You are general counsel of a major online retailer. One morning your Chief of Information Technology comes into your office looking pale. He tells you that someone is "hacking" into your company's computer system and accessing restricted files. He says it is impossible to tell whether any files have been disseminated to competitors, but at least some sensitive information has been sent internally within the company to people without proper clearances. This, in fact, is how the company found out about the breach of security - an employee whose position was scheduled to be eliminated as part of a confidential reorganization plan received an email, from an anonymous address registered with Microsoft's "hotmail" service, spilling the beans. What do you do next?
This unfortunate scenario is unfolding with increasing frequency in corporate America.1 The dangers such "hacking" attacks pose to a business are enormous - depending on exactly how the hacker obtained access to the system, he or she could have access to the company's most sensitive documents, could be copying, altering or erasing them and could be sending them to competitors, or could be using that access to steal intellectual property and even cash from the company.2 Obviously, there is a paramount need to take swift action to stop the attacks and ensure the integrity of the company's computer systems. But you don't even know who this hacker is, much less the damage he or she has done.
The first step is to find out as much about the hacker's identity as possible. This may be done in-house depending on the expertise and experience of the IT staff, but the company may have to engage forensic computer experts to analyze the situation and, if possible, identify the culprit.3 (As with other expert retentions, it will help in maintaining attorney work product privileges if the consultants are retained through outside counsel.) Depending on the sophistication of the hacker, a fair amount of information can be obtained from the "Internet Header Information" included on email communications. Each email communication generates stored information regarding the sender of the email, the time the email was sent and the Internet Protocol ("IP") address through which the email was sent. An IP address is the numeric address of a computer connected to a local area network and/or the Internet.4 The format of an IP address is a 32-bit numeric address written as four numbers separated by periods. Each number can be zero to 255. For example, 1.160.10.240 could be an IP address. Within an isolated network, IP addresses can be assigned at random as long as each one is unique. Whenever a network or computer is connected to the Internet, however, a registered IP address must be used to avoid duplicates.
Assuming the hacker has not used software that routes Internet communications through untraceable IP addresses,5 the IP address of the hacker is an important first step to determining his or her identity. More often than not, the IP address will be traceable back to a particular Internet Service Provider ("ISP"). ISPs usually own "blocks" of IP addresses, in which only the last few digits differ, through which their customers connect to the Internet. The IP address either will be statically or dynamically assigned depending on the configuration of the ISP. An IP address of a static cable modem user constitutes a constant, traceable "fingerprint" of both the ISP provider and the specific user's computer terminal.
Here, however, the investigation may hit a proverbial brick wall. ISPs generally do not (or cannot) divulge their customers' personal identifying information in the absence of a court order or, in some cases, a valid subpoena.6 One option, therefore, is to file a "John Doe" complaint and obtain the proper process to obtain the hacker's identity from the ISP. This strategy, however, has at least one significant drawback. ISPs are obligated to notify their subscribers of the subpoena or court order "expeditiously" after its receipt.7 If you are dealing with a hacker who has even minimal familiarity with computers, he or she will know how, with a few quick and simple keystrokes, to erase vital evidence (such as log files of Internet use, files cached in the computer's memory) that may tie the hacker to the hacking activity. Obviously, the risk of spoliation is extremely high and therefore obtaining a court order and/or serving a subpoena, with the inevitable consequence of "tipping" the perpetrator off, may not be an attractive option.
Another option is to try to "sleuth" the identity of the subscriber yourself or with the assistance of an outside expert. Internet forensic experts maintain massive databases of historical information on Internet usage and may be helpful in tying an IP address to a physical address and/or person, such as by finding a posting with personal information tied to the same IP address. Once a physical identity is determined through this type of forensic technique, more traditional "Private Eye" techniques - surveillance, socially engineered email, phone or in-person encounters - can be employed to verify the identity of the hacker.
