State v. Thompson

WIGLER, P.J.Cr.

INTRODUCTION

In the above-captioned matter, defendant Michael Thompson (“Thompson”) filed a motion to dismiss Essex County Complaint No. 0706-S-2013-003175 and all charges as to himself under this complaint. Defendant Tiffany Tucker (“Tucker”) orally moved to join in Thompson’s motion.

PROCEDURAL HISTORY

On September 26, 2013, Thompson and Tucker (collectively “defendants”) were arrested and served with complaint-summons*623es charging them with one count each of computer theft, contrary to N.J.S.A. 2C:20-25(a), and conspiracy to commit computer theft, contrary to N.J.S.A. 2C:5-2(a)(l) and N.J.S.A. 2C:20-25(a). Defendants entered pleas of not guilty. On February 24, 2014, defense counsel filed a brief and notice of Thompson’s motion seeking a dismissal of Essex County Complaint No. 0706-S-2013-003175 for failure to state a prima facie case. Copies of the complaint-summonses were attached to the brief. On March 27, 2014, the State submitted a letter-brief opposing Thompson’s motion. Oral arguments were heard on May 8, 2014.

FACTUAL HISTORY

In July 2013, Marco Flores of the Information Technology (“I.T.”) Division of the East Orange Police Department (“EOPD”) reported to Inspector Wells of the EOPD that he had overheard a conversation between I.T. Supervisor Tiffany Tucker and I.T. Technician Michael Thompson wherein they allegedly discussed accessing department emails through the Administration account. According to the subsequent investigation, all I.T. personnel possessed an administrative login and password that permitted them access to the email system for the purpose of conducting maintenance or correcting problems within the email system.

On July 23, 2013, the Essex County Prosecutor’s Office, Professional Standards and Corruption Bureau, responded to a complaint from the EOPD that defendants Thompson and Tucker had engaged in misconduct by tampering with work computers. Specifically, defendants were alleged to have utilized their administrative passwords to open and read the emails of several high-ranking employees without authorization. An examination of the Department’s computer and email system indicated that between April 26, 2013, and July 22, 2013, defendants had viewed the message contents and attachments of executive staff, including Jillian Barrick, City Administrator, William Robinson, EOPD Chief of Police, Tracey Haeket, First Assistant Corporate Counsel, Antonia Cruz, Accountant/Budget Officer for EOPD, Zackery *624Tamer, Vendor for East Orange Security Cameras, Donna Little-john, Barrick’s Administrative Assistant, and Monica Reed, Human Resources Manager, among other accounts. According to the investigation, Tucker is accused of reading emails without authorization between April 26, 2013, and July 22, 2013, and Thompson is accused of reading emails without authorization between July 10, 2013, and July 22, 2013. During this relevant time period, defendants were plaintiffs in a pending lawsuit against the City of East Orange involving work-related issues.

LEGAL ANALYSIS

Whether an indictment should be dismissed lies within the discretion of the court. State v. N.J. Trade Waste Ass’n, 96 N.J. 8, 18, 472 A.2d 1050 (1984). “A trial court ... should not disturb an indictment if there is some evidence establishing each element of the crime to make out a prima facie case.” State v. Morrison, 188 N.J. 2, 12, 902 A.2d 860 (2006). Dismissal of an indictment is a “last resort because the public interest, the rights of victims, and the integrity of the criminal justice system are at stake.” State v. Ruffin, 371 N.J.Super. 371, 384, 853 A.2d 311 (App.Div.2004) (holding that “criminal cases should ordinarily be decided on the merits after a full and impartial trial”); N.J. Trade Waste Ass’n, supra, 96 N.J. at 18-19, 472 A.2d 1050 (holding that dismissal of an indictment is a “draconian remedy” that “should not be exercised except on the clearest and plainest ground”).

