Opinion
2021-SC-0254-DG
09-22-2022
COUNSEL FOR APPELLANT: Daniel J. Cameron, Attorney General of Kentucky, Michael Robert Wajda, Assistant Solicitor General. COUNSEL FOR APPELLEE: Steven Jared Buck, Assistant Public Advocate.
COUNSEL FOR APPELLANT: Daniel J. Cameron, Attorney General of Kentucky, Michael Robert Wajda, Assistant Solicitor General.
COUNSEL FOR APPELLEE: Steven Jared Buck, Assistant Public Advocate.
OPINION OF THE COURT BY JUSTICE HUGHES
Chasity Shirley used the self-scanner at the Walmart in Somerset to purchase two items, paying $80.80 less than she should have paid based on the prices at which the items were offered for sale. She accomplished this by exchanging the barcodes on the two items she purchased with barcodes on two less expensive items. While Shirley clearly committed a criminal act, the novel issue before us is whether her conduct justifies conviction for unlawful access to a computer in the first degree, a Class C felony. Kentucky Revised Statute (KRS) 434.845 sets forth the elements necessary to establish unlawful access to a computer in the first degree. One of the elements is that the person must not have the "effective consent" of the owner when accessing the computer. While a person may have "effective consent" to begin with, it is lost if the consent is "[u]sed for a purpose other than that for which the consent is given." KRS 434.840(9)(d). In this case of first impression, this Court is required to construe "purpose" in KRS 434.840(9)(d) and more specifically whether purpose refers to an unauthorized computer-related purpose or a broader fraudulent purpose. Based upon our conclusion that KRS 434.840(9)(d) refers to a computer-related purpose, we ultimately conclude, like the Court of Appeals, that the circuit court improperly denied Appellee Chasity Shirley a directed verdict on the unlawful access to a computer in the first-degree charge. Accordingly, we affirm the Court of Appeals’ reversal of the circuit court's denial of the directed verdict and remand this case to the Pulaski Circuit Court for proceedings consistent with this Opinion.
FACTUAL AND PROCEDURAL BACKGROUND
On October 5, 2018, Chasity Shirley shopped at a Walmart store in Somerset, Pulaski County, Kentucky, with her mother and daughter. Shirley checked out using a self-checkout register. Loss prevention personnel, using security cameras, observed Shirley using the register. Specifically, they observed Shirley moving a rug and a couch slipcover across the register's scanner. However, the computer monitoring the register indicated that Shirley was purchasing other less expensive items, a toothbrush or toothbrush holder. The total difference in the price was $80.80.
As Shirley left the store, the loss prevention personnel approached Shirley and escorted her to a nearby office to discuss her purchases. Shirley remained in the office for a short period after her mother left with Shirley's restless child. When Shirley later left, she allegedly pushed and elbowed the loss prevention manager as she hurriedly exited the store.
Shirley was charged with unlawfully accessing a computer in the first degree and second-degree robbery. The robbery charge was amended to fourth-degree assault prior to trial. The jury found Shirley not guilty on the assault charge but guilty of first-degree unlawful access to a computer.
At trial, Shirley moved for a directed verdict on the charge that she unlawfully accessed a computer in the first degree. She argued that the Commonwealth failed to show that she lacked effective consent to access Walmart's self-checkout register, an undisputed computer. Shirley argued that she had effective consent to use Walmart's self-checkout register and despite scanning a barcode not reflective of the item with which it was paired and thus engaging in theft behavior, effective consent was maintained because she did not use the register for a purpose other than that for which consent was given—she scanned barcodes and while not paying full price for the items, paid something. The Commonwealth responded that Walmart invites and gives consent to customers to scan and pay for all items, not to scan and pay for some items, and Walmart cannot consent for someone to commit a crime as Shirley did when she paid less than the full price. The circuit court denied Shirley's motion for a directed verdict.
After the jury found Shirley guilty of first-degree unlawful access to a computer, a Class C felony with a minimum sentence of five years, Shirley waived jury sentencing, accepting the Commonwealth's recommendation of a five-year sentence pending presentence investigation. After spending 203 days in jail, Shirley was sentenced to five years in prison, but the sentence was suspended, and Shirley was placed on conditional discharge for a period of thirty days.
