The Racketeer Influenced and Corrupt Organizations Act (RICO), 18 U.S.C. §§ 1961–68
Congress passed RICO as part of a comprehensive legislative package aimed at combating the influence of organized crime on interstate commerce. However, because the statute outlaws various types of racketeering activities, it can be broadly applied to cover claims relating to hacking. For example, Section 18 U.S.C. section 1962(c) prohibits a person from conducting the affairs of an enterprise through a pattern of racketeering, and can be applied to pursue hackers. For example, in Google LLC v. Starovikov, 1:21-cv-10260 (S.D.N.Y. Dec. 2, 2021), Google alleged a RICO claim under Section 1962(c), relying in part on violations of the CFAA and wire fraud as predicate acts. Id. ¶¶ 120–30.
Defend Trade Secrets Act (DTSA)
The DTSA amended the Economic Espionage Act to add a federal private, civil cause of action for misappropriation of trade secrets. Under the DTSA, the “owner of a trade secret . . . may bring a civil action . . . if the trade secret is related to a product or service used in, or intended for use in, interstate or foreign commerce.” 18 U.S.C § 1836(b)(1). Cyberattacks often target companies’ trade secrets and other valuable confidential information from overseas or through interstate attacks. This cause of action provides a potentially powerful tool to remediate these attacks.
Misappropriation of Trade Secrets
Similarly, state law provides a cause of action for misappropriation of trade secrets. Trade secrets are generally something (1) that derives economic value from not being generally known, and (2) which has been subject to reasonable efforts to be kept secret. See Uniform Trade Secrets Act (“UTSA”) § 1(4). If hackers steal information meeting this definition and, for example, disclose it to the public or a competitor, this cause of action can be used to recover the “actual loss” caused by the disclosure. Id. §§ 1(2), 3.
Breach of Contract
In some cases, a company plaintiff will be able also be able to leverage a contract, such as terms of service, to hit back at cyber attackers. For example, in WhatsApp Inc. v. NSO Grp. Techs. Ltd., No. 4:19-cv-07123-PJH (N.D. Cal. Oct. 29, 2019), WhatsApp and Facebook brought a breach of contract claim based on violations of WhatsApp’s terms of service, against a defendant that had used the platform to target the accounts of 1,400 WhatsApp users to gather information about them. Id. ¶¶ 68–73; see also Apple v. NSO Grp. Techs. Ltd., 3:21-cv-09078 (N.D. Cal. Nov. 23, 2021) (alleging similar breach of contract actions).
Trespass to Chattels
Trespass to chattels is likewise a potentially viable cause of action, because in most jurisdictions it only requires: (1) the lack of the plaintiff's consent to the trespass; (2) interference or intermeddling with possessory interest; and (3) intent to trespass. Register.com, Inc. v. Verio, Inc., 356 F.3d 393, 437 (2d Cir. 2004); Chevron Corp. v. Donziger, 871 F. Supp. 2d 229, 258 (S.D.N.Y. 2012). In WhatsApp Inc. v. NSO Grp. Techs. Ltd., No. 4:19-cv-07123-PJH (N.D. Cal. Oct. 29, 2019), for example, the plaintiffs advanced a trespass to chattels claim.
Tortious Interference with Business Relationship
Some companies have also advanced tortious interference claims, arguing that the hackers knew or should have known the companies had a continuing business relationship with the users who interact with their systems and computer networks. For example, in Google LLC v. Starovikov, 1:21-cv-10260 (S.D.N.Y. Dec. 2, 2021), Google brought suit against two Russian nationals who allegedly created a “botnet” to infiltrate computers and steal users’ account information. As part of its claims, Google alleged that the hackers interfered with Google’s relationship with its users “by undermining the security and reputation of Google’s systems and networks.” Id. ¶¶ 186–92.
Cyberattack victims often report their attacks to authorities who can pursue criminal charges against perpetrators. But in cases where perpetrators can be identified, victims should also consider civil remedies as an additional avenue to redress cyberattacks.