In order to withstand dismissal, the State must present “some evidence” as to each element of the charged offenses sufficient to establish that there is prima facie evidence that a crime has been committed and that the defendant committed it. Id. at 27, 472 A.2d 1050; State v. Schenkolewski, 301 N.J.Super. 115, 137, 693 A.2d 1173 (App.Div.), certif. denied, 151 N.J. 77, 697 A.2d 549 (1997). The quantum of evidence, however, “need not be great.” Ibid. The critical inquiry is “whether [the indictment] contains elements of the offense intended to be charged and gives the accused reasonable notice of the act or acts he is called upon *625to defend.” State v. Ball, 268 N.J.Super. 72, 120, 632 A.2d 1222 (App.Div.1993); State v. M.L., 253 N.J.Super. 13, 19, 600 A.2d 1211 (App.Div.1991), certif. denied, 127 N.J. 560, 606 A.2d 371 (1992).

Every reasonable inference is to be given to the State in determining the sufficiency of the evidence to sustain the indictment. N.J. Trade Waste Ass’n, supra, 96 N.J. at 27, 472 A.2d 1050. Specifically, the defendant bears the burden of proving that “the evidence is clearly lacking to support the charge.” State v. McCrary, 97 N.J. 132, 142, 478 A.2d 339 (1984); State v. Graham, 284 N.J.Super. 413, 417, 665 A.2d 769 (App.Div.1995), certif. denied, 144 N.J. 378, 676 A.2d 1092 (1996).

In the present matter, the court will first discuss the analysis of the applicable statutory language, before examining the legislative history, as well as relevant case law.

I. The Statutory Language Supports Criminal Culpability Where Authorization Previously Exists in the Scope of Ordinary Employment

Defendants argue that they cannot be held criminally liable for their unauthorized access to other employees’ emails under N.J.S.A. 2C:20-25(a) because the term “unauthorized access” in computer crime law does not reach employees who already possess password-protected access in the scope of their employment. Relying on the analysis set forth in State v. Riley, 412 N.J.Super. 162, 988 A.2d 1252 (Law Div.2009), defendants urge the court to adopt the Riley statutory interpretation and dismiss the complaint.

N.J.S.A. 2C:20-25 provides that “[a] person is guilty of computer criminal activity if the person purposely or knowingly and without authorization, or in excess of authorization,” commits one of the enumerated offenses outlined in subsections (a) through (f) (emphasis added). In the present ease, defendants had password access to the electronic mail system of their employer, the EOPD, in their capacity as employees of the I.T. Division. According to *626the complaint, defendants utilized their administrative login to read the emails of certain executive personnel, between April 26, 2013, and July 22, 2013, for the purpose of obtaining information relating to lawsuits that the defendants had against the City of East Orange.

Statutory analysis begins with deference to the language chosen by the Legislature in enacting the statute, in accordance with the ordinary meaning, unless technical terms are used, which should be construed “in accordance with those [technical] meanings.” Marino v. Marino, 200 N.J. 315, 329, 981 A.2d 855 (2009) (internal citation omitted); see also N.J. Div. of Youth & Family Servs. v. T.B., 207 N.J. 294, 302, 24 A.3d 290 (2011); State v. Hupka, 203 N.J. 222, 231-32, 1 A.3d 640 (2010). A court must “look first to the plain language of the statute, seeking further guidance only to the extent that the Legislature’s intent cannot be derived from the words that it has chosen.” Pizzullo v. N.J. Mfrs. Ins. Co., 196 N.J. 251, 264, 952 A.2d 1077 (2008). A court may not rewrite the statute or “presume that the Legislature intended something other than that expressed by way of the plain language.” O’Connell v. State, 171 N.J. 484, 488, 795 A.2d 857 (2002). Significantly, the New Jersey Supreme Court has stated that “[i]t is a cardinal rule of statutory construction that the intention of the Legislature is to be derived from a view of the entire statute ... so that the auxiliary effect of each individual part of a section is made consistent with the whole.” Febbi v. Bd. of Review, Div. of Emp’t Sec., 35 N.J. 601, 606, 174 A.2d 481 (1961) (citations omitted).

