Data breaches are as common as the common cold—unfortunately, just as incurable. Run a news search on “data breaches” and you’ll find that all kinds of institutions—major retailers, tech companies, universities, even government agencies—have been vulnerable at some point. Now run a search on “data breaches,” but include the word “lawsuit.” You’ll find that many of these cases are going to court, but ultimately getting dismissed. What’s going on?
First, you should look at some of these lawsuits more closely: are they filed against the alleged perpetrators of the data breach? Many of them aren’t; those perpetrators are usually hackers who live outside the country or are unable to pay a money judgment. (In legal parlance, that’s known as being judgment proof.) Faced by those limitations, individual victims of data breaches frequently settle for the next best thing: going after the institutions that endured the breach.
Often, this isn’t fair—the institutions are victims too. The point here is that although going after the institutions looks like an easy win from “deep pockets,” that seldom turns out to be the case.
It’s with the third and final point—demonstrating injury—that plaintiffs have the most trouble. Why? Because courts view injury in fiscal terms; you need to show that you actually lost something, not simply that you might. So even if you were the victim of a data breach, as long your data hasn’t yet been compromised, it doesn’t really count as injury.
There have been exceptions, when the court greenlit cases based mainly on speculative injury, but these usually ended in a settlement before a legal precedent could be set. (See cases against Home Depot, Target, Adobe, and Sony.) For the most part, the fiscal view of injury has prevailed—reinforced in 2013, when the Supreme Court, weighing in on Clapper vs Amnesty Int’l, determined that a plaintiff cannot proceed with a data breach lawsuit unless he or she can demonstrate actual injury or at least imminent threat of injury, each one measurable in economic loss. Otherwise, mere perception of injury is too tenuous to establish legal standing, which a case requires to go forward, and the lawsuit will probably get tossed.
The challenge of establishing legal standing recently made its way to the Supreme Court in Spokeo v. Robins. In that case, a plaintiff filed suit against the “people search engine” Spokeo for publishing false information about him. The issue before the Court was this central question of how much injury must be shown for a case to go forward. Prospective plaintiffs were optimistic that the high court would affirm a lower court’s decision that speculative injury was indeed enough. Alas, the Supreme Court sidestepped the issue and punted it back to the lower court for further review. The Court nonetheless reinforced the general tenets that, for a plaintiff to have standing to bring a case, he must allege an “injury in fact” that is both “concrete and particularized.” There is still room for the lower court to broaden the approach to what constitutes an injury, but the Supreme Court’s ruling keeps the status quo in place.
For now, individuals whose data has been compromised generally must be satisfied with what the institutions offer them after a breach occurs: free credit checks and/or access to credit monitors. Do checks and monitoring seem inadequate? Not if you think about what type of harm people face after a data breach. Individuals can detect and report problems in the event someone actually misuses their data. If they keep on top of it, their credit scores will not be impacted. Moreover, credit card companies and other financial institutions will bear the cost of any unapproved charges. In the event of further problems, plaintiffs can then take their injury to the legal system and have their day in court. But at this point, the courts are right to keep this type of class action litigation at bay.
LinkedIn has filed a suit against John Does in response to a spate of “data scraping” perpetrated by unknown individuals, in violation of the website’s terms and conditions.This is the latest federal case in the Northern District of California in which a tech company seeks to enforce its contractual provisions through the criminal statute Computer Fraud and Abuse Act (CFAA).
Starting in May 2013, unidentified individuals unleashed automated software programs which bypassed LinkedIn’s security measures in order to create thousands of new member accounts. Once established, these new accounts could be used to view millions of LinkedIn member profiles. The software bots copied personal information off of those viewable pages, which contain extensive personal information. Although we can’t know exactly what the information was used for until the perpetrators are identified, these individuals could potentially use this personal information to steal members’ identities or conduct phishing or other scams.
LinkedIn has since disabled the bot-created accounts and implemented additional security measures to prevent a similar incident. The company instituted the “John Does” lawsuit in order to use the legal discovery process to serve subpoenas which may help identify the attackers. LinkedIn based its legal complaint, in part, on violations of the CFAA. But is the CFAA a sound legal basis on which LinkedIn can bring its claims?
