
    Commonwealth v. Mark Farley
    Superior Court, Middlesex, SS
    No. 95934
    Memorandum Dated October 18, 1996
   Barrett, J.

INTRODUCTION

The defendant, Mark Farley, has moved to dismiss forty-four counts alleging violations of G.L.c. 266, §120F. Farley seeks dismissal on the grounds that the statute is unconstitutionally vague within the meaning of the Due Process Clause of the Fourteenth Amendment and parallel provisions of the State Constitution and Declaration of Rights, and further violates the prohibition against cruel and unusual punishment embodied in the Eighth Amendment and Art. 26 of the Declaration of Rights.

BACKGROUND

On April 4, 1995, Detective Aucoin met with Dawn LeBaron, Director of Security at the Newton-Wellesley Hospital. Ms. LeBaron stated that she was contacted by the mother of a nine-year-old girl who had been a patient at the hospital on March 23, 1995. The girl’s mother stated that her daughter received an obscene telephone call from an unknown male in her hospital room on March 23, 1995. In addition, the young girl received two more calls at her home the next day; one a hang-up and the other obscene. On March 28, 1995, the girl’s mother reported two hang-up calls at noon time. Hospital records reflected that the Patient Care Inquiry (PCI) computer records were accessed with a former employee’s password once on March 22, once on March 23, three times on March 24, and three more times on March 28. Hospital records indicated that the defendant was on duty during these times.

Ms. LeBaron further stated that she was contacted by the parents of a ten-year-old girl who had been treated at the hospital on March 26, 1995. Ms. LeBaron indicated that the young girl received two obscene phone calls at her home from an unknown male caller on March 28, 1995. Detective Paul Connors of the Westwood Police Department used *57 to trace the call. The results of this trace indicated that the call was made at 3:48:22 p.m. on March 28, 1995 from a trunk telephone line at the Newton-Wellesley Hospital.

Ms. LeBaron indicated that hospital records reflected that the PCI records for the child were accessed from the Cast Clinic terminal with a former employee’s password three times on March 28 and again the following day. The defendant’s employment records indicated that he was working in the Cast Clinic at these times. Detective Aucoin spoke with the former employee who stated that she did not know the defendant nor did she disclose her password to him.

Ms. LeBaron stated that on Friday, March 31, 1995, she became aware that a computer system check revealed that an unusually large number of patient records had been accessed. That same day, LeBaron, Annette Klein, the Assistant Vice President of Nursing, and Joan Comerford, Nurse Manager in charge of the CasL Clinic were monitoring the Clinic’s computer terminal from another location when they noticed that the terminal in the Clinic was being used to access PCI information. They immediately went to the clinic and observed the defendant sitting at a computer terminal. The defendant immediately cleared the screen. The defendant admitted he had been accessing confidential patient information by using a randomly obtained password. The defendant was suspended immediately.

The audit trail, which traced back to mid-December of 1994, indicated that the defendant logged on to the hospital computer system on at least 44 occasions. He accessed 1,720 different confidential patient files, retrieving a total of 3,504 confidential patient files.

On Sunday, April 9, 1995, Detective Aucoin, Officer McLean, Sergeant Fryar, and several Lowell police officers executed a search warrant at the home of the defendant. During the course of the search, the officers seized several items including cellular and residential telephone bills and a handwritten list of names and telephone numbers. Many of the names on the list matched patients at Newton-Wellesley Hospital whose files were accessed without authority. As a result of the police’s findings, the defendant was arrested and charged with forty-four counts alleging violations of G.L.c. 266, §120F.

RULINGS OF LAW

A. Constitutionality of G.L.c. 266, §120F

The defendant’s first argument contends that G.L.c. 266, § 120F is unconstitutionally vague because it fails to define the word “access.” G.L.c..266, §120F provides that:

Whoever, without authorization, knowingly accesses a computer system by any means, or after gaining access to a computer system by any means, knows that such access is not authorized and fails to terminate such access, shall be punished by imprisonment in the house of corrections for not more than thirty days or by a fine of not more than one thousand dollars, or both. The requirement of a password or other authentication to gain access shall constitute notice that access is limited to authorized users.

