Judgment of Acquittal: Breach of Computer Security
In 2021, our firm took on the defense of a software engineer from Houston. He was charged in Montgomery County, Texas with breach of computer security. More pointedly, the state was accusing our client of trespassing on his employer’s computer network and causing significant damage to company assets.
With Brian Hobson as lead counsel, the case went to trial in January of 2025. Following a week of testimony, the Court entered a judgment of acquittal finding the state had not proven the client accessed the network without the consent of the employer. This blog post will review the facts and law underlying the verdict in this case while pointing out the lessons we learned during this process. Ultimately, this case ended as it should. However, the capital required to prove the defense was extensive. Defendants without access to significant resources face an uphill battle under a vague statute and likely complicated factual narratives.
The Breach of Computer Security Statute in Texas
Under the Texas penal code, a person commits an offense if they meet the following elements:
- The actor knowingly accesses a computer, computer system, or computer network;
- The access is done without the effective consent of the owner; and,
- The access is done with the intent to damage, alter, or delete property.
If these three elements are met, the offense is graded on the monetary damages suffered by the owner. The damages calculation is not limited to damages to owner assets or networks; it includes the amount of money spent by the owner to assess the systems after the unlawful entry. If the damages exceed $30,000, the offense is a third-degree felony. If the damages exceed $300,000, the offense is a first-degree felony with a punishment range from five years to life in prison.
At first glance, this statute appears straight forward. It contains multiple mens rea elements and criminalizes a knowing trespass onto another’s computer or network. Like many other offenses, the grade is determined by monetary damage. This structure is seen across criminal law, including theft, criminal mischief, and fraud statutes.
The danger of this statute derives from the state legislature’s attempt to apply old criminal elements to a complicated computer network environment. Unlike classic trespass or theft, computer networks and systems are often shared spaces. In the computer engineering world, these networks and systems are complex mazes of data and repositories. Many of the owner’s assets will be held on virtual machines or online repositories disconnected from their physical devices. While it is simple for a lay person to analyze ownership and trespass on real property (someone’s home or land), it is a different animal when the playing field is a computer network built by elite software engineers. This latter world can only be reviewed by competent experts who understand the intricacies of the system. Even great experts will need assistance from the network’s creator to obtain a full understanding.
Common Procedures Become Criminal Episodes
The inefficiencies of the statute are seen when applying the elements to real world situations. Let’s assume a paralegal has been working for a law firm for five years. Based on a new job opportunity, the paralegal puts in a resignation that is effective immediately. The paralegal returns to her computer and begins removing personal photos from the computer in her office. In addition, she organizes various files in the firm’s cloud computing server for easy review by the attorneys. Later that afternoon, the paralegal exits the building and does not return to the office.
The paralegal’s steps seem quite innocent. In fact, these steps seem reasonable for an employee who wants to isolate their personal data from the computers and touch up a few projects for easy review. However, these acts easily meet the elements of the breach of computer security statute. If bad blood exists or certain files were altered, the law firm could wrap the paralegal in criminal litigation. Here’s how:
First, the paralegal accessed both a computer and cloud network without the overt consent of the owner. Second, the entry into the computer and network was accomplished with the intent to delete property (the personal photographs) and alter property (organize client files). Importantly, the statute does not differentiate between property owned by the accessor and property owned by the complainant. It is the location of the property on the complainant’s computer or network that triggers liability.
In this simple case, there is no doubt that an aggressive DAs office could bring misdemeanor charges against the paralegal. If the law firm spent $30,000 to evaluate the damage, the offense could elevate to a felony.
The above example is straightforward and serves as a launch pad for a more complicated application of the law.
The Complexities of Software Development Systems and Breach of Computer Security
From 2013-2019, our client worked as the sole software engineer for his employer. The employer was a small startup company that hoped to develop data security applications for private and government institutions. To limit costs and improve efficiency, the company established a lab at the client’s home. All software development occurred on three company computers in the client’s residence
Over the course of seven years, our client came up with multiple iterations for software and hardware packages to achieve specific goals. They followed a similar structure: 1) create specifications for a software deployment, 2) write extensive code for the implementation of the concept, 3) compile the code into a prototype, 4) demonstrate the prototype to the company, and 5) fix bugs or pivot concepts as needed. This process was followed for four separate software developments during his time at the company.
Each software package was marketed to end users with limited success. If one iteration failed, the client improved on the foundation in hopes of deploying a marketable product. After five years of work, the startup ran low on funds. The company was forced to cut costs.
During this time, the client’s salary payments went dry. After two years of minimal pay, the client sent in his letter of resignation to the company. The company responded to this letter by requesting the client “prepare their digital assets in an online repository or physical device.” Though this command seems straightforward, the ambiguity in the order left room for criminal allegations.