Former Justice Venters, serving as a special judge after the prior judge left the circuit court, entered the final judgment and sentence.
On Shirley's appeal, the Court of Appeals in a 2-1 decision reversed the circuit court's denial of the directed verdict. This Court granted the Commonwealth's motion for discretionary review.
ANALYSIS
Kentucky Revised Statutes Chapter 434, titled "Offenses Against Property by Fraud," contains a section dealing with unlawful access to a computer. This section includes: 1) KRS 434.840 Definitions (codified in 1984 and revised in 2002); 2) KRS 434.845 Unlawful access to a computer in the first degree (same); 3) KRS 434.850 Unlawful access to a computer in the second degree (same); 4) KRS 434.851 Unlawful access in the third degree (codified in 2002); 5) KRS 434.853 Unlawful access in the fourth degree (codified in 2002); 6) KRS 434.855 Misuse of computer information (codified in 1984 and revised in 2002); and 7) Venue (same). See 2002 Ky. Acts ch. 350 §§ 1-7; 1984 Ky. Acts ch. 210 §§ 1-5. The 2002 revisions and newly-enacted statutes followed the Court of Appeals’ decision in Commonwealth v. Cocke , 58 S.W.3d 891 (Ky. App. 2001). In Cocke , the Court of Appeals affirmed the Jefferson Circuit Court's decision declaring then KRS 434.845(1)(c) void for vagueness.
When codified in 1984, KRS 434.845 stated:
(1) A person is guilty of unlawful access to a computer in the first degree when he knowingly and willfully, directly or indirectly accesses, causes to be accessed, or attempts to access any computer software, computer program, data, computer, computer system, computer network, or any part thereof, for the purpose of:
(a) Devising or executing any scheme or artifice to defraud; or
(b) Obtaining money, property, or services for themselves or another by means of false or fraudulent pretenses, representations, or promises; or
(c) Altering, damaging, destroying, or attempting to alter, damage, or destroy, any computer, computer system, or computer network, or any computer software, program, or data.
(2) Accessing, attempting to access, or causing to be accessed any computer software, computer program, data, computer, computer system, computer network, or any part thereof, even though fraud, false or fraudulent pretenses, representations, or promises may have been involved in the access or attempt to access shall not constitute a violation of this section if the sole purpose of the access was to obtain information and not to commit any other act proscribed by this section.
(3) Unlawful access to a computer in the first degree is a Class C felony.
When codified in 1984, KRS 434.850 stated:
(1) A person is guilty of unlawful access to a computer in the second degree when he without authorization knowingly and willfully, directly or indirectly accesses, causes to be accessed, or attempts to access any computer software, computer program, data, computer, computer system, computer network, or any part thereof.
(2) Unlawful access to a computer in the second degree is a Class A misdemeanor.
KRS 434.850 currently states:
(1) A person is guilty of unlawful access to a computer in the second degree when he or she, without the effective consent of the owner, knowingly and willfully, directly or indirectly accesses, causes to be accessed, or attempts to access any computer software, computer program, data, computer, computer system, computer network, or any part thereof which results in the loss or damage of three hundred dollars ($300) or more.
(2) Unlawful access to a computer in the second degree is a Class D felony.
KRS 434.851 states:
(1) A person is guilty of unlawful access in the third degree when he or she, without the effective consent of the owner, knowingly and willfully, directly or indirectly accesses, causes to be accessed, or attempts to access any computer software, computer program, data, computer, computer system, computer network, or any part thereof, which results in the loss or damage of less than three hundred dollars ($300).
(2) Unlawful access to a computer in the third degree is a class A misdemeanor.
KRS 434.853 states:
(1) A person is guilty of unlawful access in the fourth degree when he or she, without the effective consent of the owner, knowingly and willfully, directly or indirectly accesses, causes to be accessed, or attempts to access any computer software, computer program, data, computer, computer system, computer network, or any part thereof, which does not result in loss or damage.
(2) Unlawful access to a computer in the fourth degree is a class B misdemeanor.
Unless context indicates otherwise, "computer" is used to refer to "computer software, computer program, data, computer, computer system, computer network, or any part thereof," which all four degrees of unlawful access to a computer identify as accessible.
