Data Security Law Journal Focusing on legal trends in data security, cloud computing, data privacy, and anything E

Where Can You Be Sued For Using A Computer?

Posted in All Things E, Jurisdiction, Lawsuits

It is sometimes easy to forget with the increasing mobility of electronic information and our ability to “work from anywhere” that behind our office laptop, desktop, or tablet computing device is a network of servers that may be located anywhere in the world.  When we hit “send”, “save”, or “open”, we use the network to transmit, store, or obtain information that may be located outside our office building.  A recent U.S. Second Circuit Court of Appeals decision reminds us why it is a good idea for companies and their employees to know where and how data is stored.

In MacDermid, Inc. v. Deiter, No. 11-5388-cv (2d Cir. Dec. 26, 2012), the Second Circuit held that a Connecticut court can exercise jurisdiction over a defendant who, while domiciled in another country, allegedly accessed a computer server located in Connecticut to obtain confidential information belonging to her employer.

The plaintiff in MacDermid, Inc., a Connecticut-based company, sued the defendant, a former employee living and working in Canada, because the defendant allegedly forwarded confidential and proprietary company information to her personal email account from her work email account after she became aware of her impending termination from the company.  The U.S. District Court for the District of Connecticut dismissed the lawsuit, ruling that it lacked personal jurisdiction over the defendant.  The Second Circuit reversed.

In reversing the District Court, the Second Circuit applied a two-step analysis:  (1) did Connecticut’s long-arm statute provide jurisdiction over the defendant and, if so, (2) would such jurisdiction meet due process requirements of the Fourteenth Amendment.  Both questions would have to be answered affirmatively for the Connecticut court to exercise personal jurisdiction over the defendant.

Long-Arm Jurisdiction

Connecticut’s long-arm statute states that a “court may exercise personal jurisdiction over any nonresident individual . . . who in person or through an agent . . . uses a computer . . . or a computer network . . . located within [Connecticut].”  The long-arm statute adopts the definitions of a “computer” and a “computer network” set forth in the state’s computer crimes statute:

“Computer” means an electronic, magnetic or optical device or group of devices that, pursuant to a computer program, human instruction or permanent instructions contained in the device or group of devices, can automatically perform computer operations with or on computer data and can communicate the results to another computer or to a person.  “Computer” includes any connected or directly related device, equipment or facility that enables the computer to store, retrieve or communicate computer programs, computer data or the results of computer operations to or from a person, another computer or another device. . . . “Computer network” means a set of related, remotely connected devices and any communications facilities including more than one computer with the capability to transmit data among them through the communications facilities.

The District Court reasoned that the defendant had not used a Connecticut computer or computer network but had simply sent email from one computer in Canada (her work computer) to another computer in Canada (her personal computer).  The Second Circuit rejected this analysis, pointing to the fact that to use her work email and access work data, the defendant accessed computer servers located in the plaintiff’s Connecticut offices.

The court held that a “computer server” meets the Connecticut long-arm statute’s definition of a computer because it is:

An electronic . . . device . . . that, pursuant to . . . human instruction . . . can automatically perform computer operations with . . . computer data and can communicate the results to another computer or to a person [or is a] connected or directly related device . . . that enables the computer to store, retrieve or communicate . . . computer data . . . to or from a person, another computer or another device.

In short, the court noted, “[i]t is not material that [the defendant] was outside of Connecticut when she accessed the [Connecticut] servers.  The statute requires only that the computer or network, not the user, be located in Connecticut.  The statute reaches persons outside the state who remotely access computers within the state.

Due Process

Having concluded that jurisdiction over the defendant existed under the Connecticut long-arm statute, the court next turned to the second step in the analysis:  whether such jurisdiction meets the due process requirements of the Fourteenth Amendment.  To make this determination, the court had to decide that:  (1) there were minimum contacts between the defendant and Connecticut, and (2) the exercise of personal jurisdiction over the defendant was reasonable.

