Cai v R

JUDGMENT OF THE COURT

A        The appeal is dismissed. 

BWe direct that the appellant is to attend the home detention address, 504/47 Wakefield Road, Auckland City, at 2.00 pm on 2 December 2011 and there await the arrival of the probation officer and representative of the alarm monitoring firm.

____________________________________________________________________

REASONS OF THE COURT

(Given by Miller J)

Introduction

1. Lishan Cai appeals her conviction for accessing a computer system and thereby dishonestly and without claim of right causing loss to any other person.[1]  The sole question on appeal is whether loss was caused.

The facts

1. The computer system in question was that of Westpac Banking Corporation.  On 27 August 2009 an employee of the bank, Anthony Simmons, accessed a customer profile for Clive Bish.  Mr Bish was authorised to operate an account for Featherston Investments Ltd.  When Mr Simmons accessed Mr Bish’s profile he was able to obtain information about that account together with confidential information which might be used to authorise a change of password.

2. On 31 August 2009 a Mr Chan, who had arrived in New Zealand from China two days earlier, opened an account at Westpac in his own name.  Mr Chan knew Ms Cai, and she, a former Westpac employee, was a friend of Mr Simmons.

3. On 1 September 2009 an unknown male rang Westpac from a public payphone and changed Mr Bish’s password using information from his profile.  Several hours later, an internet device located at a café was used to transfer $80,000 from the Featherston Investments account into Mr Chan’s Westpac account as a “one-time bill payment”.  Mr Bish did not authorise this transaction.  Ms Cai was in the café about the time of the transfer.

4. Westpac monitors online password changes and funds transfers, and it thought this transfer sufficiently suspicious to block Mr Chan’s account so he could not withdraw money from it.  When he tried to do so on 2 September 2009 the automatic teller machine confiscated his card.  He immediately left the country for Hong Kong.

5. On 2 September the transfer from the Featherston Investments account to Mr Chan’s account was reversed.

The conviction

1. Ms Cai was charged as a party to an offence under s 249(1)(b) of the Crimes Act 1961, which provides:

   249     Accessing computer system for dishonest purpose

   (1)Every one is liable to imprisonment for a term not exceeding 7 years who, directly or indirectly, accesses any computer system and thereby, dishonestly or by deception, and without claim of right,—

   (a)obtains any property, privilege, service, pecuniary advantage, benefit, or valuable consideration;  or

   (b)      causes loss to any other person.

   ...

2. Ms Cai was convicted at trial, the jury having been instructed by Judge Mathers that the unauthorised transfer of money from Featherston Investments’ account into that of Mr Chan was a loss to Featherston Investments even if the money was later recovered.  She was sentenced to six months home detention and 150 hours community work.[2]

The appeal

1. On appeal, Mr Soondram argues that the Judge’s direction was wrong.  Because the transfer was reversed Featherston Investments suffered no loss.  It would not suffice to point to some indirect loss resulting from its temporary inability to access the money, and in any event there was no evidence of such indirect loss.[3]  The Court need not strain the statutory language, for s 249(2) criminalises an attempt by creating a parallel offence, punishable by not more than five years imprisonment, of dishonestly accessing a computer system with intent to obtain something or value or to cause loss to another.

   [3]Morley v R [2009] NZCA 618, [2010] 2 NZLR 608 (CA).

2. Mr Lillico responds that there was a loss to Featherston Investments for the period between the unauthorised transfer and its reversal.  $80,000 actually went into Mr Chan’s account, and he would have been able to withdraw it had Westpac not frozen the account.  A simple “parting with money” suffices for s 249(1)(b).

Discussion

1. The relationship between Featherston and Westpac was that of creditor and debtor,[4] and Westpac’s obligation to repay the $80,000 to Featherston Investments was unaffected by the fraud, for Westpac was not authorised to debit the account and there is no suggestion that Mr Bish or Featherston Investments breached an obligation to Westpac to maintain the security of an internet banking password. The issue, then, is whether Featherston Investments suffered loss for the purposes of s 249(1)(b) when its account with Westpac was debited in circumstances which did not relieve Westpac of its obligation to repay the money to Featherston Investments on demand. (Featherston Investments might have suffered an indirect loss had it sought to use the money during the period while its account had been fraudulently debited, but there is no suggestion of that here. Nor is it suggested that Westpac suffered a loss.)

   [4]Foley v Hill (1848) 2 HL Cas 28 (QB).