In drafting N.J.S.A. 2C:20-25, the Legislature utilized the disjunctive term “or” before the phrase “in excess of authorization.” “Generally, courts presume that ‘or’ is used in a statute disjunctively unless there is clear legislative intent to the contrary.” Norman J. Singer & J.D. Shamble Singer, Sutherland Statutory Construction § 21:14 (7th ed.2009). Principles of statutory construction prescribe that the Legislature does not utilize “any unnecessary or meaningless language” during drafting, Patel *627v. N.J. Motor Vehicle Comm’n, 200 N.J. 413, 418-19, 982 A.2d 445 (2009); therefore a court “should try to give effect to every word of [a] statute ... [rather than] construe [a] statute to render part of it superfluous.” Med. Soc’y of N.J. v. N.J. Dep’t of Law & Pub. Safety, Div. of Consumer Affairs, 120 N.J. 18, 26-27, 575 A.2d 1348 (1990) (citations omitted). Therefore, “[w]e must presume that every word in a statute has meaning and is not mere surplusage.” Cast. Art Indus., LLC v. KPMG LLP, 209 N.J. 208, 222, 36 A.3d 1049 (2012) (quoting In re Attorney General’s “Directive on Exit Polling: Media & Nonr-Partisan Pub. Interest Grps.”, 200 N.J. 283, 297-98, 981 A.2d 64 (2009)).

Applying these principles, the court interprets that the Legislature drafted three distinct situations in which each individually constitutes criminal activity. In the first instance, a person may “purposely” commit computer criminal activity. In the alternative, a person may commit computer criminal activity “knowingly and without authorization.” Finally, this court concludes that the Legislature contemplated that a person may commit computer criminal activity if he or she acts “in excess of authorization,” which had already been granted. This interpretation posits a scenario where an employee with password-protected access utilizes this access in a way that exceeds the scope of his employment. In the present case, defendants were in possession of an administrative login and password in their scope as I.T. employees, for the purpose of conducting maintenance or correcting errors in the email system. However, defendants utilized their login to gain access to specific emails of selected personnel, allegedly to obtain information regarding their personal lawsuit.

The access at issue was unrelated to defendants’ role as I.T. employees. Instead, defendants were using the login to access personal information beyond their purview as employees. A different interpretation of this statutory construction would render the final clause, “in excess of authorization,” as superfluous. This court does not agree with defendants that only a civil remedy is *628available under the circumstances, rather than criminal culpability-under N.J.S.A. 2C:20-25(a).

II. The Legislative History Indicates an Effort to Address Employee Authorization and New Technologies in the Workplace

As the Riley court lays out, in 2003, the Legislature significantly amended the computer crime law that was first enacted in 1984. Riley, supra, 412 N.J.Super. at 176, 988 A.2d 1252 (citing L. 2003, c. 39, amending L. 1984, c. 184). “This bill would update the State law with regard to computer crime to reflect various technological changes ... that have occurred since enactment of the computer crime law in 1984.... ” Sponsor’s Statement to S. 1355 (2002). Significantly, the 2003 amendment included the concept of acting “in excess of authorization” in section 25. L. 2003, c. 39, § 3. The term was not formally defined by the Legislature. See Riley, supra, 412 N.J.Super. at 177, 988 A.2d 1252. However, the Legislature did address the term of “authorization,” clarifying that “authorized access in the ordinary course of business is not intended to be reached by the criminal provisions of the bill.” Senate Judiciary Committee Statement to S. 1355 (2002) (emphasis added).

Defendants argue that the Legislature’s definition of “authorization” without a definition of “in excess of authorization” creates an ambiguity within the interpretation of the statute. However, this court is inclined to agree with the State in concluding that the Legislature intended to hold criminally liable those individuals who abuse the privilege of access beyond “the ordinary course of business.” In the course of their employment with the I.T. Division, defendants had access to the email systems of other employees for the limited purpose of maintaining the systems and correcting errors. Subsequently, defendants allegedly exceeded their authorized access by reading the emails of specific employees for personal reasons, which surpassed defendants’ employment objectives with the EOPD.