The CFAA states that whoever “intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains…information from any protected computer” violates the CFAA and commits a crime. In this case, the bots created LinkedIn member accounts in order to view other LinkedIn member accounts and gather information. According to LinkedIn, the use of bots violates the terms and conditions that each user must agree to when opening an account. Did the drafters of the CFAA intend to reach this type of conduct? If LinkedIn is right, what appears to be conduct supporting a traditional breach of contract may become fodder for a potential criminal violation.
The Ninth Circuit addressed a somewhat similar issue in United States v. Nosal, a case in which a former employee, David Nosal, convinced some of his former colleagues to help him start a business by downloading customer lists from the former employer’s computer network. Although the employees had unrestricted access to the lists, their use of the lists violated the employer’s policy prohibiting the use of work computers for non-business purposes. The Department of Justice indicted Nosal under the CFAA for aiding and abetting this action. Nosal filed a motion to dismiss, which the district court granted. On appeal to the Ninth Circuit, the government argued that the CFAA applied to the employees’ use of the customer listseven though their access to the lists was permitted.
The Ninth Circuit rejected the government’s argument, stating that “[t]he government’s interpretation would transform the CFAA from an anti-hacking statute into an expansive misappropriation statute. If Congress meant to expand the scope of criminal liability to everyone who uses a computer in violation of computer use restrictions—which may well include everyone who uses a computer—we would expect it to use language better suited to that purpose.”
Last month, federal prosecutors in Nevada filed a motion to dismiss an indictment that shined a bright light on overly broad federal criminal statutes and the abuse of prosecutorial discretion in using them.
John Kane and Andre Nestor were each charged in an indictment in January 2011 with one count of conspiracy to commit wire fraud and one count of computer fraud in violation of the Computer Fraud and Abuse Act (CFAA), the same law that was used to prosecute Internet activist Aaron Swartz and Andrew Auernheimer.
The indictment alleged that Kane and Nestor used an exploit on video poker machines to defraud casinos and win money that they were not entitled to, which “exceeded their authorized access” on the machines in violation of the CFAA. Kane, who reportedly spent an extremely significant amount of time playing video poker, discovered a bug in the software of the video poker machine that allowed for him, and later his co-defendant Nestor, to achieve large payouts on certain slot machines through a series of moves where he switched games and made bets at different levels. There is absolutely nothing illegal about pressing buttons on slot machines to change the amount of money you are betting or to switch games you are playing, but the prosecution alleged that doing this exceeded lawful access. The court agreed with the defendants and ruled in favor of their motion to dismiss the CFAA count in the indictment.
The CFAA was enacted in 1986 to protect computers that there was a compelling federal interest in protecting, such as computers owned by the federal government and certain financial institutions. The CFAA has been amended numerous times since it was enacted to cover a broader range of computer related activities and there has been recent discussion on Capitol Hill of amending it further. The CFAA prohibits accessing a computer without proper authorizationor it is used in a manner that exceeds the scope of authorized access. The law has faced steep criticism for being overly broad and allowing prosecutors wide discretion by allowing them to charge individuals who have violated a website’s terms of service.
In November, after filing nine stipulations to continue the trial date, the government filed a motion to dismiss the remaining conspiracy to commit wire fraud charges against both Kane and Nestor because “the government has evaluated the evidence and circumstances surrounding court one [wire fraud conspiracy] and determined that in the interest of justice it should not go forward with the case under the present circumstances.”
Although the charges were ultimately dismissed,the issue remains that these charges never should have been brought in the first place. Kane and Nestor had to deal with open criminal charges against them for nearly three years. There are proper uses for statutes such as the CFAA, but the people and the courts should demand that the government only use them for their intended purposes. Prosecutions taking broad and unjustified interpretations of these statutes are not justified.
Cybersecurity, Federal Criminal (Other), Federal Criminal Procedure, Fraud, White-collar crime