
Cyber-Extortion: Duties and Liabilities Related to the Elephant in the Server Room

Abstract

This is a comprehensive analysis of the legal frameworks related to cyber-extortion - the practice of demanding money in exchange for not carrying out threats to commit harm that would involve a victim's information systems. The author hopes it will catalyze an urgently needed discussion of relevant public policy concerns. Cyber-extortion has, by all accounts, become a common, professionalized and profit-driven criminal pursuit targeting businesses. 17% of respondents in a recent survey indicated having received a cyber-extortion demand. An additional 13% of respondents were not sure if their business had received such a demand. Awareness of the risks of cybercrime has spread. Advancements have been made in the field of cyber-security. Furthermore, statutes, regulations and recent FTC settlements have begun to articulate a minimum standard of care that businesses should maintain with regard to the security of information systems. Yet not all businesses have taken readily available precautions. To complicate matters, cyber-extortions often involve a threat to commit a harm using hijacked networks of computers owned by other businesses. Thus, an analysis specifically dedicated to cyber-extortion is required because of the unique web of liabilities that may arise from a typical cyber-extortion scenario. This article first reviews the available means for prosecuting or recovering damages from a cyber-extortionist. The article then considers the duties and potential liabilities of businesses that are victims of cyber-extortion. For example, an extortionist may follow through on a threat to disclose or sell private customer data, resulting in the targeted enterprise being liable to its customers. However, a victimized business could conceivably recover damages from a business that failed to take adequate steps to secure its information systems, such that its systems became the tools of the crime.
This article reviews current trends and possible theories for recovering damages in such a scenario. This article has a companion piece - Cyber-Extortion: The Elephant in the Server Room - which was co-authored with Dr. Timothy Shea, Associate Professor of Management Information Systems at the Charlton College of Business at UMass Dartmouth. The companion piece is currently under review but is also available on www.ssrn.com. That article describes in greater detail the phenomenon of cyber-extortion, explores why attorneys are apparently the last to know when their clients are the victims of cyber-crime and recommends proactive steps that attorneys may take to prevent or mitigate the impacts of cyber-extortion.
CYBER-EXTORTION: DUTIES AND LIABILITIES RELATED TO THE ELEPHANT IN THE SERVER ROOM
Adam J. Sulkowski 1
I. INTRODUCTION
Cyber-extortion—demanding money or something else of value in
exchange for not carrying out threats to commit harm that would involve the
victim’s information systems—is an evolving and costly form of criminal
activity.2 The title of this article reflects the fact that cyber-extortion, like the
proverbial elephant in the room, is a large problem which has not been
thoroughly discussed. This article fills a conspicuous void in existing
scholarly and practitioners’ literature by comprehensively analyzing the legal
frameworks that apply to cyber-extortion and by discussing relevant public
policy concerns.
The only publicly available survey that has addressed cyber-extortion to
date, a 2004 Carnegie Mellon University (CMU) survey of 100 companies,
found that 17% of small and midsize businesses had been the target of some
form of cyber-extortion.3 A further 13% of respondents were unsure if their
company had been targeted.4 A common tactic in cyber-extortion scenarios is
1. Assistant Professor of Business Law, Charlton College of Business, University of Massachusetts
Dartmouth. J.D., M.B.A. Boston College. The author wishes to acknowledge those who lent their expert
opinions, editorial input, or other assistance, including: Dr. Christopher T. Pierson, attorney with Lewis and
Roca LLP’s cybersecurity and intellectual property practice groups and President of the Phoenix, Arizona
Infragard chapter; Special Agent Shelagh Sayers of the Federal Bureau of Investigation; Robert Richardson,
Editorial Director of the Computer Security Institute; William A. Brandt, Jr., litigation and information
management consultant; and Blake A. Bell, senior knowledge management counsel with Simpson Thacher &
Bartlett LLP. Thanks are also due Dr. Timothy Shea, Associate Professor of Management Information
Systems at the Charlton College of Business at University of Massachusetts Dartmouth for inviting me to
collaborate in researching the phenomenon of cyber-extortion, and to graduate students Adam Silva (MBA,
Charlton College of Business, University of Massachusetts Dartmouth) and Eddy Robert (MBA, Charlton
College of Business, University of Massachusetts Dartmouth, JD, Southern New England School of Law) for
their preliminary research on the phenomenon of cyber-extortion.
2. Gregory M. Bednarski, Enumerating and Reducing the Threat of Transnational Cyber Extortion
against Small and Medium Size Organizations, INFORMATIONWEEK, Sept. 2004, at 21,
http://www.infinitel00p.com/library/InformationWeek-CMU_Cyber_Extortion_Study.pdf.
3. Id. at 13 illus. 23.
4. Id. The 2005 annual CSI/FBI Computer Crime and Security Survey did not separately measure
cyber-extortion incidents, but listed as the second through eighth most-frequently occurring computer crimes,
102 JOURNAL OF LAW, TECHNOLOGY & POLICY [Vol. 2007
to threaten to incapacitate a victim’s transactional Web site or other
components of its information system.5 This is known as a denial-of-service
(or DoS) attack.6 One way to succeed with a DoS attack—and a means for
cyber-extortionists to conceal their identity—is to hijack the information
systems of unsuspecting businesses or other enterprises and use these hijacked
information systems as the tools for incapacitating the targeted victim’s Web
site or systems.7 When a network of hijacked computers is used to overwhelm
a victim’s system, the attack is called a Distributed Denial of Service (DDoS)
attack.8 Available evidence suggests that cybercriminals are employing
increasingly sophisticated techniques and are increasingly motivated by the
pursuit of financial gain.9
It bears pointing out at the outset that the scarcity of case law on the topic
of cyber-extortion to date means that legal questions related to cyber-extortion
are not fully resolved. Specifically, U.S. courts have not grappled with the
liability of professionals whose duties include protecting information systems
and who fail in those duties when a cyber-extortionist follows through on a
threat to disrupt businesses and cause harm. The state of the art in computer
security and crime is advancing and awareness of risks has spread.10 Even
minimum acceptable standards of care are arguably becoming established.11
Therefore, to both legal scholars and practitioners, cyber-extortion scenarios
present an evolving web of responsibilities and possible liabilities that will
demand scrutiny in the coming years. This article hopefully will serve as a
catalyst to that much-needed debate.
The legal and business ramifications of a typical cyber-extortion scenario
can be significant, ranging from liability for the abuse of private customer data
to unwittingly allowing one’s information system to be hijacked and used as a
tool to commit an attack on another company in the context of a DDoS
attack.12 Given the costs associated with cyber-extortion and the huge
in sequence: denial-of-service attacks, telecommunications fraud, unauthorized access to information, virus
deployment, financial fraud, insider abuse of Internet access and system penetration – all of which can be
elements of cyber-extortion – while the most common form of computer crime was laptop or mobile device
theft. LAWRENCE A. GORDON ET AL., 2005 CSI/FBI COMPUTER CRIME AND SECURITY SURVEY 12-13 (2005),
available at http://www.cpppe.umd.edu/Bookstore/Documents/2005CSISurvey.pdf [hereinafter 2005
SURVEY] (discussing why separate statistics need to be tracked for cybercrime, and reviewing available data
sources). See generally Susan W. Brenner, Cybercrime Metrics: Old Wine, New Bottles? 9 VA. J.L. & TECH.
13 (2004) (discussing the “utility and viability” of keeping cybercrime statistics separately from other crime
statistics).
5. Bednarski, supra note 2, at 21.
6. Id.
7. Id.
8. Id. at 3 n.2.
9. For a discussion of technical details and data indicating that cyber-extortionists are becoming more
professional, see Adam J. Sulkowski & Timothy Shea, Cyber-Extortion: The Elephant in the Server Room
(Jan. 8, 2007) (unpublished manuscript), http://papers.ssrn.com/sol3/papers.cfm?abstract_id=955969. The
article also investigates why attorneys are generally the last to be informed of a cyber-security breach and
suggests action steps that attorneys can take to prevent and mitigate the harm of cybercrimes. Id.
10. Bednarski, supra note 2, at 14.
11. Id. at 3-4, 8-19.
12. See id. at 9-13 (listing the survey results of questions concerning preparedness against cybercrimes
and the potential consequences of those crimes).
No. 1] CYBER-EXTORTION 103
potential pool of malfeasors, targets, and third party plaintiffs, it is vital to raise
awareness of this form of crime, enhance knowledge of legal remedies and
responsibilities, and consider the policy implications of holding businesses
responsible for the security of their information systems.
However, companies and their employees do not seem to be taking the
threat very seriously.13 The 2004 CMU survey reports that respondents
believed that they were not likely to become victims of cyber-extortion
attempts: 68% responded that they were at no or low risk of such an attack.14
Only 21% of the companies had formal training programs to teach employees
how to respond to security breaches and only 37% had performed security
assessments within the six months prior to being surveyed.15 These pieces of
information are all the more troubling because 45% of survey respondents
expressed a lack of confidence in the ability of their technical department to
respond to security incidents.16 While the annual CSI/FBI Computer Crime
and Security Survey indicates that the adoption of information security
precautions is slowly increasing, respondents on average do not believe that
their companies adequately invest in information security awareness training.17
According to the 2004 CSI/FBI Computer Crime and Security Survey, DoS
attacks accounted for over $26 million in losses, the largest share of the
$141,496,560 in total losses reported by 269 respondents.18
Therefore, while extensive statistical data is not publicly available, and while
existing information is not completely consistent, it is clear that cyber-
extortion is a significant problem for the business community.
The legal community needs to be aware of both the legal framework for
prosecuting cyber-extortionists and the vast potential web of liabilities that
may arise in the context of a cyber-extortion. Part II investigates the legal
framework for prosecuting and recovering damages from the perpetrators of
cyber-extortions. Part III will examine the duties and potential liabilities of
businesses that fail to protect themselves from being the victims or unwitting
accomplices of cyber-extortionists. Part IV will discuss the policy implications
of holding businesses accountable for the security of their information systems.
13. Id. at 10.
14. Id.
15. Id. at 10, 12.
16. Id. at 13.
17. LAWRENCE A. GORDON ET AL., 2006 CSI/FBI COMPUTER CRIME AND SECURITY SURVEY 13 (2006),
available at http://i.cmpnet.com/gocsi/db_area/pdfs/fbi/FBI2006.pdf; 2005 SURVEY, supra note 4, at 17-18.
18. LAWRENCE A. GORDON ET AL., 2004 CSI/FBI COMPUTER CRIME AND SECURITY SURVEY 10 (2004),
available at http://www.reddshell.com/docs/csi_fbi_2004.pdf.
II. LEGAL FRAMEWORK FOR PROSECUTION AND CIVIL LIABILITY OF CYBER-EXTORTIONISTS
A. Defining Cyber-Extortion
As defined by the Hobbs Act, extortion is “the obtaining of property from
another, with his consent, induced by wrongful use of actual or threatened
force, violence, or fear, or under color of official right.”19 As elaborated upon
below, extortion is a criminal act under federal and state laws.20 Cyber-
extortion involves the added element of a threat of committing a wrongful act
involving computers or information systems.21
Courts interpret the definition of extortion—specifically, what constitutes
a threatened wrongful act—broadly.22 Blackmail threats—even those that are
intended to enforce a legal right—may constitute extortion.23 Thus, attempting
to embarrass a victim into paying an overdue bill may constitute extortion,24 as
may the attempt to humiliate someone into paying a valid court judgment.25
Cyber-extortions often comprise three distinct illegal acts: the
threat, the act (if committed), and often a preliminary criminal act to make the
threatened act credible.26 For example, as described below: the threat to
19. 18 U.S.C. § 1951(b)(2) (2000).
20. See, e.g., United States v. Jackson, 986 F. Supp. 829, 831 (S.D.N.Y. 1997) (listing indictments of
defendants for extortion under the Hobbs Act and New York penal law).
21. Cyberextortion: Information from Answers.com, http://www.answers.com/topic/cyberextortion?cat:technology (last visited Oct. 6, 2007).
22. See United States v. Jackson, 180 F.3d 55, 65-71 (2d Cir. 1999) (discussing at length the definition
of extortion and precedent cases, and legislative history and intent of the Hobbs Act).
23. At least one scholar has maintained a restricted definition of extortion which requires that the
threatened act be criminal; such a definition places some blackmail scenarios into a separate category.
Bednarski, supra note 2, at 3. Besides being consistent with court precedents, the author has decided to
maintain a broad definition because it is his opinion that: (1) cyber-extortion is under-reported, (2) not widely
discussed, and (3) is relatively unexplored territory for scholars, attorneys, managers, and courts. Id. at 2-3.
Therefore, there is reason to believe that whatever data has been collected has at times been reported by
individuals without knowledge or concern for precise differences in the definitions of cyber-extortion versus
cyber-blackmail. Thus, it is not only consistent with court precedent, but more consistent with common
understanding and usage of those reporting the cited data to maintain the broad definition of extortion.
24. The only exception may be instances of blackmail where the disclosed facts have a reasonable nexus
to the pursuit of a legal right, such as threatening disclosure of non-payment of dues or a consumer complaint.
Jackson, 180 F.3d at 70-71. Otherwise, as pointed out by the Second Circuit, the truth of the damaging
allegations underlying the threat is not a defense to a charge of extortion. Id. at 66 (citing Keys v. United
States, 126 F.2d 181, 185 (8th Cir. 1942), cert. denied, 316 U.S. 694 (1942); United States v. Von der Linden,
561 F.2d 1340, 1341 (9th Cir. 1977) (per curiam), cert. denied, 435 U.S. 974 (1978). Cf. United States v.
Pascucci, 943 F.2d 1032, 1033-34, 1036-37 (9th Cir. 1991)).
25. The Washington Supreme Court recently ruled that attempting to embarrass a former girlfriend into
paying a valid court judgment of $5000 by posting nude photographs online and mailing them to third parties
constituted extortion under Washington’s extortion statute. State v. Pauling, 69 P.3d 331, 337 (Wash. 2003)
(citing United States v. Jackson, 180 F.3d 55 (2d Cir. 1999)).
