We often receive calls from individuals and businesses that have been “hacked”. “Hacking” refers to the unauthorized access of a digital device, network, account, or computer system. This could involve the use of sophisticated hacking tools and computer expertise, or it could involve “social engineering” wherein a cybercriminal will study a target’s social media accounts, perhaps launching a phishing attack[1], to steal from the target. Hacking is illegal, and if the hacker can be located (and has sufficient assets), it is possible to pursue legal action against the hacker.

[1] A phishing attack involves a cybercriminal sending emails or texts that purport to come from a reliable source, seeking information that can then be used to breach a computer system’s defenses.

Before discussing the types of economic recovery available to the hacking victim, however, it is important to emphasize that hacking is a crime, and the crime should be reported to state and federal law enforcement. The FBI and other federal and state agencies can be very effective at identifying the hackers and bringing them to justice. It may also be the case that law enforcement is already investigating a particular criminal organization, and the report could further their investigation. Since these crimes are often perpetrated by large, international criminal organizations, the FBI may be the only law enforcement agency capable of investigating large scale operations and bringing the perpetrators to justice.
Law enforcement agencies, however, operate on behalf of the government for the purpose of bringing perpetrators to justice. Although restitution may be ordered as part of any criminal judgment, it is usually best to retain counsel who is versed in this nuanced practice area in order to maximize a recovery. In addition, there may be parties (such as banks, financial institutions, etc.) that were negligent in the maintenance of their security systems, and a financial recovery may be possible from these organizations even though there was no criminal action taken against that entity.

1. Civil Actions Against Hackers.

The Computer Fraud and Abuse Act (CFAA), 18 U.S.C. 1030, prohibits a wide range of unauthorized computer activity, including accessing a protected computer system or email server without authorization[2]. This statute is frequently used to sue both hackers and anyone else who, without authority, accesses a protected computer system and, through false pretenses, obtains property or services. The CFAA also allows recovery for “computer invasion of privacy”, which occurs when a cybercriminal logs onto someone else’s computer and accesses personal information related to the victim’s employment, salary, credit history, or any other financial information.

[2] The requirement of “without authorization” is a frequently litigated issue. In Interpreting the Computer Fraud and Abuse Act: An Analysis of the Supreme Court’s Recent Decision (August 17, 2021), we discuss this requirement.

The CFAA is often used in conjunction with the Economic Espionage Act (EEA) to combat the theft of trade secrets. In many cases, cybercriminals will target U.S. based companies to steal technology; the Computer Fraud and Abuse Act provides a significant tool to combat this specific type of cybercrime.

The Stored Communications Act (SCA), 18 U.S.C. 2701, is similar to the CFAA in that it creates a civil cause of action, 18 U.S.C. 2707, against anyone who “intentionally accesses without authorization a facility through which an electronic communication service is provided”. It also allows for economic recovery against anyone who “intentionally exceeds an authorization to access that facility”. There are exceptions to this general principle, but as is always the case, whenever a violation is suspected, the victim should consult an attorney familiar with this nuanced statute.

The SCA allows an injured party to recover actual losses; if losses cannot be determined, a minimum recovery of $1,000 is prescribed. If the violation is intentional, the court may impose punitive damages. The statute further allows a plaintiff to collect reasonable costs and attorney’s fees.

2. Civil Actions Against Companies that Fail to Protect Data.

The most damaging hacks target the victim’s finances, including bank accounts, investment accounts, cryptocurrency accounts, and any other institutions that may hold the victim’s funds. In many cases, the perpetrators of the fraud will be beyond the jurisdiction of the U.S., usually in a country that is complicit in the fraud or lacks the resources to combat it. In these cases, an investor may assume that the money is lost; however, it may be possible to recover these losses under certain circumstances.

If, after a thorough investigation, it has been determined that a financial institution’s or financial services company’s computer network has been hacked and that the hack resulted from a lack of appropriate security, it may be possible to pursue the bank or financial services company under any one of several theories.[3]

[3] In many cases, the agreement establishing the account will require arbitration. Arbitration is a contract-based form of dispute resolution that, theoretically, allows for quicker dispute resolution than going to the courts. Discovery is typically very limited, and there are usually no effective appeals from a decision of a single arbitrator or a panel of arbitrators. These limitations usually tend to be more advantageous to the financial institution than to the consumer.

In the case of a bank, Article 4-A-202 of the Uniform Commercial Code provides that if “the bank accepts a payment order issued in the name of its customer as sender which is (a) not authorized and not effective as an order of the customer under Section 4-A-202, . . . the bank shall refund any payment of the payment order received from the customer. . .”. This generally means that the bank must act in a commercially reasonable manner to ensure that a payment order is valid. Recently, the U.S. District Court for the Southern District of New York, in the case of Essilor International SAS and Essilor Manufacturing (Thailand) Co. Limited v. JPMorgan Chase Bank, N.A., held that the plaintiff could proceed to trial under this UCC provision. The amount in controversy in that case exceeds $272 million.

