The Queen v Hayes

IN THE COURT OF APPEAL OF NEW ZEALAND

CA197/06

THE QUEEN

v

MARK HAYES

Hearing:30 August 2006

Court:O'Regan, Williams and Heath JJ

Counsel:P J Kaye for Appellant

M A Corlett for Crown

Judgment:24 November 2006 at 11 am

JUDGMENT OF THE COURT

THE APPEAL AGAINST SENTENCE IS DISMISSED.

____________________________________________________________________

REASONS OF THE COURT

(Given by Heath J)

Introduction

[1]       Mr Hayes was convicted and sentenced in the District Court at Auckland on 26 May 2006, having pleaded guilty to 91 charges of accessing computer systems for dishonest purposes and 23 charges of dishonestly using a document, brought under ss 249(1)(a) and 228(b) of the Crimes Act (the Act) respectively.  Of the “accessing” charges, 80 were brought summarily while 11 were laid indictably.

[2]       An effective sentence of two years eleven months imprisonment was imposed.  In addition, Mr Hayes was ordered to pay reparation to various complainants.  The total amount of reparation ordered was $16,271.81.  Reparation was to be paid at the rate of $25 per week, with the payments commencing 30 days after Mr Hayes’ release from custody.  Mr Hayes appeals against the sentence imposed.

[3]       The sentencing Judge imposed cumulative sentences on the basis that some of the offending was unconnected.  The decision to accumulate is not challenged.  Rather, the appeal is put on the basis that the end sentence imposed, having regard to the totality of the offending, was manifestly excessive.

[4]       This is the first occasion on which this Court has had to consider sentencing levels for specific computer based offences introduced by enactment of the Crimes Amendment Act (No 3) 2003 (the 2003 Amendment).  While this judgment is not a guideline judgment of the type given in cases such as R v Taueki [2005] 3 NZLR 372 (CA) and R v Fatu [2006] 2 NZLR 72 (CA), it is intended to provide some assistance on the approach to sentencing in cases of this type.

[5]       For that reason, we will discuss the mischief that the offences seek to meet and the relevant aggravating and mitigating factors more fully than would otherwise be necessary.

The facts

(a)   The first set of “accessing” offences

[6]       Between 11 November and 23 December 2004, Mr Hayes, then aged 17 years, accessed Internet on-line auction accounts through the “Trade Me” website.

[7]       “Trade Me” is the largest on-line Internet auction site operating out of New Zealand.  Anyone wishing to offer something for sale by auction on that site applies for and obtains a trading account.  Once an account has been secured, that person can advertise his or her items for sale, either with a reserve price or a “buy now” price.  Those who hold accounts with “Trade Me” are provided with “user names” and a password to access the account.

[8]       Mr Hayes assumed the identity of six individuals in order to make 120 purchases at the “buy now” price listed by the seller.  Those items were, primarily, computer equipment and clothing.  The total cost of those purchases was $40,241.

[9]       Between 19 November and 24 December 2004, (roughly the same period during which the purchases were made), Mr Hayes accessed eight Internet online banking accounts of seven bank customers.  Having entered the relevant computer database, Mr Hayes diverted money from the true owner’s account to meet the cost of acquiring the 40 items purchased. 

[10]     In effect, Mr Hayes brought about a direct electronic transfer of funds from the customer to the account of the person selling the goods on “Trade Me”.  The total amount of the funds transferred in this way was $17,456.50.

[11]     Mr Hayes made arrangements for the items to be delivered to one of two addresses in Avondale.  The two addresses provided for delivery purposes were both vacant but were in the vicinity of 100 metres from Mr Hayes’ residential address.

[12]     On 25 January 2005, a search warrant was executed at Mr Hayes’ home.  In his bedroom the Police located a computer, connected to a “Woosh” wireless Internet connection.  In other rooms, two computers were discovered, both of which had the capacity to access the Internet through Mr Hayes’ personal connection.

