Data Security and Privacy Law: Combating Cyberthreats
Kevin P. Cronin and Ronald N. Weikers
Current through the Spring 2003 Supplement
Chapter 8. Civil Litigation: Security
Kenneth P. Mortensen
J. T. Westermeier
G. Jeffrey Racho
§ 8:1. INTRODUCTION
This chapter discusses civil claims that may be brought in legal actions arising from security breaches and cyber incidents. Security programs and policies should be developed, maintained, and enforced with these claims in mind. Legal protection and remedies will help to strengthen security programs, deter security breaches, and minimize losses in the event security incidents occur.
This chapter begins with a discussion of the issues involved in asserting jurisdiction over defendants, including hackers, in computer security litigation. [FN1] It then discusses various traditional causes of action that may be asserted by plaintiffs in computer security litigation, including trespass to personal property/chattels, [FN2] conversion, [FN3] fraud/misrepresentation, [FN4] breach of contract, [FN5] negligence, [FN6] computer malpractice, [FN7] misappropriation of trade secrets, [FN8] and copyright infringement. [FN9] The chapter then addresses private causes of action available under the applicable provisions of the Digital Millennium Copyright Act ("DMCA") [FN10] and the Computer Fraud and Abuse Act ("CFAA"). [FN11]
§ 8:2. JURISDICTION
Plaintiffs must first assert jurisdiction over the party who may have breached security systems in states different from the state in which the party resides. Because, in most cases, the party is not within the physical boundaries of the jurisdiction in which the security incident took place, plaintiffs must rely on long-arm statutes of the states in order for the court to assert personal jurisdiction. [FN.20] However, this exercise is limited by the Due Process Clause of the Fourteenth Amendment of the United States Constitution. [FN.40] Zippo Manufacturing Co. v. Zippo Dot Com, Inc., provides the sliding scale by which to measure actions of a party related to the forum state. [FN.60] The activity of the party determines whether the forum has jurisdiction. [FN.80] Long-arm personal jurisdiction may be asserted over computer hackers who undertake their activities in a state different from the target of the attack, as indicated in Peridyne Technology Solutions, LLC v. Matheson Fast Freight, Inc., [FN1] and CompuServe, Inc. v. Patterson. [FN2]
The court determined in Peridyne that the defendants' contacts with the plaintiff's computer systems, located in a state different from the state in which defendants acted, were sufficient contacts to exercise personal jurisdiction. [FN3] The Peridyne court noted that the defendants should not be permitted to take advantage of modern technology via the Internet or other electronic means to escape traditional notions of jurisdiction. [FN4] Similarly, the Patterson court held that the act of uploading a shareware program to a computer was sufficient contact to subject the user to the forum where the computer was physically located. [FN5]
The Peridyne decision is applicable to hackers who upload or place worms, viruses, Trojan Horses, or other malicious code, which are also software programs, into computer systems. Furthermore, even if the computer hackers merely gain entry into the system, which could be a computer or network, they can be considered to have established sufficient contacts under the tests outlined by Peridyne. [FN5.50] This case indicates that an active step by the hacker in his or her access to the computer physically located in the forum constitutes a sufficient contact directed at the forum for a court to assert jurisdiction. [FN6] Conversely, a body of caselaw indicates that passive acts by hackers, such as simply posting a website [FN6.50] that is viewable in the subject forum, would be insufficient for a court to assert jurisdiction. [FN7] Jurisdiction will be based on the quality and quantity of interactivity and demonstrated purposeful availment with the subject forum. [FN8] Increasingly, the courts are requiring a showing of purposeful availment to exercise personal jurisdiction based on Internet activities. [FN9]
[FN.20]. See Zippo Mfg. Co. v. Zippo Dot Com, Inc., 952 F. Supp. 1119 (W.D. Pa. 1997). The court noted that its authority to assert personal jurisdiction was conferred on it by state law within the constitutional bounds of the Due Process Clause. The court then detailed how it would verify its assertion of personal jurisdiction, determining either general or specific jurisdiction over a non-resident party. General jurisdiction permits a court to hale a non-resident party into the forum for non-forum-related activities, if the party has minimum contacts with the pertinent jurisdiction. See International Shoe Co. v. State of Wash., Office of Unemployment Compensation and Placement, 326 U.S. 310, 66 S. Ct. 154, 90 L. Ed. 95, 161 A.L.R. 1057 (1945) (party over which jurisdiction is to be asserted must maintain minimum level of contacts with asserting jurisdiction, such that party availed itself of benefits of jurisdiction). On the other hand, specific jurisdiction is controlled by a three-pronged test defined by: (1) whether the party has sufficient minimum contacts with the forum state; (2) whether the claim arises out of those contacts; and (3) whether exercise of jurisdiction is reasonable. Again, the court will look to International Shoe and its progeny to determine whether the party "purposefully established" contacts. Burger King Corp. v. Rudzewicz, 471 U.S. 462, 105 S. Ct. 2174, 85 L. Ed. 2d 528 (1985). This extension to the "minimum contacts" rule looks to see what actions of the party created meaningful contacts surrounding the relationships and obligations of the party vis-à-vis the forum state. A manner of determining how meaningful the contacts are is to see if the party could foresee its actions causing it to be haled into court in the forum state. Usually in the case of security intrusions, the party knows that its actions are highly questionable and perhaps illegal.
