Cyber Security: The long arm of the law gets a little longer

New case from the second circuit in NY

Multinational companies, like hotel companies, often face challenges in enforcing claims against their employees and agents located in foreign jurisdictions. In December 2012, a federal appeals court decision -- MacDermid, Inc. v. Deiter, No. 11-5388-cv (2nd Cir. Dec. 26, 2012) -- made enforcement a bit easier when a company goes after employees who commit cyber theft beyond U.S. borders.

In this case, a Connecticut-based chemical company employed an account representative in Canada, and when the employee learned that she was to be terminated, downloaded to her personal email account data files that the company alleged were confidential and proprietary. The company sued the employee "alleging unauthorized access and misuse of a computer system and misappropriation of trade secrets." The terminated employee moved to dismiss the complaint for lack of personal jurisdiction. The trial court agreed with the Canadian employee because she had not used a computer in Connecticut. The Court of Appeals, however, held that jurisdiction over the defendant employee in Connecticut, where she had never physically visited, was established when she intentionally accessed the Connecticut servers.

Defining a path to protect sensitive information

Hotel brands and managers have employees in a wide variety of jurisdictions, often worldwide, and the vast array of foreign laws, regulations and policies can make it difficult to establish clear and comprehensive security plans, and even more difficult to enforce them. This decision creates a clearer path for multinational companies to protect their key business information.

The company in MacDermid won because (1) it had a written policy that both identified the location of its servers that stored the company's proprietary and confidential electronic data, and (2) the company made it a condition of employment that employees acknowledge in writing that they were not authorized to transfer that information to their personal email accounts.

Two important factors

The Court observed that "[m]ost Internet users, perhaps, have no idea of the location of the servers through which they send their emails. Here, however, [the company] has alleged that [the employee] knew that the email servers she used and the confidential files she misappropriated were both located in Connecticut."

The Court also said that "employees of [the company] and its subsidiaries are, as a condition of employment, made aware of the housing of the companies' email system and their confidential and proprietary information in Waterbury" and that the employee "agreed in writing to safeguard and to properly use [the company's] confidential information and that she was not authorized to transfer such information to a personal email account."

MacDermid offers a clear lesson for companies. Employee handbooks must contain a policy dealing with proprietary and sensitive information, with clear restrictions on use and prohibiting improper downloading of information from company servers. Also, companies with offshore employees should explicitly disclose the existence and the location of the servers that store confidential information, so that an employee who improperly downloads confidential information can be sued in the company's home jurisdiction.

Getting the "home field" advantage

This gives the company, rather than the employee, the "home field" advantage. Most companies do not explicitly identify where their data is located. And, where companies use cloud computing services, they may not even know. But whenever possible, companies should include this information in their employee policies. Employers will usually be better off suing and enforcing their rights in their home state, rather than a foreign jurisdiction.