26. See, e.g., United States v. Ivanov, 175 F. Supp. 2d 367, 369 (D. Conn. 2001) (describing the factual
situation where the defendant threatened financial ruin via illegal access into their information systems after
disrupt information systems with the goal of extorting money is a crime; if the
threat is fulfilled, the act of disrupting information systems is itself a crime,
and a credible threat to disrupt information systems typically involves showing
that the information system’s security has already been breached, which is also
a crime.
B. What Has Worked: the Case of United States v. Ivanov27
Out of a handful of colorful, headline-grabbing arrests, only one court
opinion was available in Westlaw as of early 2007 that substantively explored
the bases for establishing jurisdiction and liability in the context of a cyber-
extortion: United States v. Ivanov.28 Furthermore, as of 2007, there was no
scholarly article available that was dedicated to the topic of cyber-extortion.
The following Parts discuss United States v. Ivanov and the statutes that
comprise the legal framework applicable to cyber-extortionists.
The fact pattern of United States v. Ivanov was paradigmatic of headline-
grabbing cyber-extortion cases: from Russia, Aleksey Ivanov accessed the
information system of a Connecticut-based Web site-hosting and credit card
processing company.29 The government claimed that defendant Ivanov’s e-
mailed offer to help protect the company from having its data destroyed in
exchange for $10,000 amounted to extortion.30 The published court opinion
deals with a motion to dismiss indictments for extortion, computer fraud,
conspiracy, and possession of unauthorized access devices (credit card
information) for lack of subject-matter jurisdiction.31 The court opinion
explains why subject-matter jurisdiction was proper under the Hobbs Act, the
Computer Fraud and Abuse Act, and the Access Device Statute alike, despite the
fact that the defendant was not in the U.S. at the time of his alleged criminal
acts.32
The next five Parts describe Ivanov’s lessons for establishing jurisdiction
and applying relevant federal statutes to the context of cyber-extortion.33 The
having already illegally accessed those systems in order to send out a series of unsolicited e-mails).
27. Id.
28. Id. Since then, one case has cited to United States v. Ivanov. See Robert Diaz Assoc. Enter., Inc. v.
Elete, Inc., No. 03-CV-7758-DFE, 2004 WL 1087468, at *5 (S.D.N.Y. May 14, 2004) (finding, as in Ivanov,
that for jurisdictional purposes, the Computer Fraud and Abuse Act should be interpreted to apply where a
defendant intended harm to occur, even if the technology that facilitated or allowed the harm to be perpetrated
is physically located elsewhere). One similar case yielded a court opinion that specifically addressed the
discrete issue of evidence gathering. See United States v. Gorshkov, No. CR00-550C, 2001 WL 1024026, at
*4 (W.D. Wash. May 23, 2001) (holding that copying of computer data without a warrant when there was fear
that the evidence would be destroyed if the government was to wait was reasonable under the Fourth
Amendment). Otherwise, as mentioned above, only one other opinion discusses extortion and computers, in
the context of a man using both conventional mail and the Internet to publicize nude photos of his ex-girlfriend
in an effort to embarrass her into paying a valid court judgment in his favor. Pauling, 69 P.3d at 332-34. The
only somewhat novel holding of this case is that under Washington’s extortion statute, the use of blackmail to
pressure a victim into paying a legal debt or judgment constitutes second degree extortion. Id. at 337.
29. Ivanov, 175 F. Supp. 2d at 369.
30. Id.
31. Id.
32. Id. at 370.
33. For a detailed analysis of various alternative cybercrime scenarios and how federal statutes would be
subsequent five Parts will consider additional grounds for prosecuting cyber-
extortionists and for civil lawsuits against cyber-extortionists.
1. Acquiring Jurisdiction
In Ivanov, Judge Thompson relied on two rationales for concluding that
he had jurisdiction over the case. First, the intended and actual harm of the
defendant’s actions in Russia occurred in the United States.34 This on its own
would allow for jurisdiction to be exercised by a U.S. court over a foreign
defendant under any of the laws relevant to the case. Second, Judge Thompson
reasoned that Congress intended that all three statutes under which the
defendant was charged were intended by Congress to apply extraterritorially.35
The opinion describes how the statutes were interpreted or amended to
explicitly cover foreign, in addition to interstate, contexts.36
2. The Hobbs Act37
The Hobbs Act of 1946, in relevant part, states:
"Whoever in any way or degree obstructs, delays, or affects commerce or the movement of any article or commodity in commerce, by robbery or extortion or attempts or conspires so to do, or commits or threatens physical violence to any person or property in furtherance of a plan or purpose to do anything in violation of this section shall be fined under this title or imprisoned not more than twenty years, or both."38
The Hobbs Act was the main piece of federal legislation criminalizing
extortion in the pre-Internet era.39 As Ivanov demonstrates, the Hobbs Act
would have allowed for the prosecution of cyber-extortionists even before the
passage of modern computer crime legislation (since amended to cover
extraterritorial contexts), and it has been interpreted to apply to threats
originating from abroad.40
applied in other contexts, see Eric J. Sinrod & William P. Reilly, Cyber-Crimes: A Practical Approach to the
Application of Federal Computer Crime Laws, 16 SANTA CLARA COMPUTER & HIGH TECH. L.J. 177, 189-203
(2000), available at http://www.sinrodlaw.com/cybercrime.doc.
34. Ivanov, 175 F. Supp. 2d at 370-73.
35. Id. at 373.
36. Id. at 373-75.
37. 18 U.S.C. § 1951 (2000).
38. 18 U.S.C. § 1951(a).
39. Ivanov, 175 F. Supp. 2d at 373. Judge Thompson noted that the U.S. Supreme Court characterized
the Hobbs Act as speaking “in broad language.” Id. (citing Stirone v. United States, 361 U.S. 212, 215
(1960)).
40. Judge Thompson then explained how the Third Circuit, relying in part on Stirone, concluded that:
“[E]ven if none of the [defendants’] overt acts had occurred in this country . . . Congress could give the
district court jurisdiction under the commerce clause so long as [the defendants’] activities affected [the
3. Computer Fraud and Abuse Act
The Computer Fraud and Abuse Act of 1986 (CFAA) contains several
sections that are related to cyber-extortion.41 CFAA has also been referred to
as the leading federal legislation applicable to a DDoS attack.42
It is helpful to begin this analysis of the relevant sections of the CFAA
with a step-by-step dissection of the elements of a typical cyber-extortion
attempt. First, unauthorized access to an information system with intent to
defraud is often one element of a typical cyber-extortion attempt.43 Second, by
accessing the information of a business or any other enterprise, the extortionist
effectively obtains something of value from another.44 Third, intentionally
accessing protected computers via interstate or foreign communications for the
purposes of financial gain or committing a criminal act are typical components
of cyber-extortion.45 Finally, cyber-extortion is often completed by
communicating a threat to damage some component of the accessed
information system.46
All four of the components above are criminalized by the CFAA and were
charged against defendant Ivanov.47 Knowingly accessing a protected computer
with intent to defraud, and thereby obtaining anything of value, violates
§ 1030(a)(4),48 with the penalty set out in § 1030(c)(3)(A).49 Intentionally
accessing a protected computer and obtaining information via interstate or
foreign communications violates § 1030(a)(2)(C), and § 1030(c)(2)(B) increases
the penalty where this is done for financial gain or in furtherance of a
criminal act.50 Finally, transmitting a threat to cause damage via interstate or
foreign communications violates § 1030(a)(7), which is likewise punishable under
§ 1030(c)(3)(A).51 Section 1030(a)(7) explicitly brings extortion attempts within
the ambit of the statute:
[Whoever] with intent to extort from any person . . . any
money or other thing of value, transmits in interstate or
foreign commerce any communication containing any
threat to cause damage to a protected computer; shall be
punished as provided in subsection (c) of this section.52
victim’s] commercial ventures in interstate commerce within the United States.” Id. at 373 (citing to
United States v. Inigo, 925 F.2d 641, 648 (3d Cir. 1991)).
41. 18 U.S.C. § 1030.
42. Jerry Wegman & Alexander D. Korzyk, Internet Denial of Service Attacks: Legal, Technical and
Regulatory Issues, 7 J. OF LEGAL, ETHICAL AND REG. ISSUES, 43, 48 (2004), available at
http://www.cbe.uidaho.edu/wegman/blaw265/DOS%20paper%20AA%202003%20web.htm; Aaron Burstein,
A Survey of Cybercrime in the United States, 18 BERKELEY TECH. L.J. 313, 320-21 (2003).
43. 18 U.S.C. § 1030.
44. Id.
45. Id.
46. Id.
47. United States v. Ivanov, 175 F. Supp. 2d 367, 374-75 (D. Conn. 2001).
48. 18 U.S.C. § 1030.
49. Id.
50. Id.
51. Id.
52. Id.
Section 1030(e)(8) defines “damage” as any “impairment to the integrity
or availability of data, a program, a system, or information” that either causes
at least a $5000 loss within a one-year period, interferes with medical
diagnosis or treatment, causes physical injury to a person, or threatens public
health or safety.53 The meaning of damage under the CFAA has been
interpreted broadly, such that overwhelming a system with a large volume of
e-mail has been held to constitute damage under the CFAA.54 Individuals
may be convicted of unauthorized access to a computer under the CFAA
without intending to do harm.55
Significantly, § 1030(g) of the CFAA allows for civil actions for the
recovery of compensatory damages or injunctive or other equitable relief by
private plaintiffs.56 Such an action must be brought within two years of the
date of the act complained of or the date of discovery of the harm.57 The
minimum amount of harm required to bring such an action is $5000 of losses
within a one-year period.58
4. Access Device Statute
The Access Device Statute criminalizes the possession of counterfeit
access devices knowingly and with intent to defraud when that possession
affects interstate or foreign commerce.59 In the case of Ivanov and future
potential cyber-extortion cases, the acquisition of customer credit card
numbers and merchant account numbers constitutes a violation of this law.60
5. Conspiracy
Even if a cyber-extortion attempt does not result in the victim transferring
something of value to a would-be extortionist, an agreement to commit the crime,
followed by an overt act in furtherance of it, is in itself the crime of conspiracy.61 One of
the counts against Ivanov was based on the federal conspiracy statute.62
53. Id.
54. In America Online, Inc. v. Nat’l Health Care Discount, Inc., 121 F. Supp. 2d 1255, 1274 (N.D. Iowa 2000),
the court decided that unsolicited bulk e-mail advertising created the sort of damages defined by the CFAA in
18 U.S.C. § 1030(e)(8)(A).
55. United States v. Morris, 928 F.2d 504, 505 (2d Cir. 1991).
56. 18 U.S.C. § 1030(g).
57. Id.
58. Id.
59. 18 U.S.C. § 1029.
60. United States v. Ivanov, 175 F. Supp. 2d 367, 371 (D. Conn. 2001).
61. In 1909, Congress enacted the first general aiding and abetting statute applicable to all federal
criminal offenses, providing that “those who provide knowing aid to persons committing federal crimes, with
the intent to facilitate the crime, are themselves committing a crime.” Cent. Bank of Denver, N.A. v. First
Interstate Bank of Denver, N.A., 511 U.S. 164, 181 (1994) (citing Nye & Nissen v. United States, 336 U.S.
613, 619 (1949)).
62. Specifically, Ivanov was charged with conspiracy to commit offense or to defraud under 18 U.S.C.
§ 371. Ivanov, 175 F. Supp. 2d at 370.
C. What Could Also Work
In addition to the preceding statutes that have been proven to be
applicable to cyber-extortion by the case of United States v. Ivanov, the
following statutes and common law doctrines may allow for prosecuting and
recovering damages from cyber-extortionists.
1. Racketeer Influenced and Corrupt Organizations Act
Because cyber-extortionists are becoming better organized, more
coordinated, and may be shown to demonstrate patterns of criminal conduct,
the Racketeer Influenced and Corrupt Organizations Act (RICO), the federal
organized crime statute, is relevant.63 According to Daniel B. Kelly, RICO
has recently become “the preferred legal weapon for establishing criminal and
civil liability in a panoply of situations involving allegedly extortionate
conduct. Prosecutions for extortion under RICO originally targeted so-called
‘organized crime enterprises’ that intimidate legitimate business owners for
money.”64 RICO allows for both government prosecutions and private
lawsuits of organized extortion groups and for the recovery of treble
damages.65
2. Electronic Communications Privacy Act
The Electronic Communications Privacy Act of 1986 (ECPA)66 updated
the legal framework governing the surveillance of oral and wire
communications established in the Omnibus Crime Control and Safe Streets
Act of 1968.67 The ECPA provides criminal and civil penalties for accessing,
obtaining, or altering electronic communication without permission.68
63. 18 U.S.C. §§ 1961-1968 (2000). RICO was passed as Title IX of the Organized Crime Control Act
of 1970, Pub. L. No. 91-452, 84 Stat. 922, 941. According to Gerard E. Lynch, RICO is controversial because
of its harsh penalties and broad language, which has resulted in prosecutions that Congress may not have
foreseen. Gerard E. Lynch, RICO: The Crime of Being a Criminal, Parts I & II, 87 COLUM. L. REV. 661, 661
(1987).
64. Daniel B. Kelly, Defining Extortion: RICO, Hobbs, and Statutory Interpretation in Scheidler v.
National Organization for Women, Inc., 123 S. Ct. 1057 (2003), 26 HARV. J.L. & PUB. POL’Y 953 (2003).
Kelly cites to the following recent examples: United States v. Corrado, 304 F.3d 593 (6th Cir. 2002)
(upholding convictions of Detroit Mafia for conspiracy and extortion under Hobbs Act and RICO); United
States v. DiDomenico, 78 F.3d 294 (7th Cir. 1996) (upholding convictions of Chicago Mafia for extortion,
bribery, and murder under RICO); United States v. Eufrasio, 935 F.2d 553 (3d Cir. 1991) (upholding
convictions of organized crime enterprise for racketeering, RICO conspiracy, and attempted extortion).
Id. at 953-54.
65. 18 U.S.C. §§ 1961-1968.
66. 18 U.S.C. §§ 2701-2712.
