Saturday, July 22, 2006

IBM Sued for Hacking?

D.C. Law Firm Claims IBM Worker Hacked Its Computers by Paul McDougall
InformationWeek (Jul 14, 2006)

A Washington, D.C., law firm says it's the victim of a computer hacker, but it claims the perpetrator isn't some nerdy cyberpunk. . . .Rather, the firm says its computers are under attack by tech giant IBM.

Attorneys at Butera & Andrews claim an unidentified hacker working within IBM's WebSphere services facility in Durham, N.C., secretly dropped malicious code into the firm's e-mail server, giving him or her unauthorized access to the system. The IBM worker "initiated, directed and managed this attack from the Durham, North Carolina facility," Butera & Andrews claims in a lawsuit. The firm says its servers were hit by the assailant's code more than 40,000 times throughout 2005. . . .

Butera & Andrews also charges IBM with maintaining lax security procedures at the Durham facility, thus making it easier for would-be hackers to carry out their work undetected. The lawsuit states that IBM last year implemented a policy under which all computer user logs at the facility are wiped clean after 24 hours. The policy "assures anonymity for any wrongdoer," the firm charges.

In the paragraphs below, I’m going to speculate a bit about the legal premises and viability of the Butera & Andrews suit. I’m speculating because I haven’t seen the complaint, can’t find it online and can’t find any more information about the suit than is in this article.

First possible premise: 18 USC § 1030.

Section 1030 of Title 18 of the U.S. Code, better known as the Computer Fraud and Abuse Act (CFAA), is the basic federal cybercrime provision. It defines a number of computer-related offenses, e.g., hacking, cracking, virus dissemination, fraud, password trafficking, and extortion. It was added to the federal criminal code in 1984, substantially revised in 1986 and has been amended a number of times since.

Section 1030: Provisions and sentencing

Section 1030(a) reaches conduct directed at a “protected computer.” A “protected computer” is one that falls into either of two categories: (1) a computer that is used exclusively by a financial institution or the federal government or that is used, albeit nonexclusively, by a financial institution or the federal government but the conduct constituting the offense affects that use; or (2) a computer that is used in interstate or foreign commerce or communication. 18 U.S. Code § 1030(e)(2)

The concept of basing liability on conduct targeting “protected computers” was introduced by a 1996 amendment; until then, § 1030 only reached conduct targeting “federal interest computers,” i.e., computers used exclusively by the federal government or a financial institution, or one of two or more computers used in committing the offense that were not all located in the same state. As a result of the 1996 amendment, the statute now reaches conduct directed at essentially any computer connected to the Internet, regardless of whether the computers involved are located in the same state.

Section 1030(a) makes it a federal crime to do any of the following:

  • To (i) knowingly access a computer without authorization or by exceeding authorized access and thereby obtain information that is protected against disclosure which the perpetrator has reason to believe could be used to the disadvantage of the U.S. or to the advantage of any foreign nation and (ii) willfully either deliver that information to a person not entitled to receive it or retain the information and refuse to deliver it to the federal agent entitled to receive it;
  • To intentionally access a computer without authorization or by exceeding authorized access and thereby obtain (i) information contained in a financial record of a financial institution, or of a card issuer or contained in a file of a consumer reporting agency on a consumer, (ii) information from any federal department or agency, or (iii) information from any protected computer if the conduct involved an interstate or foreign communication;
  • To intentionally and without authorization access (i) a computer used exclusively by a federal department or agency or (ii) a computer not used exclusively by a federal department or agency when the conduct affects the computer’s use by or for the federal government;
  • To knowingly and with the intent to defraud access a protected computer without authorization or by exceeding authorized access and thereby further the intended fraud and obtain anything of value unless the object of the fraud and the thing obtained consist only of the use of the computer and the value of that use does not exceed $5,000 in any one-year period;
  • To (i) knowingly cause the transmission of a program, information, code or command and thereby intentionally cause damage to a protected computer; (ii) intentionally access a protected computer without authorization and thereby recklessly cause damage; or (iii) intentionally access a protected computer without authorization and thereby cause damage; AND (iv) by conduct falling into any of the three prior categories, cause or attempt to cause physical injury, the modification or impairment of any medical examination, diagnosis, treatment or care, loss aggregating at least $5,000 in a one-year period, a threat to public health or safety, or damage affecting a computer system used by or for a government entity in furtherance of the administration of justice, national security or national defense;
  • To knowingly and with intent to defraud traffic in any password or other information through which a computer may be accessed without authorization if (i) the trafficking affects interstate or foreign commerce or (ii) the computer is used by or for the federal government;
  • To transmit in interstate or foreign commerce any threat to cause damage to a protected computer with the intent to extort money or any thing of value.
Section 1030(b) makes it a federal crime to attempt to commit any of the above offenses, and section 371 of Title 18 of the U.S. Code can be used to charge conspiracy to violate § 1030.

Section 1030: B&A (possible) civil claim

Section 1030 also creates a civil cause of action. Since the cause of action is created by a federal statute, a federal court has subject-matter (federal question) jurisdiction over the case, which means the suit can be brought in federal court.