[13]     Computer equipment was located which met the description of the products purchased through the “Trade Me” account.  Mr Hayes declined to make a statement to Police.

[14]     To reflect the individual nature of specific transactions, 80 informations were laid against Mr Hayes in respect of these events.

(b)   The second set of “accessing” offences

[15]     On 24 and 25 June 2005, after he had turned 18 years, Mr Hayes accessed a bank account of a named complainant without permission or authority.  Through the use of a “key stroke logger” virus which he inserted, he was able to transfer $10,000 from the complainant’s bank account into another bank account.  As a result the bank suffered a loss of $10,000.

[16]     Similar offending, in respect of different bank customers, occurred on 2, 7 and 8 September 2005.  On some occasions, Mr Hayes offended more than once on the same day.  The total amount misappropriated through those transactions was $10,400.

[17]     On 27 September 2005, the Police executed another search warrant at Mr Hayes’ home.  They located a Compaq Laptop computer.  Forensic computer analysis revealed “key logger” output files, containing the Internet banking access codes and passwords for the respective customers.

(c)   Dishonestly using document offences

[18]     During September 2005, three companies offering on-line DVD and games rental in New Zealand suffered losses when a person (subsequently identified as Mr Hayes) joined as a member and used false names to order DVD films and games.  The goods ordered were directed to be delivered to addresses in the Avondale area.

[19]     Between 1 and 19 September 2005, Mr Hayes, used various pseudonyms in order to gain rights to participate in services offered by the three companies.  In some cases, products were forwarded and have subsequently been returned.  In other cases, while steps were taken to join the schemes operated by the companies, no goods were ordered before the offending was detected. 

[20]     The “dishonestly using documents” charges relate to the use of false names to gain membership of the programmes offered by the various companies.

The sentencing process

(a)   Background

[21]     On 6 April 2006, Mr Hayes appeared before Judge David Harvey in the District Court at Auckland and, following a sentence indication, entered pleas of guilty to the initial 80 charges.  At the time of the sentence indication, Mr Hayes had not disclosed, either to his counsel or to the Court, that he had been arrested on other charges.

[22]     Six days after the sentence indication, Mr Hayes was brought back before the Court and pleaded guilty to the remaining charges. 

[23]     Mr Hayes had previously appeared in the Youth Court on charges of accessing computer systems for dishonest purposes and obtaining money or services by false pretences.  Five offences were dealt with on 5 July 2004 and three on 14 October 2004.  On all of those charges, the Youth Court Judge admonished and discharged Mr Hayes.

(b)   The District Court Judge’s approach to sentencing

[24]     The Judge expressed concern that, when he had come before the Court on a sentence indication, Mr Hayes had not disclosed the additional offending which, in fact, had been committed while on bail on the initial 80 charges.  The Judge regarded that conduct as “a severely aggravating circumstance”.

[25]     After discussing the first set of charges the Judge referred to the later charges involving access to bank accounts and diversion of customers’ money.  The Judge regarded this offending as “sinister”.  The Judge pointed out that to install the “key stroke logger” programme on each customer’s computer Mr Hayes needed to use the Internet to transfer the viruses and to obtain the particular customer’s details before dishonestly misappropriating money from their bank accounts.

[26]     On the charges of using documents to obtain property, the Judge referred to the fact that Mr Hayes had used other people’s credit card details to obtain DVDs and computer games.

[27]     The Judge was familiar with Mr Hayes’ past offending.  He was the Youth Court Judge who had dealt with Mr Hayes.  He described the way in which Mr Hayes was dealt with by that Court as “lenient and rehabilitative”.  Yet, soon after, Mr Hayes was re-offending.  Some of that offending occurred while he was on bail, awaiting trial on the initial 80 charges.  The Judge said:

The impression that one could justifiably gain from that course of behaviour, Mr Hayes, is that you are a serious recidivist computer criminal.