67. COMPUTER SCI. AND TELECOMMUNICATIONS BD. (CSTB) & NAT’L ACAD. OF ENG’G (NAE),
CRITICAL INFORMATION INFRASTRUCTURE PROTECTION AND THE LAW: AN OVERVIEW OF KEY ISSUES (Stewart
D. Personick & Cynthia A. Patterson eds., 2003) [hereinafter CSTB & NAE].
68. While the USA PATRIOT Act (discussed in Part III.A.8) removed certain restrictions upon
government surveillance of electronic communications, those changes are not relevant to the restrictions
against non-governmental interference with electronic communication. See generally William F. Zieske,
Demystifying the USA PATRIOT Act, 92 ILL. B.J. 82 (2004) (describing changes in government powers with
the PATRIOT Act, including in surveillance of electronic communications).
Therefore, while not relied upon in Ivanov, ECPA could be another basis for
prosecuting a cyber-extortionist.
3. The Travel Act and Interstate Transmission of Threats to Injure Another’s Reputation
Interstate travel in order to promote extortion violates the Travel Act.69
Transmitting threats to injure another person’s reputation across state lines
with the intent to extort money is also a crime.70 While it is possible to
threaten or complete cyber-extortion without violating either of these statutes,
they conceivably could constitute additional grounds for prosecution.
4. Other Criminal Statutes at the Federal and State Level
There are other federal statutes that could constitute grounds for
prosecuting a cyber-extortionist that were not originally intended for online
environments.71 It also bears mentioning that cyber-extortionists may be
prosecuted using state cybercrime statutes.72 There are also a variety of other
statutes at the federal and state level that specifically criminalize the
unauthorized disclosure of private information, as discussed below in the
context of the businesses’ and executives’ duties to consumers and employees
in Part III.A. Where a cyber-extortionist accesses or misuses private
information, there may be grounds for prosecution in federal and state privacy
laws.
5. Civil Liability of Cyber-Extortionists
The civil suit provisions of the CFAA present the strongest foundation for
a lawsuit to recover damages.73 This Part reviews other possible bases for
civil liability. However, as a practical matter, it is often difficult to identify or
bring a civil suit against cyber-extortionists, especially those who operate
outside of the United States.74 Further, cyber-extortionists may lack adequate
financial resources to compensate their victims. Therefore, although the
following tort theories may be viable bases for lawsuits, they may not be
69. 18 U.S.C. § 1952.
70. 18 U.S.C. § 875.
71. For example, the Espionage Act, 18 U.S.C. §§ 793, 794 & 798 (2000), the Wire Fraud Act, 18
U.S.C. § 1343 (2000), and the Economic Espionage Act, 18 U.S.C. § 1831 (2000) could all possibly be
violated by a cyber-extortion scenario, as suggested in CSTB & NAE, supra note 67, at 36.
72. An exhaustive state-by-state review of computer crime statutes is outside of the practical scope of
this article, and there are a number of online compilations of state computer crime laws. See, e.g., Computer
Crime Statutes State by State, http://www.onlinesecurity.com/forum/article46.php (last visited Oct. 6, 2007);
Computer Crime Laws by State http://nsi.org/Library/Compsec/computerlaw/statelaws.html (last visited Oct.
6, 2007).
73. Supra Part II.B.3.
74. When an extortionist is not in the U.S. and cannot be lured into the U.S., the extradition process is
available for a criminal prosecutor to forcibly bring an extortionist into the U.S., assuming that the extortionist
can be located and apprehended abroad. However, nothing similar to the extradition process exists for forcing
a foreign extortionist to appear before a U.S. court in a civil suit.
No. 1] CYBER-EXTORTION 111
practical means for victims to seek redress for the harms that arise in the
context of a cyber-extortion.
a. Trespass to Personal Property
Common law actions for trespass to personal property have been
successful in the context of electronic communications.75 Because DDoS
attacks often involve a Web site or information system becoming incapacitated
by barrages of unwelcome e-mails to an e-mail account, decisions such as
CompuServe, Inc. v. Cyber Promotions, Inc.76 are particularly relevant. In this
decision, a federal district court found that unwanted e-mails constituted a
trespass to personal property, or chattel.77 Similarly relevant is the decision in
eBay, Inc. v. Bidder’s Edge, Inc., which found trespass to personal property
when a Web site’s speed was degraded by a program scouring a victim Web
site and collecting information.78
The tort of trespass to chattels requires that there be intent and a showing
that there was actual harm.79 As elaborated upon below in Part III.B.3, the
requirement that there be proof of harm has recently been reasserted.
Therefore, while some courts have appeared not to strictly enforce this
requirement, a plaintiff would be most likely to succeed in a recovery for
trespass to personal property where the plaintiff could prove substantial
damages.80 The initial, willful hacking of a computer system for the purposes
of presenting a credible threat would probably not be grounds for a suit against
a would-be cyber-extortionist based on trespass to personal property because
the lack of significant measurable harm would fail to demonstrate one of the
essential elements of the tort.
75. For a compilation of cases from six states and four federal circuit courts of appeal finding that
common law trespass claims are viable in the context of electronic communications, see Marjorie A. Shields,
Annotation, Applicability of Common-Law Trespass Actions to Electronic Communications, 107 A.L.R. 5th
549 (2003).
76. CompuServe, Inc. v. Cyber Promotions, Inc., 962 F. Supp. 1015 (S.D. Ohio 1997). The decision of
the federal district court in CompuServe was foreshadowed by the case of Thrifty-Tel, Inc. v. Bezenek, 54 Cal.
Rptr. 2d 468 (Cal. Ct. App. 1996), in which it was decided that a cause of action exists for trespass to chattels
in the context of hacking into a computer, and that parents could be held liable for the hacking of their child.
77. For a discussion of the reasoning and implications of the CompuServe decision, see Steven E.
Bennett, Canning Spam: CompuServe, Inc. v. Cyber Promotions, Inc., 32 U. RICH. L. REV. 545 (1998).
78. 100 F. Supp. 2d 1058, 1071-72 (N.D. Cal. 2000).
79. Shields, supra note 75, at 549. See infra Part III.B.3 for an elaboration upon the precise differences
among courts in terms of their practical approaches to finding whether a trespass to personal property has
occurred.
80. School of Visual Arts v. Kuprewicz, 771 N.Y.S.2d 804 (N.Y. Sup. Ct. 2003) (holding that the
trespass to chattels was the unwelcome receipt of job applications and pornography that breached no security
systems, but did place a burden on the computer systems). See also Intel Corp. v. Hamidi, 71 P.3d 296, 306-
09 (Cal. 2003) (which illustrates the trend of courts to not require a showing of damages to find a trespass to
chattels by even ordering an injunction after a plaintiff ceased pursuing a lawsuit, although the California
Supreme Court reversed those decisions). The Hamidi decision has been interpreted by practitioners
nationwide as reasserting the requirement that damages be proven when attempting to recover for a trespass to
personal property, according to Dr. Christopher T. Pierson. E-mail from Dr. Christopher T. Pierson to author
(April 3, 2006) (on file with author). For a discussion of how the damage requirement in trespass cases in the
online context was being abrogated prior to the Hamidi decision, see Dan Hunter, Cyberspace as Place and the
Tragedy of the Digital Anticommons, 91 CALIF. L. REV. 439, 487 (2003).
b. Interference with Contractual Relations
Jerry Wegman and Alexander Korzyk raise the possibility that the tort of
interfering with contractual relations may be viable as a claim in the context of
DDoS attacks.81 As they explain, the tort requires proof of a legally
enforceable contract existing between two parties, and that a third party
unjustifiably interfered with the execution of that contract.82 They offer the
case of Pennzoil Co. v. Texaco, Inc.83 as an illustration, wherein Texaco was
held liable for inducing Getty Oil Co. to breach its contract agreeing to merge
with Pennzoil, resulting in damages of $11 billion. Wegman and Korzyk point
out that the perpetrators of DoS attacks are interfering with contracts between
Web sites and their customers, and between customers and their Internet
Service Providers.84
The likelihood of success of a lawsuit based exclusively on this theory
would be low compared to using the civil suit provisions of the CFAA. First,
this variety of tort requires that an extortionist intentionally made someone
break a contract.85 Second, this variety of tort typically involves someone
interfering with a contractual relationship with the intent to replace one of the
contracting parties.86 In these two respects, an extortion scenario differs
significantly from the paradigm illustrated by Pennzoil v. Texaco.
c. Invasion of Privacy
Daniel J. Solove suggests that there may be grounds for a lawsuit based
on the tort of public disclosure of private facts because some cybercrime
scenarios may involve the fulfillment of a threat to divulge or sell or use
confidential customer data that is of a highly personal or sensitive nature.87 In
a majority of states, a person has a cause of action for public disclosure of
personal information when another widely discloses a private matter that is
“highly offensive to a reasonable person” and “is not of legitimate concern to
the public.”88 This tort allows lawsuits for disclosing true information even if
the information was obtained through lawful means.89 Arguably, the broad
category of tort known as invasion of privacy90 has an easier-to-prove sub-
category called intrusion upon seclusion.91 This may be more desirable
grounds upon which to base a lawsuit against a cyber-extortionist because the
81. Wegman & Korzyk, supra note 42, at 48.
82. Id.
83. 481 U.S. 1 (1987).
84. Id.
85. 18 AM. JUR. TRIALS 59 § 9 (2007).
86. Id. at § 10.
87. See Daniel J. Solove, The Virtues of Knowing Less: Justifying Privacy Protections Against
Disclosure, 53 DUKE L.J. 967, 970-74 (2003) (discussing the public policy concerns related to disclosure of
personal information and free speech rights).
88. RESTATEMENT (SECOND) OF TORTS § 652D (1977).
89. Solove, supra note 87, at 971.
90. RESTATEMENT (SECOND) OF TORTS § 652A (1977).
91. Id. at § 652B.
unauthorized acquisition of private information is the key element; proof of
publicity of the information is not required to win damages.92
In the context of cyber-extortion, these torts would provide for the
recovery of damages against the extortionist, but not the company that fails to
adequately protect confidential customer data. This is because an actionable
disclosure does not take place when the disclosure is the result of an unlawful
act of someone other than the defendant.93 The case of Corcoran v.
Southwestern Bell Telephone Co. is instructive: the plaintiffs failed to establish
publication by the telephone company where the company mailed their bill to
the plaintiffs’ daughter-in-law’s address (at the plaintiffs’ daughter-in-law’s
request) and where the daughter opened the bill.94 The court came to this
conclusion because the opening of the misdirected bill was an intervening
illegal act over which the telephone company had no control.95 A court could
find that, in the context of cyber-extortion, the extortionist’s actions are a
supervening illegality that eliminates the possibility of suing a corporation with
negligently inadequate information systems security. However, the torts
dealing with invasion of privacy could be viable bases for attempting to
recover from cyber-extortionists that access or publicize private information.
Because cyber-extortionists are difficult to identify and apprehend and
because they may lack sufficient resources to compensate for the damage that
they cause, it is likely that the victims of cyber-extortion will seek redress for
their harms from other sources. Both consumers and employees whose data
may be compromised and businesses who suffer financial losses will likely
look to the institutions whose information systems became the tools for
committing the harms. Namely, individuals whose data is accessed and
misused will likely attempt to seek compensation from the businesses who
failed to adequately secure the compromised information, and businesses who
suffer losses will likely attempt to seek compensation from other businesses
whose information systems were hijacked and used to cause harm. The focus
of the following Parts is therefore upon the duties of executives to guard the
privacy of information and to prevent their businesses’ information systems
from being used to cause harm.
III. DUTIES AND LIABILITIES OF CEOS AND CIOS
Potential liability to third parties for failures in their duties to protect
against cyber-attackers has been examined from a negligence perspective in
one article in the Westlaw database.96 Less than half a dozen other analyses of
liabilities for allowing one’s computers to be used as attack zombies in DDoS
attacks are available online. The severe consequences of DDoS attacks are
92. Id.
93. 43 AM. JUR. PROOF OF FACTS 2D 449 § 9 (2007).
94. Corcoran v. Southwestern Bell Telephone Co., 572 S.W.2d 212, 215 (Mo. Ct. App. 1978).
95. Id.
96. Stephen E. Henderson & Matthew E. Yarbrough, Suing the Insecure?: A Duty of Care in
Cyberspace, 32 N.M. L. REV. 11 (2002).
discussed slightly more in the IT arena, often in trade periodicals, and perhaps
out of the motivation, in some instances, to sell information security services.97
A. Customers and Employees
The duties and possible liabilities of Chief Executive Officers (CEOs)
and Chief Information Officers (CIOs) to consumers and employees are
defined by statutes, regulations, and common law doctrines. Since cyber-
extortion may involve holding sensitive and private data hostage or threatening
its misuse, destruction, publication or the disclosure of its being compromised,
the issue of data privacy is significant in evaluating potential executive liability
to third parties.
1. No Federal Statute Controls When Individuals Must Be Notified of Data
Privacy Breaches
As of early 2006, no federal law defines when customers or employees
must be informed of an information security breach that compromises the
privacy of their personal or otherwise sensitive data.98 Thus, even the FDIC
delayed an announcement to its employees about the theft of personal
information, partly to further its efforts in identifying the culprits.99
At least thirty pieces of relevant federal legislation have been proposed
and were circulating in the U.S. Congress as of 2005, but none as of 2006 were
close to being passed by the House or Senate.100 However, there is a
patchwork of differing reporting obligations to employees and customers
created by twenty-two – soon to be as many as thirty-nine – state statutes.101
California’s Security Breach Information Act102 has been the object of
commentary by both scholars and practitioners.103 Companies doing business
97. See, e.g., Cisco.com, DDoS Protection Services, http://www.cisco.com/en/US/netsol/ns615/
networking_solutions_sub_solution.html (last visited Oct. 21, 2007).
98. Glen Fest, Data Breach Notification: States Differ On When To Sound The Alarm, BANK
TECHNOLOGY NEWS, Jan. 2006, available at http://www.banktechnews.com/article.html?id=
20060103PM82XNSG.
99. Id. The discovery that the Department of Justice had made social security numbers available on the
Internet was another event that prompted questions about how quickly enterprises must inform individuals
about compromised private data. Larry Greenemeier, InformationWeek Exclusive: Justice Department Reveals
Social Security Numbers, INFORMATIONWEEK, Dec. 23, 2005, available at http://www.informationweek.com/
news/showArticle.jhtml?articleID=175400150; Larry Greenemeier, Social Security Numbers On The Justice
Department’s Web Site Could Lead To Identity Theft, INFORMATIONWEEK, Dec. 23, 2005, available at
http://www.informationweek.com/blog/main/archives/2005/12/social_security.html.