Section 1030(g) states that any “person who suffers damage or loss by reason of a violation of this section may maintain a civil action against the violator to obtain compensatory damages and injunctive relief or other equitable relief.” The statute also provides that “a civil action for a violation of this section may be brought only if the conduct involves 1 of the factors set forth in clause (i), (ii), (iii), (iv), or (v) of subsection (a)(5)(B).” These are the factors set out above: loss aggregating at least $5,000 in a one-year period, the modification or impairment of medical examination, diagnosis, treatment or care, physical injury, a threat to public health or safety, or damage affecting a computer system used by or for a government entity in furtherance of the administration of justice, national security or national defense. Where the only factor present is the $5,000 loss, recovery is limited to economic damages.

It looks to me like B&A may well be bringing a civil suit under section 1030. This fits with their claim that the IBM employee gained unauthorized access to the system. So let’s assume that, and analyze the viability of their claim against IBM.

To prevail in a civil action of this sort, the plaintiff essentially has to prove a criminal case under section 1030, though they only have to prove it by a preponderance of the evidence (not the beyond a reasonable doubt standard used in criminal cases).

Here, if we assume the allegations in the complaint are true and that B&A can prove them, they would clearly have a viable civil claim against the IBM employee who is alleged to have gained unlawful access to their system. The problem is holding IBM liable.

Assuming, again, that the allegations in the complaint are true and B&A can prove them, IBM’s response should be, basically, “so what?” Hence the motion to dismiss: IBM can only be held liable if it can be shown to be responsible, in some way, for what the employee did. At this point, we’re talking about holding IBM criminally responsible for the employee's conduct (since a § 1030(g) plaintiff must prove the elements of the offense); I’ll talk about ordinary civil liability in a minute.

Holding IBM liable for what the employee did requires imputing the employee’s criminal conduct to IBM, and the only way to do that is with one – maybe two – criminal doctrines.

The first is accomplice liability: If I aid and abet your commission of a crime, then I become guilty as an accomplice, which basically means that I, too, stand in your shoes. I can be convicted of the crime just as if I committed it personally. To be an accomplice, one must, basically, either encourage or facilitate the commission of the crime. I see no indication B&A claims IBM encouraged the crime, and I doubt that very much, so we’ll try the other option.

It looks to me like B&A may be claiming IBM facilitated the commission of the crime by maintaining lax security procedures which made it possible/easy for the IBM employee to hack B&A’s system. There’s a problem with that, in terms of imposing accomplice liability on IBM: Courts almost uniformly hold that to be an accomplice you must have acted with the purpose of facilitating the target crime (here, the hacking), though some have held that acting knowingly is enough. I don’t see how B&A is going to be able to show IBM either acted with the purpose of facilitating this crime (it would have had to be IBM's intent to see that the crime was committed) or with the knowledge that the employee was going to use its lax security to commit the crime. It looks to me very much like B&A is claiming IBM was negligent, and negligence just won’t do in terms of accomplice liability.

There is a possible other way to impute the employee’s conduct to IBM, though I don’t think it would work either. This is to claim IBM conspired with the employee for the commission of the crime (hacking B&A); in the federal system, a principle known as the Pinkerton doctrine holds conspirators (like IBM in this hypothetical) liable for crimes that are committed by other members of the conspiracy (IBM’s employee) as long as they are a foreseeable consequence of the conspiracy. What seems to me the obvious problem with this theory is that you’d have to show IBM conspired for the commission of the hacking crime, and that, again, requires that you show IBM intended (has as its purpose) the commission of that crime. It doesn’t look to me like B&A is alleging that, and I doubt they could.

So, if this is a section 1030(g) claim, I don’t think it works.

Second possible premise: Negligence

B&A might be asserting a basic negligence claim, using diversity of citizenship between it and IBM to establish federal jurisdiction (and therefore get into federal court).

The essential elements of a civil tort action for negligence are (i) a duty owed to the injured party (B&A), (ii) a breach of that duty, (iii) which caused (iv) injury to the plaintiff (B&A). Here, B&A’s theory could be that IBM is liable because it breached a duty to supervise its employees, and the breach of that duty caused injury to B&A. It would, though, probably be difficult for B&A to establish such a claim.

Courts have imposed a duty on companies to supervise their employees, though this obligation usually extends only to actions that are within the scope of the employee’s job-performance. At least one federal court declined to apply this principle to federal employees who committed crimes for their own benefit:

The criminal conduct at issue in the instant case was clearly prompted by purely personal motives and was not related to the accomplishment of objectives within the line of any Customs Service duties. The former agents' outrageous . . . conduct was in no sense rationally connected to the subject matter which formed the basis of the respondeat superior relationship existing between them and the Customs Service. These individuals had no desire to serve the government's interest and had indisputably stepped outside the scope of their employment in committing intentional criminal acts against the plaintiffs. . . .

Attallah v. United States, 758 F. Supp. 81 (D.P.R. 1991), affirmed, 955 F.2d 776 (1st Cir. 1992). I suspect a similar rule would apply here, since it seems that the IBM employee was acting entirely out of personal motivation and that what he did was way, way outside the scope of his employment with IBM.

Even if B&A can show that what the employee did was sufficiently within the scope of his employment to have triggered the duty to supervise, there might well be a question as to whether the duty that arose extended to B&A. Usually, the duty to supervise extends to the employer’s customers and others who can foreseeably be harmed by an employee’s negligence, malpractice, etc. If B&A was not a customer of IBM, then it seems IBM could credibly argue that, even assuming it breached a duty to supervise this employee, the duty did not extend to B&A, so B&A cannot complain about the employee’s actions.
