New Jersey v Tringali: NJ Appeals Court Exercises Jurisdiction Over Out-of-State Hacker
July 18, 2017
New Jersey v Tringali: Out-of-State Hacker Prosecuted under NJ Jurisdiction
Hackers located out of state may think twice about targeting New Jersey businesses. The Appellate Division recently held in New Jersey v Tringali that criminal jurisdiction was proper in New Jersey in a case against a defendant who launched a spam attack from the State of Florida.
Allegations of Computer Criminal Activity in New Jersey v Tringali
According to prosecutors, the defendant, acting in Florida, launched a series of “spam” attacks that targeted a Utah website that was an integral part of a New Jersey-based company’s internet business. Victim Michael Moreno is a resident of New Jersey and was an owner of a company called MedPro, Inc. (MedPro). The other victim, Justin Williams, is a resident of Utah and owns a company called Physicians Information Services. The two men were in a business relationship in which Moreno sold cosmetic lasers and Williams fulfilled the orders they received.
Moreno and Williams told investigators that MedPro’s email server received a large number of undeliverable email messages concerning emails that MedPro had not sent. In some instances, MedPro received as many as 100 undeliverable emails per minute. Other emails impersonated the identity of Moreno’s business and were sent to actual email addresses. Many of the recipients correctly viewed the emails as spam and complained to MedPro or its website manager that the emails were unwelcome. One individual sent the emails to New Jersey authorities.
Due to all of the spam messages, MedPro was forced to take its website offline and disable its email system. In an effort to rectify the situation, MedPro changed its URL address, but the spam messages continued four more times, attacking each of the new websites. The cost of changing URLs and other damages exceeded $100,000.
Moreno and Williams identified Rory Tringali, a resident of Miami Beach, Florida, as the suspected perpetrator. Tringali was a former business partner of Moreno and Williams who later launched a competing business that sold cosmetic lasers. Tringali was ultimately charged with disrupting or impairing computer services, N.J.S.A. 2C:20-25(b), impersonating another for the purpose of obtaining a benefit for himself or injuring another, N.J.S.A. 2C:21-17(a)(1), and conspiring to commit those offenses.
In seeking to dismiss the indictment, Tringali submitted evidence that MedPro’s website domain (MedPro.com) and email server were actually owned by a resident of Utah. Tringali further maintained that his cyber attack targeted the website and the server, rather than directly targeting MedPro.
The trial court dismissed the indictment on jurisdictional grounds. It relied largely on the Supreme Court of New Jersey’s recent decision in State v. Sumulikoski, 221 N.J. 93, 102-03 (2015). The court held that territorial jurisdiction requires more than a connection between a defendant’s New Jersey “status” or “attendant circumstances” occurring in New Jersey. Based on the requirement of a direct nexus to New Jersey, the trial judge reasoned that, because the defendant had the spam sent from outside New Jersey and shut down a Utah-based website: there is no direct nexus to New Jersey regarding any conduct or results of the offenses charged.” Accordingly, the trial court found that New Jersey had no territorial jurisdiction to prosecute defendant.
Appellate Division Reinstates Indictment in New Jersey v. Tringali
The Appellate Division disagreed and reinstated the indictment. “We hold that, as to both computer criminal activity and impersonation, the harmful result to the victim is an ‘element’ of the offense, within the meaning of the territorial jurisdiction statute,” the panel’s opinion states. “Because the State produced some evidence that the New Jersey resident, and the New Jersey corporation he operated, suffered harm in this State which was an element of each computer crime statute, New Jersey has territorial jurisdiction to prosecute the defendant for those offenses.”
The appeals court agreed that for purposes of territorial jurisdiction, the State must prove that defendant’s conduct or the result of that conduct occurred in New Jersey. In this case, it found that the alleged injurious result, which included more than $100,000 in economic damage to MedPro, took place in New Jersey. As Judge Susan Reisner further explained:
Although defendant’s conduct occurred in Florida, and its initial effect was to disrupt website domains and e-mail servers owned by an individual in Utah, one of the intended and actual end results of the conduct was to cripple MedPro’s access to internet service. Hence, although his conduct took place in Florida, defendant both inflicted a harm on MedPro and deprived MedPro of a benefit, in this state.
The Appellate Division’s decision is good news for New Jersey businesses that seek to hold hackers liable for any harm that they cause. Deputy Attorney General Joseph Remy, who prosecuted the case, applauded the ruling in a statement. “The Appellate Division’s ruling recognizes that our citizens and businesses can seek protection under our state laws when attacked in cyberspace and anticipate that law enforcement will investigate and prosecute cyber crimes regardless of where a server or cloud happens to be located,” he said.
Do you have any questions regarding the ruling in New Jersey v Tringali? Would you like to discuss the matter further? If so, please contact me, Roshan Shah, at 201-806-3364.