Cyberattacks have become an unfortunate fact of life for many companies and individuals in the digital age. While the perpetrators of such attacks are frequently anonymous and undiscoverable, several plaintiffs have recently advanced civil claims against their alleged attackers seeking monetary compensation for injuries inflicted by cyberattacks. Here are some of the causes of action advanced in those cases.
Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030
The CFAA is a criminal statute that generally outlaws unauthorized access of computer systems connected to the internet. See 18 U.S.C. § 1030(a). The law imposes both criminal and civil penalties on anyone who “intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains . . . information from any protected computer,” or who conspires or attempts to do so. Id. § 1030(a)(2)(C); § 1030(b); § 1030(g). While the CFAA contains several provisions, certain provisions are more popular with civil litigants than others. For example, in WhatsApp Inc. v. NSO Group Technologies Ltd., No. 4:19-cv-07123-PJH (N.D. Cal. Oct. 29, 2019), WhatsApp and Facebook alleged that the defendants violated 18 U.S.C. section 1030(a)(2) because they intentionally accessed Plaintiffs’ computers without authorization, as well as section 1030(a)(4) because they knowingly and with intent to defraud accessed Plaintiffs’ computers and “by means of such conduct furthered the intended fraud and obtained something of value.” Id. ¶¶ 50–57.
The Lanham Act, 15 U.S.C. §§ 1114, 1125(a), 1125(c)
Cyberattacks frequently use company trademarks to trick victims into disclosing their credentials or downloading malware. As a result, trademark claims have featured prominently in many cases brought by large tech companies such as Microsoft and Facebook (now known as Meta). For instance, Meta recently filed a Lanham Act complaint against 100 “John Doe” defendants for creating more than 39,000 fake versions of Facebook, Instagram and WhatsApp login pages to trick users into giving up their credentials. See Meta, Taking Legal Action Against Phishing Attacks (Dec. 21, 2021), https://about.fb.com/news/2021/12/taking-legal-action-against-phishing-attacks/. Microsoft similarly brought a Lanham Act claim against unknown China-based entities that injected malicious code into an image of Microsoft’s Internet Explorer trademark.