How Do You Sue an Unknown Hacker Who Steals Data through the Company Web Site

In Liberty Media Holdings, LLC. v. Does 1-59, 2011 WL 292128 *3 (S.D.Cal. Jan. 25, 2011) unknown individuals hacked into Liberty Media Holdings’ web servers and obtained “certain motion pictures” that it “reproduced and distributed . . . onto their local hard drives and other storage devices.” Not knowing the identity of these hackers Liberty Media Holdings filed a “John Doe” lawsuit alleging violations of three federal statutes: the Electronic Stored Communications Privacy Act, 18 U.S. C. §§ 2701 and 2702, violations of the Computer Fraud and Abuse Act (“CFAA”), 18 U.S.C. §1030 and copyright infringement in violation of 17 U.S.C. § 501.

What the case describes is a fairly typical scenario – unknown individuals hack into the company web site and steal valuable data. There is no indication of the identity of the hackers. The only traces left behind are Internet Protocol (“IP”) addresses assigned to the hackers, the Internet Service Providers (“ISP”) that provided the hackers with Internet access and the dates and times of the intrusions.

Rather than wait for law enforcement to investigate and prosecute, something that may or may not happen, taking the aggressive approach outlined by this case can have the same remedial impact as a criminal prosecution in stopping the illegal activity. It also does not preclude the matter from also being referred at any time to law enforcement. Here, what Liberty Media Holdings did can be adopted as a template by any company victimized by a computer hacker. It filed a lawsuit against the unknown hackers as John Doe defendants and then moved for immediate discovery to subpoena the ISPs “to identify the users of the IP addresses during the dates and times” found on its web site. Id. at 1.

In analyzing Liberty Media Holding’s request, the court relied on Columbia Ins. Co. v., 185 F.R.D. 573, 577 (N.D. Cal. 1999) that had “recognized that “(s)ervice of process can pose a special dilemma for plaintiffs in cases … in which the tortious activity occurred entirely on-line. The dilemma arises because the defendant may have used a fictitious name and address in the commission of the tortious acts.” ‘[W]hether discovery to uncover the identity of a defendant is warranted,” Columbia Ins. Co. required the plaintiff to meet the following three standards:

First, . . . identify the missing party with sufficient specificity such that the Court can determine that (the) defendant is a real person or entity that could be sued in federal court .

Second, . . . identify all previous steps taken to locate the elusive defendant.

Third, . . . establish to the Court’s satisfaction that plaintiff’s suit against (the) defendant could withstand a motion to dismiss … Plaintiff must make some showing that an act giving rise to civil liability actually occurred and that the discovery is aimed at revealing specific identifying features of the person or entity who committed the act.
Id., at 578-580.

Here, the court found that Liberty Media Holdings met all three criteria. First, the court found that it had sufficiently identified the defendants through the unique IP addresses and the ISPs that had provided the unknown defendants with their Internet access. The court also found that “the requested discovery is necessary for Plaintiff to determine the names and addresses of each Defendant who performed the allegedly illegal and infringing acts.” Id at *2.

Second, the court found that other than the IP addresses and their ISPs “there are no other measures Plaintiff could take to identify the Defendants.” Id.

Third, the court found that Liberty Media Holdings had three viable claims against the unknown hacker defendants for violations of the Electronic Stored Communications Privacy Act, the CFAA and Copyright Infringement. Thus, the court granted Liberty Media Holdings’ motion to take immediate discovery by issuing subpoenas against the ISPs and various cable operators for the identity of the names belonging to the IP addresses.

In short, any company that is victimized by an unknown hacker can provide these exact same justifications for immediate discovery to identify the hacker through an IP address by subpoenaing the ISP associated with the IP address.