How Do You Sue an Unknown Hacker?

The question was answered this week by a federal district court in Connecticut in the case of GWA, LLC v. Cox Communications, Inc. and John Doe, 2010 WL 1957864 (D.Conn. May 17, 2010). When a company computer is hacked, usually the only evidence available on the hacked computer to identify the hacker is the Internet Protocol (“IP”) address the hacker left behind. An IP address is a unique number that an Internet Service Provider (“ISP”) assigns to every computer that connects to the Internet through it.

Armed with the identity of the owner of the hacker’s IP address, the computer owner is able to file a federal lawsuit against the hacker under the federal Computer Fraud and Abuse Act (“CFAA”), Title 18, U.S.C. § 1030(g). The CFAA is the federal computer crime statute, which provides for civil relief for any victim who “suffers damage or loss by reason of a violation of” the statute. In GWA the district court granted a petition by a corporate plaintiff to obtain pre-action discovery from Cox Communications, the ISP owner of the IP address, to identify the ISP account associated with that address. The court relied upon Fed.R.Civ.P. 27, which permits discovery before the filing of a federal action to perpetuate testimony to “prevent a failure or delay of justice.” Rule 27(a)(3).

To obtain such pre-action discovery it is necessary under Rule 27(a)(1) to file a petition showing:

(A) that the petitioner expects to be a party to an action cognizable in a United States court but cannot presently bring it or cause it to be brought;
(B) the subject matter of the expected action and the petitioner’s interest;
(C) the facts that the petitioner wants to establish by the proposed testimony and the reasons to perpetuate it;
(D) the names or a description of the persons whom the petitioner expects to be adverse parties and their addresses, so far as known; and
(E) the name, address, and expected substance of the testimony of each deponent.

The court also held that the “petitioner must show that absent prompt discovery, the testimony might be lost to a prospective litigant without immediate action.” GWA at *1.

The court found that the Petitioner made a proper showing under Rule 27 including “that it expects to be a plaintiff in an action against respondent John Doe related to Doe’s alleged unauthorized access into its computer systems,” that it “described the expected adverse party, respondent John Doe, even if it is currently unable to identify that party,” and that the ISP “Cox Communications will not maintain the requested testimony as needed by petitioner and the information will be lost or destroyed.” Id.

In short, Rule 27 and the recently decided GWA case provide an aggressive road map companies can follow to identify and sue hackers who gain access to their computers to steal or destroy data. The key to using this procedural device to gather sufficient evidence to file a federal lawsuit against the hacker for violating the CFAA is the universally recognized fact that “[e]lectronic evidence can easily be erased and manipulated” and thus is likely to be lost or destroyed unless immediate action is taken to preserve it. Physicians Interactive v. Lathian Systems, Inc., 2003 WL 23018270 *10 (E.D. Va. Dec. 5, 2003).