Published on:

Cyber Security Alert: How to protect your proprietary information from employees

By Jim Butler and the Global Hospitality Group®
Hotel Lawyers | Authors of www.HotelLawBlog.com
11 April 2013


Hotel Lawyer on technology challenges to your proprietary and sensitive corporate information. The continuing advances of technology continue to present a double edged sword. On the one edge are tremendous cost savings, efficiencies and power to manage information. On the other edge are daunting issues of information security and privacy.

In the article below, two of our Global Hospitality Group® lawyers talk about a recent court decision from the respected second circuit in New York that has important implications for every employer in the hospitality industry. It serves as a reminder that good employee handbooks and company policies are important to protecting your valuable business information and electronic data.

Here is what it is all about.

Cyber Security: The long arm of the law
gets a little longer

by
Robert E. Braun and Michael A. Gold ] Hotel Lawyers

New case from the second circuit in NY

Multinational companies, like hotel companies, often face challenges in enforcing claims against their employees and agents located in foreign jurisdictions. In December 2012, a federal appeals court decision — MacDermid, Inc. v. Deiter, No. 11-5388-cv (2nd Cir. Dec. 26, 2012) — made enforcement a bit easier when a company goes after employees who commit cyber theft beyond U.S. borders.

In this case, a Connecticut-based chemical company employed an account representative in Canada, and when the employee learned that she was to be terminated, downloaded to her personal email account data files that the company alleged were confidential and proprietary. The company sued the employee “alleging unauthorized access and misuse of a computer system and misappropriation of trade secrets.” The terminated employee moved to dismiss the complaint for lack of personal jurisdiction. The trial court agreed with the Canadian employee because she had not used a computer in Connecticut. The Court of Appeals, however, held that jurisdiction over the defendant employee in Connecticut, where she had never physically visited, was established when she intentionally accessed the Connecticut servers.

Defining a path to protect sensitive information

Hotel brands and managers have employees in a wide variety of jurisdictions, often worldwide, and the vast array of foreign laws, regulations and policies can make it difficult to establish clear and comprehensive security plans, and even more difficult to enforce them. This decision creates a clearer path for multinational companies to protect their key business information.

The company in MacDermid won because (1) it had a written policy that both identified the location of its servers that stored the company’s proprietary and confidential electronic data, and (2) the company made it a condition of employment that employees acknowledge in writing that they were not authorized to transfer that information to their personal email accounts.

Two important factors

The Court observed that “[m]ost Internet users, perhaps, have no idea of the location of the servers through which they send their emails. Here, however, [the company] has alleged that [the employee] knew that the email servers she used and the confidential files she misappropriated were both located in Connecticut.”

The Court also said that “employees of [the company] and its subsidiaries are, as a condition of employment, made aware of the housing of the companies’ email system and their confidential and proprietary information in Waterbury” and that the employee “agreed in writing to safeguard and to properly use [the company's] confidential information and that she was not authorized to transfer such information to a personal email account.”

MacDermid offers a clear lesson for companies. Employee handbooks must contain a policy dealing with proprietary and sensitive information, with clear restrictions on use and prohibiting improper downloading of information from company servers. Also, companies with offshore employees should explicitly disclose the existence and the location of the servers that store confidential information, so that an employee who improperly downloads confidential information can be sued in the company’s home jurisdiction.

Getting the “home field” advantage

This gives the company, rather than the employee, the “home field” advantage. Most companies do not explicitly identify where their data is located. And, where companies use cloud computing services, they may not even know. But whenever possible, companies should include this information in their employee policies. Employers will usually be better off suing and enforcing their rights in their home state, rather than a foreign jurisdiction.

Developing a comprehensive information privacy and security program

The JMBM Global Hospitality Group® and the JMBM Data Security Group work with clients to establish and enforce data security policies, and assists clients when there are breaches. We have helped a variety of clients, including hospitality companies, in developing compliance programs, addressing data breach issues, and negotiating contracts with vendors and providers. Contact Bob Braun (RBraun@jmbm.com, 310.785.52331) or Mike Gold (MGold@jmbm.com, 310.201.3529) for assistance. Bob Braun is a member of the International Association of Privacy Professionals and was the first and only “Super Lawyer” in Southern California in 2012 with a specialty in information technology.

If this article was of interest, you may also wish to read other articles on “Data Technology, Privacy & Security,” which include the following articles:

What the Target data security breaches mean for hoteliers

Cyber Security Alert: How to protect your proprietary information from employees

Hotel Lawyer Privacy Alert: Do your hotel mobile apps comply with new interpretations of online privacy rules?

Hotel Liability for Guest Information — What you need to know and how to avoid liability.

Losing the expectation of privacy bit by bit, byte by byte.

Dodd-Frank Act presents Hotels with decisions on credit and debit card charges.

Bob Braun

Robert Braun is a senior member of the Global Hospitality Group® at JMBM. Mr. Braun advises hospitality clients with respect to hotel management agreements, franchise agreements and operating issues. He also advises on transactional matters, including entity formation, financing, and joint ventures, and works with companies on their data technology, privacy and security matters. These include software licensing, cloud computing, e-commerce, data processing and outsourcing agreements for the hospitality industry. He is a member of the International Association of Privacy Professionals. Contact him at 310.785.5331 or rbraun@jmbm.com.


This is Jim Butler, author of www.HotelLawBlog.com and hotel lawyer, signing off. We’ve done more than $60 billion of hotel transactions and have developed innovative solutions to help investors be successful in bidding for hotel acquisitions, and helping investors and lenders to unlock value from troubled hotel transactions. Who’s your hotel lawyer?


Our Perspective. We represent hotel lenders, owners and investors. We have helped our clients find business and legal solutions for more than $60 billion of hotel transactions, involving more than 1,300 properties all over the world. For more information, please contact Jim Butler at jbutler@jmbm.com or +1 (310) 201-3526.

Jim Butler is a founding partner of JMBM, and Chairman of its Global Hospitality Group® and Chinese Investment Group™. Jim is one of the top hospitality attorneys in the world. GOOGLE “hotel lawyer” and you will see why.

Jim and his team are more than “just” great hotel lawyers. They are also hospitality consultants and business advisors. They are deal makers. They can help find the right operator or capital provider.