In two unrelated decisions issued Wednesday, New Jersey courts have asserted jurisdiction over accused hackers who have no connection to the state, but allegedly sought to inflict harm on Garden State residents.
In one of the cases, the Appellate Division reinstated the indictment of a Florida man who launched a spam attack on a New Jersey company that was his competitor in the medical equipment business. A trial judge had dismissed the case for lack of jurisdiction, since the spam was sent from outside New Jersey. But the appeals court, in a published decision, ruled that the company and its New Jersey owner were harmed within the meaning of the state computer crime statute.
In a separate case, a federal judge in the District of New Jersey denied a motion to dismiss a civil suit against a Pittsburgh theological institute and four of its board members by its former executive director, a New Jersey resident, who accused the defendants of stealing his email and other computer files. The defendants argued that the New Jersey court lacked personal jurisdiction over them because they had no connection to the state. But the judge found the defendants are subject to personal jurisdiction of the New Jersey court because their alleged tortious conduct was aimed at someone who they knew resided in the state.
Published decisions focusing on jurisdiction in hacking cases are a welcome sight for New Jersey lawyers. Jurisdictional disputes in hacking cases are becoming more common, and courts have issued plenty of rulings, but there are few published decisions, said Scott Christie, a litigator at McCarter & English in Newark who handles internet-related civil and criminal cases.
Normally, jurisdiction in civil cases lies “where the harm happens,” said Christie. But “in the cyber-realm, things are a little less precise. Most courts these days have come around to the view that, even if the alleged harm was directed from a place outside the district where the court action is pending, if there is an intentional and purposeful effort to victimize a resident in the jurisdiction where the case is pending, that will generally be sufficient to satisfy a jurisdictional requirement,” he said. In cyber-crime cases, similarly, “you are generally looking for the jurisdiction where there is demonstrable harm caused by the criminal conduct or where the defendant is located,” Christie said.
However, such determinations are “pretty fact-sensitive—while the concepts are relatively clear, the application may not be,” Christie said.
In the civil suit, U.S. District Judge Freda Wolfson denied a motion to dismiss a suit against the National Institute for Newman Studies and four of its directors by Robert Christie, a former director of the institute who lives in New Jersey. He is not related to Scott Christie. The institute, affiliated with Duquesne University, is devoted to the study of theologian John Henry Newman.
Robert Christie, who served as the institute’s director, continued to live in New Jersey and commuted to Pittsburgh on commercial flights during his time working there. He filed suit in the District of New Jersey, claiming he was fired after being diagnosed with cancer, and that a separation agreement offered by the institute was revoked after individuals there illegally accessed his Yahoo email account and removed other files from his computer.
The defendants argued that their conduct related to the plaintiff was insufficient to meet the requisite minimum contacts with New Jersey for them to be subject to personal jurisdiction. The defendants also argued that the Yahoo email they were accused of hacking is stored on servers in California, and any unauthorized access was targeted at that state. But Wolfson found that defendants had minimum contacts with New Jersey because their alleged hacking constitutes a tort, that defendants knew their alleged hacking would harm the plaintiff in New Jersey, that the defendants affirmatively calculated their activities to harm the plaintiff in New Jersey, and that the plaintiff was, in fact, harmed in New Jersey.
Andrew Bolson, the lawyer for Robert Christie, said the decision is significant for its holding on where the emails exist, an issue not previously examined by a court in the District of New Jersey.
“Emails are a cloud-based system—they exist in cyberspace. The defendants were saying the emails exist on servers in California. New Jersey doesn’t have a tie to the emails. The judge said they allegedly hacked computers in New Jersey. You can’t lose sight of the fact that even virtual property, even emails exist in a physical presence, in a place. My client’s computer was in New Jersey. The emails don’t just live in cyberspace. That’s where the precedential value is and that’s really important,” said Bolson, of Rubenstein, Meyerson, Fox, Mancinelli, Conte & Bern in Montvale.
The decision is important because the alternative would be a Pennsylvania venue, and New Jersey law provides its citizens greater protection from hacking than the law of Pennsylvania, Bolson said.
Mark Melodia of Reed Smith in Princeton, who represents the National Institute for Newman Studies and the individual defendants, declined to comment on the ruling.
In the criminal case, the Appellate Division reinstated an indictment of Rory Tringali of Deerfield Beach, Florida, on charges of disrupting computer services and impersonating another for the purpose of obtaining benefits for himself. Authorities said Tringali orchestrated a large-scale spam attack against a Utah website that was affiliated with MedPro Inc., a company run by a New Jersey resident, Michael Moreno.
The Utah website was run by Justin Williams, who was an associate of Moreno in a business selling cosmetic lasers. Moreno would sell the devices and Williams fulfilled the orders. The website received a large number of undeliverable email messages sent from MedPro’s email address to nonexistent email accounts. In some instances, MedPro received 100 such messages per minute.
Other emails were sent to valid email addresses for parties with no relationship to MedPro, prompting the recipients to complain to MedPro. One recipient forwarded one of the emails to the Attorney General’s Office. MedPro, which did not have a physical store and conducted all of its sales online, changed its website address several times, but the spam attacks continued. The episode cost him more than $100,000, Moreno claimed.
Moreno and Williams identified Tringali, a former business partner of theirs who went on to start a competing business, to state officials as a potential suspect. Tringali admitted launching the attacks on MedPro with the help of a computer-savvy neighbor.
Superior Court Judge Terrence Cook, of Burlington County, granted Tringali’s motion to dismiss the indictment, noting that the immediate impact of the alleged spam attack was felt on a website in Utah. Cook cited a 2015 state Supreme Court decision, State v. Sumulikoski, which held that criminal jurisdiction required a direct nexus to New Jersey.
The state appealed and a panel composed of Judges Susan Reisner, Ellen Koblitz and Thomas Sumners Jr. reversed the decision, finding jurisdiction was proper in New Jersey.
“Although defendant’s conduct occurred in Florida, and its initial effect was to disrupt website domains and e-mail servers owned by an individual in Utah, one of the intended and actual end results of the conduct was to cripple MedPro’s access to internet service. Hence, although his conduct took place in Florida, defendant both inflicted a harm on MedPro and deprived MedPro of a benefit, in this state,” Reisner wrote for the panel.
Under the state computer crime statute, it doesn’t matter that the property immediately affected by the offense, the MedPro website and servers, was located in Utah, the panel said. What matters is that a result that is an element of the offense consisted of inflicting harm on a resident of this state, the court said.
Deputy Attorney General Joseph Remy handled the case for the state. He said in a statement that “The Appellate Division’s ruling recognizes that our citizens and businesses can seek protection under our state laws when attacked in cyberspace and anticipate that law enforcement will investigate and prosecute cybercrimes regardless of where a server or cloud happens to be located.”
Tringali’s lawyer, Lawrence Leven, a solo practitioner in Caldwell, said he did not dispute the panel’s analysis but said it was based on some erroneous facts. Leven said the court wrongly presumed that Tringali knew of the relationship between Moreno and Williams, and he disputed Moreno’s claim of $100,000 in damages.