In one of the few published cases dealing with New Jersey’s Computer Related Offenses Act, N.J.S.A. 2A:38A-1 et seq. (“CROA”), Fairway Dodge, Inc. v. Decker Dodge, Inc. (App. Div. June 12, 2006), New Jersey’s Appellate Division recently affi rmed a verdict against two employees who gained unauthorized access to their employer’s computer system and transferred confi dential customer information to their new employer and a verdict against the employees’ new company because it found the employees were acting as its agents.
The case arose out of the sale of the Fairway Dodge dealership in Bergen County. When the dealership was sold to Ronald Sumner in 1995, the seller’s daughter, Kate Fair, along with several other employees, left Fairway Dodge and joined a competitor, Decker Dodge, Inc. (“DDI”).
After her departure, Fair and her husband, Timothy Morgan (who was still a Fairway employee), entered Fairway’s premises after business hours and attempted to make a back-up tape of Fairway’s computer system. Their fi rst attempt was unsuccessful but the following day, Morgan returned and successfully transferred the information. The back-up tape contained Fairway’s confi dential customer names and addresses, sales lists, and the complete sales and service history of vehicles and automotive parts. Morgan did not have the permission of either Sumner or Fair’s mother (who still owned the dealership at that time) to make the back-up tape.
Morgan gave the tape to Reynolds & Reynolds Company, a data processing fi rm that had been hired by DDI to upgrade its computer system. Reynolds, mistakenly believing that Fair owned both Fairway and DDI, downloaded the backup tape onto DDI’s computer system. At Reynold’s request, Fair provided a consent letter on Fairway stationary, stating: “This letter gives Reynolds & Reynolds Company permission to go into Fairway Dodge’s system to run specifi cations.” Sumner quickly learned of the unauthorized copying and fi led a lawsuit against DDI, Fair, Morgan and Reynolds, seeking injunctive relief and damages. Several other DDI employees were later added as defendants. The lawsuit alleged, among other things, unlawful interference with Fairway’s business, breach of the employees’ duties of loyalty to Fairway and violations of CROA as a result of the unlawful transferring of Fairway’s confi dential customer information. The trial court issued a preliminary injunction and the parties agreed to a consent order, which required DDI to delete Fairway’s confi dential data from its computer system and to refrain from soliciting customers whose names DDI acquired from the back-up tape. At trial, the jury returned a verdict in favor of Fairway, awarding approximately $2 million in compensatory damages, $130,000 in punitive damages under CROA, $525,678 in attorneys’ fees and costs, $16,429 in costs of investigation, and $853,000 in pre-judgment interest.
Defendants appealed, contesting, among other things, their liability under CROA. Fair and Morgan argued that they could not be liable because they only copied information from Fairway’s computer system. They contended that they did not assume ownership of the information or deprive Fairway of its use of the information. The Appellate Division rejected this argument, holding that defendants can be liable under CROA if they purposely or knowingly, and without authorization, access or attempt to access a computer system or if they purposely or knowingly access a computer system and recklessly obtain any data. By their own admissions, Fair and Morgan access Fairway’s computer system without authorization and obtained data. The Appellate Division explained further that because CROA is not limited to proprietary or confi dential information, it made no difference that Fair and Morgan had only obtained publicly available data.
The Appellate Division rejected other arguments by Fair and Morgan. Specifi cally, the Appellate Division held that:
(1) neither Fair’s status as an offi cer, her mother’s status as owner, nor Morgan’s status as an employee of Fairway authorized them to take information from Fairway’s computer system; (2) the fact that Fair still had keys to the dealership did not justify them entering the premises to access the computer system after business hours; (3) the fact that the purchase agreement did not contain a provision that Fair would maintain the goodwill of Fairway did not permit Fair to commit tortious acts; and (4) the unauthorized copying of Fairway’s customer information impaired Fairway’s ability to sell vehicles, services and parts, resulting in lost revenue, thereby establishing damages as required under CROA. DDI and the other former Fairway employees similarly contested liability under CROA. They argued that they could not have violated CROA because the statute only applies to “actors” who actually access, alter, damage, take or destroy computer information. The Appellate Division agreed in part and reversed the judgments against the other former Fairway employees. The Appellate Division, however, affi rmed the judgment against DDI fi nding that Fair was acting as DDI’s agent.
The development of case law interpreting CROA is still in the early stages. Fairway Dodge serves as an important guidepost for how New Jersey courts will interpret the boundaries of CROA and defi ne the types of conduct that will lead to civil liability.