Published by Al Saikali

January 2013

Are you a victim of identity theft when your personally identifiable information is stolen?  Is the theft alone, and the risk that your information may be misused, sufficient?  Does your information have to be misused in some fraudulent manner before you can be considered a victim?

A federal appellate court recently weighed in on these issues and decided that the theft of personally identifiable information, and even the sale of personally identifiable information, are not enough for someone to be considered a “victim” under criminal sentencing guidelines.

In U.S. v. Hall, No. 11-14698 (11th Cir. Jan. 16, 2013), the United States Court of Appeals for the Eleventh Circuit addressed the issue of what it means to be an identity theft victim.  The criminal defendant in Hall was an office assistant at a gynecological and obstetric health care office.  As part of her job, she was authorized to access patient files and copy patient information to fulfill her job duties.  Sensitive information in the files included patient names, dates of birth, social security numbers, and medical information.  The defendant provided this information via text messages to unauthorized individuals who in turn provided the information to organizers of the criminal scheme.  The defendant was promised $200 for each individual’s information or $1,000 if the information was successfully used to create a fraudulent account.  In total, the defendant received only $200, but she provided information about 65 to 141 individuals.  The defendant pled guilty to conspiracy to commit bank fraud, conspiracy to commit identity theft and access device fraud, and wrongfully obtaining and transferring individually identifiable health information for personal gain.

At sentencing, the District Court increased the defendant’s sentence because it found that the offense involved more than 50 victims.  The court rejected the defendant’s argument that the mere transfer or sale of the identifying information did not equate to the actual “use” of the information, so there were only 12 victims.

On appeal, the Eleventh Circuit reversed the District Court and held that while the 12 individuals whose information was used to obtain fraudulent credit cards are victims, the remaining individuals whose information was merely transferred or sold but not actually used for fraudulent purposes were not victims.  The court recognized a “paucity of helpful case law” on the issue.  Nevertheless, the court interpreted the term “use” to require the type of “action and implementation” that did not occur in this case.  Here, the mere sale of the information to the co-conspirators did not implement the purpose of the conspiracy (to obtain cash advances and purchase items by using fraudulent credit cards).  Accordingly, the court ruled that “[t]he personal identifying information was not used, as that term is ordinarily understood, until [the defendant’s] co-conspirators secured the fraudulent credit cards.  At that point, the 12 individuals whose personal information was compromised became victims.”  The sentence imposed by the District Court was therefore reversed.

What Are The Takeaways?

A few important takeaways should be drawn from this decision:

  • The underlying facts are a reminder that employee misconduct continues to be a significant point of exposure for companies that maintain sensitive information.  The sale of personally identifiable information on the black market can be a lucrative incentive for some employees to misuse their access to sensitive information.  Shore up your administrative and technical safeguards!
  • The decision may be used to support the proposition that, at least within the Eleventh Circuit, the mere access, acquisition, transfer, or sale of your personally identifiable information does not make you an identity theft victim.  It is the use of the information for fraudulent purposes that makes you an identity theft victim.  Keep in mind, however, this interpretation is for the sole purpose of defining the term “identity theft victim” for sentencing guideline purposes.
  • Finally, it will be interesting to see what impact, if any, the Eleventh Circuit’s definition of identity theft victim has on the issue of what constitutes cognizable harm for civil litigation purposes?  (The Eleventh Circuit recently allowed this data breach class action to proceed).


DISCLAIMER:  The opinions expressed here represent those of Al Saikali and not those of Shook, Hardy & Bacon, LLP or its clients.  Similarly, the opinions expressed by those providing comments are theirs alone, and do not reflect the opinions of Al Saikali, Shook, Hardy & Bacon, or its clients.  All of the data and information provided on this site is for informational purposes only.  It is not legal advice nor should it be relied on as legal advice.

It is sometimes easy to forget with the increasing mobility of electronic information and our ability to “work from anywhere” that behind our office laptop, desktop, or tablet computing device is a network of servers that may be located anywhere in the world.  When we hit “send”, “save”, or “open”, we use the network to transmit, store, or obtain information that may be located outside our office building.  A recent U.S. Second Circuit Court of Appeals decision reminds us why it is a good idea for companies and their employees to know where and how data is stored.

In MacDermid, Inc. v. Deiter, No. 11-5388-cv (2d Cir. Dec. 26, 2012), the Second Circuit held that a Connecticut court can exercise jurisdiction over a defendant who, while domiciled in another country, allegedly accessed a computer server located in Connecticut to obtain confidential information belonging to her employer.

The plaintiff in MacDermid, Inc., a Connecticut-based company, sued the defendant, a former employee living and working in Canada, because the defendant allegedly forwarded confidential and proprietary company information to her personal email account from her work email account after she became aware of her impending termination from the company.  The U.S. District Court for the District of Connecticut dismissed the lawsuit, ruling that it lacked personal jurisdiction over the defendant.  The Second Circuit reversed.

In reversing the District Court, the Second Circuit applied a two-step analysis:  (1) did Connecticut’s long-arm statute provide jurisdiction over the defendant and, if so, (2) would such jurisdiction meet due process requirements of the Fourteenth Amendment.  Both questions would have to be answered affirmatively for the Connecticut court to exercise personal jurisdiction over the defendant.

