The Business Court has ruled that it does not have personal jurisdiction over the defendant in a misappropriation of trade secrets case because the operative facts of the litigation—where the trade secrets were stolen and what they were used for—did not have a substantial connection to the defendant’s admittedly significant Texas activities.
Go Secure, Inc. v. CrowdStrike, Inc., and Cloudstrike Holdings, Inc. (2026 Tex. Bus. 13; March 13, 2026) arose from a dispute over the alleged theft of trade secrets in California in 2011 and 2012. GoSecure, a Delaware company based in California, sued Crowdstike, also a Delaware company based in California, contending that CrowdStrike’s founder conspired to steal its source code repository and other confidential engineering information under cover of serving as a GoSecure board member. When the founder left the board, he promised not to use any of the information to benefit his new company. After a decade or so, GoSecure became aware that CrowdStrike’s platform (which blinked out in July 2024 all over the world) “employed methods derived from GoSecure’s trade secrets.”
GoSecure sued in California state court in November 2024 and alleged that the court had personal jurisdiction over CrowdStrike and its founder because it was founded in California, had its principal place of business there, and misapproriated the trade secrets there. After some procedural back-and-forth, GoSecure voluntarily dismissed its California action and refiled the suit in Texas, asserting essentially the same claims for misappropriation of trade secrets and TUTSA violations. Despite what it said in the California suit, GoSecure alleged that the court had specific jurisdiction over CrowdStrike because it “does business and is headquartered in Texas.” CrowdStrike filed a special appearance.
In an opinion by Judge Andrews, the court granted the special appearance and dismissed GoSecure’s claims. Although the parties quibbled over various alleged procedural defects, the court cut through all of that and decided the case on the merits based on the jurisdictional evidence properly before it. The question boiled down to whether CrowdStrike’s contacts with Texas were “so continuous and systematic as to render it ‘essentially’ at home in Texas.” CrowdStrike was incorporated in Delaware, so that much was clear. The parties, however, disputed the location of its principal place of business. Applying the “nerve-center test,” the court found that CrowdStrike’s principal place of business was in Sunnyvale, California rather than Austin, as GoSecure alleged. Most of its management, research, and HR personnel were located there, while over 80% of its Austin employees filled sales positions (although it does have several vice presidents and its chief communications officer in Austin). And although many of CrowdStrike’s executives work remotely, none of them work from Texas.
GoSecure failed to produce any evidence that CrowdStrike’s officers “direct, control, and coordinate” activities from Austin, as required by the nerve-center test. (The court noted that an AI chatbot’s identification of CrowdStrike’s principal location as Austin was less than credible.) The court also observed that a federal district court reached the same conclusion in the context of a dispute over federal diversity jurisdiction. GoSecure tried to argue that the “exceptional case doctrine” demanded a different result, but the court didn’t go for it. To show that, GoSecure would need evidence that “CrowdStrike’s activities in Texas must be ‘comparable to a domestic enterprise’ in Texas,” enough to render it “essentially at home” here. While GoSecure showed that CrowdStrike has its largest office in Austin, where one of its chief executive officers, several vice presidents, and a large sales staff reside, and that CrowdStrike does a lot of business in Texas, CrowdStrike demonstrated that its Texas business was a relatively small fraction of its entire business. Though in some ways “continuous and systematic,” CrowdStrike’s activities didn’t render it “at home” in Texas “when Texas is neither its place of incorporation nor its principal place of business.”
The court determined further that GoSecure failed to establish that its claims “arise out of or relate to” CrowdStrike’s purposeful contacts with Texas. Here the “operative facts of the litigation” (the ones that will be the focus of the trial) all occurred in California in 2011 and 2012, when the alleged misappropriation took place. GoSecure’s argument that CrowdStrike’s subsequent use of the information and sales in Texas should be enough to confer jurisdiction, but that “would mean that any foreign plaintiff could bring suit in Texas against any foreign defendant for trade-secret misappropriation that occurred anywhere in the world, so long as even one of the offending products was sold in Texas.” The court found no “substantial connection” between the operative facts and CrowdStrike’s activities in Texas. By contract, everything at issue in the lawsuit took place before CrowdStrike ever opened its Austin office. Although the court made it clear that a Texas court “could never have personal jurisdiction over the out-of-state defendant accused of misappropriation” when “trade secrets are created, acquired, and first used outside of Texas,” it was too far of a stretch in this case. It granted the special appearance and dismissed the case.
