Time Is Precious with Computer-Hacking Claims

A recent ruling shows that plaintiffs must act fast when using a federal criminal statute for a civil suit.

The U.S. Court of Appeals for the Second Circuit in August addressed the proper application of the statute of limitations to a civil action—in the context of allegations of malicious statements made on the Internet over a broken romance and sexual misconduct—brought under the federal computer crime statute, the Computer Fraud and Abuse Act (CFAA). The case was Sewell v. Bernardin.

The CFAA, primarily a criminal statute, permits those who have suffered damages or loss due to a violation of the CFAA to bring a civil action to obtain compensatory damages and injunctive relief. However, for the cause of action to be valid, it must be brought within two years “of the date of the act complained of or the date of the discovery of the damage.”

Sewell underscores the need for immediate action upon discovering a data breach to investigate and identify the perpetrator of the computer crime. Chantay Sewell sued her former boyfriend Phil Bernardin, who had gained access to her private AOL email and Facebook accounts through passwords he had allegedly gathered when visiting Sewell. She was the only authorized user of both accounts and never shared her passwords with Bernardin. According to her complaint, Sewell discovered that she could no longer log into her AOL account because someone had changed her email password. Shortly thereafter, malicious statements directed at Sewell linking her with “certain sexually transmitted diseases and sexual activities” were emailed from within her email account to her family and friends, whose contact information was contained in Sewell’s email account.

Some five months later, Sewell also discovered that her Facebook account had been compromised, and she was unable to log into her Facebook account. Shortly thereafter, someone posing as Sewell posted on Facebook similar malicious statements about Sewell’s “sex life.” After the Facebook discovery, Sewell filed a lawsuit alleging, among other things, two violations of the CFAA, one for the intrusion into her AOL account, and the other for the intrusion into her Facebook account.

In her complaint, Sewell alleged that Bernardin had obtained her passwords “without her permission.” A critical element of a CFAA violation is that the defendant accessed the accounts “without authorization.” Verizon records showed that Bernardin had used his computer to access Sewell’s AOL and Facebook accounts and changed Sewell’s passwords.

The district court dismissed the CFAA claims on the ground that “Sewell was ‘aware that the integrity of her computer had been compromised’” when she first discovered the change to her AOL password and that discovery started the running of the two-year statute. The Second Circuit affirmed the district court’s dismissal of the CFAA claim based on the AOL intrusion for failing to comply with the statute of limitations. However, it reversed the district court on the later Facebook CFAA intrusion, holding that the filing occurred within the CFAA’s two-year statute of limitations.

The Second Circuit faulted the district court for assuming that “because one password for one Internet account was compromised,” all of Sewell’s Internet accounts had been compromised. The appeals court took judicial notice “of the fact that it is not uncommon for one person to hold several or many Internet accounts, possibly with several or many different user names and passwords, less than all of which may be compromised at any one time.” The appeals court also pointed out that the CFAA claim on the AOL account was not premised on Sewell’s own physical computer but “on impairment to the integrity of a computer owned and operated by AOL.”

‘TROUBLING CONSEQUENCES’

The Second Circuit acknowledged that the statute of limitations “may have troubling consequences in some situations” because “the investigation necessary to uncover the hacker’s identity may be substantial.” One option the court recognized was for a plaintiff to file a John Doe lawsuit to uncover the hacker’s identity. However, the court emphasized that the hacker’s identity still must be discovered within two years because “Rule 15(c) does not allow an amended complaint adding new defendants to relate back if the newly-added defendants were not named originally because the plaintiff did not know their identities.”

Two district courts outside the Second Circuit recently granted expedited discovery requests to Internet Service Providers in John Doe CFAA actions to learn the identities of the hackers. Those are Jockey Club Information Systems v. John Doe, in the Eastern District of Kentucky, and Uber Technologies v. John Doe, in the Northern District of California. In Jockey Club the plaintiff alleged that the hackers “accessed and stole proprietary data” from its website using “sixty different internet protocol … addresses to make over one million requests per day.” In Uber the plaintiff was seeking to identify the hackers who accessed its website to steal “confidential details on the drivers” who use its “smartphone application that connects drivers and riders in cities all over the world.”

In both cases, the plaintiffs met the uniform good-cause standard for permitting expedited discovery, including showing: first, the John Doe defendant is a real person who can be sued; second, unsuccessful efforts to locate and identify the defendant; third, the action can withstand a motion to dismiss; fourth, discovery is likely to identify the defendants; and fifth, the likelihood that ISPs will not preserve the information sought.

The obvious takeaway from Sewell is that potential CFAA plaintiffs must act immediately to identify the perpetrator once a computer hack is discovered.