Now you know the identity of the hacker - how do you get relief and still avoid the risk of spoliation? First, determine the substantive law on which legal action will be based. There are a variety of federal and state laws that hacking may violate. These include: the Computer Fraud and Abuse Act ("CFAA"), 18 U.S.C.§ 1030; the Electronic Communications Privacy Act ("ECPA"), 18 U.S.C. § 2701, the tort of trespass, and depending on whether copies of materials were made, the Copyright Act, 17 U.S.C. § 101 et seq. The facts set forth above fall squarely within the CFAA.8
The CFAA is at its core an anti-hacking statute, and is therefore tailor-made to address the kind of misconduct at issue in this hypothetical.9 18 U.S.C. § 1030(a)(2) makes it illegal to "intentionally access[] a computer without authorization" and "thereby obtain[] . . . information from any protected computer if the conduct involved an interstate or foreign communication."10 Similarly, 18 U.S.C. § 1030(a)(5)(A)(iii) prohibits any person from "intentionally access[ing] a protected computer without authorization, and as a result of such conduct, causes damage." The CFAA defines a "protected computer" as "a computer . . . which is used in interstate or foreign commerce or communication. . . ."11 "Damage" under the CFAA means "any impairment to the integrity or availability of data, a program, a system or information."12 In addition, a civil action generally can be brought under the CFAA only if the plaintiff suffered "loss to 1 or more persons during any 1-year period . . . aggregating at least $5,000 in value."13 "Loss," furthermore, is defined broadly under the statute as "any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service."14
You have a solid legal basis for your lawsuit and you know who to sue. The question now is how do you proceed in a way that does not give your hacker friend a chance to deep six the evidence?
The solution may be in applying to the Court ex parte for an order authorizing the U.S. Marshal's Office to seize and impound the hacker's computer equipment, a similar remedy to that more typically used in trademark counterfeiting actions. Even without a specific impoundment remedy, as exists in the Copyright Act and the Lanham Act,15 Courts have the authority to issue such interim relief, ex parte, in any federal case pursuant to Fed. R. Civ. P. 65(b).16 Where there is a danger of destruction or hiding of the evidence, ex parte seizure and impoundment not only can be appropriate under Rule 65(b), but necessary to protect the integrity of the litigation process.17 "Furthermore, [a] [p]laintiff need not show that a particular Defendant would not adhere to a TRO but rather only that someone like the Defendant would be likely to hide or destroy the evidence of his [illegal] activity" to warrant relief.18
Under these circumstances, removing from the hacker's possession his or her computer's hard drive files and any storage medium, such as CD-ROMs, floppy disks or zip drives on which he or she may have stored materials from the Company's servers, may be the only way to prevent the hacker from easily concealing, disposing of or destroying the evidence of his violations of the CFAA that were committed.19 Courts therefore have approved narrowly drawn seizure orders as necessary to preserve the status quo until a hearing is held. In In the Matter of Vuitton et Fils S.A., 606 F.2d 1, 5 (2d Cir. 1979), for example, the Second Circuit issued a writ of mandamus ordering the district court to issue an ex parte temporary restraining order to assist the petitioner in its trademark infringement case. The district court had denied the application for such an order because the adverse parties were known to the petitioner. The Second Circuit, however, found that, if notice were given to the alleged infringer, it was highly probable that the infringer would dispose of the infringing goods before the hearing. This finding was based on the petitioner's description of its experience in other similar cases in which the action became futile after defendants disposed of their inventories before the courts could issue orders and hold hearings.20
Even the Supreme Court has acknowledged the constitutionality of ex parte seizures,21 and courts across the country have issued seizure orders pursuant to Rule 65(b) to prevent the spoliation of evidence and further wrongful acts.22 That is not to say that such orders are matters of routine,23 but in the appropriate circumstances and when narrowly tailored,24 such relief may be the most effective way to pursue claims involving illegal computer hacking.1 See Adam Piore, Hacking for Dollars, www.msnbc .com/id/3706599 (hacking attacks against corporate servers, web sites, etc. sharply on the rise; "The average U.S. company is now attacked 30 times a week.").
2 Piore, supra n.1 (recounting how one Russian hacker stole $300,000 in one year from various U.S. companies).
3 Several firms, such as Kroll Associates and the Internet Crimes Group, offer such forensic services.
4 See Register.com v. Verio, Inc., 356 F.3d 393, 407 (2d Cir. 2004) (IP address is "a unique identification of the location of an end-user's computer").
5 See, e.g., www.iprivacytools.com (visited June 7, 2004) (software that purports to allow "anonymous" web surfing by routing communications to IP addresses in "15 different countries").
6 See 47 U.S.C. §551(c)(2)(B) (cable company can divulge customer information only pursuant to court order and on notice to subscriber); Recording Industry Association of America, Inc. v. Verizon Internet Services, 351 F.3d 1229 (D.C. Cir. 2003) (quashing subpoenas issued under the Digital Millennium Copyright Act ("DMCA") for identity of subscribers in copyright infringement case; subpoena provisions apply only in cases where ISP itself is storing or maintaining infringing files).
7 17 U.S.C. § 512(h)(4); 47 U.S.C. § 551(c)(2)(B).
8 The conduct, as mentioned, may well violate other laws, a discussion of which is beyond the scope of this article. As a strategic matter, the plaintiff should consider whether or not to pursue alternative theories at the preliminary stage. If the plaintiff is seeking immediate injunctive relief and/or an ex parte order, it may be a sound strategy to seek such relief based on a single straightforward legal theory while preserving others in the pleadings.