[28]     In approaching sentencing the Judge made the following observations:

a)The ease with which computer crime can be committed is a particular problem.  Further, the usual disinhibiting factor of being “caught in the act” is rarely present as the crime can be committed in the privacy of one’s own home, far removed from the people whose lives and property are in jeopardy.  This tends to insulate an offender from the consequences likely to flow from his or her actions.

b)Protection of the community and computer crime are closely associated.  The Judge said that:

Over the last 16 years or so, since the Internet has gone commercial, society has become to depend more and more upon computer based and network technology.  In some respects, we are learning as we go, finding out about how insecure or secure these systems may be. … For a long period of time, there was no prohibition against accessing a computer for a dishonest purpose – that law came into effect in 2003 and you were one of the early victims and were caught up in that.

c)Special computer crimes exist because of a perception that the existing law would not counter computer crime adequately.  The Judge emphasised the need for the law to be clear in ensuring that those who embark upon the utilisation of digital and network systems will receive protection for their legitimate and lawful enterprises.  The Judge regarded a commercial organisation like “Trade Me” as a paradigm example of that type of enterprise.

d)The Judge also referred to increased use of Internet banking, with the consequential recognition that compromises were required in respect to security.  That added to the need for a sentence designed (in part) to deter others from committing offences of this type.

[29]     The sentencing Judge then considered the principles and purposes of sentencing set out in ss 7 and 8 of the Sentencing Act 2002.  He placed particular emphasis on the gravity of the offending, the seriousness of the offending, the need for consistency in sentencing and the obligation to impose the least restrictive outcome having regard to the circumstances and background of the offender.

[30]     As aggravating factors, the Judge took into account premeditation, repetitious offending, the harm caused to victims, previous convictions for offending of this type and offending while on bail.  We infer that, in referring to harm caused to victims, the Judge took account of both financial and emotional harm to individual victims, as well as the opportunity costs to the business enterprises affected by the offending.

[31]     As relevant mitigating factors, the Judge took account of the age of the offender (under 20) and the guilty pleas.  While the pleas were entered on the initial 80 counts somewhat belatedly, acknowledgement was given for the early guilty pleas on the balance of the charges.  The Judge also took account of the sentencing indication he had given, notwithstanding the circumstances in which that arose. 

[32]     Mr Hayes was fortunate that the Judge took account of the sentence indication.  In our view, the Judge was not required to have regard to it: see Sipa and Edwards v R [2006] NZSC 52, a judgment delivered after sentencing in the District Court. In Sipa and Edwards, the Solicitor-General appealed, on the grounds of manifest inadequacy, in relation to a sentence imposed after an indication had been made.  Blanchard J, delivering the judgment of the Supreme Court, said:

[8] A Court hearing an appeal by the Solicitor-General against a sentence given after a sentence indication should in future be provided with an affidavit from the respondent (a) attesting to his or her reliance upon the sentence indication in electing to enter a plea of guilty and (b) confirming that, if the Court considers the sentence should be increased, he or she would seek to have the conviction quashed and the matter remitted to the sentencing Court for the guilty plea to be vacated and a plea of not guilty entered.

[9] Upon a successful appeal by the Solicitor-General a sentence is adjusted by no more than the minimum extent necessary to remove the element of manifest inadequacy. Those advising a respondent should appreciate that this practice will not influence the level of sentence imposed if, after a conviction is set aside and the matter remitted to the sentencing Court, there is a further change of mind and a plea of guilty is again entered. That could have had significance in the present case where the Court of Appeal was of the view that the starting point for sentencing was properly in the region of five years and that it was difficult to see how a discount of more than 20% could have been appropriate for a guilty plea.

[33]     Having regard to the aggravating circumstances, the Judge fixed a starting point for sentence of 21 months imprisonment on the first set of charges.  In fixing that term he had regard to the number of offences, the value of the property involved, prior convictions and the other aggravating circumstances to which he had referred. 