The ‘Safe Harbor’ Scheme Coming Under Challenge

By: Ron Moscona, a partner in Dorsey & Whitney’s London Office

The Court of Justice of the European Union (“CJEU”) held yesterday, in its decision in Schrems v. Data Protection Commissioner[1], that the decision of the European Commission of July 2000 which provides the legal basis under EU law for the “Safe Harbor” scheme is invalid.

Further, the CJEU held that the Irish Data Protection Commissioner, before whom the case was originally brought, must investigate the matter and decide whether the transfer of personal data to the U.S. by U.S. companies that signed up to the Safe Harbor scheme (Facebook, in the case at hand)  should be suspended on the grounds that the U.S. does not ensure an adequate level of protection to personal data transferred from the EU.

In this note we will explain the ramifications of this decision and our recommendations for U.S. companies that rely on the Safe Harbor scheme to process personal data collected in the EU in their data centres in the U.S.

The Safe Harbor scheme

EU data privacy legislation[2] restricts the transfer of personal data to any territory outside of the EU which does not provide adequate protection to privacy rights. The Safe Harbor scheme was set up in 2000 in order to facilitate the free flow of personal data to the U.S. (which, in general, is considered to be a jurisdiction that does not provide an equivalent level of protection to privacy rights as required under EU legislation). To bridge the gap, the Safe Harbor scheme proceeds on the basis of two elements: (i) a commitment by organisations participating in the scheme to abide by privacy rules reflecting the principles of EU data privacy legislation coupled with self-certification, and (ii) enforcement powers by U.S. agencies (predominantly the Federal Trade Commission). Participation in the Safe Harbor scheme is voluntary, but the rules are binding on those organisations that do so.

Background to the CJEU ruling

At the heart of the case that was brought before the CJEU is the controversy arising from the revelations made by Edward Snowden in 2013 in relation to the alleged mass surveillance of electronic communications carried out by the U.S. national security and law enforcement agencies. The EU would like to ensure that such surveillance activities by U.S. agencies are carried out proportionately, subject to proper judicial oversight and open to challenges by affected EU residents through the U.S. courts.

While U.S. authorities have publicly disputed the allegations of mass indiscriminate surveillance, the U.S. government has announced significant changes in its surveillance practices since the Snowden revelations broke out and the President has directed the intelligence and law enforcement authorities to ensure the same level of protection that U.S. law extends to U.S. citizens and residents to citizens of other countries whose data may be subject to surveillance. These steps were taken in order to address the concerns raised in Europe and in response to threats made by politicians across Europe to suspend data flows into the U.S.

In November 2013, in two Communications to the European Parliament and the EU Council, the EU Commission identified weaknesses in the Safe Harbor scheme and promised to rectify the situation. Since then, the EU Commission has engaged in negotiations with the U.S. government to address the issue of the protection of personal data flowing from the EU and to modify the Safe Harbor scheme. But a new deal has been stalled, most recently (as reported) by disagreements over provisions on data sharing with U.S. law enforcement agencies.

Over the last few days, since the publication of the Advocate General’s opinion in the Schrems case, both U.S. officials and their counterparts in the EU Commission have made public announcements claiming that a new deal for the Safe Harbor is near completion.

What did the CJEU decide?

The CJEU held that the decision of the EU Commission of July 2000 by which the Commission (in accordance with its powers under EU legislation) adopted the Safe Harbor scheme, is invalid. The Court considered that the Safe Harbor scheme provided too broad exceptions for national security, public interest and domestic legislation.

The Court’s decision to invalidate the decision of the Commission on the Safe Harbor was also informed by concerns raised in the EU Commission’s Communications to the Parliament and the Council of November 2013, by which the Commission raised concerns regarding the Safe Harbor scheme and the manner in which it operates in practice in the U.S. Among other issues, the Commission raised the issue of unrestricted access to personal data that is allegedly given to U.S. intelligence agencies by companies that signed up for the scheme, and the lack of judicial oversight over intelligence activities and legal redress for EU citizens whose data is jeopardised. The Court pointed out that similar matters were also identified by the Irish High Court (sitting on appeal on the decision of the Data Protection Commissioner) based on the evidence submitted in the Schrems case.

The other limb of the CJEU’s decision is that national regulators must investigate complaints alleging that a third party does not ensure an adequate level of protection to personal data – even if the EU Commission has found otherwise, in exercising its statutory powers.

Is it now unlawful to transfer personal data to the U.S. under the Safe Harbor scheme?

The CJEU’s decision does not hold that the transfer of data to the U.S. is unlawful. However, the decision means that there is now a high level of legal uncertainty. The CJEU invalidated the legal basis for the Safe Harbor scheme which means that the transfer of personal data under the scheme from any particular EU country to the U.S. might now be held by a national court or regulator in that EU country to be unlawful.