Note 2, supra , contains the text of KRS 434.845, codified in 1984, at issue in Cocke . In Cocke , the defendant, a computer programmer, after his employment terminated and he had no authority to do so, allegedly used the modem on his home computer to access his former employer's computer system and then to delete certain data from the system, stop an accounting program in progress, and change a password. Id. at 892. The defendant argued primarily that KRS 434.845(1)(c) was too broad in that a prosecutor could indict any person for most normal activities that are conducted on a computer. Id. The Court of Appeals concluded: "Clearly, the statute is void for vagueness as an authorized user cannot, from a reading of the statute, ascertain specifically what alteration, damage or destruction is prohibited." Id. at 894.
When amending KRS 434.845 and KRS 434.850 and enacting KRS 434.851 and KRS 434.853 in 2002, the General Assembly made the lack of effective consent by the computer's owner an element of each degree of unlawful access to a computer. Thus in addressing this case we are required to determine whether Shirley acted without the effective consent of Walmart when she accessed the Walmart self-scan register.
Along with revising KRS 434.845 by omitting subsection (1)(c) and then section (2), see n.2, supra , but maintaining the other prohibited purposes in subsections (1)(a) and (b), the General Assembly distinguished unlawful access to a computer in the first degree from unlawful access in the second, third, and fourth degree by not including within the lesser degrees the fraudulent purpose requirement described in KRS 434.845(1)(a) and (b) and respectively defining the amount of loss or damage (KRS 434.840(12) defines "loss or damage") caused by the unlawful access to a computer as three hundred dollars or more (a Class D felony), less than three hundred dollars (a Class A misdemeanor), and no loss or damage (a Class B misdemeanor). See nn. 3-5, supra.
As amended in 2002 and unchanged since, KRS 434.845 reads:
(1) A person is guilty of unlawful access to a computer in the first degree when he or she, without the effective consent of the owner,[ ] knowingly and willfully, directly or indirectly accesses,[ ] causes to be accessed, or attempts to access any computer software,[ ] computer
KRS 434.840(13) defines "owner."
KRS 434.840(1) defines "access" as "to approach, instruct, communicate with, manipulate, store data in, retrieve or intercept data from, or otherwise make use of any resources of, a computer, computer system, or computer network." The General Assembly amended KRS 434.840(1) in 2002 by adding "manipulate" to the definition. 2002 Ky. Acts ch. 350 § 1.
KRS 434.840(5) defines "computer software."
program,[ ] data,[ ] computer,[ ] computer system,[ ] computer network,[ ] or any part thereof, for the purpose of:
(a) Devising or executing any scheme or artifice to defraud; or
(b) Obtaining money, property, or services for themselves or another by means of false or fraudulent pretenses, representations, or promises.
(2) Unlawful access to a computer in the first degree is a Class C felony.
KRS 434.840(4) defines "computer program."
KRS 434.840(7) defines "data."
KRS 434.840(2) defines "computer."
KRS 434.840(6) defines "computer system."
KRS 434.840(3) defines "computer network."
(Emphasis added.)
"Effective consent" is defined as "consent by a person legally authorized to act for the owner." KRS 434.840(9). The statute further states, however, that consent is not effective if it is:
(a) Induced by deception or coercion;
(b) Given by a person who the actor knows is not legally authorized to act for the owner;
(c) Given by a person who by reason of age, mental disease or defect, or intoxication is known by the actor to be unable to make responsible property or data dispositions; or
(d) Used for a purpose other than that for which the consent is given.
Id.
This case presents us with the first statutory interpretation issue for KRS 434.845 since its amendment in 2002. Given the facts presented, we focus particularly on the "used for a purpose other than that for which the consent is given" language used in KRS 424.840(9)(d), part of the definition of "effective consent."
Since KRS 434.845 ’s amendment, prior to this case, it has only been considered by the Court of Appeals in the context of whether a conviction both for first-degree robbery and for first-degree unlawful access to a computer violates double jeopardy. See Day v. Commonwealth , 367 S.W.3d 616 (Ky. App. 2012).