[34]     On the first set of charges, the Judge took account of mitigating factors, including the guilty plea, and reached an end point of one year three months imprisonment.  That meant that six months credit was given for mitigating factors.

[35]     In relation to the subsequent offending, a higher starting point (two years six months) was fixed.  Credit was given for an early guilty plea and for Mr Hayes’ age.  He was convicted and sentenced to 20 months imprisonment (one year eight months) with that sentence being cumulative on the earlier sentence.

[36]     Therefore, the outcome was an effective term of imprisonment of two years eleven months and the reparation orders to which we have referred.

Competing submissions

[37]     In support of the appeal, Mr Kaye commented on the absence of any guidance on sentencing levels for offences of this type created by the 2003 Amendment.  However, referring to a wide range of authority from other jurisdictions, Mr Kaye submitted that the addition of twenty months imprisonment for the subsequent offending made the totality of the sentence manifestly excessive.

[38]     Mr Kaye submitted that, taking into account subsequent offending, an additional term of six to nine months imprisonment would have been sufficient, when accumulated to the sentence of one year three months imprisonment, to reflect the overall offending.

[39]     Mr Corlett, for the Crown, submitted that the sentence imposed was within the boundaries available to the Judge, having regard to the aggravating factors and, in particular, the recidivist nature of Mr Hayes’ offending.  Mr Corlett also referred to the lack of any remorse demonstrated clearly by comments made to a probation officer when the pre-sentence report was being prepared. 

[40]     As Mr Corlett submitted, the pre-sentence report provided ample support for the Judge’s conclusion that Mr Hayes was a “serious recidivist computer criminal”, “the archetypal computer criminal” with a “complete lack of understanding of the consequences” of his offending.

[41]     While accepting that the sentence was likely to be regarded as at the higher end of the range available to the Judge, Mr Corlett submitted that a stern sentence was justified.  Mr Corlett submitted that the appeal ought to be dismissed.

Analysis of competing submissions

(a)   How should computer crimes be approached?

[42]     Changes to the law dealing with electronic transactions and computer crime were made following an extensive review undertaken by the Law Commission from 1997: generally, see Electronic Commerce Part One: A Guide for the Legal and Business Community (NZLC R 50, 1998), Dishonestly Procuring Valuable Benefits (NZLC R 51 1998), Computer Misuse (NZLC R 54, 1999), Electronic Commerce Part Two: A Basic Legal Framework (NZLC R 58, 1999) and Electronic Commerce Part Three: Remaining Issues (NZLC R 68, 2000).

[43]     The Law Commission reports informed subsequent legislation, particularly the Electronic Transactions Act 2002 and the 2003 Amendment.  However, not all of the Commission’s recommendations were adopted.

[44]     The Commission recommended changes to the law to reflect the increasing use of computers in commerce and the problems caused by the application of legislation, designed to deal with paper based communications, in the electronic environment.  Its recommendations were based on the Model Law on Electronic Commerce adopted by the United Nations’ Commission on International Trade Law (UNCITRAL) in 1996. 

[45]     The core principle underpinning the Model Law is “functional equivalence”.  “Functional equivalence” is described in UNCITRAL’s Guide to Enactment of the Model Law on Electronic Commerce (1999) as follows:

16.[The functional equivalence approach] … is based on an analysis of the purposes and functions of the traditional paper based requirement with a view to determining how those purposes or functions could be fulfilled through electronic commerce techniques. …

[46]     In developing its work on electronic commerce, the Law Commission developed four “guiding principles”, two of which are particularly relevant for present purposes.  One concerns the ability for business people to choose whether to do business through the use of paper based or electronic means, without any avoidable uncertainty arising out of the use of electronic means of communication: Electronic Commerce Part One 30 at 14.  Another, following the lead of the Model Law, was one of “technological neutrality” see 41, at 17, of Electronic Commerce Part One.  The Commission said: 

Technology has advanced with great speed in recent years.  It is likely to continue to do so.  Unlike technology, the law tends to develop slowly, usually by reacting to situations only as they arise.  It is therefore vital that any reform of the law be drafted so as to take account not only of the technology currently available, but also that which has yet to be developed.