100. Tony Kontzer & Larry Greenemeier, Sad State of Data Security, INFORMATIONWEEK, Jan. 5, 2006,
available at http://www.wstonline.com/showArticle.jhtml?articleID=175801687.
101. Id.
102. CAL. CIV. CODE § 1798.82 (West 2003).
103. E.g., Ethan Preston & Paul Turner, The Global Rise of a Duty to Disclose Information Security
Breaches, 22 J. MARSHALL J. COMPUTER & INFO. L. 457, 461-63, 468-70 (2004); Timothy H. Skinner,
California’s Database Breach Notification Security Act: The First State Breach Notification Law Is Not Yet a
Suitable Template for National Identity Theft Legislation, 10 RICH. J.L. & TECH. 1, passim (2003),
http://law.richmond.edu/jolt/v10i1/article1.pdf
internationally should be cognizant of higher standards applicable to data
privacy and the disclosure of data privacy breaches that exist in Europe.104
However, despite the lack of a consistent federal legal framework
governing when disclosures must be made to customers about breaches to the
confidentiality of sensitive data, as discussed in the following Parts, federal
statutes and recently promulgated regulations impose duties on executives to
maintain controls on the privacy of certain forms of information.105 An up-to-
date inventory of state privacy statutes is available online.106
2. Sarbanes-Oxley Act
The Sarbanes-Oxley Act of 2002 (commonly referred to as SOX)107 has
generated extensive scholarly commentary,108 but its relevancy to information
security is relatively under-appreciated. Section 404 of SOX requires that
internal controls on information systems be put in place and that they be
documented and tested at least once a year.109 Section 302 of SOX requires
the company’s principal officers to certify each annual and quarterly report
with respect to their review of the report and the internal controls now
mandated by the Act. Section 906(a) of SOX requires CEO and CFO
certification of the veracity of each periodic report that contains financial
statements, with criminal penalties for failure to comply. “Knowing”
violations of a CEO’s or CFO’s certification duties are punishable by up to $1
million in fines or up to ten years’ imprisonment.110 “Willful” violations of a
104. See Preston & Turner, supra note 103, at 468-70 (comparing the European approach to disclosing
security breaches with the Californian approach).
105. For a more extensive discussion of the justification for myriad federal and state statutes related to
data privacy that are applicable to specific types of information, see Solove, supra note 87, at 972-76. Solove
points to federal statutes that “restrict disclosure of information from school records, cable company records,
video rental records, motor vehicle records, and health records. . . . Various states have also restricted the
disclosure of particular forms of information, such as data about health, alcohol and drug abuse, sexual offense
victims, HIV status, abortion patients, and mental illness.” Id. at 971-72 (footnotes omitted).
106. Electronic Privacy Information Center, Privacy Laws by State, http://www.epic.org/privacy/
consumer/states.html (last visited Oct. 6, 2007).
107. Sarbanes-Oxley Act of 2002, Pub. Law No. 107-204, 116 Stat. 745 (codified as amended at 15
U.S.C. §§ 7201-7266 (2005) and in scattered sections of 18 U.S.C., 28 U.S.C. & 29 U.S.C.). Elsewhere SOX
has been referred to as the Corporate and Criminal Fraud Accountability Act of 2002. See, e.g., Robert P.
Riordan & Lisa Durham Taylor, Sarbanes-Oxley Whistleblower Claims: Fast Start or Fizzle, TRENDS in
Litigation (2004), http://www.alston.com (search for “fast start or fizzle”; follow “Trends Spring 04.indd”
hyperlink).
108. E.g., Andrew A. Lundgren, Sarbanes-Oxley, Then Disney: The Post-Scandal Corporate-
Governance Plot Thickens, 8 DEL. L. REV. 195 (2006); Byron F. Egan, The Sarbanes-Oxley Act and Its
Expanding Reach, 40 TEX. J. BUS. L. 305 (2005); Roberta Romano, The Sarbanes-Oxley Act and the Making
of Quack Corporate Governance, 114 YALE L.J. 1521 (2005); Larry Catá Backer, Surveillance and Control:
Privatizing and Nationalizing Corporate Monitoring After Sarbanes-Oxley, 2004 MICH. ST. L. REV. 327
(2004); Niels Schaumann, The Sarbanes-Oxley Act: A Bird’s-Eye View, 30 WM. MITCHELL L. REV. 1315
(2004).
109. For a more in-depth discussion of duties created by the Sarbanes-Oxley Act, see Larry Catá Backer,
The Duty to Monitor: Emerging Obligations of Outside Lawyers and Auditors to Detect and Report Corporate
Wrongdoing Beyond the Federal Securities Laws, 77 ST. JOHN’S L. REV. 919 (2003).
110. For a discussion of the legislative history of the Sarbanes-Oxley Act and, to a certain extent, the
relatively greater significance of corresponding federal sentencing commission guidelines, see Frank O.
Bowman, III, Pour Encourager les Autres? The Curious History and Distressing Implications of the Criminal
CEO’s or CFO’s certification duties are punishable by up to $5 million in fines
or twenty years’ imprisonment.111 SOX provides for both civil and criminal
penalties.112 Corporate executives—and even directors—may not only be
exposed to criminal liability, but also to suits by private citizens in court.113
The requirement that executives confirm that adequate “internal
controls” are in place has led to a burgeoning market in information
technology (IT) systems claiming to be “Sarbanes compliant,” inasmuch as the
systems are secured from both internal and external tampering.114 The
obligation to confirm the status of internal control systems coupled with the
threat of both criminal and civil sanctions has raised the possibility that SOX
lawsuits, like RICO civil suits, will be successfully initiated in contexts that
were not contemplated by legislative drafters.
A single vulnerability of an internal control of a corporation that is
exploited to cause harm to third parties may now conceivably result in: (1) the
CEO, CFO, and company being sued by a defrauded third party, such as a
customer; (2) the CEO, CFO, company, and its accounting firm being sued in a
class action lawsuit brought by public shareholders; (3) an accounting firm
suing the CEO and CFO for failing to disclose the vulnerability; and (4) the
Securities and Exchange Commission bringing civil and criminal proceedings
against the company and its CEO and CFO.115
Interestingly, a recent survey of fraud examiners revealed widespread
perceptions that: (1) SOX has been effective in revealing frauds; yet (2) fraud
in the corporate world is still a major and worsening problem; and (3) bribery
and extortion still rank among the most prevalent forms of financial fraud.116
While the context of SOX’s passage and its content indicate that the act was
intended to combat corporate fraud, the mandated maintaining of internal
controls guards corporations against external bad actors as well – including
those bent on extortion. The discovery of an executive’s false assurance of
adequate internal controls and monitoring is grounds for liability, regardless of
how that false assurance comes to light.117
Provisions of the Sarbanes-Oxley Act and the Sentencing Guidelines Amendments that Followed, 1 OHIO ST. J.
CRIM. L. 373, 404 (2004).
111. Id.
112. Id.
113. It is important to note, however, that the SEC’s ability to impose civil liability on directors is subject
to the same standard as under any other statute. See NICOLAS MORGAN, DLA PIPER, COURT REJECTS SEC’S
IMPOSITION OF CIVIL PENALTIES AGAINST DIRECTORS IN EARLY TEST OF SARBANES-OXLEY (2005),
http://www.dlapiper.com/files/upload/CorpGov_051123.htm (discussing a recent federal district court decision
that criticized the SEC for imposing harsh civil penalties that it could not have won in federal court).
114. See Mark Rasch, Sarbanes Oxley for IT Security? THE REGISTER, May 3, 2005,
http://www.theregister.co.uk/2005/05/03/sarbanes_oxley_for_it_security (noting the widespread claim by
computer security vendors that their products and services are “100% Sarbanes Oxley Compliant” and
examining how SOX is relevant to IT security and how proper IT security can prevent some types of fraud).
115. JOHN S. VISHNESKI, III, MAYER, BROWN, ROWE & MAW LLP, NEW LIABILITIES CREATED BY
SARBANES-OXLEY; ARE YOUR DIRECTORS, OFFICERS COVERED? (2003), http://www.mayerbrownrowe.com/
publications/article.asp?id=1179&nid=6:.
116. Gene J. Koprowski, Study: Sarbanes-Oxley Law Not Changing Technology Business Culture,
TECHNEWSWORLD, Nov. 28, 2005, http://www.technewsworld.com/story/47467.html.
117. See generally VISHNESKI, supra note 115 (providing an example of how corporate officers could be
One indication of how seriously executives have taken the prospect of
being sued or prosecuted for maintaining inadequate internal controls is their
expenditures on SOX-compliant IT systems. A recent survey by the Gartner
Group forecast that IT budgets would grow by 10 to 15% in 2006, up from an
increase of 5% in 2004.118 “Projects that were not aligned with compliance
and corporate governance were delayed or cancelled, and SOX efforts
inhibited the purchase of large amounts of software related to building new
technologies and deploying new projects,” stated French Caldwell, a research
vice president at Gartner.119
3. Gramm-Leach-Bliley Act
The Gramm-Leach-Bliley Act of 1999 (GLBA)120 facilitated affiliations
between banks, securities firms, and insurance companies by repealing
provisions of the Glass-Steagall Act.121
The GLBA controls the ways that financial institutions deal with the
nonpublic personal information of individuals. The Act consists of three
sections: The Financial Privacy Rule regulates the collection and disclosure of
private financial information; the Safeguards Rule stipulates that financial
institutions must implement security programs to protect such information; and
the pretexting provisions prohibit the practice of accessing private information
using false pretenses.122 The Act also requires financial institutions to give
customers privacy notices that explain their information-sharing practices.123
The Federal Trade Commission was empowered to enforce the GLBA by
15 U.S.C. § 6805(a)(7) and promulgated regulations in 2000.124 The FTC
rules implemented the GLBA and also provided sample compliance privacy
notices.125
As noted by the Federal District Court for the District of Maryland in
F.T.C. v. AmeriDebt, Inc., the GLBA and related regulations define financial
institutions “very broadly.”126 Universities and other enterprises that deal with
a variety of financial records also fall under the ambit of the GLBA and
therefore have a responsibility to secure personal records.127 The GLBA
held liable for unknown embezzlement by a junior officer).
118. Dinesh C. Sharma, Compliance Laws Boosting IT Budgets, CNET NEWS.COM, Dec. 15, 2005,
http://news.com.com/Compliance+laws+boosting+IT+budgets/2100-1014_3-5996670.html.
119. Id.
120. Gramm-Leach-Bliley Financial Modernization Act, Pub. L. No. 106-102, 113 Stat. 1338 (1999)
(codified at 15 U.S.C. §§ 6801-6809) (GLBA is also known as the Financial Industries Modernization Act).
121. The FTC tried to use the GLBA as a basis for regulating lawyers, but this was rejected by the U.S.
District Court for the District of Columbia. N.Y. State Bar Ass’n v. FTC, 276 F. Supp. 2d 110, 136-40
(D.D.C. 2003).
122. 15 U.S.C. § 6803(a) (2000).
123. Id.
124. For a succinct analysis of the regulations implementing the GLBA, see L. Richard Fischer, The
Gramm-Leach-Bliley Act and Its Implementation, SG066 ALI-ABA 65 (2002).
125. 16 C.F.R. § 313.18 (2005).
126. FTC v. AmeriDebt, 343 F. Supp. 2d 451, 457 (2004).
127. See id. at 456-57 (explicitly stating that the term “financial institution” includes several entities not
traditionally recognized as financial).
directs that all institutions implement an Information Security Program and
designate a program coordinator.128
The greatest limitation of the GLBA from the view of privacy advocates
is that it does not provide any remedies for individuals should a firm fail to
comply with the Act’s disclosure provisions.129 In the words of Jolina C.
Cuaresma:
Various federal regulators, state insurance authorities,
and the Federal Trade Commission have responsibility
for enforcing these provisions. However, according to
section 505(b)(1), enforcement equates to
implementation of standards. As one commentator
pointed out, “the law establishes . . . overlapping
regulatory supervisory enforcement mechanisms to
identify and correct abusive policies and practices rather
than to remedy or resolve individual rights affected by
specific infractions. The structure is thus somewhat
illusory, lacking in any recourse for an individual to
remedy the infringement of his or her privacy.” Without
the threat of monetary remuneration, adherence to these
privacy provisions may not be a high priority for firms
faced with a barrage of economic pressures. This lack of
remedies further compromises the individual’s right to
privacy.130
4. Health Insurance Portability and Accountability Act
The Health Insurance Portability and Accountability Act of 1996
(HIPAA)131 originally had three main goals: “(1) to guard patients’ protected
health information from unauthorized disclosures; (2) to improve the quality of
healthcare by restoring trust in the system; and (3) to protect and improve the
rights of consumers to access their own healthcare information.”132
HIPAA required the Secretary of the Department of Health and Human
Services (HHS) to recommend privacy measures to Congress.133 HIPAA’s
Administrative Simplification provisions required the establishment of
standards for electronic health care transactions and the security and privacy of
health data.134 Requirements for administrative, physical, and technical
safeguards for ensuring the privacy of health data took effect April 20, 2005.135
128. 12 C.F.R. § 748.2 (2002).
129. Jolina C. Cuaresma, The Gramm-Leach-Bliley Act, 17 BERKELEY TECH. L.J. 497, 514 (2002).
130. Id. (footnotes omitted).
131. Health Insurance Portability Act, Pub. L. No. 104-191, 110 Stat. 1936 (codified as amended in
scattered sections of 18 U.S.C., 26 U.S.C., 29 U.S.C., 42 U.S.C.).
132. David R. Morantz, HIPAA’s Headaches: A Call for a First Amendment Exception to the Newly
Enacted Health Care Privacy Rules, 53 U. KAN. L. REV. 479, 481-86 (2005).
133. For a description of the long history of the promulgation of the HIPAA privacy standards, see id.
134. 45 C.F.R. § 160 (2002).
