Chapter 20 of New Jersey's Code of Criminal Justice relates to theft. One portion of that chapter devotes itself to computer-related crimes. That portion is N.J.S. 2C:20-23 through N.J.S. 2C:20-34. The section under which most New Jersey computer-related crimes will be charged is N.J.S. 2C:20-25. That section is entitled computer-related theft.
N.J.S. 2C:20-25 contains a whole laundry list of offenses. These offenses span a range that includes merely accessing a computer without authorization to copying and destroying data. Here is N.J.S. 20-25 (in typical convoluted legalese) in its entirety:
|A person is guilty of computer criminal activity if the person purposely or knowingly and without authorization, or in excess of authorization:
a. Accesses any data, data base, computer storage medium, computer program, computer software , computer equipment, computer, computer system or computer network;
b. Alters, damages or destroys any data, data base, computer, computer storage medium, computer program, computer software, computer system or computer network, or denies, disrupts or impairs computer services, including access to any part of the Internet, that are available to any other user of the computer services;
c. Accesses or attempts to access any data, data base, computer, computer storage medium, computer program, computer software, computer equipment, computer system or computer network for the purpose of executing a scheme to defraud, or to obtain services, property, personal identifying information, or money, from the owner of a computer or any third party;
d. (Deleted by amendment, P.L.2003, c.39).
e. Obtains, takes, copies or uses any data, data base, computer program, computer software, personal identifying information, or other information stored in a computer, computer network, computer system, computer equipment or computer storage medium; or
f. Accesses and recklessly alters, damages or destroys any data, data base, computer, computer storage medium, computer program, computer software, computer equipment, computer system or computer network.
g. A violation of subsection a. of this section is a crime of the third degree. A violation of subsection b. is a crime of the second degree. A violation of subsection c. is a crime of the third degree, except that it is a crime of the second degree if the value of the services, property, personal identifying information, or money obtained or sought to be obtained exceeds $ 5,000. A violation of subsection e. is a crime of the third degree, except that it is a crime of the second degree if the data, data base, computer program, computer software, or information:
(1) is or contains personal identifying information, medical diagnoses, treatments or other medical information concerning an identifiable person;
(2) is or contains governmental records or other information that is protected from disclosure by law, court order or rule of court; or
(3) has a value exceeding $5,000.
A violation of subsection f. is a crime of the fourth degree, except that it is a crime of the third degree if the value of the damage exceeds $5,000.
A violation of any subsection of this section is a crime of the first degree if the offense results in:
(1) a substantial interruption or impairment of public communication, transportation, supply of water, gas or power, or other public service. The term “substantial interruption or impairment” shall mean such interruption or impairment that:
(a) affects 10 or more structures or habitations;
(b) lasts for two or more hours; or
(c) creates a risk of death or significant bodily injury to any person;
(2) damages or loss in excess of $250,000; or
(3) significant bodily injury to any person.
Every sentence of imprisonment for a crime of the first degree committed in violation of this section shall include a minimum term of one-third to one-half of the sentence imposed, during which term the defendant shall not be eligible for parole.
h. Every sentence imposed upon a conviction pursuant to this section shall, if the victim is a government agency, include a period of imprisonment. The period of imprisonment shall include a minimum term of one-third to one-half of the sentence imposed, during which term the defendant shall not be eligible for parole. The victim shall be deemed to be a government agency if a computer, computer network, computer storage medium, computer system, computer equipment, computer program, computer software, computer data or data base that is a subject of the crime is owned, operated or maintained by or on behalf of a governmental agency or unit of State or local government or a public authority. The defendant shall be strictly liable under this subsection and it shall not be a defense that the defendant did not know or intend that the victim was a government agency, or that the defendant intended that there be other victims of the crime.
A violation of any subsection of this section shall be a distinct offense from a violation of any other subsection of this section, and a conviction for a violation of any subsection of this section shall not merge with a conviction for a violation of any other subsection of this section or section 10 of P.L.1984, c. 184 (C.2C:20-31), or for conspiring or attempting to violate any subsection of this section or section 10 of P.L.1984, c. 184 (C.2C:20-31), and a separate sentence shall be imposed for each such conviction.
When a violation of any subsection of this section involves an offense committed against a person under 18 years of age, the violation shall constitute an aggravating circumstance to be considered by the court when determining the appropriate sentence to be imposed.
Surprisingly few New Jersey reported decisions discuss N.J.S. 2C:20-25. One decision that does is State v. Sergeant Kenneth Riley, 412 N.J.Super. 162 (Law Division, 2009). That case involved Princeton Borough Police Officer, Sgt. Riley, indicted for using a computer to access the digitized video of another officer, Sgt. Robert Currier, making a motor vehicle stop. Currier allowed the motorist to urinate in the bushes. Riley accessed the video in order to embarrass Currier.
In dismissing the computer-related theft count of the indictment, the judge observed that ambiguities in how N.J.S. 2C:20-25 was worded gave Riley insufficient warning that his use of the department's computer in that manner violated the statute. Riley, after all, legitimately had the computer password that enabled him to access the video.
In discussing how N.J.S. 2C:20-25 related to Riley's activities, the court observed:
|Federal law defines the term, “exceeds authorized access,” to mean “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled to so obtain or alter.” 18 U.S.C. §1030(e)(6). That also is not unambiguous, as one may ponder what it means to be “not entitled to obtain or alter” data. Arguably, one is entitled if he has a password or code-based right to obtain or alter the data. See Katherine Mesenbring Field, Note: Agency, Code, or Contract: Determining Employees' Authorization Under the Computer Fraud and Abuse Act, 107 Mich.L. Rev. 819, 834 (2009) (hereinafter “Determining Employees' Authorization”) (arguing that the definition of “exceeding authorized access“ “merely shifts the focus to insider's entitlement to information or data and fails to explain whether such entitlement is determined by code-based limits to one's ability to access or by employer-defined limits“).
Significantly, New Jersey did not adopt the federal definition. In N.J.S. 2C:20-25(a), “in excess of authorization” simply modifies “access.” Thus, according to a narrow reading, the statute does not cover “use” in excess of authorization. Rather, it covers a situation where someone has password or code-based permission to enter certain databases but not others, but hacks his way into a second level within the computer data base. If the Legislature wanted to cover persons who acted in excess of authorization to use data, as opposed in excess of authorization to access data, it could have said so.
Allan Marain and Norman Epting, Jr. are New Jersey criminal defense lawyers. Their combined criminal defense experience exceeds seventy years. Allan has ten years experience as a computer programmer and systems analyst for major New Jersey and multi-national corporations. He is a Trustees of the Association of Criminal Defense Lawyers of New Jersey.
If you have been charged with computer theft, both Mr. Marain and Mr. Epting are available to discuss review your charges, and your options. Call them for a confidential no-charge no-obligation conference.