For a C-suite level executive, CIO, or outside Board member concerned about a company becoming the next victim of a data breach, 2014 was a bad year. Each succeeding month brought news of yet another breach, affecting hundreds of millions of estimated records by year end. And 2015 is not going to be better. According to a recent article, 52% of security professionals say their organizations will likely be successfully hacked in the next 12 months. As such, for many companies, it is not a matter of if – but when – they will become the next victim of a data breach.
Data breaches make for strange lawsuits. Even though there is broad agreement that no system can be made impenetrable to attack, almost all of the news and commentary regarding litigation arising from a data breach covers litigation brought against the victim that has suffered the breach. But what if the victim decides it’s not going to just take the breach of its security lying down? What if it wants to go after the hackers, wherever they may be?
A powerful, but often misunderstood, weapon in the fight against cyber-criminals is the Computer Fraud & Abuse Act (CFAA). While a significant portion of the CFAA litigation has involved whether the CFAA applies to departing employees who take company information, the statute can be incredibly helpful in assisting a data breach victim identify – and pursue – the person(s) responsible for the breach.
The CFAA was originally enacted in 1984 as a criminal statute aimed at hackers who gained access to classified information in government computer systems. In 1996, Congress amended the CFAA to include computers “which [are] used in interstate or foreign commerce or communications” by defining such computers as “protected” computers. Because of the growth of the Internet, virtually all computers now satisfy this definition.
The CFAA criminalizes several different types of conduct:
- Intentionally accessing a computer without authorization or exceeding authorized access, thereby obtaining information from a protected computer.
- Knowingly and with intent to defraud, accessing a protected computer without authorization or exceeding authorized access, and by means of such conduct furthering the intended fraud and obtaining anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computer and the value of use is not more than $5,000 in any 1-year period.
- Damaging a protected computer by, for example, deleting files, initiating a denial of service attack or unleashing a virus or worm.
- Knowingly and with intent to defraud trafficking in computer passwords and similar information when the trafficking affects interstate or foreign commerce.
- Making threats involving damage to a computer or involving confidential data as a means of extortion.
While the CFAA exposes cyber-criminals to criminal liability, its utility to victims of a data breach is through providing a private right of action, for both recovery of compensatory damages and injunctive relief, if the plaintiff can show: (a) damage or loss; (b) caused by; (c) a violation of one of the substantive provisions in the statute; and (d) the requisite degree of culpability or conduct.
Assuming that a data breach victim can satisfy the pleading requirements in an initial complaint, the CFAA can be a valuable tool in further identifying and pursuing the perpetrator(s), by providing a means for pursuing discovery. This is because, in order to specifically identify the person(s) responsible for a data breach, a company often has to obtain information from ISPs or others, who will not voluntarily provide that information without a court order or valid subpoena.
But, if there is an existing lawsuit, a company can then pursue discovery from third-parties in aid of identifying the responsible person(s). For example, in late February, Uber filed suit against “John Doe I”– the pseudonym it gave to the individual who allegedly used a “unique security key to download Uber database files containing confidential and proprietary information from Uber’s protected computers.” According to the Complaint, John Doe I’s actions violated the CFAA because:
- “Uber’s proprietary database is stored on Uber protected computers, which are connected to the internet and used in interstate commerce.”
- “John Doe I intentionally accessed Uber’s protected computers without authorization by accessing and downloading Uber’s proprietary database files.”
- “John Doe I’s access and download of Uber’s database from Uber’s computers has harmed Uber in that, among other things, Uber has expended resources to investigate the unauthorized access and prevent such access from occurring. The loss to Uber as a result exceeds $5,000.”
By filing its John Doe I complaint, Uber now has the possibility of seeking discovery that may help identify those ultimately responsible for hacking its computers and, once identified, substituting them as defendants in their lawsuit for damages.
Indeed, another data breach victim was able to do exactly that last year. After a “John Doe” lawsuit was filed, alleging a violation of the CFAA, the Court issued an Order allowing the plaintiff (SolarBridge) to subpoena information from Yahoo, Google and others aimed at discovering the identity of those potentially responsible for the breach.
Make no mistake, using litigation to identify cyber-criminals is very difficult, and it can get very expensive. Following the forensic cyber-trail through ISPs, top-level domain name registrars and IP addresses, and ultimately identifying defendants in such far flung places as Russia, Georgia, China, Turkey and the Baltic States, can very often turn cold or lead to defendants who are not subject to judgment in the U.S. But there are often other reasons to pursue those responsible for a computer hack, such as assuring customers, investors or Board members that everything that can be done is being done to catch those ultimately responsible for a security breach, or bolstering an “intervening cause” defense to a data breach class action against the victim. The CFAA is a very helpful tool in such a pursuit, and data breach victim needs to take early steps in order to later be able to assert a claim under the CFAA, including coordinating with law enforcement, a thorough forensic investigation and a thorough documentation of efforts to track and catch the cyber-crooks, which may later be used to support the affirmative claim against the bad guys, or as an affirmative claim against the victim.