The last few years have irrevocably altered the expectations of employment, with millions of employees now engaged in some degree of remote work.
This presents a legal and logistical conundrum for businesses who need these employees to have seamless remote access to sensitive information without sacrificing the safeguards and supervision necessary to protect it.
A recent District of New Jersey opinion illustrates some valuable lessons for employers navigating this data dilemma in 2024.
Enforcing Restrictive Covenants and Protecting Data with Remote Workers
A remote work force raises a number of key issues to consider, assuring the protection of proprietary information from unauthorized disclosure or unfair competition by former remote workers.
While the law protecting businesses from the unauthorized disclosure of information are rigorous, businesses need to exercise care:
- Remote work can invite jurisdictional challenges when a company sues to protect its trade secrets or enforce its restrictive covenants.
- Remote work also brings additional misappropriation risks that require robust data protection and device management to protect a business from its former employees.
The case involves TMG, a New Jersey-based business process outsourcing company, and the conduct of Mikkola, a former business development employee, working remotely from Texas, who had quit to join a competitor.
The recent opinion touches on the complexities of restrictive covenants, data protection, and jurisdictional analysis in the post-COVID era of remote work.
Remote Worker Resigns to Work for Competitor – Misappropriation Alleged
TMG brought its lawsuit in New Jersey federal court against Mikkola arose from his move to a competitor, immediately after he resigned from a sales position.
Central to TMG’s complaint was the allegation that Mikkola misappropriated confidential information to solicit TMG’s clients — in violation of his restrictive covenants with TMG.
The fact that Mikkola performed his duties remotely from Texas added a layer of complexity to the case, reflecting a scenario becoming increasingly common in today’s workforce.
Critical to this case are the allegations that Mikkola had a local copy of TMG’s OneDrive saved to his company laptop. This allowed him to continue accessing TMG’s confidential customer data even after his resignation was tendered, and his remote access had been cut off.
This vulnerability reflects a frequent compromise made by companies. On one hand, allowing local storage of files on a company’s cloud server can empower remote employees by putting essential information at their fingertips.
On the other hand, it also invites the risks we see playing out in this case: it allows employees to freely copy confidential information and the employer is helpless to detect or prevent it until the damage is already done.
Legal and Practical Challenges of Enforcing Claims Against Remote Workers
Mikkola moved to dismiss the case for lack of personal jurisdiction pursuant to Rule 12(b), arguing that because he scarcely set foot in New Jersey, did not work or live there, his employment contract was not negotiated or executed there. And, that the complaint failed to allege that any of the purportedly stolen clients or projects were based in New Jersey.
With the rise of remote work, jurisdictional defenses are likely to become increasingly common in cases involving former employees. Although it has some intuitive appeal, TMG’s opposition demonstrated the plain limits of that strategy.
While the complaint alone may lack the detail necessary to support personal jurisdiction against an out-of-state employee, a plaintiff can supplement their complaint with additional facts in their opposition to a Rule 12(b) motion — and that is exactly what TMG did here.
In its opposition, TMG marshalled evidence of Mikkola’s connections to New Jersey clients. That evidence included, among other things, a declaration from TMG’s president that Mikkola had sent solicitation emails and cookie cakes to its New Jersey clients following his resignation.
Cookie cakes weren’t the only apparent misstep by Mikkola, TMG also conducted forensics analysis on his belatedly returned company laptop to provide extensive details about the files that Mikkola had transferred off the laptop after his resignation.
Being able to offer a detailed timeline and pinpointing the exact files copied by Mikkola gave TMG another edge in its case. Once again, the double-edged sword of TMG’s data policy came into play — demonstrating the practical issues faced by countless other employers.
By allowing Mikkola to make local copies, TMG had created a vulnerability in the protection of its confidential information and/or trade secrets. However, by utilizing data forensics, TMG was able to mitigate that vulnerability by swiftly exposing the former employee’s misappropriation.
Nevertheless, data protection is a game of cat and mouse, and future employees will not be so clueless about digital forensics. Indeed, while TMG had the capability to uncover misappropriation once it had received the physical device — detection and prevention could have prevented a costly lawsuit.
It could have also prevented the sharing of its customer information with a competitor… and some awkward calls to clients about cookie cakes.
Key Issue: Centralized Office Assist Employer to Establish Jurisdiction Over Dispute
The New Jersey court ultimately held that it had personal jurisdiction over Mikkola based upon on the Calder test. The Calder test applies in cases involving intentional torts, like misappropriation of trade secrets or tortious interference with contracts.
Under that test, courts evaluate the location of both the target and the effect of an intentional tort. In this case, the court easily concluded that the claims against Mikkola satisfied both prongs for New Jersey and offered some key takeaways.
The first takeaway is that maintaining a centralized in-person office continues to reap jurisdictional benefits, especially when many employees work remotely. The court found that Mikkola knew TMG was based in New Jersey and that he routinely communicated with TMG’s employees in New Jersey.
The same cannot be said about many decentralized operations, where both employees and their supervisors are out-of-state and relevant lines of communication become untethered from a company’s principal place of business.
Companies that fail to maintain a clear connection between their forum and their employees risk complicating the jurisdiction question and, at best, needlessly increasing their legal costs.
The second takeaway is that employers facing such jurisdictional challenges should aggressively gather evidence regarding how the former employee’s conduct concerns its operations in the forum state.
In this case, TMG provided evidence that Mikkola had taken information about New Jersey clients, solicited those clients, and even “showed the receipts” for cookie cakes sent to them. That clear evidence of conduct targeting the forum state turned a potentially complex jurisdictional analysis for a former remote employee into a relatively simple one.
Business owners, particularly those in sectors where proprietary information and client relationships are key assets, should also take heed of the other lessons from this case:
Key Issue: Intentions Torts Can Confer Jurisdiction Based on Location of Business
- Employee Exit Processes: The case highlights the need for stringent exit protocols. This includes ensuring the return of all company devices and securing company data upon an employee’s departure. Those protocols should be backed up by practices, particularly mobile device management solutions that allow an employer to disable access to company devices possessed by employees going through the exit process.
- Non-Compete Clauses and Confidentiality Agreements: In a remote working environment, the enforceability of non-compete clauses and the protection of confidential information become more complex but no less critical. Businesses must ensure these agreements are legally robust, clear, and specific enough to protect their interests across all jurisdictions where their employees may reside and work.
- Jurisdictional Awareness: Understanding the potential for legal action in various jurisdictions is crucial. If companies wish to enforce restrictive covenants and protect trade secrets on their home turf, they should make sure that even remote employees are sufficiently connected to that turf. Having communication and information that flows through the company’s home state is a good start.
- Remote Work Policies: Companies should develop comprehensive remote work policies that address data protection, confidentiality, and the use of digital resources. When remote employees are permitted to have local copies of sensitive files, those copies should be limited to company devices that have active countermeasures for unauthorized copying or dissemination.
Businesses must be able to navigate the legal intricacies of having employees who, though physically distant from the company’s headquarters or primary place of business, remain deeply intertwined with the company’s operations and client relationships.
Experienced counsel is essential to such a journey and the businesses that fail to understand, appreciate, and proactively address such challenges will undoubtedly struggle to survive, let alone thrive, in the information age. That’s just how the cookie cake crumbles.