[47]     The criminal law implications of the proposed changes to the law assumed some prominence following the decision of a Full Court of this Court in R v Wilkinson [1999] 1 NZLR 403. Mr Wilkinson had been found guilty on ten counts of obtaining by false pretences and five counts of using a document with intent to defraud. The allegation was that he had falsely represented that machinery was the unencumbered property of a partnership in order to persuade a financier to advance funds against that security. That money consisted of a credit entered in, or a facility made available from, a bank account operated by the partnership. The sole question was whether Mr Wilkinson had obtained anything capable of being stolen. The Court held he had not and his convictions were set aside.

[48]     Wilkinson prompted the Law Commission report entitled Dishonestly Procuring Valuable Benefits.  The Commission, at 6 (at 3-4), described the judgment as pointing to “a yawning gap in the criminal law” requiring urgent attention.  The Commission said:

… It was pointed out by the Court of Appeal in Wilkinson that the facts of that case would have supported a charge under s 229A which deals with using a document with intent to defraud.  But this is of no help in other cases; consider the dishonest person who obtains a financial benefit by means of oral misrepresentations or the use of someone else’s Personal Identification Number.  There is an increasing readiness on the part of banks and other financial institutions to transfer funds in reliance on telephoned instructions conveyed either by voice or by using telephone dial numbers (subject of course to various identification protocols).  We are advised by the Financial Services Federation of the increasing preference for direct debiting or electronic crediting over paper-based payments, and that “[a] number of members have indicated that they could not longer handle loan payments on any other basis”.  We were advised by the New Zealand Bankers’ Association that the proportion of non-cash payments made by Magnetic Ink Encoded Paper (mainly cheques) fell from 54 percent in 1993 to 27 percent in 1997.

The potential for problems arising from Wilkinson was assuaged by the subsequent decision in R v Misic [2001] 3 NZLR 1 (CA).

[49]     In its Computer Misuse report, the Commission considered what adaptation to the criminal law was required to address computer based crime.  The Commission (48, at 15) explained its view that “computer misuse” encompassed four categories of activity: “the unauthorised interception, accessing, use, and damaging of data stored in a computer”.  For a detailed discussion of the types of conduct that could give rise to offending of that type, see Computer Misuse 12-23, at 5-9.

[50]     The 2003 Act introduced specific provisions dealing with crimes involving computers: see ss 248-254 of the 2003 Amendment.  Section 249 of the Act creates the offence of accessing a computer system for a dishonest purpose.  For the purposes of ss 248, 249 and 250 of the Act the terms “access” and “computer system” are defined by s 248.

[51]     In addition, crimes of damaging or interfering with a computer system, making, selling, distributing or possessing software for the purpose of committing a crime and accessing computer systems without authorisation were created by the 2003 Amendment: ss 250-252 of the Act.  Qualified exemptions from prosecution exist, if the access to the computer were authorised under the New Zealand Security Intelligence Service Act 1969 or the Government Communications Security Bureau Act 2003: ss 253 and 254.

[52]     The Commission recommended that a single maximum penalty should be introduced for all four categories, with the sentencing Judge exercising a discretion that would take into account the gravity of the particular case.  At 94, at 30, the Commission said:

A case could involve a person intentionally gaining access to a computer system operated by a national security or law enforcement agency with major damage occurring through a careless or reckless act.  Accordingly, we believe that the maximum penalty must be set at a high level.  We would suggest a period of 10 years imprisonment.  The Court can reflect appropriate penalties to fit the circumstances of particular cases within that maximum limit.

[53]     Rather than creating a single maximum penalty, Parliament decided to fix maximum terms by reference to the specific offence created.  The offence with which Mr Hayes was charged under s 249(1)(a) of the Act carries a maximum term of imprisonment of seven years.  A lesser offence is created by s 249(2) with a maximum penalty of five years imprisonment.