The Commonwealth contends that the Court of Appeals incorrectly interpreted "effective consent" as defined in KRS 434.840 when it concluded that Shirley retained the effective consent of Walmart when she used the self-checkout register for its intended purpose, i.e., to scan barcodes and to buy items. The Commonwealth argues that the Court of Appeals expanded the definition of "effective consent" to include not only Walmart's consent to use self-checkout registers to purchase items at the listed price, but also for sales as a result of admitted retail fraud. As before the trial court, Walmart emphasizes that it cannot and does not consent to customers using self-checkout registers to commit fraud and steal merchandise.
While review of a directed verdict decision often only entails reviewing the evidence to determine if it would be clearly unreasonable for a jury to find guilt, Commonwealth v. Benham , 816 S.W.2d 186, 187 (Ky. 1991), this case first requires the Court to determine as a matter of law the meaning of statutory language, a de novo review. See Commonwealth v. Montaque , 23 S.W.3d 629, 631 (Ky. 2000) ; Neurodiagnostics, Inc. v. Kentucky Farm Bureau Mut. Ins. Co. , 250 S.W.3d 321, 325 (Ky. 2008). Specifically, we must discern the meaning of KRS 434.840(9)(d), the provision the Commonwealth relied on as establishing that Shirley acted "without the effective consent" of Walmart when she used the store's self-checkout register.
While the Commonwealth's brief suggests that KRS 434.840(9)(a) is another basis for finding Shirley did not have effective consent to access Walmart's self-checkout register, KRS 434.840(9)(a) has not been at issue in this case.
When dealing with a question of statutory construction, we begin with the plain text. "The cardinal rule in construing statutes is, if possible, to ascertain the meaning of the Legislature from the language used, and if that be plain, clear, and unambiguous, resort to collateral rules of construction is unnecessary." Mills v. City of Barbourville , 273 Ky. 490, 117 S.W.2d 187, 188 (1938). "Our ultimate goal when reviewing and applying statutes is to give effect to the intent of the General Assembly. We derive that intent from the language the General Assembly chose, either as defined by the General Assembly or as generally understood in the context of the matter under consideration." Commonwealth v. Wright , 415 S.W.3d 606, 609 (Ky. 2013). When a statute is plain and unambiguous on its face, we are not at liberty to construe the language otherwise. Whittaker v. McClure , 891 S.W.2d 80, 83 (Ky. 1995). "The statute must be read as a whole and in context with other parts of the law. All parts of the statute must be given equal effect so that no part of the statute will become meaningless or ineffectual." Lewis v. Jackson Energy Co-op. Corp. , 189 S.W.3d 87, 92 (Ky. 2005). We presume the legislature did not intend an absurd result. Commonwealth, Cent. State Hosp. v. Gray , 880 S.W.2d 557, 559 (Ky. 1994). With these principles in mind, we consider the meaning of KRS 434.840(9)(d).
When reading KRS 434.840(9)(d) alone, the language "used for a purpose other than that for which the consent is given" appears ambiguous. Shirley advocates that the meaning of "purpose" is limited to a computer context and in this case refers to using the computer to scan barcodes and pay for merchandise—the purpose for which Walmart made the self-scanner available to shoppers. The Commonwealth advocates that "purpose" refers to the purpose for which the defendant used the scanner—fraudulent activity. The meaning of "purpose" within KRS 434.840(9)(d) becomes clearer when considering the "effective consent" definition in KRS 434.840(9)(d) within the context of KRS 434.845(1) as a whole.
Incorporating KRS 434.840(9)(d) into KRS 434.845 results in KRS 434.845(1) reading as follows:
A person is guilty of unlawful access to a computer in the first degree when he or she, without the effective consent of the owner [due to the computer being "used for a purpose other than that for which the consent is given"], knowingly and willfully, directly or indirectly accesses, causes to be accessed, or attempts to access any computer software, computer program, data, computer, computer system, computer network, or any part thereof, for the purpose of:
(a) Devising or executing any scheme or artifice to defraud; or
(b) Obtaining money, property, or services for themselves or another by means of false or fraudulent pretenses, representations, or promises.
(Emphasis added.)
