Co-authored with: John Snyder
The First Amendment of the U.S. Constitution protects from judicial restraint discussions over matters of public concern, including claims of wide-scale data breaches of social security numbers and other personal information by a former employee on a blog, a New York State Supreme Court justice has ruled. Cambridge Who’s Who Publishing, Inc. v. Sethi, 009175/10, NYLJ 1201482619238, at *1 (Sup. Ct., Nassau Cty. Jan. 25, 2011). Finding no extraordinary circumstance that would overcome the Constitutional protection, the court denied a company’s request to enjoin its former employee from blogging about the company and its products, despite his agreement to maintain the confidentiality of confidential business information.
Harsharan Sethi was the Director of Management Information Systems for marketing and networking company Cambridge Who’s Who Publishing. When Sethi started working at Cambridge in July 2008, he signed an “employee covenants and non-disclosure agreement.” The agreement prohibited Sethi from using the company’s confidential information, except to pursue Cambridge’s business. Confidential information included “client names, addresses, and credit card numbers.” Cambridge terminated Sethi’s employment in February 2010.
The Blog Post
After Sethi’s termination, Cambridge suspected he was the author of a post on www.cambridgeregistrscam.com, which stated that members might be entitled to a full refund of their membership fees, suggested that members file complaints with the District Attorney and Attorney General, and offered to provide information on management personnel, including “their backgrounds,” “their life styles,” and “their prior run ins with [the] IRS.”
Cambridge viewed the blog post on May 11, 2010, and moved for a preliminary injunction the very next day. It sought to restrain Sethi from: (1) attempting to access Cambridge’s database; (2) contacting Cambridge’s “members” or customers; (3) disclosing customers’ personal information; (4) making any statements about Cambridge that might interfere with its goodwill, including contacting its employees or vendors; and (5) maintaining any blog or website concerning Sethi’s former employment.
The court granted the company’s request for a preliminary injunction, in part, enjoining the solicitation of Cambridge’s customers or disclosing their names or personal information. The court, however, denied Cambridge’s request that Sethi be restrained from making any allegedly defamatory statements regarding the company.
Cambridge later renewed its injunction request, submitting to the court allegedly defamatory statements made by Sethi after the court’s initial ruling. It presented an e-mail from Sethi to the New York Attorney General in which Sethi stated that tapes containing the personal data (including names, addresses, social security numbers, payroll data, checking account and credit card information) of 400,000 Cambridge members were lost or stolen from the company.
The court then granted a temporary restraining order enjoining Sethi from contacting Cambridge’s employees about his former employment or making statements that interfere with Cambridge’s goodwill, including maintaining a website or blog, until the preliminary injunction hearing.
First Amendment Protection
At the hearing, though, Justice Stephen Bucaria finally denied the injunction, holding that the First Amendment of the U.S. Constitution encompasses “at the least the liberty [to] discuss publicly and truthfully all matter of public concern without previous restraint or fear of subsequent punishment.” Finding that the alleged loss of social security numbers and credit card information, among other data, “implicate the economic interests of a large number of people” and, therefore, were matters of public concern, the court held that Cambridge had failed to establish “extraordinary circumstances” justifying a prior restraint on speech and warranting the denial of the injunction restraining Sethi from communicating with Cambridge’s customers or law enforcement agencies concerning data loss.
Cambridge provides employers with several significant lessons.
- First, it is instructive of the enforceability of a non-solicitation-of-customers provision that it enforced by injunction.
- Second, absent compelling facts constituting “extraordinary circumstances,” courts generally are reluctant to enjoin or restrain speech that may be protected by the First Amendment.
- Third, the decision raises two key points about data security:
- Companies that experience an unauthorized access to or acquisition of personal information that they possess may be required to report the unauthorized access to affected individuals and certain state agencies. In New York, there are three state agencies that must be notified in cases of certain breaches of personal information: Office of Cyber Security, Attorney General's Office, and Consumer Protection Board.
- Likewise, companies must take appropriate steps when employees complain about or raise data-security issues. In at least two court decisions, one in New Jersey and the other in California, employees were permitted to proceed with claims of employment retaliation upon asserting they have suffered an adverse employment action after their complaints about data security at their companies.