Between the holidays, the Second Circuit published a decision that might serve as a warning to employees to keep abreast of their companies’ data-use policies. Depending on the jurisdiction, violation of company policies may also violate state law that protect data privacy – and such violations can get you in trouble, even remotely. The court holds that the U.S. District Court for the District of Connecticut had long-arm jurisdiction over the plaintiff’s former employee in Canada, because she e-mailed herself data from servers located in Waterbury, Connecticut.
MacDermid, Inc. v. Deiter, No. 11-5388 (2d Cir. Dec. 26, 2012): The Court summarizes the circumstances of the underlying litigation –
“MacDermid stores proprietary and confidential electronic data on computer servers that it maintains in Waterbury and that employees of MacDermid Chemicals can access that information only by accessing the Waterbury servers. The record reflects that employees of MacDermid and its subsidiaries are, as a condition of employment, made aware of the housing of the companies’ email system and their confidential and proprietary information in Waterbury. The record further reflects that Deiter agreed in writing to safeguard and to properly use MacDermid’s confidential information and that she was not authorized to transfer such information to a personal email account.”
When Deiter learned that she was going to be fired, she allegedly e-mailed herself company data, using a computer in Fort Erie, Ontario, Canada to transmit the data to her personal e-mail address. MacDermid then sued Deiter in federal court in Connecticut, “alleging unauthorized access and misuse of a computer system and misappropriation of trade secrets in violation of Conn. Gen. Stat. §§ 53a-251 and 35-51 et seq.”
While the district court held that there was no personal jurisdiction over the Canadian defendant, the Second Circuit reverses. Jurisdiction over the defendant was established by her intentional, remote access to the Connecticut servers, despite that the computers that she personally used were located in Ontario.
Under the Connecticut long-arm statute, used to assert jurisdiction over out-of-state parties, a computer server meets the definition of a computer because it is “an electronic . . . device . . . that, pursuant to . . . human instruction . . . can automatically perform computer operations with . . . computer data and can communicate the results to another computer or to a person [or is a] connected or directly related device . . . that enables the computer to store, retrieve or communicate . . . computer data . . . to or from a person, another computer or another device.” Conn. Gen. Stat. § 53-451(a)(1).
The Second Circuit also holds that jurisdiction over the Canadian defendant also comported with federal due process requirements.
“Deiter purposefully availed herself of the privilege of conducting activities within Connecticut because she was aware ‘of the centralization and housing of the companies’ e-mail system and the storage of confidential, proprietary information and trade secrets’ in Waterbury, Connecticut, and she used that email system and its Connecticut servers in retrieving and emailing confidential files. Most Internet users, perhaps, have no idea of the location of the servers through which they send their emails. Here, however, MacDermid has alleged that Deiter knew that the email servers she used and the confidential files she misappropriated were both located in Connecticut. She used those servers to send an email which itself constituted the alleged tort. And in addition to purposefully availing herself of the privilege of conducting computer activities in Connecticut, she directed her allegedly tortious conduct towards MacDermid, a Connecticut corporation.”
Thus, employees who use their password-protected access to move employer data remotely put themselves in peril – not only of being sued, but being sued hundreds (or thousands) of miles away.