Long-Arm Jurisdiction

Connecticut’s long-arm statute states that a “court may exercise personal jurisdiction over any nonresident individual . . . who in person or through an agent . . . uses a computer . . . or a computer network . . . located within [Connecticut].”  The long-arm statute adopts the definitions of a “computer” and a “computer network” set forth in the state’s computer crimes statute:

“Computer” means an electronic, magnetic or optical device or group of devices that, pursuant to a computer program, human instruction or permanent instructions contained in the device or group of devices, can automatically perform computer operations with or on computer data and can communicate the results to another computer or to a person.  “Computer” includes any connected or directly related device, equipment or facility that enables the computer to store, retrieve or communicate computer programs, computer data or the results of computer operations to or from a person, another computer or another device. . . . “Computer network” means a set of related, remotely connected devices and any communications facilities including more than one computer with the capability to transmit data among them through the communications facilities.

The District Court reasoned that the defendant had not used a Connecticut computer or computer network but had simply sent email from one computer in Canada (her work computer) to another computer in Canada (her personal computer).  The Second Circuit rejected this analysis, pointing to the fact that to use her work email and access work data, the defendant accessed computer servers located in the plaintiff’s Connecticut offices.

The court held that a “computer server” meets the Connecticut long-arm statute’s definition of a computer because it is:

An electronic . . . device . . . that, pursuant to . . . human instruction . . . can automatically perform computer operations with . . . computer data and can communicate the results to another computer or to a person [or is a] connected or directly related device . . . that enables the computer to store, retrieve or communicate . . . computer data . . . to or from a person, another computer or another device.

In short, the court noted, “[i]t is not material that [the defendant] was outside of Connecticut when she accessed the [Connecticut] servers.  The statute requires only that the computer or network, not the user, be located in Connecticut.  The statute reaches persons outside the state who remotely access computers within the state.

Due Process

Having concluded that jurisdiction over the defendant existed under the Connecticut long-arm statute, the court next turned to the second step in the analysis:  whether such jurisdiction meets the due process requirements of the Fourteenth Amendment.  To make this determination, the court had to decide that:  (1) there were minimum contacts between the defendant and Connecticut, and (2) the exercise of personal jurisdiction over the defendant was reasonable.

In determining whether minimum contacts existed between the defendant and Connecticut, the court looked to whether the defendant purposefully availed herself of the privilege of conducting activities within Connecticut, thus invoking the benefits and protections of its laws.  The court held that the defendant did purposefully avail herself because she:

was aware of the centralization and housing of the [plaintiff’s] email system and the storage of confidential, proprietary information and trade secrets in Waterbury, Connecticut, and she used that email system and its Connecticut servers in retrieving and emailing confidential files. . . . [The plaintiff alleged that the defendant] knew that the email servers she used and the confidential files she misappropriated were both located in Connecticut.  She used those servers to send an email which itself constituted the alleged tort.  And . . . she directed her allegedly tortious conduct towards [the plaintiff], a Connecticut corporation.

Next, the court determined that personal jurisdiction was reasonable, relying on factors such as the lack of burden on the defendant, the interests of Connecticut, and the plaintiff’s interest in obtaining relief.  The court held that although the defendant would have to travel to Connecticut to defend the lawsuit, that burden alone did not render the exercise of personal jurisdiction unreasonable.  The court also pointed to the fact that the plaintiff is based in Connecticut, the majority of corporate witnesses are located in Connecticut, and Connecticut has an interest in the proper interpretation of its laws.  The court ended its analysis by noting that “efficiency and social policies against computer-based theft are generally best served by adjudication in the state from which computer files have been misappropriated.”

Let’s Keep This Decision In Context . . .

Some may argue that the Second Circuit’s opinion will pave the way for plaintiffs to obtain personal jurisdiction over foreign defendants in cases involving electronic information, but it is important to keep this decision in context with the facts that may distinguish it from other situations.

For example, Connecticut’s long-arm jurisdiction statute explicitly provides for jurisdiction based on the use of a computer or computer network in Connecticut.  Not all states provide such long arm jurisdiction or provide specific definitions of computers and computer networks.

Also, the court noted that the defendant purposefully availed herself of the privilege of conducting activities in Connecticut in part because she was informed ahead of time that her company’s email system and the storage of confidential information were in Connecticut.  If the defendant had not previously been informed of the location of those company servers, it is quite possible (perhaps even likely) that the outcome would have been different.

Finally, it is not clear from the facts presented in the opinion whether servers existed in states other than Connecticut.  If a company has servers in multiple jurisdictions and employees are not informed about the location of data/systems they might access (email, document management, etc.), the plaintiff will have a more difficult time persuading a court that the defendant purposefully availed herself of the privilege of conducting activities in that forum.

Despite these cautionary notes, the opinion is still an example of a U.S. court’s impressive jurisdictional reach where the underlying controversy involves electronic information.  The fact that a person and her computing device may be located in one jurisdiction does not mean that she is not subject to jurisdiction in another state (or country).  The court’s opinion reminds us that a computer is like the tip of an iceberg—beneath the surface is a much larger support system that facilitates the storage, transmission, and monitoring of an entire network of computers and electronic information.

The Takeaway

There are several important points that underlie this opinion, but if I were corporate counsel reading this opinion, one practical “next step” I might want to take is to ensure that my employees are informed (in writing) about the location of the company’s electronic information and computer servers, assuming that the information is stored in a jurisdiction where I may want to file a lawsuit to protect the company’s confidential and proprietary information in the future.  Another “next step” might also include researching the long arm jurisdiction statute where my company might want to invoke personal jurisdiction at some point in the future to see whether and under what circumstances they include the use of a computer or computer network.

 

DISCLAIMER:  The opinions expressed here represent those of Al Saikali and not those of Shook, Hardy & Bacon, LLP or its clients.  Similarly, the opinions expressed by those providing comments are theirs alone, and do not reflect the opinions of Al Saikali, Shook, Hardy & Bacon, or its clients.  All of the data and information provided on this site is for informational purposes only.  It is not legal advice nor should it be relied on as legal advice.