2. “Loss” is not defined in s 249, which is one of several provisions dealing with computer crime.  However, causing loss to another is an element of other offences in Part 10 of the Act, notably s 240 (obtaining something, or causing loss, by deception).  That element of the offence was discussed in R v Morley, which both counsel relied upon before us.  In that case, the accused agreed to purchase four properties.  The Crown alleged that he did so knowing he could not complete the transactions, for he had no means.  The vendors were said to have suffered financial losses in the form of wasted expenditure and loss of bargain or expectation losses.  In one case the property was re-sold at a lower price.

3. For the Court, Randerson J noted that part 10 had been amended to broaden the scope of the former offence of obtaining by false pretences.[5]  The amendments introduced a requirement that actual loss be caused.  Generally, loss flowing from a deception is assessed under s 240 as being “the extent to which the complainant’s position prior to the deception has been diminished or impaired.”[6]  The nature of the necessary loss is not defined.  While the offence of obtaining something of value by deception can be committed “directly or indirectly”, those words are not used in connection with the offence of causing loss to another by deception, indicating that a direct loss must be shown in that case.  An expectation loss did not qualify.  But parting with money did qualify, as would incurring wasted expenditure or out of pocket costs.

   [5]At [6].

   [6]At [46].

4. Section 249 is drafted in a similar way.  A computer system may be accessed “directly or indirectly”, but that phrase is not used in connection with causation or loss.  However, the issue in this case is not one of indirectness, as it was in Morley.  If the debiting of Featherston Investments’ account was a loss at all, it could scarcely be more direct.

5. The Oxford English Dictionary defines loss as:[7]

   Diminution of one’s possessions or advantages; detriment or disadvantage in being deprived of something, or resulting from a change of conditions; an instance of this.

   [7]James McCracken (ed) Oxford English Dictionary (September 2011 online ed, Oxford University Press).

6. As that definition suggests, loss need not involve something tangible.  That was recognised by this Court in R v Wilkinson, a well-known judgment in which it was held that credit extended by a bank was not something capable of being stolen by false pretences for the purposes of the former s 246 of the Crimes Act, which was confined to movable property.[8]  The Court also reasoned that the offender did not obtain something belonging to the lender when his account was credited with the loan proceeds;  rather, a new chose in action was brought into existence.  The legislation was amended in response to the judgment, establishing that property capable of being stolen includes money.  For present purposes, however, the significance of Wilkinson lies in the majority’s acceptance that funds standing to a person’s credit in a bank account are a chose in action, a form of property which can be extinguished by a transfer from the account.[9]

   [8]R v Wilkinson [1999] 1 NZLR 403 (CA).

   [9]At 408, following R v Preddy [1996] AC 815 (HL) at 834.

7. It follows that loss was caused to Featherston Investments when its account was debited by the transfer to Mr Chan’s account.  It suffered a disadvantage or detriment in that as between itself and Westpac it could not use as of right the funds which formerly stood to its credit in the account. 

8. We emphasise that the question posed by s 249(1)(b) is whether the offender caused loss to any other person by accessing a computer system.  To say that Westpac was liable in civil proceedings to compensate Featherston Investments for the loss suffered when the funds were transferred away is not to deny that the offender caused the loss.  It is merely to point to a different remedy against a different person, acquired in consequence of the loss that the offender caused. 

9. We reject Mr Soondram’s alternative formulation of the argument, that by reinstating the funds Westpac eliminated the loss to Featherston Investments.  To approach s 249(1)(b) in that way is to impose an obligation on the Crown to prove that loss continued, ultimately until trial, and to admit the possibility of arguments that loss has not been proved because civil remedies against other parties have still to be exhausted.  We can see no policy reason why such arguments should be available to the person who was criminally and immediately responsible for the loss.  

10. On the contrary, we observe that s 249 was introduced when the legislature modernised the Crimes Act to address the judgment in Wilkinson and to reflect the increased use of computer systems such as online banking.[10]  The Select Committee noted that the amendments met or exceeded the relevant offences in the 2001 Budapest Convention on Cybercrime, which was designed to combat the criminal misuse of computer networks.[11]  The Convention obliges Parties to adopt legislation criminalising the dishonest use of computer systems to cause loss.[12]  Although New Zealand has yet to adopt the Convention, the legislative history suggests that s 249 should be interpreted in a way which aims to preserve the integrity of electronic banking systems.

Decision

1. The appeal is dismissed. 

2. Ms Cai was bailed pending appeal, suspending her sentence of home detention.  The community work sentence was suspended by operation of law but will resume on delivery of this judgment.  She must now complete her sentence.  We direct that the appellant is to attend the home detention address, 504/47 Wakefield Road, Auckland City, at 2.00 pm on 2 December 2011 and there await the arrival of the probation officer and representative of the alarm monitoring firm. 

Solicitors:
Crown Law Office, Wellington, for Respondent