In determining whether minimum contacts existed between the defendant and Connecticut, the court looked to whether the defendant purposefully availed herself of the privilege of conducting activities within Connecticut, thus invoking the benefits and protections of its laws.  The court held that the defendant did purposefully avail herself because she:

was aware of the centralization and housing of the [plaintiff’s] email system and the storage of confidential, proprietary information and trade secrets in Waterbury, Connecticut, and she used that email system and its Connecticut servers in retrieving and emailing confidential files. . . . [The plaintiff alleged that the defendant] knew that the email servers she used and the confidential files she misappropriated were both located in Connecticut.  She used those servers to send an email which itself constituted the alleged tort.  And . . . she directed her allegedly tortious conduct towards [the plaintiff], a Connecticut corporation.

Next, the court determined that personal jurisdiction was reasonable, relying on factors such as the lack of burden on the defendant, the interests of Connecticut, and the plaintiff’s interest in obtaining relief.  The court held that although the defendant would have to travel to Connecticut to defend the lawsuit, that burden alone did not render the exercise of personal jurisdiction unreasonable.  The court also pointed to the fact that the plaintiff is based in Connecticut, the majority of corporate witnesses are located in Connecticut, and Connecticut has an interest in the proper interpretation of its laws.  The court ended its analysis by noting that “efficiency and social policies against computer-based theft are generally best served by adjudication in the state from which computer files have been misappropriated.”

Let’s Keep This Decision In Context . . .

Some may argue that the Second Circuit’s opinion will pave the way for plaintiffs to obtain personal jurisdiction over foreign defendants in cases involving electronic information, but it is important to keep this decision in context with the facts that may distinguish it from other situations.

For example, Connecticut’s long-arm jurisdiction statute explicitly provides for jurisdiction based on the use of a computer or computer network in Connecticut.  Not all states provide such long arm jurisdiction or provide specific definitions of computers and computer networks.

Also, the court noted that the defendant purposefully availed herself of the privilege of conducting activities in Connecticut in part because she was informed ahead of time that her company’s email system and the storage of confidential information were in Connecticut.  If the defendant had not previously been informed of the location of those company servers, it is quite possible (perhaps even likely) that the outcome would have been different.

Finally, it is not clear from the facts presented in the opinion whether servers existed in states other than Connecticut.  If a company has servers in multiple jurisdictions and employees are not informed about the location of data/systems they might access (email, document management, etc.), the plaintiff will have a more difficult time persuading a court that the defendant purposefully availed herself of the privilege of conducting activities in that forum.

Despite these cautionary notes, the opinion is still an example of a U.S. court’s impressive jurisdictional reach where the underlying controversy involves electronic information.  The fact that a person and her computing device may be located in one jurisdiction does not mean that she is not subject to jurisdiction in another state (or country).  The court’s opinion reminds us that a computer is like the tip of an iceberg—beneath the surface is a much larger support system that facilitates the storage, transmission, and monitoring of an entire network of computers and electronic information.

The Takeaway

There are several important points that underlie this opinion, but if I were corporate counsel reading this opinion, one practical “next step” I might want to take is to ensure that my employees are informed (in writing) about the location of the company’s electronic information and computer servers, assuming that the information is stored in a jurisdiction where I may want to file a lawsuit to protect the company’s confidential and proprietary information in the future.  Another “next step” might also include researching the long arm jurisdiction statute where my company might want to invoke personal jurisdiction at some point in the future to see whether and under what circumstances they include the use of a computer or computer network.

 

DISCLAIMER:  The opinions expressed here represent those of Al Saikali and not those of Shook, Hardy & Bacon, LLP or its clients.  Similarly, the opinions expressed by those providing comments are theirs alone, and do not reflect the opinions of Al Saikali, Shook, Hardy & Bacon, or its clients.  All of the data and information provided on this site is for informational purposes only.  It is not legal advice nor should it be relied on as legal advice.