All fifty states have a criminal statute regarding accessing a computer system without authority. The majority of these states use the word “access,” while a handful employ the word “use” in their statutes. The states that use “access” define it partly in terms of “storing data in or retrieving data from” a computer.

A statute is unconstitutionally vague when it either fails to define the criminal offense with sufficient definitiveness that ordinary people can understand what conduct is prohibited or it encourages arbitrary and discriminatory enforcement. Kolender v. Lawson, 461 U.S. 352, 357 (1983). Vague laws violate due process because individuals do not receive fair notice of the conduct proscribed by a statute and because vague laws that do not limit the exercise of discretion by officials engender the possibility of arbitrary and discriminatory enforcement. Department of Youth Services v. A Juvenile, 398 Mass. 516, 522 (1986), citing Papachristou v. Jacksonville, 405 U.S. 156, 162 (1972), and Groyned v. Rockford, 408 U.S. 104, 108-09 & n.4 (1972). “It is well established that vagueness challenges to statutes which do not involve the First Amendment freedoms, must be examined in the light of the facts of the case at hand.” Dep’t of Youth Services, supra at 522, quoting United States v. Powell, 423 U.S. 87, 92 (1975).

The statute in question specifically notes that the use of a password constitutes notice that such access is limited to authorized users. The defendant, once confronted, admitted he was using an unauthorized password. Therefore, the defendant is precluded from arguing that he did not understand what conduct was prohibited under the statute.

The defendant’s second argument alleges that the word “access” is unconstitutionally vague because it gives the Commonwealth unfettered discretion in formulating the charges to bring. Specifically, the defendant claims that the counts against him were arbitrary because instead of using a one-day time period to determine the counts, the Commonwealth could have just as easily used a one-hour or one-month time period instead. In United States v. Batchhelder, 442 U.S. 114 (1979), the Court noted that “whether to prosecute and what charge to bring . . . are decisions that generally rest in the prosecutor’s discretion.” Id. at 124. Discretion is limited only by the prohibition against discrimination against any class of defendants. Id.

The evidence shows that the defendant illegally logged on to the hospital’s computer a total of 3,504 times. Had the Commonwealth decided to charge the defendant for each separate access, there was a potential sentence of 288 years in prison and a fine of $3,504,000. The defendant argues that the Commonwealth charged the defendant for only forty-four offenses carrying a maximum sentence of less than 4 years and a fine of approximately $44,000 and thus had unconstitutionally excessive discretion as to what charges it would bring. The Commonwealth, however, did not abuse its discretion by charging the defendant with only forty-four counts representing the number of days that he accessed the confidential files. This is clearly within the discretion granted to the prosecution. The defendant has suffered no prejudice because he was not charged with a greater number of violations.

B. Cruel and Unusual Punishment

The defendant’s final argument alleges that the potential punishment resulting from a violation of the statute is so disproportionate as to constitute cruel and unusual punishment in violation of the Eighth Amendment and Art. 26 of the Massachusetts Declaration of Rights. See McDonald v. Commonwealth, 173 Mass. 322, 328 (1899). The defendant’s sentence, however, must be so disproportionate to the crime that “it shocks the conscience and offends fundamental notions of human dignify.” Commonwealth v. Jackson, 369 Mass. 904, 910 (1976), quoting In re Lynch, 8 Cal. 3d 410, 424 (1972).

In Jackson, the Supreme Judicial Court adopted a three-part analysis to determine whether a statute’s punishment is cruel and unusual. The court must first consider the nature of the offense and the offender in light of the degree of harm to sociefy. Jackson, supra at 910. Next, the court must compare the challenged punishment with other punishments imposed within the state, and finally, compare the challenged punishment with the same or similar crimes in other jurisdictions. Jackson, supra at 913.

In analyzing the first prong of the three-part test, the legislature presumably sought to protect the privacy interests of individuals and business entities. With today’s technological advancements in the area of computers, there is a need for protection from unauthorized disclosure of personal information. With the ever growing use of computers to store information, it is essential that this information be protected from unauthorized interference. Nothing triggers the protection of these privacy rights more than securing confidential patient files in hospitals.

