Data Misappropriation–Where to Sue

Determining where your data is stored for purposes of “venue” (where you can bring suit) is a relatively new issue not resolved in current case law. Traditionally, courts have focused on the location of the relevant server. But in this age of the cloud, where there are multiple and redundant servers to enhance access and security, we argue that the place where data is managed and controlled is the locus of the property and proper venue.

Consider the following scenario: You are the president of a company that is headquartered in New York City. The company’s IT function is run out of New York, including all management, software, hardware design, vendor selection, employee access and operations. You receive word that company trade secrets, captured in numerous Word and Excel documents residing on your central computer system, have been misappropriated by an employee in your company’s Chicago office who just resigned to join a competitor. You quickly want sue the offender in federal court for misappropriation of trade secrets and violation of the federal Defend Trade Secrets Act. But where to sue?

The federal venue statute 28 U.S.C. § 1391 (b), offers a plaintiff some choices. Under this statute, venue, meaning the proper court to hear and try your case (in other words where you may file your complaint), is the judicial district where: (1) the defendant resides; or (2) the events took place that gave rise to the claim; or (3) a substantial part of the property that is the subject of the action is situated. The purpose of these statutory restrictions is to protect the defendant against the risk that a plaintiff will select an unfair or inconvenient place for trial. Leroy v. Great W. United Corp., 443 U.S. 173, 184 (1979).

The first two grounds are pretty simple. Find the employee’s address, locate the nearest federal courthouse in the same state, and that’s where you can file. Similarly, if the employee logged onto a local computer terminal in the Chicago office and or sent himself the misappropriated materials from there, then that is where the “events giving rise to the claim arose.” But, that means filing suit in Chicago. Your home turf is New York and your lawyers are in New York. Thus, the company would rather sue in New York.

That brings us to the last basis for venue: “where a substantial part of the property is located” and whether such language allows the company to sue in New York federal court. If the data was maintained on specific hard drives or servers located in a fixed location, say the company’s IT office in New York, then the answer is straightforward. In Argent Funds Group, LLC v. Schutt, No. 3:05CV01456, 2006 WL 2349464, (D. Conn. June 27, 2006), the Court found that Connecticut was an appropriate venue and that it was immaterial that the defendant accessed the plaintiff’s confidential information remotely because the “Connecticut file servers . . . played a central role in the events that gave rise to the claim, and were one of the means by which the defendant allegedly stole the information.” The Court further found that even if a substantial part of the events or omissions giving rise to the claim had not occurred in Connecticut, venue would still be appropriate in Connecticut pursuant to section 1391(b) because a substantial part of property that was the subject of the action was situated on servers in Connecticut. See alsoEMI Corp. v. Opal, No. 1:15 CV 1257, 2015 WL 5782069, at *2 (N.D. Ohio Sept. 29, 2015) (courts have found that where a defendant accesses trade secret information out of state, stored on a computer located in the forum state, venue is proper where the computer servers are located. Citing The Premier Group v. Bolingbroke, No. 15-CV-01469, 2015 WL 4512313 (D.Col. July 27, 2015)). Other cases have turned on where the bad acts occurred. SeeCrayola, LLC v. Robert Buckley, 179 F..Supp.. 3d 473 (E.D. Pa. 2016).

But what If the “property” is stored in the cloud and your host has server farms located in multiple locations for security and your data is spread out across the country. Most of the current crop of data/venue cases are pre-cloud or don’t address the issue. Moreover, the drafters of the venue rules likely never heard of cloud storage, for that technology did not exist in operative form in 1976 when the “location of the property” rule was enacted. Thus, Courts have to date, focused on server location because (1) that was the current technology and (2) because they are tangible, fixed, identifiable items that are physically present in the jurisdiction in which the case is to be tried.

In cases where data is stored in the cloud and decentralized, the management and control situs is a rational test that can give effect to the spirit of the “property location” portion of the venue statue. It satisfies the element that the judicial district is a fair and appropriate location to hear the suit because it is likely where the relevant documents and witnesses will be, where control over the data is exercised (for example to save, categorize, print, or delete), as well as the location of the decision makers who determine what is and what is not a confidential trade secret and why. Thus, it may be an even more appropriate location for a trial then simply a remote location in which an employee has accessed a “dummy” terminal to effectuate the misappropriation. Moreover, as one court has recognized in dicta: “Given cloud storage and the ubiquity of internet use,” the venue rules, “would offer little protection for defendants if they could be hauled into any district where their data passes through or is remotely stored.” Crayola, 179 F. Supp. 3d at 479. The management and control test precludes this result while maintaining the purpose of the rule, to permit venue where relevant IT control, documents, and witnesses reside.