Jurisdiction is the territorial area of authority to hear and judge cases. The internet, however, has no territorial boundaries: it is a virtual world of interconnected computer networks, known as cyberspace.

Consider an example. Company A purchases online payment software delivered as a download. The software corrupts A’s server. The seller, company B, does not have a physical store in any particular country. B sells its software exclusively as a web service. Questions immediately arise about jurisdiction. Is it:

  • Where the software download was receipted?
  • Where the software was downloaded?
  • The location of B’s Internet Protocol (IP) address?

Similarly, what about hacking cases? Is jurisdiction where the hacking occurs or the location of the server that is attacked?

US approach

The United States’ (US) focus is on the characteristics of the internet presence. Jurisdiction is determined by a ‘sliding scale’ analysis of the interactivity of the website concerned. Three categories have emerged:

  • Passive websites: present information but do not accept information, sell products or offer services. Generally, the US courts do not find jurisdiction with these websites.
  • Intermediate websites: the courts assess the level of interactivity and commercial nature of the exchange of information. The question, in some cases, is whether the nature of the commercial activity is substantial enough to be a substitute for a physical store. In one case, jurisdiction was found over a party who, through its website, had signed up subscribers to its business. However, where a website provided information and a link about tour packages, this did not constitute the kind of interactivity required to establish jurisdiction.
  • Active websites: jurisdiction is found over providers of websites that actively conduct their business over the internet by displaying products or services and allowing the user to enter into contracts and purchase products.

Returning to our example, in the US a court where A is situated will have jurisdiction as B’s website is ‘active’. The website permits the software to be downloaded to A’s IP address in its location. If, however, B’s website merely provided information about the software, and a physical address from which it could be physically ordered, then it is unlikely that a US court would find jurisdiction.

European Union rules

The basic rule under Regulation 1215/2012 (Brussels Regulation recast) is that jurisdiction is based on the domicile of the defendant.

In our scenario, B can be sued in the European Union Member State in which it is domiciled (i.e. has its principal place of business). Note: the location of B’s IP address is not determinative of domicile; it tells us no more than the location of a computer and its user.

There are exceptions to the basic rule:

  • A person may be sued in the place of the performance of the contract unless otherwise agreed. A software company’s terms might specify the place of performance of the contract.
  • In tort, a person may be sued in another Member State where the harmful event occurred. In our scenario this would be where A’s server that has suffered corruption is located.
  • A ‘consumer’ may also sue in the Member State of their domicile.

From Russia with love?

Where the Brussels Regulation recast does not apply (for example, the defendant is not domiciled in an EU Member State) the English courts will apply common law rules to determine jurisdiction.

In Ashton Investments Ltd and another v OJSC Russian Aluminium (Rusal) and others [2006] it was alleged that the Defendants had hacked into and installed spyware onto the Claimants’ server in London. The hackers’ IP address was said to be Russian. The Claimants commenced English proceedings. The Defendants disputed jurisdiction, arguing that the tort occurred in Russia: that was where the installation of the spyware software occurred and where the administrator’s username and password were improperly entered.

The High Court held that the case should be heard in London. This was where the hacking had occurred and where access to the server was achieved. Although this resulted from actions taken in Russia, those actions were designed to make things happen in London.

Down to earth

Determining cyber jurisdiction involves an application of existing rules.

Ideally, companies that trade online should be aware of these and take appropriate action. For example, if a company wants to avoid being sued in a particular jurisdiction it could use software to restrict access based upon the user’s IP address.

The unique global character of the internet and the territorial exposures it potentially creates are also relevant to underwriters. It is advisable to ask an insured that trades on the internet questions about its ‘cyber reach’:

  • Do you use software or other technologies to block user access in certain jurisdictions, and if so, where?
  • What are your terms of business, for example about the place of performance, jurisdiction and governing law?

These questions may seem basic, but cyber’s virtual nature might mean that these contractual essentials have been neglected. Whilst cyberspace is a mythical virtual domain that knows no territorial boundaries, it all comes back down to earth when cyber claims are made and pursued in the courts.