A key decision by the NJ Appellate Division issued on April 5, 2013 modifies New Jersey law where plaintiffs pursuing online defamation or other tortious conduct claims against anonymous "John and Jane Doe" defendants seek to subpoena Internet service providers (ISPs) to obtain the defendants' true identities.
In the case of Warren Hospital v. John Does, No. A-41110-11T4 (N.J. Super. Ct. App. Div. Apr. 5, 2013), anonymous defendants unlawfully hacked into a hospital's website to access the hospital's secure mailbox to send highly defamatory messages to the hospitals' employees. Plaintiff hospital and its employees who were defamed sued "John/Jane Doe" defendants and sought issuance of a subpoena to Verizon, the ISP used by the defendants, for disclosure of the actual identities of the defendants who hacked into the hospital's system. After the trial court quashed the subpoena, plaintiffs took an interlocutory appeal to the New Jersey Appellate Division, which reversed.
The Court modified the New Jersey standard for third party provider subpoenas where essentially unlawful activity is involved (as here, hacking), in contrast to situations where a subpoena is sought to be issued to an ISP that hosts a public blog, Internet message board or website where defamatory comments are merely posted by anonymous end users. The New Jersey standard was set forth in Dendrite Int'l, Inc. v. Doe No. 3,342 N.J. Super. 134 (App. Div. 2001), where a four-part test — intended to avoid harassment and intimidation consistent with protecting First Amendment rights — was established for issuance of subpoenas to ascertain the identity of persons posting messages on ISP message boards. Under that test, a plaintiff must: "(1) identify the fictitious defendant with 'sufficient specificity' to allow for a determination as to whether the defendant 'is a real person or entity' who may be sued; (2) demonstrate a 'good-faith effort to comply with the requirements of service of process'; (3) present sufficient facts from which it may be concluded that the suit can withstand a motion to dismiss; and (4) provide 'a request for discovery with the [c]ourt, along with a statement of reasons justifying the specific discovery requested as well as identification of a limited number of persons or entities on whom discovery process might be served and for which there is a reasonable likelihood that the discovery process will lead to identifying information about defendant that would make service of process possible.'" Dendrite, 342 N.J. Super. at 151-52 (citations omitted).
In carving out an exception from its prior decision in Dendrite, the Court in Warren Hospital now emphasizes that "[u]nlike Dendrite, we are not considering the anonymity of individuals posting statements on a public Internet message board. Plaintiffs have presented sufficient facts from which we may assume that what John Does One and Two did electronically was no different than if they had broken into the hospital and spray painted their messages on the hospital's walls. We reject the argument that those who engage in this type of conduct are entitled to cling to their anonymity…" In such a case, "It is enough that plaintiffs have demonstrated (1) the speakers' unlawful or impermissible mode of communication, and (2) that the allegedly defamatory statements would survive a motion to dismiss."
At a time when incidents of hacking and cybercrime are on the rise, this decision will give plaintiffs another tool with which to weed out anonymous parties who cyber-attack their network systems, servers and IT infrastructure.