The Computer Fraud and Abuse Act has become a favorite weapon for employers to use against employees who engage in computer misconduct. A question that often arises in cases involving computer misconduct is whether the employer can bring suit on its home turf based on an out-of-state employee’s computer misconduct. A recent opinion sheds light on this issue.
The United States Court of Appeals for the Eleventh Circuit, interpreting Georgia law, has held that Georgia’s long-arm statute does not confer personal jurisdiction over defendants who used a peer-to-peer computer network to access confidential computer files located on servers within Georgia.
In LabMD, Johnson, a Dartmouth professor, worked with Tiversa, Inc. (“Tiversa”) a company that monitors global peer-to-peer network searches and provides data security services, to examine data security in the medical profession. LabMD, Inc. v. Tiversa, Inc., 2013 WL 425983 (11th Cir., Feb. 5, 2013). Johnson and Tiversa searched peer-to-peer networks for files that could be used to commit medical or financial identity theft. As part of their search, they found a critical document including patient information on LabMD’s computer system.
Tiversa made a telephone call to notify LabMD that it had been able to find the file. Over the ensuing two months, Tiversa sent LabMD nine emails offering its intelligence and security services and soliciting LabMD’s business.
LabMD filed suit in the Superior Court of Fulton County, Georgia, asserting claims for trespass, conversion, and violations of the Computer Fraud and Abuse Act and the Georgia Computer Systems Protection Act. Defendants removed the case to the United States District Court for the Northern District of Georgia. The district court granted Defendants’ motion to dismiss, concluding that it lacked personal jurisdiction over Defendants under Georgia’s long-arm statute. O.C.G.A. § 9-10-91.
LabMD appealed, arguing that Defendants were subject to personal jurisdiction in Georgia under two separate subsections of Georgia’s long-arm statute.
First, subsection (2) of Georgia’s long-arm statute provides for personal jurisdiction where a non-resident defendant “[c]ommits a tortious act or omission within [Georgia].” O.C.G.A. § 9-10-91(2).
Second, subsection (3) of Georgia’s long-arm statute provides for personal jurisdiction where a non-resident defendant:
[c]ommits a tortious injury in [Georgia] caused by an act or omission outside [Georgia] if the tort-feasor regularly does or solicits business, or engages in any other persistent course of conduct, or derives substantial revenue from goods used or consumed or services rendered in [Georgia].
O.C.G.A. § 9-10-91(3).
LabMD argued that subsection (2) conferred jurisdiction over Defendants because Defendants used peer-to-peer software to open a Transmission Control Protocol/Internet Protocol port on a LabMD computer that was physically located in Georgia. LabMD accordingly contended that the “tortious act” of access took place within Georgia and met the requirements of subsection (2).
The Eleventh Circuit was not persuaded. For purposes of personal jurisdiction, Georgia courts have held that, when a defendant uses the telephone or email to contact a Georgia resident, the defendants’ conduct is held to have occurred at the place where the defendant speaks into the telephone or types and sends his email. See Anderson v. Deas, 632 S.E.2d 682, 279 Ga. App. 892 (2006). Accordingly, the Eleventh Circuit held that the conduct giving rise to LabMD’s claim occurred where Defendants caused their computers to access LabMD’s file. Because Defendants therefore acted outside of Georgia, subsection (2) did not confer personal jurisdiction.
LabMD also argued that subsection (3) conferred jurisdiction over Defendants because Tiversa made one telephone call to LabMD and sent nine e-mails offering Tiversa’s services. Because of these contacts, LabMD contended, Tiversa “regularly solicited business” in Georgia as required by subsection (3).
The Eleventh Circuit disagreed, explaining that Georgia courts consider a number of factors in assessing jurisdiction under subsection (3), including: whether a defendant regularly does business or solicits business within Georgia; engages in a persistent course of conduct within Georgia; derives substantial revenue from services rendered within Georgia; has employees located within Georgia; or is authorized to do business in Georgia. The Eleventh Circuit then noted that Tiversa was not registered to do business in Georgia, had no employees or customers in Georgia, derived no revenue from business activities in Georgia, owned no property in Georgia, and paid no Georgia taxes before concluding that Tiversa was not subject to personal jurisdiction in Georgia under subsection (3).
In this sense, the Georgia long-arm statute as interpreted by the Eleventh Circuit differs substantially from the Connecticut long-arm statute as interpreted by the Second Circuit in MacDermid, Inc. v. Deiter, No. 11-5388-cv (2d Cir., December 26, 2012). There, a defendant was found to be subject to personal jurisdiction when she used an out-of-state computer to access information that she knew to be housed within the state. The element of knowing access was key in MacDermid and allowed for the exercise of personal jurisdiction.
In LabMD, however, the court did not even explore whether Defendants’ access was knowing. In this sense, then, the Georgia long-arm statute is not as powerful a tool in allowing in-state plaintiffs to sue out-of-state defendants in Georgia courts based on internet activity.
Thus, LabMD may limit a Georgia employer’s ability to file suit in a Georgia court against an out-of-state former employee who engages in computer misconduct or improper internet activity and who does not otherwise have sufficient contacts with Georgia to confer jurisdiction.