The defendant belittles this by suggesting that one could be punished by merely “looking at confidential records without authority.” This, however, is exactly the type of behavior the statute seeks to protect against. While it is true that the statute says nothing about doing anything improper with the files, it properly prohibits the invasion of privacy contained in confidential files.

The second prong of the three-part test compares the statute in question with others in the state. Both parties agree that the punishment for a single offense is relatively minor. In fact, the statute imposes the shortest term of imprisonment of any criminal statute in Massachusetts with the exception of motor vehicle laws. The defendant, however, theorizes that when charged with numerous counts, the potential punishment becomes significantly disproportionate. This, however, could be said for any criminal statute where multiple counts may be brought for separate violations. The fact that a trial judge could sentence an individual to consecutive sentences does not, in and of itself, result in cruel and unusual punishment. The inquiry must be into the statute as it reads for a single count. In this instance, a maximum penalty of thirty days imprisonment and a $1,000 fine does not “shock the conscience” of this court.

Finally, a comparison between that statute in question and similar statutes in other jurisdictions must be made. G.L.c. 266, §120F is comparable to other jurisdictions, and in some instances, more lenient with respect to the potential sentences. See R.I. Gen. Laws §11-53-3 (maximum of five years and $5,000); Conn. Gen. Stat. Ann. §53 (a)-251(b)(1) (maximum of six months and $1,000); Me. Rev. Stat. Ann. tit. 17-A, §432( 1) (maximum of one year and $ 1,000); N.Y. Penal Law §156.10 (maximum of one year and $1,000).

Taking into consideration the three-part test, the defendant was not excessively charged and is not subject to cruel and unusual punishment as a result of the forty-four counts brought against him.

ORDER

For the foregoing reasons, it is hereby ORDERED that the defendant, Mark Farley’s motion to dismiss forty-four counts alleging violations of G.L.c. 266, §120F be DENIED. 
      
      PCI records are confidential and contain privileged information about patients. These records contain biographic and demographic information about patients including age, gender, address, telephone number, and medical treatment and history.
      Hospital employees have access to the computer system on a “need to know” basis depending on their responsibilities. Access is obtained through individually assigned and confidential random passwords. Employees are not allowed to divulge their passwords or allow others to use them.
     
      
      The Cast Clinic is part of the hospital in which orthopedic patients have casts put on or taken off. Ms. LeBaron told Detective Aucoin that two people worked at this clinic, one of which was the defendant. Neither employees had passwords to access the PCI files.
     
      
      As a result of a computer check, the hospital was able to determine that the access code belonged to an individual who had worked for the hospital for one week early in September and had valid access to the PCI files. A list of all inquiries made through the cast clinic terminal as of December 14, 1994 under the ex-employee’s password indicated that there were a total of 3,504 accesses. 1720 different individual patient files were examined, over 900 of which were female between the ages of 3 and 34.
     
      
      The defendant was also charged with twenty-two counts alleging violations of G.L.c. 269, §14A (annoying telephone calls).
     
      
      G.L.c. 266, §120F went into effect on October 26, 1994. The constitutional challenge at hand is the first of its kind.
     
      
      See Conn. Gen. Stat. §53a-250(l) (“to instruct, communicate with, store data in, or retrieve data from a computer, computer system, or computer network”); Kan. Stat. Ann. §21-3755(a)(l) (“to approach, instruct, communicate with, store data in, retrieve data from, or otherwise make use of any resources of a computer, computer system, or computer network”); R.I. Gen. Laws §11-52-1(1) (“to approach, instruct, communicate with, store data in, retrieve data from, or otherwise make use of any resources of a computer, computer system, or computer network”); S.D. Codified Laws Ann. §43-43B-2(4) (“to instruct, communicate with, store data in, retrieve data from a computer, computer system, or computer network”); Utah Code Ann. §76-6-702(1) (“to directly or indirectly use, attempt to use, instruct, communicate with, cause input to, cause output from, or otherwise make use of any resources of a computer, computer system, computer network, or any means of communication with any of them”).
     