Other causes of action available to people who have had their accounts with financial institutions and financial services companies hacked include breach of contract and negligence. Not every loss, however, is going to include breach of contract or fraud. Currently, the customer service agreements of many financial services companies specifically disclaim liability for simple negligence, something they are generally entitled to do. They also structure the agreements to exclude liability for hacked accounts. This is not to say that financial institutions and financial services companies cannot be held liable for these causes of action—they can be and are all the time—but these cases can be challenging.

Another possible avenue of recovery for the consumer is state data privacy law. All states and the District of Columbia now have data privacy laws that theoretically protect the personal private information of an account holder; however, these laws vary widely from state to state. In general, these laws require financial institutions to protect personal privacy information. When these laws are violated, however, the remedies available to the injured parties vary greatly. In Maryland, for example, any company storing a customer’s personal information has a duty to protect that information, and if it fails to do so, the customer may sue the company for the violation.

Across the border in Pennsylvania, however, the Pennsylvania Consumer Data Protection Act has not been passed by the State Legislature or signed into law. There is, therefore, no state statute protecting the data of the citizens of Pennsylvania. There is a Breach of Personal Information Notification Act, but it only requires companies to notify customers of a breach of the system and the compromise of personal information. The statute does not create a cause of action for customers injured by the data breach.

3. The Importance of a Thorough Investigation.

There are many ways that a computer system can be hacked, and the first step to recovering from a hack is to have an independent and highly qualified cybersecurity professional conduct a forensic investigation to determine the source of the hack, the manner in which the hack was carried out, and the damages associated with the hack. The IT person at the company is not the right person to conduct the investigation; nor is the department manager who knows a lot about computers.

This investigation will often go beyond an examination of a compromised computer or computer system. In the case of a former employee who steals data from his or her former employer, a review of surveillance videos or interviews of co-workers will often be necessary. Since a violation of the CFAA requires that the entry into the system be “unauthorized”, a review of company policies, procedures, and employees may be necessary to understand what the actual and implied scope of authority was at the time of the violation.

In many cases, a password or other identifying information used to wrongfully obtain access to an account will come from the account holder, who is tricked into providing protected information to the cybercriminal. A person generally cannot recover against a company when he or she provides access codes or passwords to a fraudster; however, there may be exceptions.

Banks and other financial services companies can and do block transactions they deem to be “suspicious”. What happens if a financial institution knows that a specific transfer is suspicious, possibly even fraudulent, but then allows the transfer to proceed anyway? Thus far, most courts have been protective of the banks, finding that the Uniform Commercial Code (UCC) imposes no duty on a bank to stop a suspicious transaction and that the UCC preempts other common law causes of action.

There is an emerging consensus that banks can and do have an obligation to prevent. The Consumer Financial Protection Bureau (CFPB) and the American Bankers Association have established “best practices” for dealing with the financial exploitation of the elderly; these best practices could give rise to a standard of care that could be legally enforced. Regulations under the Bank Secrecy Act could also establish a standard of care. These are areas that, in any event, should be explored in an investigation.[4]

[4] In Grinder v. Bank of America Corp., a U.S. District Court in Florida found that Bank of America had a duty under Florida’s Elder Abuse Statute to protect an elderly customer who had transferred a substantial amount of her life savings to an individual in Thailand.

4. Conclusion.

There are cybercriminals everywhere. They target the young, the elderly, businesspeople, families and family businesses, small and large corporations, non-profits, governments, and, in short, everyone. When cybercriminals strike, what can be done? The first thing the victim should do is contact the police and the Federal Bureau of Investigation (FBI) and report the crime. In most cases, however, there will not be an effective law enforcement solution. There are simply too many cases, and cybercrimes are extremely difficult to investigate. Cybercriminals are also frequently located overseas, beyond the jurisdiction of U.S. law enforcement.

This does not mean there is nothing that can be done; victims of cybercrime do have rights. These may involve legal actions against the hackers themselves and any corporation that aids in the hacking. We have successfully represented companies victimized by the hacking of a former employee, conducted at the behest of a new employer that sought the intellectual property of the company that was the victim of the hack. We have successfully represented individuals who have had their savings or investments stolen by hackers.

Each case is different, but if you or someone you know has been the victim of hacking or some other cybercrime, please contact us. We may be able to help.

Dennis Boyle
Founder / Partner

Mr. Dennis Boyle is an accomplished white-collar criminal defense and complex civil litigation attorney who practices throughout the United States and internationally.