*629III. Existing State and Federal Law Highlights Uncertainty and Requires a Careful and Fad^Specific Analysis

The New Jersey Legislature has closely tracked the development of federal computer crime law, specifically the Computer Fraud and Abuse Act (“CFAA”), which was passed in 1986. 18 U.S.C. § 1080. Under the CFAA, Congress defined the term “exceeds authorized access,” as accessing “a computer with authorization and [using] such access to obtain or alter information in the computer that the accessed is not entitled so to obtain or alter.” 18 U.S.C. § 1030(e)(6). Although, as previously noted, the Legislature did not define the term, “in excess of authorization,” the Senate Judiciary Committee stated that the definition of “ ‘authorization’ is to be consistent with federal law (Senate Judiciary Committee Statement to S. 1855 (2002) (emphasis added)). Together with the Legislature’s 2003 amendment, simple access became a third degree crime regardless of the existence of monetary loss. See N.J.S.A. 2C:20-25(g). The shift away from a disorderly persons offense, under the original 1984 statute, to a third degree crime and an indictable offense suggests the Legislature’s intent to criminalize inappropriate access, such as access held by an employee who utilizes it “in excess of authorization.”

The court notes that there has been divergence among the federal circuits regarding the interpretation of the term “exceeds authorized access.”1 While ambiguity in the law, both state as well as guiding federal principles, encourages caution in interpret*630ing legislative purpose, it does not necessarily create “arbitrary or unpredictable law enforcement,” as warned by the Riley court and argued by defendants. Certainly, “[e]riminal law should not be some pliable material that the State may bend and mold at will to fit an unwarned defendant,” as warned in Riley, supra, 412 N.J.Super. at 187, 988 A.2d 1252. However, the law must retain the flexibility required for a fact- and technology-sensitive analysis. Today, the 2003 amendment to N.J.S.A. 2C:20-25 is over a decade old. The limitations of employee access to computer data shift continuously, as workplace information and communication move into electronic form. In the present case, defendants allegedly used their employee access to obtain information that had applicability to a non-workplace issue, specifically their personal lawsuit. Although the EOPD granted defendants access so that they could maintain the email systems as an I.T. employee, defendants were able to use this access for an unintended purpose. Placing narrow limitations on the concept of “authorization,” handicaps future analysis of employees’ workplace computer access, as evidenced by the present case.

IV. Broader Interpretation of the Statute is Required to Properly Address Computer Crime

In their argument, defendants rely heavily on Riley,2 where “unauthorized access” was not held to be applicable to an employee who entered a video database with a current password in violation of departmental regulations. See comment to N.J.S.A. 2C:20-25. This court respectfully disagrees.

The Riley court noted that the Legislature did not define “in excess of authorization.” Riley, supra, 412 N.J.Super. at 177, 988 A.2d 1252. The court concluded that “the Committee expressed *631the intent not to reach access authorized in the ordinary course of business.” Ibid. However, as discussed earlier, an analysis of the statutory language does not support this conclusion. The language of N.J.S.A. 20:20-25 assigns criminal culpability to a person who commits one of the enumerated acts either purposely, knowingly and without authorization, or in excess of authorization. The latter disjunctive term, “in excess of authorization,” one of three terms separated out by the legislature, anticipates an actor with existing authorization such as defendants who allegedly engaged in criminally culpable activity. To allow defendants to escape culpability because they were not outsiders breaking into the computer system suggests a limit on computer crime that does not exist in reality. It is important to recognize that computer criminal activity may be perpetuated by insiders within an organization such as the EOPD.