9 See, e.g., YourNetDating, LLC. v. Mitchell, 88 F. Supp.2d 870 (N.D.Ill. 2000) (granting TRO to prevent company's former IT employee from "hacking" into company's website to divert Internet traffic to other websites); Physicians Interactive v. Lathian Sys., Inc., , 2003 WL 23018270, at *5-*7 (E.D. Va. Dec. 5, 2003) (granting temporary restraining order and preliminary injunction under CFAA to prevent future "hacks" into plaintiff's web servers).
10 See America Online, Inc. v. National Health Care Discount, Inc., 121 F. Supp.2d 1255, 1275 (N.D. Iowa 2000) (defendant obtained information within meaning of statute when it hacked into plaintiffs' system to retrieve email addresses); see also United States v. Middleton, 231 F.3d 1207 (9th Cir. 2000) (former employee's unauthorized logging into former employer's computer system falls within the activity prohibited by the CFAA).
11 18 U.S.C. § 1030(e)(2)(B).
12 18 U.S.C. § 1030(e)(8). See Shurgard Storage Centers, Inc. v. Safeguard Self Storage, Inc., 119 F. Supp.2d 1121, 1126-27 (W.D. Wash. 2000) (plaintiff suffered "damage" when hacker accessed trade secret information on plaintiff's system).
13 18 U.S.C. § 1030(g) ("A civil action for a violation of this section may be brought only if the conduct involves 1 of the factors set forth in clause (i), (ii), (iii), (iv) or (v) of subsection (a)(5)(B)"). The $5,000 loss requirement is set forth in clause (i) of subsection (a)(5)(B).
1418 U.S.C. § 1030(e)(11). See Physician's Interactive, 2003 WL 23018270, at *6 ("loss under the CFAA includes remedial and investigative expenses incurred by the plaintiff") (collecting cases); Middleton, 231 F.3d at 1210-12 (loss includes costs to "restore the data, program, system, or information that" was found damaged or cost to implement measures which were "reasonably necessary to resecure the data, program, system, or information from further damage"); Fischer v. Mt. Olive Lutheran Church, Inc., 207 F.Supp.2d 914, 926 (W.D. Wisc. 2002) (holding that loss encompasses remedial expenses), EF Cultural Travel BV v. Explorica, Inc., 274 F.3d 577, 584 (1st Cir. 2001) (remedial and investigative expenses).
15 15 U.S.C. § 1116; 17 U.S.C. § 503.
16 See Comcast of Illinois X, LLC v. Till, 293 F. Supp.2d 936, 938-39 (E.D. Wisc. 2003) (clarifying that Rule 65 governs ex parte seizure orders).
17 See Charles Alan Wright, Arthur R. Miller & Mary Kay Kane, FEDERAL PRACTICE & PROCEDURE § 2951 n.13 (2004) (ex parte relief under Rule 65(b) appropriate where necessary to "preserve property" or evidence "which might be destroyed as soon as notice is given."); Century Home Entertainment, Inc. v. Laser Beat, Inc., 859 F. Supp. 636, 638 (E.D.N.Y. 1994) ("[I]t is the norm in this district that where a danger of destruction or hiding of the evidence exists to grant ex parte orders of seizure.").
18 Laser Beat, 859 F. Supp. at 639 (emphasis added).
19 WRIGHT & MILLER § 2951 n. 13 (ex parte seizure order appropriate when spoliation would "render fruitless further prosecution of [the] action").
20Vuitton, 606 F.2d at 5.
21 Mitchell v. W.T. Grant Co.., 416 U.S. 600 (1974).
22 See, e.g., Columbia Pictures Indus., Inc. v. Jasso, 927 F. Supp. 1075 (N.D. Ill. 1997); MPOW, Inc. v. MRLJ Enters., 584 F. Supp. 132 (D.D.C. 1984); see also Laser Beat, 859 F. Supp. at 638 (collecting cases).
23 See D.C.I. Comp. Sys., Inc. v. Pardini, 1990 WL 180251 (E.D. Cal. 1990) (sanctioning plaintiffs' counsel for seeking ex parte seizure order in trade secret case where there was no imminent risk of spoliation and where application in support of such relief contained misstatements of fact).
24 Such narrow tailoring should include a commitment to work with law enforcement to conduct the seizure with professionalism and to work diligently to return to the hacker, as quickly as feasible, all files on his computer that are not relevant to this lawsuit and otherwise to cooperate in all reasonable ways to minimize the disruption caused by the removal of the hacker's computer and computer files.
Published July 1, 2004.
