It is sometimes difficult to predict what laws will apply to a particular compliance issue. For instance, in Section 814 of the Patriot Act, the U.S. Congress extended the jurisdiction of its federal law enforcement officers to include crimes that do not occur in the U.S. or have any victims in the U.S. It could be argued that “[e]very nation has the right to extend the scope of its law beyond its borders to protect the rights and property of its own nationals.” See Security Focus: Ashcroft’s Global Internet Power-Grab by Mark Rasch located at www.securityfocus.com/columnists/39. However, when neither the criminal nor the victims reside in the U.S., it is difficult to determine what protections are being afforded to citizens. There is no question that lawmakers and politicians are focusing on trends in technology. Robert Holleyman, CEO and President of the Business Software Alliance applauded recent trends. “The Congress and the President will face important policy decisions this year, and we remain hopeful that any new policies will enhance the future of American innovation,” Holleyman said. “We look forward to working with the Congress and the Bush Administration to enact legislation and promote policies that will ensure a robust, competitive environment for our economy generally, and for information technology specifically.”
The United States’ efforts to expand its jurisdiction over defendants who do not reside in the United States is not unique. For example, other countries have exercised jurisdiction over foreign defendants in hacking cases. In one highly publicized case, a British company and a Russian company were embroiled in a legal battle with a state-owned company in Tajikstan. When the British company’s computers were hacked, the British company made a claim against the Russian company under Sections 1 and 2 of the British Computer Misuse Act of 1990. See Out-Law News: Russian Hacking Case Can be Heard in England, Says Judge located at www.out-law.com/page-7434. The court based its conclusion on the fact that the server was located in the U.K. and therefore, the most significant element of the offense occurred in the U.K.
When faced with a foreign lawsuit, some companies elect to ignore the proceedings and allow the plaintiff to receive an award by default. This approach can have dire consequences. For example, Spamhaus, a British company that maintains a spam blacklist was sued in the United States by e360 Insight. Spamhaus concluded that the Illinois court did not have jurisdiction over it and declined to appear or defend itself in the action. See Out-Law News: Spamhaus decides to fight first US court Action located at http://www.out-law.com/page-7404. The Illinois court entered a default judgment in favor of e360 Insight for $11.7 million. The court also instructed ICANN to suspend the spamhaus.org domain. ICANN claimed it did not have the power to suspend the domain, but indicated that Spamhaus’ hosting company would do so. With precedents like Spamhaus, defendants may be reluctant to ignore foreign lawsuits. The best strategy is to consult with legal counsel in both jurisdictions and formulate an approach that minimizes your risks without jeopardizing your legal position.