[54]     The crime of damaging or interfering with a computer system carries a maximum term of ten years imprisonment – a penalty which reflects the Commission’s recommendation. 

[55]     Intentional or reckless unauthorised damage or interference with a computer system (s 250(2)) carries a maximum penalty of seven years imprisonment.  The crime of making, selling, distributing or possessing software for the purpose of committing a crime has a maximum penalty of two years imprisonment, as does the crime of accessing a computer system without authority but with no dishonest intent: see ss 251 and 252.

[56]     Save for those computer crimes expressly created by the 2003 Amendment, remaining offences of dishonesty will apply, in appropriate circumstances, to electronically generated documents.  For example, in this case Mr Hayes was charged under s 228 of the Act.  That section is expressed in more technologically neutral language than its predecessor, with the term “document”, now defined by s 217 of the Act, expressly including electronic data.

(b)   Relevant criteria for sentencing for computer based crime

[57]     As this Court made clear in Taueki at [8], the modern starting point for sentencing takes account of all aggravating and mitigating factors relating to the offence, with appropriate credits and uplifts then given to reflect mitigating and aggravating factors, personal to the offender. The assessment of an appropriate sentence is undertaken against the background of ss 7 and 8 of the Sentencing Act 2002 which outline the purposes and principles of sentencing.

[58]     There is a public interest in encouraging the use of computers for business activity.  In a country like New Zealand, the ability to communicate and, in some cases, to distribute products (eg software) by electronic means tends to minimise the impact of the twin problems of distance and time.  In other words, the costs and delays inherent in dealing with business enterprises in the countries that comprise our major trading partners and the difficulties in communicating across time zones are ameliorated significantly by the instantaneous delivery of communications and products electronically.  It follows that there is a public interest in providing strong sanctions against reprehensible conduct which, if unchecked, is likely to inhibit the use of computer technology. 

[59]     For those reasons, sentencing for computer related offences is likely to require particular emphasis on the need to hold an offender accountable for harm done both to victims and the community by his or her offending, to denounce the conduct in which the offender was involved and to deter the offender or others from committing similar offences in the future: s 7(1)(a), (e) and (f) of the Sentencing Act.  In some cases, particularly where recidivist offending is involved, there will be a need to protect the community from the offender: s 7(1)(g) and R v Rose [1990] 2 NZLR 552 (CA), at 556, which explains the circumstances in which protection of the community arises in fraud cases. In all cases, the Court will need to provide for the interests of the victim and reparation for harm done by the offending: s 7(1)(c) and (d).

[60]     The aggravating factors set out in s 9(1) of the Sentencing Act are expressed in generic terms and not specifically directed to the types of problems that can arise from particular offences.  So there are no factors referring specifically to problems arising from computer based fraud.

[61]     However, a number of the factors specified in s 9(1) are likely to be relevant in cases of computer based fraud.  The extent of any loss, damage or harm resulting from the offence, the abuse of a position of trust or authority and  premeditation on the part of the offender will be relevant aggravating factors relating to the offence: see s 9(1)(d), (f) and (i).  Aggravating factors relating to the offender may include the number, seriousness, date and relevance of previous convictions: see s 9(1)(j).

[62]     Section 9(4)(a) of the Sentencing Act makes it clear that nothing prevents the Court from taking into account any other aggravating or mitigating factor that the Court thinks fit. 

[63]     We now turn to particular factors arising in the context of offending involving the misuse of computers.  Some of these factors can be linked directly to the principles and purposes of sentencing identified in ss 7 and 8 of the Sentencing Act, while others may be seen as aggravating factors.  Some specific examples highlight these issues.

[64]     First, we emphasise the need arising in all cases of fraud for general deterrence, having regard to the effect such fraud can have upon individual victims.  That harm can be both financial and emotional.  The turmoil into which the lives of citizens of modest means can be thrown by fraud of relatively small amounts cannot be underestimated.  The sum of $500 is a great deal of money to many New Zealanders.

