New Jersey’s Section 2C:20-31 – Wrongful Access, Disclosure of Information

New Jersey’s computer crime statute, Section 2C:20-31, makes it a third degree crime to purposely or knowingly access or disclose information stored on a computer system without authorization or in excess of authorization. This section, titled “Wrongful access, disclosure of information; degree of crime; sentencing,” was enacted to criminalize unauthorized access and disclosure of sensitive information stored electronically.

What does the law actually prohibit?

Simply put, Section 2C:20-31 prohibits accessing or disclosing information on a computer system if you don’t have permission to do so. This includes things like hacking into someone’s email account, stealing customer data from a business’s servers, accessing medical records without authorization, etc. It applies to information stored electronically on any type of computer system, whether it’s a personal device, business network, government database, or anything else.

The law has two main parts – wrongful access and wrongful disclosure. Wrongful access means accessing information you don’t have rights to see. Wrongful disclosure is sharing or releasing information you obtained through unauthorized access. Both parts make it a third degree crime if done “purposely or knowingly” and “without authorization or in excess of authorization.”

What are the penalties?

A third degree crime in New Jersey carries a potential prison sentence of 3-5 years. Fines can go as high as $15,000. Actual sentences vary case by case, but prosecutors often recommend probation for first-time offenders in computer crime cases. Still, unauthorized access or disclosure of sensitive information is treated as a serious offense.

What kind of information does the law protect?

The law defines “information” very broadly. It includes things like private communications, financial records, medical history, trade secrets, or any other data stored electronically. Section 2C:20-31 protects the confidentiality and privacy of electronic information from unauthorized access or disclosure.

So for example, a disgruntled employee who logs into the company network and downloads customer credit card numbers could face charges under this statute. The law essentially prohibits accessing or sharing any information you don’t have a legitimate right to see or distribute.

What defenses could apply?

There are a few potential defenses in unauthorized access cases:

• Lack of criminal intent – If there’s no evidence you purposely or knowingly exceeded your rights, this could undermine charges. Mistakenly opening an email attachment addressed to someone else would likely not qualify.
• Authorization – If you had permission to access the information, even if it seemed to exceed authorization, this defense may apply. For example, an IT worker troubleshooting network issues.
• First Amendment – If the unauthorized access or disclosure was done to expose illegal activity or matters of public concern, the First Amendment offers some protection. However, the State may still have a compelling interest in limiting disclosure of sensitive information.

Overall, Section 2C:20-31 serves an important purpose in the digital age. Safeguarding confidential information stored electronically is vital for both businesses and individuals. However, the broad scope of the law also raises civil liberties concerns. There are open questions around balancing privacy rights with principles of fair disclosure and transparency. Several cases in recent years have tested the boundaries of New Jersey’s computer crime statute:

• In State v. Reid, the court upheld charges against a sheriff’s officer who accessed a confidential state database for personal reasons. But should off-duty access always be a crime? What if the officer had exposed government corruption instead? There are interesting debates around authorizing access for whistleblowers.
• In E.K. v. Starbucks, a Starbucks manager sued after being fired for accessing employees’ personal information in the company’s system. Starbucks claimed the access exceeded authorization. But managers could argue certain responsibilities require oversight of employee records. Where is the line between management duties and invasion of privacy?
• In Apple v. Doe, an Apple employee leaked confidential product plans on a blog. Apple sued but the court denied their request to unmask the blogger’s identity. Was the public interest in learning about unreleased products more important than Apple’s commercial privacy rights? How courts balance these factors is still developing.

In conclusion, Section 2C:20-31 remains vitally important for the digital era. But there are still open questions on the appropriate scope. Going forward, New Jersey will likely continue clarifying and revising their computer crime laws. Striking the right balance between privacy, property rights, and principles of fair disclosure is an ongoing challenge in the Internet age.