ANNAPOLIS – Alarmed by a recent appeals court ruling, Maryland lawmakers are already drawing up legislation to close a loophole that could let employees tamper with their company’s computer systems.
The Thursday decision by the Maryland Court of Appeals overturned Terry Dewain Briggs’ conviction on a criminal charge of unauthorized access to computers.
The Scarborough Group Inc. said that two days before he left his job as a computer programmer and system administrator in 1995, Briggs changed passwords and put them in a subdirectory named “ha-ha he-he.”
Briggs was convicted in 1996 of the criminal charge of unauthorized access to the computers. But the appeals court said the current law only covers unauthorized access and that, because Briggs was authorized to get into Scarborough’s computers at the time, he was not guilty.
The ruling brought an immediate reaction from lawmakers.
“This is something we would want to deter by making it a criminal act,” said Del. Samuel Rosenberg, D-Baltimore, a sponsor of the 1984 law under which Briggs was charged.
Del. Nancy Kopp, D-Montgomery, another sponsor of the 1984 bill, was surprised the issue had not arisen earlier and said it must be changed to prohibit similar actions in the future.
“I think it is a void that ought to be addressed,” said Kopp, who was having a new bill drafted Friday to deal with the problem.
Briggs’s attorney, Bradley A. Thomas, said the existing law is designed to combat outside computer “hackers,” not persons who are granted access to a system.
“The law was not designed for the actions for which Mr. Briggs was prosecuted,” said Thomas.
Gary Bair, chief of criminal appeals for the Attorney General’s Office, said that the court ruling still allows outside hackers to be prosecuted. But he agreed with Kopp that the law needs to be changed.
“I think what the Court of Appeals is saying is that the law is too narrow,” said Bair.
Briggs was hired by the Scarborough Group Inc. in 1994 as a computer programmer. The management of the whole computer system was entrusted to him and his duties included entering data into the system and placing passwords on the files to secure the data.
Briggs quit in 1995 in a dispute over the terms of his contract.
Shortly after he left Scarborough, the company found some of the computer files were secured with passwords only known to Briggs. The company called Anne Arundel County police and Briggs was charged with theft of computers and unauthorized access to computers.
Briggs said he put passwords on the company files months earlier as part of his job and that someone had changed the computer date on “ha-ha he-he” subdirectory to incriminate him. He said in court documents that the charges were an attempt to discredit him as a witness in a Securities and Exchange Commission probe of Scarborough that he instigated.
An Anne Arundel County jury acquitted Briggs of theft, but convicted him of unauthorized access and sentenced him to a year in prison, with all but two days suspended, and two years supervised probation. He was also fined $500, ordered to perform 150 hours of community service and told to cooperate with Scarborough in retrieving the locked computer files.
Briggs appealed to the Court of Special Appeals, but the higher Court of Appeals stepped in and took the case.
The high court ruled that since Briggs’ access to the system was authorized, his purpose or motive in accessing the computer, “whether there is any intent to alter or damage the computer or the data on it – is irrelevant.”
The decision, written by Judge Irma Raker, said the court only interprets the law and does not make it.
“If the law is to be broadened to include Briggs’s conduct, it should be modified by the legislature, not by this court,” wrote Raker.