Once the contacts are examined, they must have a relation to the claim being brought by the plaintiff to satisfy the second prong. See Keeton v. Hustler Magazine, Inc., 465 U.S. 770, 104 S. Ct. 1473, 79 L. Ed. 2d 790, 10 Media L. Rep. (BNA) 1405 (1984) (Court permitted assertion of jurisdiction, even though neither party resided in forum state and main purpose for selection of forum state by plaintiff was longer statute of limitations, because claims brought by plaintiff did have effect in forum state on which plaintiff could state a valid claim). The third prong looks to the reasonableness of the assertion of jurisdiction, which serves to protect parties from unfair litigation. See World Wide Volkswagen Corp. v. Woodson, 444 U.S. 2686, 100 S.Ct. 714, 62 L.Ed.2d 723 (1980) (protects parties from being forced to answer in forum because of random or fortuitous contact with forum state). The court may continue and thereby assert jurisdiction if that exercise would not offend "traditional notions of fair play and substantial justice." International Shoe Co., 326 U.S. at 316. The Zippo court concluded that the exercise of specific jurisdiction was proper and noted that, even though the defendant in the case had never physically entered the forum state, the exercise of jurisdiction fit the existing legal framework, meaning that access via networks would qualify as well. See Burger King, 471 U.S. at 475; see also Bensusan Restaurant Corp. v. King, 937 F. Supp. 295 (S.D.N.Y. 1996) (website insufficient for jurisdiction as contacts mainly in control of website visitors); cf. Pres-Kap, Inc. v. System One Direct Access, 636 So. 2d 1351 (Fla. App. 1994) (only contact with forum state was logging onto computer system in forum state via network, but distinguished as a consumer transaction, which is fundamentally different from one of a provider or, arguably, a hacker).
[FN.40]. U.S. Const. amend. XIV, § 1.
[FN.60]. See generally Zippo Mfg. Co. v. Zippo Dot Com, Inc., 952 F. Supp. 1119, 1124 (W.D. Pa. 1997). See also Pavlovich v. Superior Court, 29 Cal. 4th 262, 127 Cal. Rptr. 2d 329, 58 P.3d 2, 65 U.S.P.Q.2d (BNA) 1422 (2002). The California Supreme Court rejected a lower court's finding of specific personal jurisdiction based on the use of the jurisdictional rule found in Zippo. Here, the court noted that the defendant's website was a passive one and, although the software released from it would have the effect of permitting others to illegally copy copyrighted works and that effect should have been known to the defendant, that knowledge did not rise to the level of a contact with the forum state. The court agreed that most people would know that California would be greatly affected by the release of the software because it has a large entertainment industry, but that knowledge without more express interaction on the part of the defendant is not enough to invoke the state's long-arm statutes without violating the defendant's due process rights.