In the case at hand, a complaint was made by Maximillian Schrems, an Austrian resident and Facebook user since 2008, against Facebook Ireland (the European subsidiary of Facebook that contracts with European customers). The complainant asked that the Irish Data Protection Commissioner order Facebook Ireland to suspend the flow of personal data from the EU to the U.S. Facebook, like many other U.S. companies, relies on the Safe Harbor scheme to meet the requirements of EU law (in this case, as implemented in Ireland) in relation to the transfer of personal data for storage and processing in the U.S.

As a result of the decision of the CJEU, the Irish regulator is now required to investigate the complaint made by Mr. Schrems which alleges that the U.S. does not, by its domestic legislation and international commitments (that is, through the Safe Harbor scheme) ensure an adequate level of protection for personal data transferred to its territory.

Accordingly, the Irish Data Protection Regulator will now have to investigate the facts (including the legal position in the U.S.) and will be required to decide whether to order Facebook Ireland to suspend the flow of personal data to the U.S.

Equally, in view of the invalidation of the EU Commission’s decision on the Safe Harbor scheme, individuals throughout the EU can now file similar complaints to national data protection regulators seeking orders against companies that rely on the Safe Harbor scheme to suspend all data flows under the scheme. Courts and regulators could now hold that any transfer of data under the scheme (at least as of today’s date) is unlawful.

Does the decision spell the end of the Safe Harbor scheme?

Clearly, the scheme in its current form is now untenable. It may be only a matter of time before regulators across the EU will start issuing orders against companies that rely on the scheme to suspend all data flows in reliance on the scheme.

However, the Schrems case is unlikely to bring the scheme to an end. While there are alternatives (which will be discussed below), it is an extremely convenient tool, within the framework of EU law, which offers immeasurable economic benefits to participating companies as well as to the health of the digital economy in the EU and the U.S. in general. It is unlikely that the scheme would be abandoned.

As mentioned above, the U.S. has taken steps to address the privacy concerns that have arisen in Europe and it is currently in final negotiations with the EU commission to modify the Safe Harbor scheme and to address its alleged weaknesses.

Once a new agreement is reached between the U.S. and the EU Commission, it is likely that the Commission will, once again, use its powers under EU legislation and issue a decision recognising that the new agreement ensures an adequate level of protection for personal data transferred from the EU. A new agreement and a decision giving it legal effect in the EU may face new legal challenges, but it is safe to assume that a revised deal would be more difficult to invalidate. A new agreement on the Safe Harbor is therefore likely to restore legal certainty.

How should companies react in the meantime?

Any transfer of personal data to the U.S. under the Safe Harbor scheme can now be held unlawful. Even though there is a reasonable expectation that a new deal will be reached between the EU and the U.S., there is no way of telling how long it will take to emerge. Further, if the parties scramble to find a quick solution, it is more likely that challenges will be brought against it and there is a higher risk that such challenges might be successful.

It is advisable, therefore, for any companies that have so far relied on the Safe Harbor scheme, to consider the alternatives.

Statutory exceptions

Companies should be mindful of the various statutory exceptions to the rule restricting the transfer of personal data to countries that ‘do not ensure an adequate level of protection’ to privacy rights. These exceptions allow the transfer of data, for example, when it is “necessary for the conclusion or performance of a contract” or where “it is necessary or legally required on important public interest grounds, or for the establishment, exercise or defence of legal claims”. Similarly, there are various other circumstances where the transfer of data outside the EU is exempted from the restriction.

Companies should consider whether (or to what extent) they can rely on these exceptions rather than on the Safe Harbor scheme.

Data subject consent

While the different specific exceptions are unlikely to address the needs of large companies for mass data flows of customer, HR and other personal data that they process, one key exception could be relied on in some cases. That is, where the data subjects consent to the transfer of the data for processing in the U.S. (or any other country).

Many companies prefer not to seek the consent of thousands of individuals, whether customers, employees or other groups. Inevitably, there will be some proportion that would withhold their consent and the process of obtaining consents from numerous individuals may be cumbersome. However, obtaining the data subjects’ consent can be an ideal option in some cases. If the consent is properly obtained, the transfer of the data for processing in the U.S. (or in any other country to which consent was given) will be permitted.

We emphasise, however, that the consent itself must be obtained properly and meet applicable legal requirements that must be assessed on a case by case basis. A transfer of data to a third party is not restricted if it is made with the data subject’s consent. The consent itself can be challenged unless it is obtained properly. For example, in some EU countries, consent obtained from employees could be challenged on the grounds that it was not given freely. In many countries, consent obtained from consumers can be challenged if it is not given independently and on an informed basis.

Data transfer agreements and binding corporate rules

The most convenient alternative to the Safe Harbor scheme, however, is the route that is taken by numerous companies that transfer personal data for processing in the U.S. without signing up to the Safe Harbor scheme. That is, by putting in place “appropriate contractual clauses”.

EU legislation recognises that these contractual arrangements (based on standard language adopted in decisions of the EU Commission) may provide “adequate safeguards” for the transfer of data from the EU to countries which do not, in general, provide for an equivalent level of protection of privacy rights.

