chevron-down Created with Sketch Beta.
    December 30, 2022 Practice Points

    Fighting Back on Cyberattacks

    The perpetrators of such attacks are frequently anonymous and undiscoverable, several plaintiffs have recently advanced civil claims against their alleged attackers seeking monetary compensation for injuries inflicted by cyberattacks.

    By Brian A. Hill and Cody Marden

    Cyberattacks have become an unfortunate fact of life for many companies and individuals in the digital age. While the perpetrators of such attacks are frequently anonymous and undiscoverable, several plaintiffs have recently advanced civil claims against their alleged attackers seeking monetary compensation for injuries inflicted by cyberattacks. Here are some of the causes of action advanced in those cases.

    Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030

    The CFAA is a criminal statute that generally outlaws authorized access of computer systems connected to the internet. See 18 U.S.C. § 1030(a). The law imposes both criminal and civil penalties on anyone who “intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains . . . information from any protected computer,” or who conspires or attempts to do so. Id. §1030(a)(2)(C); §1030(b); §1030(g). While the CFAA contains several provisions, certain provisions are more popular with civil litigants than others. For example, in WhatsApp Inc. v. NSO Group Technologies Ltd., No. 4:19-cv-07123-PJH (N.D. Cal. Oct. 29, 2019), WhatsApp and Facebook alleged that the defendants violated 18 U.S.C. section 1030(a)(2) because they intentionally accessed Plaintiffs’ computers without authorization, as well as section 1030(a)(4) because they knowingly and with intent to defraud accessed Plaintiffs’ computers and “by means of such conduct furthered the intended fraud and obtained something of value.” Id. ¶¶ 50–57.

    The Lanham Act, 15 U.S.C. §§ 1114, 1125(a), 1125(c)

    Cyberattacks can frequently use company trademarks to trick victims into disclosing their credentials or downloading malware. As a result, trademark claims have featured prominently in many cases brought by large tech companies such as Microsoft and Facebook (now known as Meta). For instance, Meta recently filed a Lanham Act complaint against 100 “John Doe” defendants for creating more than 39,000 fake versions of Facebook, Instagram and WhatsApp login pages to trick users into giving up their credentials. See Meta, Taking Legal Action Against Phishing Attacks, (Dec. 21, 2021), https://about.fb.com/news/2021/12/taking-legal-action-against-phishing-attacks/. Microsoft similarly brought a Lanham Act against unknown Chinese-based entities that injected malicious code into an image of Microsoft’s Internet Explorer trademark.

    The Racketeer Influenced and Corrupt Organizations Act (RICO), 18 U.S.C. §§ 1961–68

    Congress passed RICO as part of a comprehensive legislative package aimed at combating the influence of organized crime on interstate commerce. However, because the statute outlaws various types of racketeering activities, it can be broadly applied to cover claims relating to hacking. For example, Section 18 U.S.C. section 1962(c) prohibits a person from conducting the affairs of an enterprise through a pattern of racketeering, and can be applied to pursue hackers. For example, in Google LLC v. Starovikov, 1:21-cv-10260 (S.D.N.Y. Dec. 2, 2021), Google alleged a RICO claim under Section 1962(c), relying in part on violations of the CFAA and wire fraud as predicate acts. Id. ¶¶ 120–30.

    Defend Trade Secrets Act (DTSA)

    The DTSA amended the Economic Espionage Act to add a federal private, civil cause of action for misappropriation of trade secrets. Under the DTSA, the “owner of a trade secret . . . may bring a civil action . . . if the trade secret is related to a product or service used in, or intended for use in, interstate or foreign commerce.” 18 U.S.C § 1836(b)(1). Cyberattacks often target companies’ trade secrets and other valuable confidential information from overseas or through interstate attacks. This cause of action provides a potentially powerful tool to remediate these attacks.

    Misappropriation of Trade Secrets

    Similarly, state law provides a cause of action for misappropriation of trade secrets. Trade secrets are generally something (1) that derives economic value from not being generally known, and (2) which has been subject to reasonable efforts to be kept secret. See Uniform Trade Secrets Act (“UTSA”) § 1(4). If hackers steal information meeting this definition and, for example, disclose it to the public or a competitor, this cause of action can be used to recover the “actual loss” caused by the disclosure. Id. §§ 1(2), 3.

    Breach of Contract

    In some cases, a company plaintiff will be able also be able to leverage a contract, such as terms of service, to hit back at cyber attackers. For example, in WhatsApp Inc. v. NSO Grp. Techs. Ltd., No. 4:19-cv-07123-PJH (N.D. Cal. Oct. 29, 2019), WhatsApp and Facebook brought a breach of contract claim based on violations of WhatsApp’s terms of service, against a defendant that had used the platform to target the accounts of 1,400 WhatsApp users to gather information about them. Id. ¶¶ 68–73; see also Apple v. NSO Grp. Techs. Ltd., 3:21-cv-09078 (N.D. Cal. Nov. 23, 2021) (alleging similar breach of contract actions).

    Trespass to Chattels

    Trespass to chattels is likewise a potentially viable cause of action, because in most jurisdictions it only requires: (1) the lack of the plaintiff's consent to the trespass; (2) interference or intermeddling with possessory interest; and (3) intent to trespass. Register.com, Inc. v. Verio, Inc., 356 F.3d 393, 437 (2d Cir. 2004); Chevron Corp. v. Donziger, 871 F. Supp. 2d 229, 258 (S.D.N.Y. 2012). In WhatsApp Inc. v. NSO Grp. Techs. Ltd., No. 4:19-cv-07123-PJH (N.D. Cal. Oct. 29, 2019), for example, the plaintiffs advanced a trespass to chattels claim.

    Tortious Interference with Business Relationship

    Some companies have also advanced tortious interference claims, arguing that the hackers knew or should have known the companies had a continuing business relationship with the users who interact with their systems and computer networks. For example, in Google LLC v. Starovikov, 1:21-cv-10260 (S.D.N.Y. Dec. 2, 2021), Google brought suit against two Russian nationals who allegedly created a “botnet” to infiltrate computers and steal users’ account information. As part of its claims, Google alleged that the hackers interfered with Google’s relationship with its users “by undermining the security and reputation of Google’s systems and networks.” Id. ¶¶ 186–92.

    Cyberattack victims often report their attacks to authorities who can pursue criminal charges against perpetrators. But in cases where perpetrators can be identified, victims should also consider civil remedies as an additional avenue to redress cyberattacks.

    Brian Hill is a member and Cody Marden is an associate at Miller & Chevalier in Washington, D.C.

    Entity:
    Topic:
    The material in all ABA publications is copyrighted and may be reprinted by permission only. Request reprint permission here.

    Copyright © 2022, American Bar Association. All rights reserved. This information or any portion thereof may not be copied or disseminated in any form or by any means or downloaded or stored in an electronic database or retrieval system without the express written consent of the American Bar Association. The views expressed in this article are those of the author(s) and do not necessarily reflect the positions or policies of the American Bar Association, the Litigation Section, this committee, or the employer(s) of the author(s).