[FN.80]. See, e.g., ALS Scan, Inc. v. Digital Service Consultants, Inc., 293 F.3d 707, 63 U.S.P.Q.2d (BNA) 1389, 52 Fed. R. Serv. 3d 1121 (4th Cir. 2002), cert. denied, 123 S. Ct. 868 (U.S. 2003). In ALS, the court looked to see whether a person electronically transmitting or facilitating information transmission over the Internet, which caused injury to a person in Maryland, would be subjected to Maryland jurisdiction. Adopting the Zippo model, the court held Maryland could not, consistent with due process, exercise judicial power over the out-of-state ISP. The ISP's activity was passive, as it operated from Georgia, and, as such, merely provided bandwidth to the other defendant, also located in Georgia, permitting it to develop a website and transmit information over the Internet. Because the website was open to the world and the parties could not determine, nor limit, the places from which visitors would come. See also Verizon Online Servs., Inc. v. Ralsky, 203 F. Supp. 2d 601 (E.D. Va. 2002). In Verizon, the issue before the court was whether the transmission of millions of unsolicited commercial e-mails through the plaintiff's servers in Virginia amounted to sufficient contacts with the forum state in order to satisfy the due-process requirement of personal jurisdiction. The court held that sending commercial e-mail was a form of advertising, and that the defendant could reasonably foresee being summoned into a Virginia court.
[FN1]. Peridyne Technology Solutions, LLC v. Matheson Fast Freight, Inc., 117 F. Supp. 2d 1366 (N.D. Ga. 2000).
[FN2]. CompuServe, Inc. v. Patterson, 89 F.3d 1257, 1996 FED App. 228P (6th Cir. 1996) (overruling recognized by, Bird v. Parsons, 127 F. Supp. 2d 885 (S.D. Ohio 2000)).
[FN3]. See Peridyne Technology Solutions, LLC v. Matheson Fast Freight, Inc., 117 F. Supp. 2d 1366 (N.D. Ga. 2000).
[FN4]. See Peridyne Technology Solutions, LLC v. Matheson Fast Freight, Inc., 117 F. Supp. 2d 1366 (N.D. Ga. 2000). The court's jurisdictional analysis was based on the tortious activity by defendants via the Internet. The court found that the plaintiff's claims arose out of or were related to the defendants' activities directed at the plaintiff's computer systems, and that the defendants had actively entered the plaintiff's computer system using passcodes and authorizations obtained from the plaintiff in the course of their business dealings with the plaintiff. With respect to venue, the court also found that the defendants' use of computers and telephones to enter Georgia did not make venue in the state improper.
[FN5]. See CompuServe, Inc. v. Patterson, 89 F.3d 1257, 1996 FED App. 228P (6th Cir. 1996) (overruling recognized by, Bird v. Parsons, 127 F. Supp. 2d 885 (S.D. Ohio 2000)) (shareware trademark claim).
[FN5.50]. See Peridyne Technology Solutions, LLC v. Matheson Fast Freight, Inc., 117 F. Supp. 2d 1366, 1372 (N.D. Ga. 2000). The court noted that the defendants actively entered the system, manipulated security rights, and viewed files. These actions did not necessarily include loading and running software on the compromised systems. Further, the court found that the defendants should not be surprised that they were haled into court in the forum state because they knew that the systems were located in Georgia. See Burger King Corp. v. Rudzewicz, 471 U.S. 462, 472, 105 S.Ct. 2174, 85 L.Ed.2d 528 (1985). Cf. Desktop Technologies, Inc. v. Colorworks Reproduction and Design, Inc., 1999 WL 98572 (E.D. Pa. 1999) (passive website); Asahi Metals Indus. Co. v. Superior Court, 480 U.S. 102, 107 S.Ct. 1026, 94 L.Ed.2d 92 (1987) (stream-of-commerce argument).
