What can we do if we believe our former CEO is trying to access our new CEO's email?

Full Question:

Our weekly report of authority/system reports revealed that a the former Chief Financial Officer of our company made three attempts to log into our current Chief Financial Officer's mail . We have identified their 'workstation' , 'geostation' and 'Thinkpad' ID numbers as his. Is this a crime? Should the company contact an attorney?
01/17/2009   |   Category: Internet ยป Hacking   |   State: New Jersey   |   #15015

Answer:

Criminal violations of unauthorized use of Password or PIN(s) to obtain data stored in computers fall into two distinct categories –

(1) data retrieved from a computer system such as a network of a corporation, business or financial institution, and
(2) data unlawfully retrieved from a stand-alone computer. Courts have held that that the prohibition proscribed in N.J.S.A. 2C: 20-30 applies only to a computer system and not an individual computer.

Thus, when a person accesses a computer system, such as the system containing financial records of a corporation or financial institution, the criminal penalties would apply. When the unauthorized retrieval of data is from a stand-alone computer, it may violate N.J.S.A. 2C:20-25, N.J.S.A. 2C:20-29 or N.J.S.A. 2C:20-32.

The law surrounding the unauthorized access of computer and internet information is evolving. If the unauthorized access of information is obtained from an individual’s computer, the common-law tort of invasion of privacy provides a civil remedy. N.J.S.A. 2C:20-32 (Wrongful Access to Computer) provides a disorderly person’s offense when the unauthorized access does not result in the altering, damaging or destruction of any property or services. It remains unclear whether the retrieval of electronically stored materials in the post-transmission storage is a violation under N.J.S.A. 201256A-27b.
If the unauthorized access is from a computer system, such as a corporation or financial institution, there exists the common-law tort of invasion of privacy, as well as the civil remedies under the New Jersey Wiretap Statute. Additionally, accessing a computer system will violate the criminal statutes of N.J.S.A. 2C:20-25 (Computer-Related Theft), N.J.S.A. 2C:20-30 (Damage or Wrongful Access to Computer System), N.J.S.A. 2C:20-31 (Disclosure of Data for Wrongful Access), and/or N.J.S.A. 2C:20-32 (Wrongful Access to Computer).

The basic rule of the New Jersey Wiretap and Electronic Surveillance Control Act is that the interception of wire, electronic or oral communications, by means of electronic, mechanical or other devices is illegal. N.J.S.A. 2A:156A-1, et seq.

The New Jersey Wiretap Statute provides criminal penalties for the unlawful access to stored communications. N.J.S.A. 2A:156A-27 provides:

a. A person is guilty of a crime of the fourth degree if he (1) knowingly accesses without authorization a facility through which an electronic communication service is provided or exceeds an authorization to access that facility, and (2) thereby obtains, alters, or prevents authorized access to a wire or electronic communication while that communication is in electronic storage.

b. A person is guilty of a crime of the third degree if, for the purpose of commercial advantage, private commercial gain, or malicious destruction or damage, he
(1) knowingly accesses without authorization a facility through which an electronic communication service is provided or exceeds an authorization to access that facility, and
(2) thereby obtains, alters, or prevents authorized access to a write or electronic communication while that communication is in electronic storage.

N.J.S.A. 2C:20-25 provides as follows:

“A person is guilty of theft if he purposely or knowingly and without authorization: (a) alters, damages, takes or destroys any data, database, computer program, computer software or computer equipment existing internally or externally to a computer, computer system or computer network, (b) alters, damages, takes or destroys a computer, computer system or computer network, (c) accesses or attempts to access any computer, computer system or computer network for the purpose of executing a scheme or fraud, or to obtain services, property or money, from the owner of a computer or any third party, or (d) alters, tampers with, obtains, intercepts, damages or destroys a financial instrument.”

The NJ Criminal Code defines additional criminal activities as follows:

2C:20-30. Damage or Wrongful Access to Computer System; No Accessible Damage; Degree of Crime.

A person is guilty of a crime of the third degree if he purposely and without authorization accesses, alters, damages or destroys a computer system or any of its parts, where the accessing and altering cannot be assessed a monetary value or loss.

L.1984, c.184, § 9, eff. March 14, 1985.

2C:20-31. Disclosure of Data from Wrongful Access; No assessable Damage; Degree of Crime.

A person is guilty of a crime of the third degree if he purposely and without authorization accesses a computer system or any of its parts and directly or indirectly discloses or causes to be disclosed data, data base, computer software or computer programs, where the accessing and disclosing cannot be assessed monetary value or loss.

L.1984, c.184, § 10, eff. March 14, 1985.

2C:20-32. Wrongful Access to Computer; Lack of Damage or Destruction; Disorderly Persons Offense

A person is guilty of a disorderly persons offense if he purposely and without authorization accesses a computer or any of its parts and this action does not result in the altering, damaging or destruction of any property or services.

L.1984, c.184, § 11, eff. March 14, 1985.

There is a common-law tort of invasion of privacy, which may be pursued when a person obtains information in a way considered “highly offensive to a reasonable person.” This common-law tort may exist even if the action is not prohibited by the New Jersey Wiretap Statute.

RESTATEMENT (SECOND) OF TORTS, §652B (1977) provides:

“One who intentionally intrudes, physically or otherwise, upon the solitude or seclusion of another, or his private affairs or concerns, is subject to liability to the other for the invasion of his privacy, if the intrusion would be highly offensive to a reasonable person.”

If interstate commerce is involved, federal laws in the. the Computer Fraud and Abuse Act (CFAA), may apply.

The most common civil causes of action under the CFAA are brought under either:

1. 18 U.S.C. 1030(a)(2)(C), which requires a showing that a person
(1) "intentionally,"
(2) accessed a computer,
(3) "without authorization" or "exceeded authorized access,"
(4) and obtained information from any "protected computer,"3
(5) if the conduct involved an interstate or foreign communication;

2. 18 U.S.C. 1030(a)(4) which requires a showing that a person has
(1) "knowingly and with intent to defraud,"
(2) accessed a "protected computer,"
(3) "without authorization," and thus
(4) has furthered the intended fraudulent conduct and obtained "anything of value"; or

3. 18 U.S.C. 1030(a)(5) which requires a showing that a person
(1) "knowingly,"
(2) caused transmission of a program, information, code or command and,
(3) as a result, "intentionally"
(4) caused damage,
(5) "without authorization,"
(6) to a "protected computer," or
(7) "intentionally,"
(8) accessed a "protected computer,"
(9) "without authorization," and
(10) caused damage" and "loss" aggregating at least $5,000.00.

In Bunnell v. Motion Picture Association of America , the plaintiff's complaint alleged misappropriation of trade secrets, conversion, unfair competition, violations of the Computer Fraud and Abuse Act (CFAA), tortious interference with a business expectancy, and sought injunctive relief and damages.

Please see the information at the links below to determine which violations may apply. Because of the evolving nature of the law and complexity of evidence and laws involved, it is recommended to consult with an attorney. You may consult our attorney directory at the link below.