Wednesday, November 22, 2006

Civil Suits for Hacking, Malware, etc.

The basic federal cybercrime statute is 18 U.S. Code § 1030.

Section 1030 criminalizes various types of hacking (unauthorized access to computers), denial of service attacks, distributing malware and using computer technology to commit extortion or fraud. When it was originally enacted in 1984, §1030 only addressed conduct that targeted computers used by the federal government and a limited category of private computers, such as those used by financial institutions.

As computers became more common, it became apparent that the statute needed to be expanded in scope to give federal authorities the ability to pursue criminals who attacked purely “civilian” computers. So in 1996 the statute was expanded to criminalize a variety of conduct that is directed at “protected computers.”

Section 1030(e)(2) defines a “protected computer” as a computer that is either
  • (a) used “exclusively” by a financial institution or the federal government “or, in the case of a computer not exclusively for such use, used by or for a financial institution or the United States Government and the conduct constituting the offense affects that use by or for the financial institution or the Government;” or
  • (b) “is used in interstate or foreign commerce or communication, including a computer located outside the United States that is used in a manner that affects interstate or foreign commerce or communication of the United States”. The second definition essentially gives federal authorities jurisdiction over any computer located in the United States (especially if it is linked to the Internet) AND gives them the ability to apply the provisions of §1030 extraterritorially, i.e., to conduct occurring outside the territorial United States.

The statute therefore gives the Department of Justice and federal law enforcement agents wide latitude to pursue those who engage in criminal activity directed at federal or civilian computers. But today, for a change, I don’t want to write about criminal matters. Instead, I want to point out another aspect of §1030.

Section 1030(g) creates a private civil cause of action for anyone who has been injured by a violation of the criminal provisions of the statute. In other words, if a cybercriminal hacks your computers, infects you with a virus or worm, launches a DDoS attack at you, uses a computer to extort money or property from you or uses a computer to defraud you, you can bring a civil suit against that person under §1030(g).

Specifically, §1030(g) says that “[a]ny person who suffers damage or loss by reason of a violation of [§1030] may maintain a civil action against the violator to obtain compensatory damages and injunctive relief or other equitable relief.” The civil action can be brought if the conduct
  • (a) violated one of the criminal provisions of the statute AND
  • (b) caused loss aggregating at least $5,000 in one year OR the modification or impairment, or potential modification or impairment, of the medical examination, diagnosis, treatment, or care of 1 or more individuals OR physical injury to any person OR a threat to public health or safety OR damage affecting a computer system used by or for a government entity in furtherance of the administration of justice, national defense, or national security.

Damages for a violation causing only financial losses aggregating at least $5,000 in a one-year period are limited to economic damages. In Creative Computing v. LLC, the Ninth Circuit Court of Appeals held that loss of business and loss of business goodwill constitute “economic damages” under the statute.

And the Third Circuit Court of Appeals, in P.C. Yonkers, Inc. v. Celebrations The Party and Seasonal Superstore, 428 F.3d 504 (2005), construed the statute’s limitation to “economic damages” to mean that “if one who is harmed does seek compensatory damages based on such conduct, . . . then those damages will be so limited. That is, compensatory damages for such conduct will be awarded only for economic harm.” The court also found that nothing in the sentence quoted above prevents a court from providing injunctive relief against someone who has been shown to be in violation of the statute.

Section 1030(e)(11) defines “loss” as “any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service”. So all of these can be factored into the calculation of economic damages in a suit under §1030(g).

An injured party must file an action under §1030(g) “within 2 years of the date of the act complained of or the date of the discovery of the damage.” No action can be brought under §1030(g) “for the negligent design or manufacture of computer hardware, computer software, or firmware.”

I did a quick Westlaw search to see how many reported cases deal with suits brought under §1030(g) and found around 50. That seems a good number, given that most of the people who violate the criminal provisions of §1030 tend to be what we in the law call “judgment-proof,” i.e., without assets that could be used to pay off a civil judgment if a plaintiff were fortunate enough to prevail.

The theory behind provisions like §1030(g) is that private citizens act essentially as “adjunct Attorneys General.” That is, private citizens who bring suits under a statute like this are presumed to enhance the effectiveness with which the statute deters criminal violations, since the private suits also act as a sanction against those who violate the statute. I don’t know that anyone has actually conducted empirical research to see how well that works in practice, but it’s a reasonable theory.


DorianGray said...

It is very interesting to see that 1030(e)(2) has no requirements for the "protected computer" to provide basic industry standard security precautions.

The way it is now, a "protected computer" under the statute can be virtually "unprotected" in terms of security implementations and leave files open and disclosed to the public.

Susan Brenner said...

Yes . . . that is the standard you find in nearly all criminal unauthorized access statutes, in the US and elsewhere.

For a while, the state of New York's unauthorized access statute required that the computer be equipped with some type of security designed to prevent such access, but the NY legislature eliminated that part of the NY statute in, I believe, 2007.

The Netherlands has required the same type of security measure as was in the NY statute, and I believe that requirement is still in effect there.

The argument for eliminating the requirement is that unauthorized access is analogous to criminal trespass . . . and it's trespass if you come into my house even though I left my door unlocked.