[65]     In addition, business enterprises will also be confronted by systemic problems that result from detection of offending.  Leaving aside questions of opportunity cost, the undoubted truth is that consumers end up paying for the effect of the fraud as, generally, the cost of the risk is passed on by the commercial enterprise to its customers. 

[66]     In R v Raad [2006] VSCA 67 at [34], Callaway JA, in the Court of Appeal of Victoria, said:

Criminal conduct of this kind strikes at the heart of the way in which ordinary commercial transactions are now conducted.  When it is carefully planned and engaged in on a large number of occasions, it often requires stern punishment in which general deterrence plays a large part.

While separate judgments were delivered by Maxwell P, Buchanan, Vincent and Eames J A, all agreed with Callaway JA on this point.  The separate judgments were delivered on a distinct procedural issue.

[67]     Raad was a case of credit card fraud, the offenders using skimmed information from credit cards to purchase, or attempt to purchase, goods from a variety of retail traders.  Either counterfeit cards would be produced by skimming electronic data from genuine cards and re-encoding it on the counterfeit cards or through the unauthorised use of credit card numbers and expiry dates skimmed from genuine cards.  That type of offending is not dissimilar to the offending committed by Mr Hayes in this case.  An effective sentence of two years imprisonment was upheld on appeal.

[68]     Second, where a skilled computer operator is hacking into a computer which he or she has no authority to enter, with the intention of causing harm to the entity concerned or its customers, the extent of the damage suffered, the duration of the offending and the malicious motivation will all constitute significant aggravating features: R v Stevens [1999] NSWCCA 69.

[69]     In Stevens, the prisoner was an Internet consultant who, without authority, used the password and user account of the technical director of a computer network company to gain access to the company’s home page.  Having gained access, he altered information and displayed a threatening message on the home page.  He also used the accounting password to gain access to data held by the computer network company, including credit card details. 

[70]     The judgment records the impact on the business of the computer network company, which was receiving a large number of telephone calls from angry customers in relation to approximately 1225 customer credit cards.  The company’s own bank lost confidence in the credit facilities it offered and cancelled its agreement as a result of the hack.  About 30 to 40 customers complained that their credit cards had been used in the United States without their authority.

[71]     At [54], Studdert J, delivering the principal judgment of  the New South Wales Court of Appeal (with whom Stein JA and Smart AJ agreed) said:

Computer technology plays an important role in modern society.  The potential for harm by computer abuse of the type that occurred in this case, in a society which is becoming increasingly dependent upon computers, requires that considerations of deterrence, not only of the offender but of others who might be tempted to offend in a similar way, should be adequately reflected when it comes to sentence.

[72]     In a short concurring judgment, Stein JA, at [1], referred to the offences having been carried out with “conscious malice” and with an intention “to cause significant harm” to the company and its customers.  Stein JA referred to the maximum penalty of ten years imprisonment being indicative of the seriousness with which the Legislature viewed such crime and emphasised the crucial role played by computer technology in today’s society.  Considerations of deterrence were required “both for the offender and other hackers who might be tempted, not always for reasons of monetary gain but sometimes sheer maliciousness”.

[73]     Finally, we refer to the United States of America v O’Brien 435 F 3d 36 (2006). This was a decision of the United States Court of Appeals for the First Circuit. The prisoner was found guilty on one charge of intentionally causing damage to a computer used for inter-state commerce. He was a computer consultant for a travel wholesaler which sold tickets to customers through a secure website. He made unauthorised changes to the computer system and caused several airline reservations to be cancelled.