While there is no guarantee that the transfer of data under “appropriate contractual clauses” will not be challenged (as discussed below), it may be advisable for any company that currently relies on the Safe Harbor to put in place data export agreements compliant with EU legislation to ensure that its data flows are not held to be illegal. The process is simple and the agreement can be put in place between affiliated group companies. For instance, if it has not done so already, Facebook Ireland would be able to contract with its parent company in the U.S. (or with the relevant U.S. entity that processes data on behalf of Facebook) for the export of data from Ireland (and indeed from the whole of the EU) for processing in the U.S. This agreement will ensure that its data flows will not be at risk of being held unlawful.

There are a number of different types of standard contractual clauses (or data export agreements) that were approved by the EU Commission and companies will need to consider which ones are appropriate in each case.

The so-called “binding corporate rules” for the transfer of data among members of a multinational group are another method that was recognised as a legitimate way of transferring personal data from the EU for processing in countries that do not ensure an adequate level of protection to privacy rights.

Are the alternative routes for transferring data safe?

As mentioned above, in some cases, companies can rely on the statutory exceptions, most importantly, where data subjects’ consent has been obtained. This would be a very safe route to take as long as the validity of the consent cannot be easily challenged.

However, alternative routes such as “appropriate contractual clauses” and “binding corporate rules” are no more immune to legal challenges than the Safe Harbor scheme. In fact, particularly in view of the decision of the CJEU in the Schrems case, individuals and regulators could well decide to challenge these alternative arrangements.

Further, in some EU countries (although not in all of them) the transfer of personal data under a data export agreement (or other alternative methods, such as “binding corporate rules”) requires notification to the national regulator which has the power not to approve the agreement. If regulators believe that the transfer of personal data to the U.S. is unsafe due to the powers and activities of U.S. security agencies, they can refuse to permit the transfer of personal data by alternative methods such as under a data export agreement (notwithstanding that standard language for the agreement has been approved by the EU Commission). Further, regulators in member states will be able to determine that “contractual clauses” for the transfer of data or “binding corporate rules” do not ensure sufficient protection to data transferred to the U.S., for instance due to interference with such data by U.S. security agencies, and could therefore order such data flows to be suspended.

However, from a risk assessment point of view, companies must recognise that the Safe Harbor scheme (in its present form) has now been declared invalid by the highest court in the EU and therefore there is a clear risk that any data flows under the scheme would be held unlawful by national regulators and courts of law. Companies that continue to rely on the scheme could face significant penalties as well as private lawsuits. By contrast, there has been no determination yet that the transfer of data under an approved data export agreement is unlawful. Until such determination is made, the transfer of data under these agreements will remain lawful.

Longer term considerations

New data protection legislation has been in progress through the European Parliament, the EU member states and the EU Commission for a number of years now. The current drafts of the new legislation do not suggest a significant revision of the rules relating to the transfer of data to third party countries. However, the row following the Snowden revelations and the latest development in the Schrems case may prompt legislators to look further into the issue.

Much will depend on the success of the U.S. government and the EU Commission in reaching a satisfactory agreement that would ensure sufficient safeguards for the protection of privacy rights in respect of data transferred from the EU, while allowing legitimate intelligence gathering and law enforcement activities to continue in a proportionate, supervised and controlled manner.

It is likely that a resolution will be found (although it is impossible to know how soon). However, in the longer term, wider issues may be at play. Concerns for the protection of data and privacy in the digital age are growing, not only in the EU but around the world and among consumers. The free flow of data around the world in this age of cloud computing may come across different obstacles in the future. Governments recognise the economic value of that free flow of data, but consumers, legislatures and regulators are keen on protection. The EU is unlikely to relax its regime for the control of data transfers to third countries. Today the main issue is focused on national security and law enforcement; tomorrow other issues could arise.

Rising concerns over the protection of privacy could spell more controls and more obstacles to business. Already, the current proposals for a new EU data protection legislation suggest a much higher level of regulatory supervision of companies that process large amounts of personal data and the level of effort and investment that the law requires companies to put in order to comply with privacy rules is set to increase substantially. This could also mean that, in the longer term, the free flow of personal data from the EU may become subject to stricter controls and regulations.

At some point in the future, it may become inevitable that data collected in the EU will have to be processed in the EU territory and subject to the laws of the EU. Large companies should consider whether it may be prudent (or simply easier) to set up data centres in the EU to process their customer, HR and similar classes of personal data where they are collected. The legal position, however, has not gone that far yet. For now, alternative measures can be put in place to address the effective suspension of the Safe Harbor scheme and the likelihood is that the scheme will go back into operation sooner or later.

[1] Case C-362/14, Maximillian Schrems v. Data Protection Commissioner

[2] Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data