The incorporation of KRS 434.840(9)(d) ’s text into KRS 434.845(1) highlights the two express instances in which "purpose" is relevant to proving that a person is guilty of unlawful access to a computer in the first degree—one being the computer-related purpose consented to by the owner (part of the concept of "effective consent") and the other being the fraudulent purpose intended by the criminal actor (the second use of "purpose" in the above quote, the purpose of devising or executing a scheme or obtaining something of value by false or fraudulent means). With the parties to this case focusing on "purpose" in KRS 434.840(9)(d), the "purpose" described in KRS 434.845(1), the fraudulent purpose for which a person must access a computer in order to be found guilty of unlawful access to a computer in the first degree, has been largely ignored. Shifting our attention back to consideration of the statute as a whole brings the Commonwealth's argument into proper perspective.
The Commonwealth argues that effective consent is lost under KRS 434.840(9)(d) when one's "purpose" is to commit fraud when accessing a computer because a retailer cannot consent for a person to commit crime. The Commonwealth's point that a retailer cannot consent for a person to commit crime, stemming from the foundational criminal law principle that the government decides whether to punish an individual for an act or omission in violation of the law, is undisputed. Indeed, as expressed in KRS 434.845(1), the General Assembly decided to punish an individual who, with the prescribed mental state, the method of access—directly or indirectly—being of no consequence, accesses or attempts to access a computer without the effective consent of the owner for a fraudulent purpose as prescribed in KRS 434.845(1)(a) and (b). While the Commonwealth views KRS 434.840(9)(d) as encompassing the fraudulent purpose to which the owner cannot consent, a full reading of KRS 434.845(1) reveals that KRS 434.845(1)(a) and (b) codify that fraudulent purpose plainly. KRS 434.840(9) speaks to the purpose for which the user was granted access to the computer, e.g., a shopper granted access to scan items, an inventory clerk granted access to monitor inventory, or an accounting office employee granted access to maintain accounts receivable.
Statutory construction principles direct that if there is an ambiguity, "purpose" within KRS 434.845(1) and KRS 434.840(9)(d) should be read as not creating a redundancy or an absurdity. Lewis , 189 S.W.3d at 92 ; Gray , 880 S.W.2d at 559. The context of this unlawful access to a computer statute leads to the conclusion that KRS 434.840(9)(d) ’s language, "used for a purpose other than that for which the consent is given," requires determining the computer access purpose consented to by the owner. Although a computer owner cannot consent to the fraudulent purpose prohibited by statute, and an interpretation otherwise may be considered an absurdity itself, the owner can consent to another person accessing, or making use of, see KRS 434.840(1), his computer. The focus of KRS 434.840(9)(d), then, is the purpose for which consent to use the computer was given.
While the General Assembly's use of the term "purpose" within KRS 434.845(1) aids in bringing proper perspective to the arguments presented, even if the term "purpose" were not used within KRS 434.845(1) to introduce subsections (a) and (b) (the prohibited fraud), the Commonwealth's point that one cannot consent to fraud would lead to the same conclusion. So the owner's consent must necessarily be related to a purpose for which consent could be given. With the context of the statute being computer access, the owner's consent would be related to that, not the fraudulent purpose a bad actor desires to achieve. Consequently, if the individual accesses or makes use of the computer in a computer-related manner not consented to, effective consent is lost. With the determination that KRS 434.840(9)(d) does not refer to whether the individual is accessing a computer to commit fraud but does refer to whether the individual is accessing a computer in the way consented to by the owner, we must conclude that Shirley was entitled to a directed verdict on the charge of unlawful access to a computer in the first degree. Shirley accessed Walmart's self-checkout register by scanning barcodes and making payment, access specifically created and intended for Walmart shoppers. Changing the barcodes on certain merchandise prior to scanning it did not result in Shirley accessing Walmart's self-checkout register in a way to which Walmart did not consent. She used the scanner as intended and consented to by its owner.