135. 45 C.F.R. §§ 164.308, 310, 312 (2006); Pietrina Scaraglino, Complying With HIPAA: A Guide for
“Protected Health Care Information” includes any “individually
identifiable information concerning the past, present, or future physical or
mental health or condition of an individual; the provision of health care to an
individual; or the past, present, or future payment for that provision of health
care to an individual.”136 The law states that “covered entities” include health
care providers, health plans (which include group plans), insurance companies,
parts of Medicare, Medicaid, long-term care providers, and health care
clearinghouses, which process health data and provide billing services.137
However, employee welfare benefit plans and entities such as universities are
covered.138 The law requires covered entities that transmit, process, or
disclose protected health information to limit such disclosures to the minimum
amount necessary, known as the “minimum necessary” information.139
A single, unintentional violation of the law is punishable by a $100
fine,140 but multiple violations in one calendar year can result in a $25,000
fine.141 Therefore, these provisions could affect businesses if confidential
health care data is compromised in the course of a cyber-extortion. However,
HIPAA regulations do not create a private right of action to recover damages
from keepers of medical records who unintentionally disclose a record.142
Instead, private parties have the right to file a formal complaint with a covered
provider or health plan or with HHS about violations of the provisions of this
rule or the policies and procedures of the covered entity.143
5. Children’s Online Privacy Protection Act
The Children’s Online Privacy Protection Act of 1998 (COPPA)144
requires companies that use Web sites to collect data about children under
thirteen years of age to (1) give clear notice of the type and use and disclosure
of information collected, (2) allow ways for parents to easily review collected
information, and (3) limit, in some cases, collected information to what is
reasonably necessary.145 Companies must also obtain verifiable parental
consent before collecting personal information of children under thirteen years
old.146
the University and Its Counsel, 29 J.C. & U.L. 525, 527-29 (2003).
136. Diane Kutzko et al., HIPAA in Real Time: Practical Implications of the Federal Privacy Rule, 51
DRAKE L. REV. 403, 411 (2003) (citations omitted) (providing a thorough analysis of the statute’s provisions).
137. Scaraglino, supra note 135, at 529.
138. Id.
139. Id. at 547 n. 119.
140. 42 U.S.C. § 1320d-5(a)(1) (2000).
141. Id.
142. 45 C.F.R. § 160.410 (2006).
143. U.S. DEPARTMENT OF HEALTH AND HUMAN SERVICES, PROTECTING THE PRIVACY OF PATIENTS
HEALTH INFORMATION (2001), http://aspe.hhs.gov/admnsimp/final/pvcfact2.htm.
144. 15 U.S.C. §§ 6501-6506 (2000).
145. 15 U.S.C. § 6502(b)(1). For a concise summary of COPPA, see Anita L. Allen, Minor Distractions:
Children, Privacy and E-Commerce, 38 HOUS. L. REV. 751, 758-66 (2001); Rachael Malkin, How the
Children’s Online Privacy Protection Act Affects Online Businesses and Consumers of Today and Tomorrow,
14 LOY. CONSUMER L. REV. 153, 156-59 (2002). For a description of how businesses were collecting and
selling personal data on children under the age of thirteen, see Michelle Z. Hall, Note, Internet Privacy or
Information Piracy: Spinning Lies on the World Wide Web, 18 N.Y.L. SCH. J. HUM. RTS. 609, 620-25 (2002).
120 JOURNAL OF LAW, TECHNOLOGY & POLICY [Vol. 2007
Of greatest significance to the present analysis, companies must maintain
the confidentiality of the personal data that they collect on children under
thirteen years of age.147 COPPA empowers the Federal Trade Commission
(FTC) to oversee implementation and enforcement of the regulations,148 but,
like the GLBA and HIPAA, does not create a right for private parties to file a
civil suit.149 The final implementing rule went into effect on April 21, 2000.150
FTC enforcement actions have led to companies paying up to $400,000 for
violating COPPA.151 Given that cyber-extortionists may disclose or threaten
disclosure of companies’ personal data about children, COPPA’s penalty
provisions could apply to a company that failed to protect the confidentiality of
its data.152
6. Unfair Trade Practices and the Fair and Accurate Credit Reporting Act
It is important to note the role of the FTC in enforcing previously
discussed legislative and regulatory security requirements. Another part of the
FTC’s mission is protecting consumers from false and deceptive trade
practices.153
The Federal Trade Commission has prosecuted and settled with several
companies—Eli Lilly, Microsoft, Guess, and Tower Records—for
misrepresentations to consumers that security and privacy measures were more
robust than they really were.154 New York’s Attorney General has also
prosecuted and settled with several businesses, including Ziff Davis, Barnes &
Noble, Victoria’s Secret, and the ACLU for making misrepresentations about
or compromising the privacy of customer data.155
It is important to note that the FTC settlements have clarified how the
GLBA and HIPAA’s information security requirements may be satisfied in
practice. As summarized in the Computer Science and Telecommunications
Board’s (CSTB) and National Academy of Engineering’s (NAE) Critical
Information Infrastructure Protection and the Law: An Overview of Key
Issues:
146. 15 U.S.C. §§ 6501(1), 6502(b)(1)(A)(ii).
147. 15 U.S.C. §§ 6501(1), 6502(b)(1)(D).
148. 15 U.S.C. § 6505(a).
149. COPPA is not cited as frequently in analyses of the possible liability of businesses for
maintaining lax security standards or in reviews of statutes that are having an impact upon industry practices.
One authority that discusses COPPA is Preston & Turner. Preston & Turner, supra note 103, at 471-78. As
reflected by the number of authorities cited in the corresponding Parts of this article, the GLBA and HIPAA
are more commonly cited as having affected both perceptions of what constitutes a reasonable standard of care
and the actual functioning of businesses.
150. FTC Children’s Online Privacy Protection Rule, 16 C.F.R. § 312.1 (2007).
151. Steven A. Wells, Mark Courtney & Peter Vogel, [Un]Safe Harbor: No Common Denominator in
Privacy Compliance, 9 COMP. L. REV. & TECH. J. 257, 270 (2004).
152. 16 C.F.R. § 312.8 (2007).
153. Federal Trade Commission Act, 15 U.S.C. § 45(a) (2000).
154. Preston & Turner, supra note 103, at 479.
155. Id. at 479-80.
Recent FTC settlements have established “reasonable
security” as a written, comprehensive information
security program that (1) designates appropriate
personnel accountable for information security, (2)
assesses security risks, taking into account, among other
things, employee training, (3) implements reasonable
security safeguards to control risks, and (4) adjusts the
information security program in response to regular
testing and monitoring. The GLB implementing
regulations and recent FTC actions go a long way to
setting the stage for best practices and may give rise to a
de facto industry standard for negligence liability.
However, a number of questions remain about the FTC’s
de facto security standard. It is not clear whether ISO
17799 meets these requirements. Nor is it known what
types of documentation, training, and supervision are
necessary to meet the standard. The Microsoft settlement
appears to indicate that damage is not necessary to trigger
an FTC inquiry and the imposition of its security
standard. Clearly, though, the recent FTC actions,
combined with the GLB and HIPAA regulations, confirm
that companies can no longer continue to address security
issues informally. GLB and HIPAA regulations have
caused a seismic shift in the financial and health care
industries (similar to the effect of Y2K on the computer
industry) as institutions scramble to comply with the
detailed requirements.156
More recently, the settlements of the FTC’s actions against ChoicePoint,
BJ’s Wholesale, and DSW indicated that the very lack of information security
safeguards—regardless of whether promises about data privacy were made—
is grounds for prosecution as an unfair trade practice when data is stolen.157 In
its case against ChoicePoint, the FTC charged that the database company
violated the Fair Credit Reporting Act (FCRA) by furnishing consumer reports
to subscribers who did not have a permissible purpose to obtain them and by
failing to maintain reasonable procedures to verify the identities of the
requesting entities and how they intended to use the information.158 The
settlement involved ChoicePoint paying $15 million in penalties and agreeing
to external security audits every two years.159
156. CSTB & NAE, supra note 67, at 58 n.46.
157. Press Release, Fed. Trade Comm’n, BJ’S Wholesale Club Settles FTC Charges (June 16, 2005),
http://www.ftc.gov/opa/2005/06/bjswholesale.shtm [hereinafter BJ’s Wholesale]; Press Release, Fed. Trade
Comm’n, ChoicePoint Settles Data Security Breach Charges; to Pay $10 Million in Civil Penalties, $5 Million
for Consumer Redress (Jan. 26, 2006), http://www.ftc.gov/opa/2006/01/choicepoint.shtm [hereinafter
ChoicePoint]; Press Release, Fed. Trade Comm’n, DSW Inc. Settles FTC Charges (Dec. 1, 2005),
http://www.ftc.gov/opa/2005/12/dsw.htm [hereinafter DSW PR].
158. ChoicePoint, supra note 157. 163,000 consumers’ personal financial records were compromised.
Id.
In its settlements with BJ’s Wholesale160 and DSW,161 the FTC similarly
showed that failure to take appropriate security measures to protect sensitive
information may constitute an unfair practice that violates federal law. The
settlements with both companies require them to implement a comprehensive
information security program and obtain audits by an independent third party
security professional every other year for twenty years.162
The prosecutions of BJ’s Wholesale and DSW suggest that a viable de
facto standard of care for securing information exists, and is violated by the
following acts and omissions: storing sensitive information longer than a
legitimate business need would so require, failing to use readily available
technology to limit access to computer networks through wireless access
points, failing to encrypt files, and failing to employ sufficient measures to
detect unauthorized access.163 Failing to limit the connectivity between
computers in different stores was also a basis for prosecuting these types of
cases.164
7. Fair and Accurate Credit Transactions Act and the FTC’s Disposal Rule
The Fair and Accurate Credit Transactions Act (FACTA) of 2003165
amended the federal Fair Credit Reporting Act (FCRA)166 and included
provisions intended to enhance the accuracy and privacy of data, limit
information sharing, and expand consumer rights to disclosure.167 The
Disposal Rule, issued by the FTC in July 2005, as required by FACTA, calls
for the disposal of information by, among other means, the destruction or
erasure of electronic files containing consumer records to protect against
unauthorized access or use of the information.168 Significantly, the rule
applies not just to businesses that acquire data through consumer transactions,
but to landlords, employers, insurers, attorneys, and private investigators,
among others.169 The Disposal Rule effectively defines another element of the
duty of care that a business must fulfill if it wishes to meet the FTC’s standard
of taking reasonable care to prevent data theft or misuse.
159. Id.
160. BJ’s Wholesale, supra note 157.
161. DSW PR, supra note 157.
162. BJ’s Wholesale, supra note 157; DSW PR, supra note 157.
163. BJ’s Wholesale, supra note 157; DSW PR, supra note 157. As with standards of care in other
contexts, this standard should not automatically be deemed to have been violated anytime there is a data
security breach; rather, the FTC appears to be pursuing cases where there was a failure to take reasonable
precautions. See Anne P. Fortney & Lisa C. DeLessio, Federal Laws Applicable to Consumer Data Security
Breaches, 59 CONSUMER FIN. L.Q. REP. 229, 237 (2005) (stating that the “FTC staff has said that they will
recommend formal FTC enforcement actions only in those cases where a company substantially failed to have
reasonable procedures to avoid a security breach, or to manage a security breach”).
164. DSW PR, supra note 157.
165. Fair and Accurate Credit Transactions Act of 2003, Pub. L. No. 108-159, 117 Stat. 1952 (2003)
(amending 15 U.S.C. §§ 1681-1681x; 20 U.S.C. §§ 9701-9708; and 31 U.S.C. § 5318 (2004)).
166. Fair Credit Reporting Act, Pub. L. No. 91-508, 84 Stat. 1128 (1970) (codified as amended at 15
U.S.C. § 1681 (2007)).
167. Fair and Accurate Credit Transactions Act §§ 212, 312, 411, 15 U.S.C. §§ 1681g(a), 1681s–2,
1681b(g) (2005). It has been pointed out that while FACTA includes protections advantageous to consumers,
it also preempts state laws that could go further in protecting consumers. ARCHIVE OF 2003 – 2004 Credit
Reporting and Identity Theft Documents, http://www.pirg.org/consumer/fcra.htm (last visited Oct. 6, 2007).
There are some ways that states may still go beyond minimum federal protections. GAIL HILLEBRAND,
CONSUMERS UNION, AFTER THE FACT ACT: WHAT STATES CAN STILL DO TO PREVENT IDENTITY THEFT 10-
16, http://www.consumersunion.org/pdf/FACT-0104.pdf (last visited Oct. 6, 2007).
168. FTC Disposal Rule, 16 C.F.R. § 682.3(b)(2) (2005); FTC, FTC BUSINESS ALERT (2005),
8. USA PATRIOT Act
The Uniting and Strengthening America by Providing Appropriate Tools
Required to Intercept and Obstruct Terrorism (USA PATRIOT) Act of 2001170
reformed the Bank Secrecy Act (BSA).171 Section 3, Title III of the USA
PATRIOT Act and new regulations implementing the act require key financial
sector industries to implement programs and employee training designed to
prevent the services they offer from being used to facilitate money laundering
or the financing of terrorism.172 A management-level compliance officer must
be responsible for the institution’s anti-money-laundering activities, and must
have independent board-level reporting authority.173 Enterprises must actively
monitor individual accounts to detect suspicious activity and must submit
Suspicious Activity Reports and Currency Transaction Reports.174 These
reforms also require that enterprises providing financial services175 retain data
for five years and stipulate that reported-on individuals do not need to be
informed.176
In examinations of banks for compliance, even five errors out of 1500
transactions justified a bank being failed; in fact, in one Federal Reserve district,
all fifteen banks failed.177 This indicates that the combined effect of
heightened regulatory requirements demanding greater scrutiny of accounts and
longer periods of data retention has not yielded complete compliance.178
http://www.ftc.gov/bcp/conline/pubs/alerts/disposalalrt.pdf (last visited Oct. 6, 2007) [hereinafter FTC
BUSINESS ALERT].
169. FTC BUSINESS ALERT, supra note 168.
170. Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and
Obstruct Terrorism (USA PATRIOT) Act of 2001, Pub. L. No. 107-56, 2001 U.S.C.C.A.N. (115 Stat.) 369
(2001) (codified at 18 U.S.C. § 1960 and in other amended sections of the U.S. Code).
