secret status.

Of course, care must be taken in developing a litigation strategy to avoid preemption, as at least one Fourth Circuit case has held that aspects of the Virginia Computer Crimes Act are preempted by federal copyright law when the conduct alleged is not “qualitatively different” from a copyright infringement claim. However, certain forms of computer data are not eligible for copyright protection, such as data generated by a computer itself with no “author,” data reflecting mere uncopyrightable information and facts, etc. Thus, presentation of alternative theories for relief should be considered as early as possible, and preferably at the pleading stage.

One critical point from Wallace is that the opinion adopted by the Supreme Court stated that determining when computer or network access is “without authority” is “based on the rights and permissions of a given user in using a computer.” Applying this to the corporate business standpoint, the question for companies concerned with the risk of employees taking computer files/data is: do your policies or terms of use for company computers/networks have restrictions on what an employee is authorized to do with his/her computer access?

The best practice is for companies to have a clear policy, and even better clear language in employment agreements or employee handbooks, that restricts the manner of access and bars access to computer files/data, etc. for any purpose other than for the sole benefit of the company. Such policies should also make clear that copying data onto unauthorized devices, transmission to unauthorized or personal emails, storage on personal drives, etc. is not permitted—to avoid any argument that such activities were not expressly prohibited. A clear policy will strengthen any cause of action brought under the Computer Crimes provision and bolster the ability to recover damages in corporate information theft cases above and beyond traditional trade secret remedies.