Our close reading of the unlawful computer access statute is not unprecedented. Although the language in similar statutes around the country varies, the principle we have identified—for what purpose has the computer owner consented to its use—has surfaced in several jurisdictions. For example, in State v. Nascimento , 360 Or. 28, 379 P.3d 484 (2016), the Supreme Court of Oregon addressed an unlawful computer access statute that used the language "without authorization" rather than our "without effective consent." The defendant was convicted of theft and computer crime for using a terminal located at her convenience store workplace and connected to the Oregon State Lottery system to print lottery tickets for which she did not pay. In reversing the unlawful computer access conviction, the Court stated:
[T]he text supports defendant's assertion that her use of the lottery terminal to print Keno tickets—as she was trained and permitted by her employer to do—was "authorized" use. The fact that she printed the tickets for her own use and did not pay for them may have violated company policies and other parts of the computer crime statute (in addition to the theft statute), but her use was not "without authorization" as that term is used in ORS 164.377(4) .... When defendant physically accessed and used the terminal to print Keno tickets, that access and use was authorized by her employer. Moreover, there was, for example, no evidence that defendant circumvented any computer security measures, misused another employee's password, or accessed any protected data.
Id. at 491-92. The Oregon legislative history also reflected that the statute was intended to criminalize use of a computer by someone with no authority to use it, use by unauthorized third parties commonly referred to as "hackers." Id. at 492. The Court concluded that Nascimento's impermissible use of the computer could lead to other criminal charges but not the unlawful access charge. Id. at 493. Notably, her companion theft conviction for the lottery ticket misconduct was not even challenged on appeal. See also State v. Thompson , 444 N.J.Super. 619, 135 A.3d 166 (N.J. Super. Ct. Law Div. 2014) (defendants subject to computer theft statute because they acted "without authorization or in excess of authorization" when they used their lawful access to police department computer system as IT specialists, granted for the purpose of conducting maintenance and correcting problems within email system, for a different purpose, namely accessing and reading private emails of executive staff against whom they had pending litigation).
"When presented with a motion for a directed verdict, a court must consider the evidence as a whole, presume the Commonwealth's proof is true, draw all reasonable inferences in favor of the Commonwealth, and leave questions of weight and credibility to the jury." Acosta v. Commonwealth , 391 S.W.3d 809, 816 (Ky. 2013) (citing Benham , 816 S.W.2d at 187–88 ). A trial court should deny a directed verdict when the "Commonwealth has produced ... more than a scintilla [of evidence] and it would be reasonable for the jury to return a verdict of guilty based on it." Id. "On appellate review, the standard is slightly more deferential; the trial court should be reversed only if ‘it would be clearly unreasonable for a jury to find guilt.’ " Id.
Here, the evidence reflected that Shirley scanned barcodes, albeit barcodes which did not reflect the items with which they were paired. The Commonwealth did not present proof that Shirley accessed Walmart's self-checkout register beyond the consented-to barcode scanning for completion of a self-checkout sales transaction. Without that proof, it was clearly unreasonable for the jury to find Shirley guilty of unlawful access to a computer in the first degree. The circuit court erred by denying Shirley's motion for a directed verdict of acquittal.
Finally, we agree with the Court of Appeals that our Penal Code has other possibly appropriate charges for Shirley's unlawful actions at Walmart that day including theft by deception, KRS 514.040(1)(a), or theft by unlawful taking, KRS 514.030(1)(a). The "fit" with both of those crimes is easily seen. As the appellate court also noted, considering the value of property taken in this case (less than $500) either charge would constitute a misdemeanor, a level of criminal offense far more in keeping with the offending conduct than a Class C felony.
As noted above, Shirley admitted to the jury that her behavior constituted a theft.
CONCLUSION
For the foregoing reasons, the Court of Appeals’ decision reversing the Pulaski Circuit Court's denial of a directed verdict on the unlawful access to a computer in the first degree charge is affirmed. This case is remanded to the Pulaski Circuit Court for proceedings consistent with this Opinion.
Because we affirm the Court of Appeals upon consideration of the primary issue advanced in favor of a directed verdict, whether Shirley maintained effective consent to use Walmart's self-checkout register despite replacing the barcodes on more expensive items with barcodes of less expensive items, we do not reach the alternative issue Shirley advanced. She also presented the argument that the crime of unlawful access to a computer in the first degree does not apply to cases in which the harms are under three hundred dollars. Shirley argued that with the crimes of unlawful access to a computer in the second, third and fourth degree being dependent on the dollar amount of harm involved, see nn. 3-5, the first-degree charge should only apply where the lesser offenses do not. Shirley argued that unlawful access to a computer in the third degree, a Class A misdemeanor, applies when the loss or damage is less than three hundred dollars.
All sitting. All concur.