171. Federal Deposit Insurance Act, Pub. L. No. 91-508, 1970 U.S.C.C.A.N. (84 Stat. 1114) 1301 (1970)
(codified as amended at 12 U.S.C. §§ 1730d, 1829b, 1951-1959; 18 U.S.C. §§ 6002; and 31 U.S.C. §§ 321,
5311-5314, 5316-5322) (§ 1730d repealed 1989).
172. OFFICE OF THE COMPTROLLER OF THE CURRENCY, COMBATING MONEY LAUNDERING AND
TERRORIST FINANCING: BANK SECRECY ACT (BSA) AND USA PATRIOT ACT REGULATIONS,
http://www.occ.treas.gov/BSA/BSARegs.htm (last visited Oct. 6, 2007).
173. Ken Proctor, Managing Compliance Risk: Bank Secrecy Act and the USA PATRIOT Act (Sept. 2,
2003), http://www.bankersonline.com/risk/brintech_cmprisk.html.
174. Id.
175. Financial institutions include banks, and also mutual fund companies, operators of credit card
systems, money transfer companies and check cashers, securities brokers and dealers registered with the
Securities and Exchange Commission, and futures commission merchants and accompanying introducing
brokers registered with the Commodity Futures Trading Commission. See Bank Secrecy Act, 31 U.S.C.
§ 5312(a)(2)(A)-(X) (2007) (as amended by the USA PATRIOT Act).
176. 31 C.F.R. § 103.18 (2006).
177. Proctor, supra note 173.
178. See id. (indicating that although examiners have granted time to some banks to remedy the non-
compliance, such leniency may be running out).
Most importantly, these statutory and regulatory requirements constitute an
important piece of the legal obligations of executives with regard to the data
systems of their enterprises.179
9. State Consumer Protection Statutes
State consumer protection statutes may also be applicable to false
promises of data privacy protection.180 Just as the FTC actions described
above were based on federal laws prohibiting unfair trade practices, even when
there was no reliance upon a false promise,181 reliance upon false promises
may not be necessary to prove an unfair trade practice under a state consumer
protection statute.182 Rather, inadequate data security provisions alone may be
adequate to demonstrate an unfair trade practice.183 While an attorney general
could bring a prosecution, customers may bring actions to implement these
statutory protections.184 Harmed citizens may be entitled to treble damages or
attorney’s fees, creating an incentive for using these statutes to seek recovery,
and exacerbating the exposure of businesses to liability when the
confidentiality of customer data is breached.185
10. Contract Law
Contract law is relevant where it can be demonstrated that a promise to
keep information private was so essential to a purchase decision as to be a part
of the basis of the bargain.186 If the data is made public—a breach of the
promise to keep private information confidential—three possible remedies are
conceivable.187 First, a court may allow the customer to rescind the contract188
—that is, to be absolved of any further obligations to make payments and
receive benefits under, for example, a two-year cell phone contract. This could result in
significant damages for cell phone service companies and similar services that
rely on long-term contracts as a source of revenue. The second remedy under
contract law is to award monetary damages to the plaintiff, equal to the
difference between the contracted goods or service as promised and the value
of the goods and services as delivered.189 However, it may be difficult to
179. Id.
180. See Victor E. Schwartz & Cary Silverman, Common-Sense Construction of Consumer Protection
Acts, 54 U. KAN. L. REV. 1, 18 (2005) (noting that several states require reliance for a viable claim under state
consumer protection statutes).
181. See, e.g., BJ’s Wholesale, supra note 157 (announcing the settlement between the FTC and BJ’s,
which involved charges of unfair trade practices involving many security failures, but did not contain a claim
of reliance by customers on any promise of security by BJ’s).
182. Schwartz & Silverman, supra note 180, at 18.
183. Id.
184. Schwartz & Silverman, supra note 180, at 3.
185. Id.
186. See generally U.C.C. § 1-201(b)(3) (2007) (defining an agreement); RESTATEMENT (SECOND) OF
CONTRACTS §§ 344(a), 351 (1981) (defining purposes of remedies and foreseeable damages); Andrew Kull,
Restitution As a Remedy for Breach of Contract, 67 S. CAL. L. REV. 1465 (1994) (discussing contract
remedies).
187. RESTATEMENT (SECOND) OF CONTRACTS §§ 344(a), 351; Kull, supra note 186, at 1514.
188. Kull, supra note 186, at 1514.
assign such a value when the breach involves data being compromised.190
Finally, in the event that foreseeable damages result from the violation of a
promise, consequential damages are possible. These may present the most
likely means of recovery in the context of someone suing to recover damages
from the breach of a promise to keep data confidential.191
11. Torts
a. Torts of Fraudulent and Negligent Misrepresentation
If a business communicated that customer data would be kept private,
then several types of tort liability may exist. Claims of tortious
misrepresentation are based on the communication of false facts upon which a
plaintiff relies to his or her detriment.192 A concise differentiation of the three
varieties of misrepresentation is as follows:
First, intentional misrepresentation, often called fraud or fraudulent
misrepresentation or deceit, is an intentional tort requiring a showing that the
defendant knowingly misrepresented the truth. Second, reckless
misrepresentation—confusingly, also sometimes called intentional
misrepresentation—occurs when the defendant is conscious that she doesn’t
know whether her assertions are true or false. And third, negligent
misrepresentation may arise when a seller carelessly communicates
information that she should know is false.193
All of these forms of misrepresentation would allow for the rescission of
the agreement that was entered into based on the misrepresentations.194
Further, tort damages—more than conventional contractual remedies—
typically allow for whatever damage award would place the plaintiff in the
position he or she was in prior to the defendant’s tortious conduct.195 In
egregious cases where a court is convinced that future instances of such
conduct ought to be deterred, punitive damages are possible.196
Ethan Preston and Paul Turner argue convincingly that the privacy
policies of businesses make them vulnerable to liability for both negligent
misrepresentation and fraud because “businesses disclose their privacy policies
in part to induce data subjects into transactions with the business and into
providing them with information.”197
189. Id.
190. RESTATEMENT (SECOND) OF CONTRACTS § 344(a).
191. RESTATEMENT (SECOND) OF CONTRACTS § 351.
192. Richard H. Acker, Comment, Choice-of-Law Questions in Cyberfraud, 1996 U. CHI. LEGAL F. 437,
439 n.12 (1996).
193. J. David Prince, Defective Products and Fraud and Misrepresentation Claims in Minnesota, 29
HAMLINE L. REV. 261, 261 (2006).
194. See RESTATEMENT (SECOND) OF CONTRACTS §§ 163-64 (indicating when a contract is not formed or
voided by a misrepresentation).
195. 22 Am. Jur. 2d Damages § 25, n.5 (2004).
196. Id. at § 542.
b. Tort of Breach of Confidentiality
As pointed out by Daniel Solove, there is also the relatively new tort of
breach of confidentiality, which remedies disclosures of medical information
by physicians and financial data by banks; liability under this tort has been
extended to third parties who induce the disclosure.198
B. Downstream Liability to Other Businesses
Given that unsecured computer networks are hijacked and used to execute
DDoS attacks as part of cyber-extortion schemes, that extortionists can be
difficult to catch and may lack the resources to compensate their victims, and
that the owners of the unsecured networks may be identifiable and have the
resources to compensate the victims, it is foreseeable that a victim of a cyber-
extortion scheme involving a DDoS attack will sue the owners of the networks
used to perpetrate the attack.
There is no statute that criminalizes allowing one’s computer or network
to be hijacked and used as a zombie to attack other computers or networks.
However, there are doctrines and precedents that are applicable to this
seemingly novel fact pattern. In the following Parts of this article, several
avenues for establishing liability will be examined.
Some of the following applications of legal theories may seem like
earnest speculation. Indeed, they are almost by definition speculative
applications until a lawsuit is commenced that relies on these theories. To lend
credibility to the following Parts and give credit where it is deserved, the
following individuals must be recognized for their pioneering work on the
issue of downstream liability for negligence in the context of DDoS attacks:
Stephen E. Henderson and Matthew E. Yarbrough,199 Robert Bourque and
Blake Bell,200 Ronald B. Standler,201 and William J. Cook.202 The authors are
also indebted to Dr. Christopher Pierson for his practitioner’s insights and
expert opinions.
197. Preston & Turner, supra note 103, at 478.
198. Solove, supra note 87, at 971-72. See also Hammonds v. AETNA Cas. & Sur. Co., 243 F. Supp.
793, 803 (N.D. Ohio 1965) (finding liability for tort of breach of confidentiality where third-party induced
disclosure); Peterson v. Idaho First Nat’l Bank, 367 P.2d 284, 290 (Idaho 1961) (finding liability for tort of
breach of confidentiality in disclosure by bank); McCormick v. England, 494 S.E.2d 431, 439 (S.C. Ct. App.
1997) (finding liability for breach of confidentiality tort in disclosure by physician); Alan B. Vickery, Note,
Breach of Confidence: An Emerging Tort, 82 Colum. L. Rev. 1426, 1426-27 (1982) (noting that courts have
increasingly shown a willingness to attach legal consequences to third party breach of confidence claims).
199. Henderson & Yarbrough, supra note 96.
200. Robert Bourque and Blake Bell, Computer Owners Face Liability for On-Line Attacks, N.Y.L.J.,
Aug. 11, 2000, at 1, available at http://www.stblaw.com/content/publications/pub289.pdf (online version is
titled Dealing with Liability Risks to Owners of Computers Used in Denial of Service Attacks).
201. Ronald B. Standler, Possible Vicarious Liability for Computer Users in the USA?, Apr. 17, 2004,
available at http://www.rbs2.com/cvicarious.pdf.
202. William J. Cook, Partner, Foley & Lardner LLP, Former Head of U.S. Dep’t of Justice Computer
Crime Task Force, Liability Developments and Best Practices 2005, address at the InfraGard National
Conference (Aug. 10, 2005), available at http://www.infragard.net/library/congress_05/regulatory_compliance/liability_developments.ppt#673,21; William J. Cook, Partner, Foley & Lardner LLP,
To date, there has been one lawsuit initiated against a company for
allowing its Web site to be hacked and for the resulting damages to a third
party.203 In this case, FirstNET, a Scottish Internet Service Provider, was
flooded with traffic that was directed to it from the compromised Web site of
Nike.204 FirstNET sued Nike in a Scottish court for the cost of redirecting
traffic back to Nike.205 At the time, in 2000, FirstNET also contemplated
suing Nike in U.S. court on a tort theory for the damage suffered as a result of
the disruption from the flood of traffic.206 FirstNET reportedly withdrew its
lawsuit and compensated Nike for an unspecified amount of “judicial
expenses.”207 This example demonstrates that, while the theories below have
not been thoroughly tested, the concept of suing businesses for failure to secure
information systems is within the realm of possibility.
1. Negligence
The common law provides for the tort of negligence.208 To establish
liability for negligence, the following elements must be proven: (a) the
existence of a duty of care, (b) the violation of that duty, and (c) proximate
causation of a (d) harm.209
In the case of business D allowing its network to be used as a tool to
threaten or commit a DDoS attack on business P, a court could conceivably
find that (a) business D owed business P a duty of care to prevent its network
from being vulnerable to hacking, that (b) business D’s failure to meet certain
security standards is a violation of that duty of care, and that (c) the violation
of that duty of care is the proximate cause of (d) the harm suffered by business P.
Former Head of U.S. Dep’t of Justice Computer Crime Task Force, The Legal Aspects of Cyberspace, address
at the Infragard Super Conference (May 15, 2003), available at http://www.wi-infragard.com/superconference.html.
203. Out-Law.Com, Nike Sued by Scottish-based ISP over Web Site Attack, OUT-LAW NEWS, Jan. 23,
2001, http://www.out-law.com/page-1325.
204. Id.
205. Id.
206. Id. Greg Lloyd Smith, Managing Director of FirstNET, indicated that his company planned to sue
Nike in the U.S. for damages, based on the theory that Nike’s unsecured Web site was an “attractive
nuisance,” explaining that:
Much the same as a swimming pool in your back garden, such a potential danger
must be protected at all costs in order to prevent damage or loss to others. The
fact that Nike failed to ensure adequate security measures for their web address
caused considerable damage to our company and denial of services to our on-
line clients. Nike should be held responsible for all resulting losses. Id.
207. Discussion of “Hijacking” of nike.com, http://web.archive.org/web/20011129000437/www.nikesucks.org/ (last visited Oct. 6, 2007).
208. 57A Am. Jur. 2d Negligence § 2 (2004).
209. Id. at § 5.
a. Existence and breach of a duty of care
In the context of a hypothetical lawsuit against a company for having
inadequate information security, the plaintiff would argue that a defendant had
a duty to secure its information system. The failure to secure an information
system—not the hijacking or the DDoS attack—would be argued to constitute
the breach of the duty of care. To evaluate the success of arguing these two
elements, a review of what defines a duty of care is in order.210 The standard
of care does not need to be perfection, but rather the amount of care that a
reasonable person would exercise.211 In cases involving trained professionals,
courts evaluate a defendant’s conduct in light of the amount of care that a
reasonable professional in that field would exercise.212 In cases involving
businesses, courts evaluate a defendant’s conduct in light of industry
standards.213 Finally, legislation and regulations may be referred to in
determining an appropriate standard of care.214
Some have pointed out that federal statutes such as the GLBA and
HIPAA and the regulations that they authorized and the FTC consent
agreements described above articulate standards of care that could be used in
such a case.215 Even if a court were convinced that it would not be appropriate
to refer to those statutes or regulations as indications of an appropriate standard
of care, expert witnesses in the field of information security or CIOs/CSOs
could testify about accepted industry practices.
There is even precedent for a court to go beyond available evidence about
standard industry practices and impose a higher, court-determined duty of care
retroactively.216 In such a case, a court may decide upon the reasonable
standard of care by weighing the cost of a preventative, precautionary step
against the likelihood and cost of foreseeable harms that were not protected
against.217
Therefore, the criticism that a court could never determine an acceptable
standard that defines a business’s or an executive’s appropriate duty of care is
not a well-founded objection. It is a basic virtue of the Anglo-American
tradition of the common law that judges have always applied established
doctrines and principles to new-yet-analogous fact patterns.
210. Id. at § 132.
211. Id. at §§ 133, 135.
212. 65 C.J.S. Negligence § 164 (2007).