The Riley court briefly noted that “the Legislature has expressly required the State to prove that a reasonable person — as distinct from the defendant — would not believe he was authorized to access the computer-based object.”3 Riley, supra, 412 N.J.Super. at 171 n. 1, 988 A.2d 1252 (emphasis added). Therefore, a reasonable person must understand that he or she is not authorized to access a particular set of computer data in order to satisfy this element of the crime. In the present matter, a reasonable person employed by the I.T. Department of the EOPD would understand that he was not authorized to access private emails of specific personnel, absent an error or maintenance issue that required his or her professional expertise. In fact, the accompanying investigation specifically noted that defendant Tucker had created a system in which a ticket was generated by the computer system to alert I.T. employees of an issue that required their attention. I.T. personnel would subsequently address that ticket and thereby access the relevant computer information in response to the issue. Furthermore, any reasonable person would under*632stand that he or she was not authorized to gain access to personal emails for the purpose of culling private information that was relevant to an ongoing lawsuit. It is a stretch of the imagination to argue that such fundamentals of privacy are beyond the understanding of a reasonable person.

Certainly, the risk of “arbitrary enforcement of the computer crime law,” as contemplated in Riley, supra, 412 N.J.Super. at 186, 988 A.2d 1252, is a serious consideration that should not be taken lightly. The prevalence of computers in the workplace has introduced a new and growing set of issues that task existing legislation with the burden of reshaping itself in acknowledgement of these changes. However, violations of employee access to internal computer data is a step beyond the use of social networking sites in the workplace. Such violations constitute a breach of the agreement between the employer and the employee that dictates the terms of appropriate access at work. Allowing an employee who breaches this agreement to escape criminal culpability under the statute creates a safe haven for violators who happen to function from within an organization. Furthermore, arbitrary enforcement can be safely curtailed by sound prosecutorial discretion. See State v. Wilmouth, 302 N.J.Super. 20, 694 A.2d 584 (App.Div.1997).4 Such discretion is capable of distinguishing between an insignificant violation, such as Internet access to a social networking site, and the circumstances in the present ease.

Ultimately, the court finds that the State has satisfied its burden to present a prima facie cause of action under N.J.S.A. 2C:20-25(a) and N.J.S.A. 2C:5-2(a)(l) with sufficient evidence that defendants have committed the alleged violations.

*633 CONCLUSION

For the foregoing reasons set forth by this court, the motion to dismiss the complaint is hereby denied.

The First, Fifth, Seventh, and Eleventh Circuits have supported a broader interpretation that assigns criminal culpability to employees who exercise excessive access. See United States v. John, 597 F.3d 263 (5th Cir.2010); Int'l Airport Ctrs., LLC v. Citrin, 440 F.3d 418 (7th Cir.2006); E.F. Cultural Travel BV v. Explorica, Inc., 274 F.3d 577 (1st Cir.2001); United States v. Cave, No. 8:12CR417, 2013 U.S. Dist. LEXIS 99149 (D.Neb. July 16, 2013). On the other hand, the Fourth and Ninth Circuits have taken a more narrow position, limiting criminally culpable access to individuals who do not have permission to access the information. See WEC Carolina Energy Sols., LLC v. Miller, 687 F.3d 199, 206 (4th Cir.2012); United States v. Nosal, 676 F.3d 854 (9th Cir.2012); LVRC Holdings LLC v. Brekka, 581 F.3d 1127 (9th Cir.2009).

The Riley court found that the State could not prosecute a Princeton Borough Police Department detective, who had utilized his department-issued password in order to gain access in the departmental computer system to view a video of a traffic stop conducted by another sergeant. Allegedly, he did so for the improper purpose of causing ridicule and injury to the other sergeant.

According to N.J.S.A. 2C:20-23(q), "[a]n actor has authorization if a reasonable person would believe that the act was authorized.”

In Wilmouth, the Appellate Division stated that prosecutorial discretion would govern the application of the Domestic Violence Act in order to ensure that an individual was not criminally culpable for "every loss of temper, angry word, or quarrel between persons connected by a familial relationship." Wilmouth, supra, 302 N.J.Super. at 23, 694 A.2d 584.