[FN6]. See also Panavision Intern., L.P. v. Toeppen, 141 F.3d 1316 (9th Cir. 1998) (domain name dispute; "effects" test used by Ninth Circuit in exercising jurisdiction over out-of-forum defendant) (citing Cybersell, Inc. v. Cybersell, Inc., 130 F.3d 414 (9th Cir. 1997)(domain name dispute)); Cody v. Ward, 954 F. Supp. 43 (D. Conn. 1997) (securities; misrepresentations made by e-mail sufficient to assert jurisdiction in state where e-mail recipient resided); Zippo Mfg. Co. v. Zippo Dot Com, Inc., 952 F. Supp. 1119 (W.D. Pa. 1997) (domain name dispute; sale of passwords to individuals in forum state and contracts with Internet service providers in forum state constituted sufficient contacts for court to exercise jurisdiction); EDIAS Software Intern., L.L.C. v. BASIS Intern. Ltd., 947 F. Supp. 413 (D. Ariz. 1996) (e-mails and website postings of allegedly defamatory statement available to residents of forum was sufficient for court to assert jurisdiction because defendant could foresee that activity would affect corporation with offices in forum state); Maritz, Inc. v. Cybergold, Inc., 947 F. Supp. 1328 (E.D. Mo. 1996) (availability of commercial website to forum residents sufficient to establish jurisdiction).
[FN6.50]. Posting a passive website is not the same as the act of website "defacing," wherein the hacker gains unauthorized access to the content of a web server and alters the web pages to display alternative information. This is a common act among "hacktivists," or people promoting political or propagandist speech via the web.
[FN7]. See, e.g., GTE New Media Services, Inc. v. Ameritech Corp., 21 F. Supp. 2d 27 (D.D.C. 1998) (ability of forum residents to access interactive website held to be insufficient contacts with subject forum); America Online, Inc. v. Huang, 106 F. Supp. 2d 848 (E.D. Va. 2000) (act of registering allegedly infringing domain name insufficient to permit court to assert in personam jurisdiction over registrant); Desktop Technologies, Inc. v. Colorworks Reproduction & Design, Inc., 1999 WL 98572 (E.D. Pa. 1999) (operation of passive website on computer outside forum is insufficient contact for court to assert jurisdiction); CFOs 2 Go, Inc. v. CFO 2 Go, Inc., 1998 WL 320821 (N.D. Cal. 1998) (same); American Homecare Federation, Inc. v. Paragon Scientific Corp., 27 F. Supp. 2d 109 (D. Conn. 1998) (same); Edberg v. Neogen Corp., 17 F. Supp. 2d 104 (D. Conn. 1998) (same, even though commercial website); Green v. William Mason & Co., 996 F. Supp. 394 (D.N.J. 1998) (same); Bensusan Restaurant Corp. v. King, 937 F. Supp. 295 (S.D. N.Y. 1996), aff'd, 126 F.3d 25 (2d Cir. 1997) (same).
[FN8]. Note that the courts continue to avoid applying general personal jurisdiction for non-physical contacts, but prefer specific personal jurisdiction. See Smith v. Basin Park Hotel, Inc., 178 F. Supp. 2d 1225 (N.D. Okla. 2001). The Smith court, while relying on the Zippo sliding scale for the evaluation of the contacts with the jurisdiction, observed that the Zippo classification was the most useful during specific-personal-jurisdiction analysis. It also noted that, even though several courts have used the Zippo scale in a review of general personal jurisdiction, no court to date has relied solely on Internet contacts to impose general personal jurisdiction on a defendant. Going further, the court pointed out that a website subjects a defendant to general jurisdiction if, and only if, the defendant has deliberately and expressly used its website to conduct commercial transactions on a substantial basis with a substantial number of persons in the forum attempting to apply jurisdiction.
[FN9]. But see Calder v. Jones, 465 U.S. 783, 104 S.Ct. 1482, 79 L.Ed.2d 804 (1984). The Supreme Court held that, even though employees did not have full control over their employer in the distribution of an article into a forum state, nor did the employees have a direct economic stake in the distribution, being an employee does not insulate them from jurisdiction. Rather, the Court looked to the intent of the defendants and noted that their actions were directed at the plaintiff with knowledge that she was in another jurisdiction, even if their actions were not predicated on the fact that she was in another jurisdiction. See also Keeton v. Hustler Magazine, Inc., 465 U.S. 770, 104 S. Ct. 1473, 79 L. Ed. 2d 790, 10 Media L. Rep. (BNA) 1405 (1984) (noting it is not required that plaintiff have "minimum contacts" with forum state before permitting state to assert personal jurisdiction over nonresident defendant).
Copyright (c) 2003 by West Group