213. 57A AM. JUR. 2D Negligence § 164.
214. Id. at § 135.
215. Henderson & Yarbrough, supra note 96, at 20-21 (noting that the GLBA and HIPAA data security
regulations, while useful in helping a court decide upon a reasonable duty of care, were not drafted with the
specific intent to protect against DDoS attacks, and therefore their standards do not rise to the level of defining
negligence per se). Violating a statutorily-specified standard of care, such as a building code requirement,
constitutes negligence per se; in such a context, just the proof of the violation of specified standard is enough
to establish liability for negligence. 57A AM. JUR. 2D Negligence, § 135.
216. The T.J. Hooper, 60 F.2d 737, 740 (2d Cir. 1932) (containing Judge Learned Hand’s famous opinion
finding tugboat owners negligent for not having weather radios aboard, even though that was not yet industry
practice, because “there are precautions so imperative that even their universal disregard will not excuse their
omission”).
217. United States v. Carroll Towing Co., 159 F.2d 169, 173 (2d Cir. 1947). See also CSTB & NAE,
supra note 67, at 49; Henderson & Yarbrough, supra note 96, at 20-21.
However, as a practical matter, for the present time, practitioners doubt
that a plaintiff could actually win at trial in a negligence suit against a
company for failing to maintain adequate cyber-security standards such that its
information systems become hijacked and used to commit harm.218 According
to Dr. Christopher Pierson, attorney with Lewis and Roca LLP and President
of the Phoenix Infragard Chapter, there are two reasons for this belief.219 First,
many of these cases will settle before trial.220 Second, at trial, a defendant’s
lawyer would have the advantage of being able to show that security practices
still vary extremely widely in the business world.221 However, according to
Dr. Pierson, as security practices become more routine over time, the
likelihood of a plaintiff winning a negligence lawsuit in the context of
downstream liability will improve.222
Recent prosecutions initiated by the FTC are not dispositive, but their
resolutions also suggest that there is a minimum reasonable standard of care
with regard to cyber-security that is gradually evolving.223 As discussed above
in Part III.A.6, settled lawsuits against several companies alleged that, for
example, failures to encrypt data or properly control access to information
systems were unfair trade practices.224 Since such allegations served as the
basis for viable lawsuits, one of which resulted in a $15 million settlement, this
suggests that in the near future, similar allegations in a tort suit could serve as
grounds for arguing that a reasonable standard of care existed and was
violated.225
Given the facts and the trends above, it is reasonable to conclude that, in
the near future, a court may conclude that there is a duty to secure information
systems and that failure to secure an information system is a breach of that
legally cognizable duty.
218. Pierson, supra note 80.
219. Id.
220. Id.
221. Id. Two cases serve to illustrate why practitioners are skeptical that a court would find that a
minimum standard of care for information security exists. In Stollenwerk v. Tri-West Healthcare Alliance,
there was no negligence found in a case where thieves twice broke into a facility, and on their second time,
stole computers with personal data. No. Civ. 03-018SPHXSRB, 2005 WL 2465906, at *7 (D. Ariz. Sept. 6,
2005). One would imagine that the failure to heighten security after the first break-in would serve as the
violation of a reasonable duty of care, but it did not. Id. In Guin v. Brazos Higher Educ. Serv. Corp., Inc.,
allowing an employee to keep unencrypted data on a laptop computer which was taken home and stolen from
the employee’s residence was not held to constitute a violation of a duty of reasonable care. No. Civ. 05-668
RHK/JSM, 2006 WL 288483, at *6 (D. Minn. Feb. 7, 2006). In both of these cases, however, the plaintiffs
alleged that the harm was a higher risk of identity theft rather than actual harm – conceivably, the courts may
have ruled otherwise, had there been actual identity theft committed as a consequence of the defendants’
failure to take more aggressive steps to protect data security. Stollenwerk, 2005 WL 2465906, at *2; Guin,
2006 WL 288483, at *2-3.
222. Pierson, supra note 80.
223. See supra Part III.A.6.
224. Id.
225. See supra note 158 and accompanying text.
130 JOURNAL OF LAW, TECHNOLOGY & POLICY [Vol. 2007
b. Causation
In addition to proving the existence of a duty of care and a violation of a
duty, causation must be demonstrated.226 Beyond proving that the carelessness
of the defendant caused the harm, it is necessary that the harm be reasonably
foreseeable.227 Available survey data indicate that a growing majority of
managers responsible for IT are aware of the risks of online crime and the risks
of having inadequate information system security.228 As executives become
familiar with phenomena such as DDoS attacks, it will be increasingly difficult
to pretend to be ignorant that their unsecured networks pose a serious risk to
others.229
c. Harm
The last possible objection to holding business executives liable for
negligence in allowing their networks to be hijacked and used to commit
DDoS attacks is that non-monetary harm—in addition to purely economic
harm—has traditionally been required for a court to find a defendant liable for
negligence; however, that requirement has been eroded.230 Also, alternatively,
some argue that the inability to serve customers and the possible loss of data
qualify as physical damage.231 Therefore, it is entirely reasonable to believe
that a court may find a company liable for the economic losses to another
company stemming from a DDoS attack.
d. Analogous Cases
The case of company D’s inadequately secured network being hijacked to
launch a DDoS attack on company P is very similar to other cases where courts
have found liability for negligence. Practitioners and scholars have pointed out
parallels that could be employed to convince a court that liability is
226. Palsgraf v. Long Island Railroad Co., 162 N.E. 99, 101 (1928).
227. The causation element can be bifurcated into causation-in-fact and proximate causation. Id. First-
year tort classes in law school typically clarify the concept of proximate causation by meditating upon the case
of Palsgraf. The case involved employees of the Long Island Railroad sloppily assisting a passenger in his
effort to board an already-moving train, during which a nondescript package fell onto the tracks. Id. at 99.
The package contained fireworks which ignited. Id. The explosion dislodged distant scales on the station
platform, which hit and injured Ms. Palsgraf. Id. Ms. Palsgraf sued the Long Island Railroad for
negligence. Id. at 100. The jury originally found the railroad company liable. Id. On appeal, this decision
was reversed. Id. Writing for the majority, Judge Benjamin Cardozo opined that such cases must be evaluated
not on the basis of a defendant’s duty to the world-at-large, but on the basis of a duty to the plaintiff in the
specific case. Id. Therefore, while the sloppy efforts of Long Island Railroad’s employees illustrated
causation-in-fact (Ms. Palsgraf’s injuries would not have occurred but-for the negligence of the railway
employees), their conduct was not the proximate cause of her injuries. Id. Another, simpler way of
understanding proximate causation is to see it as a question of foreseeability. WILLIAM L. PROSSER,
HANDBOOK OF THE LAW OF TORTS 170-71 (4th Ed. 1971).
228. See Bourque & Bell, supra note 200, at 5 (pointing out that the attacks have become so
commonplace as to become accepted as a fact of life).
229. Id.
230. See generally BMW of N. Am., Inc. v. Gore, 517 U.S. 559 (1996) (discussing economic harm).
231. Henderson & Yarbrough, supra note 96, at 11.
appropriate.232
The most analogous case has been pointed out by Robert Bourque and
Blake A. Bell,233 as well as Ronald Standler.234 AT&T v. Jiffy Lube Int’l,
Inc.235 is the latest in a sequence of cases finding that a telephone company
client will be held liable for the cost of calls placed by unauthorized third
parties.236 This case is relevant to the paradigmatic DDoS attack inasmuch as
the unauthorized third party hacked into Jiffy Lube’s inadequately secured
computerized exchange and used this as a conduit for the theft of over $55,000
worth of phone calls from AT&T.237 In other words, this case demonstrates
that negligently providing the means by which a third party can inflict harm
can be the basis for liability. In their 2000 article,238 Bourque and Bell pointed
to the case of Computer Tool & Engineering, Inc. v. Northern States Power
Co.,239 where a company sued both a local power company and a local telephone
company for negligence. Specifically, the telephone company, in laying cable,
severed power lines, causing a power surge to damage a computer system
owned by the plaintiff.240 The lawsuit also attempted to recover damages from
the power company on the theory that the power company could have
protected the plaintiff company from the power surge.241 In this case, the
power company was shielded from liability only by virtue of being a public
utility.242 The remaining question of determining the relative fault of the
plaintiff and the telephone company was properly deemed to be a question for
the jury.243 Once again, this case illustrates that, where a company, through its
negligence, provides a conduit for another to inflict harm, there is a viable basis
for a negligence lawsuit.244
Stephen Henderson and Matthew Yarbrough suggest that downstream
liability in the context of a DDoS attack would be easier to establish than
liability to handgun manufacturers or distributors because of the closer nexus
between the defendant and plaintiff.245 By implication, if suits against gun
makers were viable, certainly a suit to establish downstream liability should be
viable.246
Ronald Standler suggests that several further analogies may be used to
convince a court that downstream liability should be found in a DDoS
232. E.g., Bourque & Bell, supra note 200.
233. E-mail from Blake A. Bell & Robert Bourque to author (Feb. 27, 2006) (on file with author).
234. Standler, supra note 201, at 11.
235. 813 F. Supp. 1164 (D. Md. 1993).
236. Id. at 1167-69.
237. Id. at 1165.
238. Bourque & Bell, supra note 200, at 5.
239. 453 N.W.2d 569 (Minn. Ct. App. 1990).
240. Id. at 571.
241. Id. at 572.
242. Id.
243. Id. at 573-74.
244. Id. at 575.
245. Henderson & Yarbrough, supra note 96, at 16-17.
246. Id.
scenario.247 Two in particular appear to be apt metaphors. First, Standler
points out that, in some states, courts have found car owners liable when they
leave the ignition keys in an unlocked and unattended car, and when those cars
are subsequently stolen and used to cause harm.248 Courts have found that
such cases are examples of oversights that proximately caused harm to the
plaintiffs because the intervening criminal act of the car theft was
foreseeable.249 The case of a car owner leaving their keys in an unlocked car is
analogous to an executive or IT professional not taking reasonable steps to
secure the company’s network. In some states, this could be an analogy that
might help to convince a court.250
Standler suggests that another analogous fact pattern is that of failing to
secure domestic animals or agricultural livestock that subsequently cause harm
to others.251 In such cases, courts find animal owners to be strictly liable for
the harm caused to other people by unsecured animals or livestock.252 Any of
these may prove to be useful metaphors in convincing a court that liability
should arise for failing to take reasonable steps to secure something which may
become a means of inflicting harm.
Based on the reasoning and examples presented in this Part, a court may
conclude that a negligence suit is appropriate where a business failed to take
reasonable steps—as defined by statutes, regulations, industry practices or
even retroactively-applied standards determined by a judge—to secure its
network, and where this failure allows for the hijacking and use of the network
in a DDoS attack that results in harm to another company.
2. Vicarious Liability: A Prospect in the Future?
Agency law has been applied to software in the context of programs that
automatically bid on—and commit to—transactions.253 Automated interfaces
that take sales orders are commonly referred to as e-agents. Per section 14 of
the Uniform Electronic Transactions Act (UETA), drafted by the National
Conference of Commissioners on Uniform State Laws in 1999, e-agents may
enter into binding agreements on behalf of their principals.254 UETA has been
adopted, with minor adjustments, by a majority of states. Section 107(d) of the
247. Standler, supra note 201, at 4-8.
248. Id. at 4 (listing several cases from various jurisdictions where such liability is found).
249. Id. at 5.
250. However, Standler points out, in some states, the theft of the car is considered an intervening act,
such that proximate causation does not exist between the car owner’s negligence and the plaintiff’s harm. Id.
at 6. See, e.g., Merchants Delivery Serv. v. Joe Esco Tire Co., 533 P.2d 601, 604 (Okla. 1975) (stating that
the law in Oklahoma is that the theft of the car is an intervening act which makes the negligent act of the car
owner not the proximate cause of the harm).
251. Standler, supra note 201, at 8.
252. E.g., Byram v. Main, 523 A.2d 1387, 1389 (Me. 1987).
253. FRANK B. CROSS & ROGER LEROY MILLER, WEST’S LEGAL ENVIRONMENT OF BUSINESS, 462-63 (5th
ed. 2004); see Todd V. Mackey, Limiting Exposure for Internet Vendors: Separating the Wheat from the
Chaff, 21 J. MARSHALL J. COMPUTER & INFO. L. 207, 222-23 (2003) (describing automated transactions and
the potential applicability of agency law).
254. Unif. Elec. Transactions Act. § 14 (1999).
Uniform Computer Information Transactions Act (UCITA) also states that a
company or individual using an e-agent “is bound by the operations of the
electronic agent, even if no individual was aware of or reviewed the agent’s
operations.”255
Although it would represent a greater extension of existing legal
principles than applying straightforward negligence theory, it is conceivable
that a court would eventually accept the argument that a business’s computers
are agents in the context of tort liability as well. In such a scenario, the victim
of a DDoS attack could argue that a zombie computer network is analogous to
an employee. Under the common law tradition of agency relationships, an
employer (one type of principal) is responsible in many situations for the
harms caused by an employee (one type of agent).256 While only one other
author, Ronald Standler, has argued that vicarious liability could be applied to
the context of a DDoS attack, the possible application of agency law is worth
considering.257
Vicarious liability may be found in the context of employers failing to
exercise reasonable care when hiring or retaining an employee.258 To
analogize to the context of a DDoS attack, one could argue that the defendant
enterprise has failed to exercise reasonable care and has placed an agent—its
information systems—in a position where it can cause harm to others.
Vicarious liability may also be found for an agent’s negligent acts so long
as they are committed within the scope of the agent’s work for the principal
under the doctrine of respondeat superior.259 Therefore, the employer will be
found liable for an agent’s negligent torts even while on a detour that is
unbeknownst to the employer. To analogize to the context of a DDoS attack,
one could argue that a hijacked computer system is like an employee on a
detour – the computer system or the software is knowingly set loose in an
environment where it may stray in the course of its employment, causing harm
to others. In the case that came closest to considering the applicability of
respondeat superior to this context, a company was held responsible for an
online trespass by a computer program, albeit when the trespass was directed
by one of the defendant company’s employees.260
255. Unif. Computer Info. Transactions Act § 107(d) (Proposed in 1999, but withdrawn in 2002).
256. Meyer v. Holley, 537 U.S. 280, 285-86 (2003).
257. Standler, supra note 201, at 10-11.
258. Louis Buddy Yosha & Lance D. Cline, Negligent Hiring and Retention of An Employee, 29 Am.
Jur. Trials 267, 275 (Charles S. Parnell ed., 1982).