[74]     Counsel for Mr O’Brien had submitted that, to take account of special skill, amounted to “double counting” because the ability to use a computer was an integral part of the offence itself.  That submission was rejected, the Court of Appeals holding that special skill could be taken into account as an aggravating factor.  Delivering the opinion of the Court, Chief Judge Boudin concluded, at 42:

We think it is enough to say here that the use of special computer skills is certainly not an element of the statutory offense and that O’Brien was plausibly found to have had such skills beyond those possessed by an ordinary computer user.  O’Brien also fits the rationale behind the enhancement, which is the special danger posed by one whose training magnifies or facilitates the potential for harm.

[75]     In our view the various factors and emphasis given in the judgments we have cited from Australia and the United States are equally applicable in New Zealand and ought to be taken into account on sentencing for computer based offending. 

[76]     In summary, we identify below a number of factors which are relevant to the assessment of an appropriate sentence for offending of this type.  Some of these are factors arising in fraud cases generally, and some are particular to computer based fraud.  The factors are:

a)The reason for the offending: 

i)Was it carried out deliberately to cause significant harm? 

ii)Was it carried out solely out of malicious motives? 

iii)Was it carried out simply to demonstrate to the offender that he could inflict the type of harm that results?

The reason identified in a particular case and weight given to it on sentencing will be a matter of degree for the sentencing Judge.

b)The resulting harm:

i)What loss has actually been suffered by a business enterprise as a result of the offending? 

ii)What financial and emotional harm has been suffered by individual victims?

Not only direct losses should be brought to account.  The Court will need to take account of additional costs which may be incurred to respond to security and risk management concerns.  Those costs will likely be driven by insurance requirements.  Further, the loss of confidence in a business enterprise caused by offending which affects its customers should not be underestimated.

c)Is the offending likely to cause a loss of confidence in computer systems generally?  Is it likely to undermine the use of computers in commerce?

d)Is there a possibility of harm continuing after apprehension of the offender?  This will be particularly important in cases involving the insertion of a virus which has the potential to replicate exponentially and continue to do harm well after the original offender has been arrested and dealt with by the Courts.

[77]     Applying the principles of functional equivalence and technological neutrality, the approach to sentencing for computer based crime should start by reference to penalties that would have been imposed had the crime been committed through paper based means. 

[78]     This approach is particularly relevant to technologically neutral provisions of the Act, such as s 228.  R v Singh (2003) 20 CRNZ 158 (CA) provides a useful collection of sentencing decision on offending of that type.  Where computer offending is involved, the sentence will need to take account of the factors to which we have referred earlier in this judgment.

[79]     Sentencing for offences that relate solely to computer based activity will need to be assessed by reference to the maximum penalty for each offence and appropriate aggravating features of the type we have discussed.

(c)   Was the sentence imposed manifestly excessive?

[80]     Having dealt at some length with the approach to sentencing in a case such as this, we return to consider the sentence imposed by Judge Harvey in this case.

[81]     In our view the sentence imposed was open to the sentencing Judge,  particularly given Mr Hayes’ recidivist conduct. 

[82]     From what we have already said, it will be clear that we agree with the observations made by the Judge which preceded his assessment of the appropriate sentence. Those observations are summarised at [28] above.

[83]     In our view, the starting points assessed by the Judge for the two sets of offending were within the range available, having regard to the maximum penalty of seven years imprisonment involved.  The aggravating factors identified by the Judge were appropriate in fixing the starting point for each group of offences. 

[84]     Notwithstanding Mr Hayes’ youth, having regard to his recidivist conduct, we consider he was fortunate to receive the credit he did for, at least, the second group of offences.

[85]     Mr Kaye’s main criticism related to the application of the totality principle.  No criticism was made of the decision to accumulate sentences.  Nor did Mr Kaye attack of the sentences that were imposed for the two distinct periods involved.

[86]     We are satisfied that, having regard to the factors the Judge took into account and the more general considerations which we have discussed, that the Judge was right to emphasise the need for both specific and general deterrence.  On that basis, the effective sentence imposed was open to the Judge and there is no reason to interfere with it on appeal.

Result

[87]     For the reasons given, the appeal against sentence is dismissed.

Solicitors:
Crown Law Office, Wellington