Standard Procedures When Transferring Software Deployments
The client started his software engineering career in the 1990’s. He was involved in numerous software projects prior to this venture. He understood additional work must be conducted following a resignation to ensure the efficient transfer of knowledge and data between teams. Unlike his prior ventures, this employment did not involve a team of software engineers. There were no additional engineers who assisted in the creation or implementation of the data security models. The client was the only person who knew the following:
- The location and structure of the file repositories that held company assets;
- The location and content of source code underlying various prototypes;
- The structure of the hardware which made up the company’s network;
- The contents and structure of company assets in Microsoft Azure;
- The role of hardware within the employer’s network;
- The content and specifications of virtual machines and gateways running in Microsoft Azure;
- Literally, every technical aspect of the company.
When the company asked the client to prepare digital assets in an online repository or physical device, the client understood his mission. In line with past projects, his job was to ensure the efficient transfer of assets to the employer/next team of engineers. The client entered the computers and began cleaning up the system. This clean up included organizing file repository assets, removing outdated code, removing personal information, removing code related to personal projects, and removing backup data for personal computers. Once the network and systems were cleaned up, the client created a large PDF document chronicling the hardware being returned and how to access relevant digital assets. The equipment and assets were returned to the company.
The Company Had Insufficient Funds to Review the Systems and Data
Once the property was returned to the company, the company was responsible for recreating the network and reviewing the file repositories. This required the company to 1) set up the three physical devices in a network and 2) review file repositories for digital assets. This process was troublesome as the company did not have funds to retain a software engineer within the same stratosphere as our client. Instead, they employed interns and other unqualified IT professionals to evaluate the systems.
The task of recreating the lab environment was a tall one. The computers, networks, file repository structures, and source code contents were all created by one man. Even a seasoned engineer would have struggled to recreate everything as it was in our client’s home. However, this job was impossible for an IT professional or college intern. The system was far too complicated, and the documents too sophisticated, for proper review or reconstruction by existing company personnel.
The Company is Required to Find a Fall Guy for Investors
Within months of the client’s resignation, it became obvious the company would not be able to recreate the network, understand the existing code structures, or move forward with any projects. The company lacked funds to even analyze their data; let alone pick up and run with it. In short, the company was insolvent, and they lacked the team to pull themselves out of the hole.
The company’s failure had significant implications for existing stockholders. The company had multiple large investors who were promised a return on their investment via the data security products our client developed. These guarantees were made by executives at the company. The investors consisted of friends and family of the executive team. Often these guarantees were based on an unwarranted optimism on the market; some investors were advised that sales were imminent.
With the company failing, the employer’s CEO had a decision to make: 1) come clean to investors that the company failed or 2) blame the failure on our client. As should be obvious, the CEO chose the latter route. Instead of being honest with investors about the failure of the startup, the CEO sent emails to investors a month after the equipment was returned advising them our client had “sabotaged” their work, “stolen” company assets, and otherwise sunk the company.
Every single action taken after this communication served one purpose – build a criminal case against our client. Instead of retaining a legitimate development team to assess their systems, the CEO retained a criminal defense attorney and forensics expert to review the information. With a little money, and lack of expertise, the company’s attorneys were happy to write a report alleging a crime had been committed. Amazingly, that initial report was drafted after reviewing 1% of the available information. The unreviewed information included two of the three computers in the network, the virtual drives that held all company assets, the company’s Microsoft Azure portal, and copious email communications that showed the CEO was lying about key details.
The company’s attorneys took the easy route and simplified the facts to fit the statute. To them, the client had no right to be on the computer and changes were made to files upon entry. It was that cut and dry. There was no thought given to the company’s request that the client enter the system (clear consent) or the details of any changes that were made.
While it is common for a retained attorney to cut corners to prove their client’s case, the system requires the state of Texas to take a less haphazard approach. Unfortunately, the state offered no obstacle to the company’s wishes. They allowed the company’s lawyers to dictate their movements. Instead of hiring competent experts, the state relied on the company’s IT person, a college intern, the company’s forensic expert (who reviewed 1% of the material), and an in-house forensic expert to build their case. Not once did the state attempt to challenge the narrative being spun by the company. They served as a rubber stamp.
At no point did the state come close to understanding the pivotal questions in the case. Based on their inexperience and lack of knowledge, they tried to simplify the case – our client did not have permission to enter the system. After entry, he did something to the network or computers. That something, whatever it was, caused over $30,000 in damages.
In our next post, we will dig into the claims the state made in their case-in-chief. We will walk through the actions the state relied upon to build their case. Each one was easily disprovable with a competent expert and an understanding of the systems.