259. Meyer, 537 U.S. at 285-86. The underlying theory of vicarious liability for harm caused by an agent
is the doctrine of respondeat superior or “let the master respond.” Frank J. Vandall et al., Torts: Cases and
Problems 1041 (2d ed. 2003). The logic of this doctrine is that the master ought to be accountable for the
foreseeable risks created by requiring a servant to complete a given task and that the master is in a better
position to compensate third parties for harms that may result. Kavanaugh v. Nussbaum, 523 N.E.2d 284, 288
(N.Y. 1988). Similarly, it is foreseeable that a business’s computers would be treated analogously to agents,
regardless of whether one prefers to think of a computer or information system as a servant or employee.
260. Oyster Software, Inc. v. Forms Processing, Inc., No. C-00-0724 JCS, 2001 WL 1736382, at *11
(N.D. Cal. Dec. 6, 2001) (applying California law, the court ruled that even if the defendant company did not
know about the initial act of sending a program to the plaintiff’s Web site and copying its metatags, it could be
liable for trespass to personal property if the plaintiff could prove that the defendant company was the
employer of the individual who caused the harm).
Admittedly, attempting to base a lawsuit solely on agency theory to
recover damages from a company that has maintained inadequate security of
its information systems would, for the moment, be an ill-advised strategy. By
comparison, negligence theory appears more applicable. However, twenty
years ago, it may have seemed equally far-fetched to argue that agency law
would be applied to a computer program connected to a phone line, yet
referring to software as an e-agent is now an uncontroversial matter of course.
Therefore, agency law is a theoretical basis for finding liability for insecure
information systems that should not be utterly dismissed. Over the coming
decades, judges finding liability for unsecured information systems may well
mention respondeat superior as part of the theoretical justification for their
conclusions.
3. Trespass
This Part will describe why establishing downstream liability for failure
to secure an information system would most likely fail under the current
application of trespass theory to the online context. This Part will consider,
however, how the application of trespass doctrines could foreseeably evolve
such as to provide grounds for recovery.
As alluded to above, unsolicited electronic communications and
violations of computer systems can constitute the intentional tort of trespass to
private property, or chattels. Maintaining inadequate security, such that one’s
network can be hijacked and used to violate another information system, is
distinguishable because it is not an intentional act, but rather negligent
conduct.
The level of protection of ownership interests in real property is higher
than the protection of ownership interests in personal property in that proving
trespass onto land requires no proof of harm and inasmuch as, for example, an
animal owner can be strictly liable for his animals trespassing onto another’s
land.261 Trespass to land may be found when minute particles or intangible
electronic signals are sent over another’s land.262
Perhaps the most debated requirement in proving trespass to personal
property in the online context is the element of proof of the deprivation or
damage to the personal property. This requirement was recently reasserted by
the California Supreme Court in the case of Intel Corp. v. Hamidi.263 In this
case, the California Supreme Court overturned the rulings of a trial court and
appellate court that had found an ex-employee’s repeated and unsolicited e-mails
261. RESTATEMENT (THIRD) OF TORTS § 21 (2005).
262. E.g., Bradley v. Am. Smelting and Refining Co., 104 Wash. 2d 677, 688 (Wash. 1985).
263. 71 P.3d 296 (Cal. 2003). The Hamidi decision was foreshadowed by the decision in Ticketmaster
Corp. v. Tickets.Com, Inc., finding that some damage must be evidenced in a claim for trespass to personal
property in the context of either (1) programs aggregating data from another Web site without authorization or
(2) one Web site linking to another without authorization. No. CV997654HLHVBKX, 2003 WL 21406289, at
*3 (C.D. Cal. Mar. 7, 2003).
to current employees of Intel to constitute trespass to personal
property.264 The Court overruled the lower court decisions because of an
insufficient showing of either injury to property or injury to the possessor’s
interest.265 Practitioners across the country cite to Hamidi as having
persuasive authority.266 Arguably, when the California Supreme Court
clarified the damage requirement in Intel Corp. v. Hamidi, the limitations of
the trespass to chattels doctrine were highlighted; namely, that the doctrine is
too rigid and fails to adequately balance rights.267
In contrast, state and federal courts in other jurisdictions have sometimes
applied a looser standard when they decide cases involving a trespass to
information systems.268 Other courts have accepted, for example, the loss of
prospective business or a small decrease in processing speed or loss of server
capacity as sufficient damage to personal property to support a finding of
trespass to personal property.269 This trend was recently continued by an
Illinois federal court in Sotelo v. Directrevenue.270
Some scholars have pointed out that several court opinions have focused
on whether the information system access was explicitly not allowed in
justifying their finding of trespass and granting of injunctions. Patricia L.
Bellia has pointed out that this was the case in CompuServe Inc. v. Cyber
Promotions, Inc.,271 America Online, Inc. v. IMS,272 the lower courts in Intel
Corp. v. Hamidi,273 and eBay, Inc. v. Bidder’s Edge, Inc.274 The harm in these
cases was certainly not dispossession of property, and the economic harm that
the courts perceived was more potential than actual in all of these cases.275
This is perhaps best illustrated by the decision in eBay, where programs that
scoured a Web site and collected publicly available information were violating
the Web site’s terms of use and were found to be interfering with property
rights adequately to justify a court injunction on the grounds that such activity
was a trespass to chattel.276
Several prominent scholars have lamented that courts have been sloppy in
mixing metaphors and standards, arguing that it would be bad public policy for
courts to drift toward treating electronic communications more like physical
264. Hamidi, 71 P.3d at 300-01.
265. Id. at 303-11.
266. Pierson, supra note 80.
267. See Steven Kam, Intel Corp. v. Hamidi: Trespass to Chattels and a Doctrine of Cyber-Nuisance, 19
BERKELEY TECH. L.J. 427, 445-46 (2004) (noting that the court rejected employee time and productivity as
interests that the plaintiff can claim as harmed for the purposes of the tort). Steven Kam proposes a theory of
cyber-nuisance that would balance the relative utility of, for example, unsolicited e-mails, such that the harms
caused by this conduct could be discouraged and redressed. Id. at 442-45.
268. E.g., CompuServe Inc. v. Cyber Promotions, Inc., 962 F. Supp. 1015, 1023 (S.D. Ohio 1997).
269. Id.
270. 384 F. Supp.2d 1219 (N.D. Ill. 2005).
271. 962 F. Supp. 1015.
272. 24 F. Supp. 2d 548 (E.D. Va. 1998).
273. 71 P.3d 296 (Cal. 2003).
274. 100 F. Supp. 2d 1058 (N.D. Cal. 2000).
275. Patricia L. Bellia, Defending Cyberproperty, 79 N.Y.U. L. REV. 2164, 2227 (2004).
276. eBay, 100 F. Supp. 2d at 1069-72.
trespass to land.277 The negative public policy impact of such a drift has been
characterized as a tragedy of the anticommons, in that online commerce and
freedom of expression depend on being able to access information on others’
servers and that moving toward a de facto standard of trespass to real property
would limit the potential of the Internet for business and expressive
purposes.278
Although they represent a minority view, several other scholars have
advocated that unauthorized computer network trespasses be explicitly treated
the same as trespass to real property.279 The public policy in favor of such an
explicit standard is compelling, in that it would discourage only access to
information systems that is explicitly unauthorized. Much as the elevation of
an exclusive right to real property was considered an essential step in
furthering economic development and avoiding problems such as the tragedy
of the commons in medieval England, one could argue that a “zero tolerance”
approach to explicitly unwelcome trespassing onto each other’s servers is
essential to the smooth conduct of commerce in the present era. Further, it can
be argued that unauthorized access into an information system does bear
adequate similarity to trespassing onto land so as to justify applying a standard
similar to that of trespass to real property. A visit to a Web site is actually like
stopping by someone’s office and gesturing toward and requesting to borrow a
book. In other words, even a permissible Web site visit does necessarily
involve electronic signals entering the physical server associated with a
“visited” site. Thus, metaphors comparing cyberspace to real space are not
entirely unfounded.
A move toward the explicit adoption of the standards of trespass to real
property would raise the prospect that one could be liable for damages caused
by failure to secure one’s network under a theory of strict liability.280 The
likelihood of winning a downstream liability suit would increase, inasmuch as
additional or clearer analogies could be drawn between existing case law and
the context of a cyber-trespass. Specifically, it would be possible to argue that
277. Hunter, supra note 80, at 443-44; Maureen A. O’Rourke, Property Rights and Competition on the
Internet: In Search of an Appropriate Analogy, 16 BERKELEY TECH. L.J. 561, 586-93 (2001). Such a
confusion on the part of courts is understandable, due to terminology such as “website,” “logging onto,”
“hosting,” or “visitors to a website,” all of which imply physicality, even though, in the characterization of
some authors, it is more accurate to say that a server transmits a Web site to a viewer. For an analysis of
whether metaphors to the physical world have truly been a contributing factor to judges articulating standards
more reflective of the physical world, see David McGowan, The Trespass Trouble and the Metaphor Muddle,
1 J.L. ECON. & POL’Y 109 (2005).
278. See, e.g., Hunter, supra note 80, at 443-44 (discussing the “tragedy of the anticommons” when
cyberspace is viewed legally as actual property resulting in the stifling of innovation).
279. Susan M. Ballantine, Computer Network Trespasses: Solving New Problems with Old Solutions, 57
WASH. & LEE L. REV. 209, 255 (2000). For a discussion of how analogizing to physical space could yield to a
new, Internet-specific standard for online conduct, see Ronnie Cohen and Janine S. Hiller, Towards a Theory
of Cyberplace: A Proposal for a New Legal Framework, 10 RICH. J.L. & TECH. 2 (2003). For a discussion of
the range of possible alternative standards for governing online trespass, see Bellia, supra note 275, at 2164.
Finally, as already mentioned, Steven Kam suggests that adopting nuisance standards from the context of real
property would allow for the better balancing of rights and interests in the online context. Kam, supra note
267, at 442-45.
280. Standler, supra note 201, at 8.
failing to secure one’s network resulting in its hijacking and use in a DDoS
attack is analogous to failing to secure one’s cattle, resulting in their stampede
onto another’s land. The enterprise that failed to secure its chattel, resulting in
a trespass, could be found strictly liable for damages that resulted. While it
currently may seem fanciful to argue that a hijacked information system
sending slews of e-mails is analogous to stampeding cattle, this analogy would
be irresistible in a jurisdiction that explicitly accepted that unwelcome
violations of one’s server are equivalent to violating one’s real property.
Much like applying agency law to online tort scenarios, this theoretical
approach is not likely to succeed or even to be attempted in the immediate
future. However, given that courts in some jurisdictions have already loosened
the requirement of proof of damages in trespass to personal property cases in
the online context, it is not impossible to imagine that some courts will
eventually—either explicitly or in practice—apply a standard of trespass to
information systems that resembles the standard of trespass to real property.
This development could then serve as a basis for recovering damages against
another enterprise that failed to secure its information system, resulting in a
DDoS attack.
4. Statutory Civil Suit Provisions
It may be tempting to consider using the CFAA in the context of downstream
liability. However, it is inapplicable, because the unauthorized access must be
intentional, even if no harm was intended. In the context of a downstream
liability case, the defendant does not intend its information system to trespass
or cause harm, but instead is responsible for the lack of security that results in
a harm unintended by the defendant. Given this scenario, the civil suit
provisions of the CFAA do not provide a means of recovering damages from
an entity that fails to secure its information system.
As mentioned above in Part III.A.2, section 404 of SOX requires that
internal controls on information systems be in place, documented and tested at
least once a year, section 302 requires that executives certify reports, and
section 409 requires that material financial changes be communicated with
supporting data quickly to the public.281 These provisions have been
interpreted by the IT community to necessitate enhanced access controls,
encrypting data and protection against DDoS attacks, among other security
measures.282 Available data indicate that managers perceive that SOX’s
penalties and requirements have had a significant impact on information
systems security.283 While the civil suit provisions in SOX were not intended
to create downstream liabilities, the text of SOX does not eliminate the
possibility of companies using SOX provisions to sue executives, for
281. See supra Part III.A.2; Sarbanes-Oxley Act of 2002, Pub. L. 107-204, 116 Stat. 745 (to be codified
at 18 U.S.C. §§ 1341, 1343).
282. Keith Pasley, Sarbanes-Oxley (SOX) – Impact on Security In Software, DEVELOPER,
http://www.developer.com/security/article.php/3320861 (last visited Oct. 6, 2007).
283. GORDON ET AL., supra note 4, at 21-22.
executives’ failure to maintain adequate internal controls that resulted in
harm.284 Therefore, it is foreseeable that a DDoS victim may eventually
attempt to sue a company pursuant to SOX, in addition to suing on other
grounds, for failing to maintain the security of its information systems.
5. Product Liability Unavailable
Relatively unpublicized provisions of the USA PATRIOT Act amended
the CFAA so that no civil actions may be brought against producers for “the
negligent design or manufacture of computer hardware, computer software or
firmware.”285 Further, section 230 of the Communications Decency Act of
1996 (CDA) has been used to shield Internet Service Providers (ISPs) from
liability.286 The section reads: “[n]o provider or user of an interactive
computer service shall be treated as the publisher or speaker of any
information provided by another information content provider.”287 This
language has been interpreted broadly to protect ISPs when their service is the
mechanism for delivery of damaging computer programs.288
Therefore, despite the apparent analogy that hardware and software
companies and ISPs may be providing the equivalent of negligently designed
bridges and Ford Pintos for the information superhighway, and may therefore
be vulnerable to product liability lawsuits, federal statutes afford these
companies and their executives an unusual degree of protection. However,
executives in other industries should not rely upon a hope that the CDA will be
extended further to shield all businesses from liability when their unsecured
computers become zombie attackers.289
6. Damages and Defenses
As mentioned above, a key advantage of pursuing a tort claim in addition
to or instead of pressing criminal charges is the recovery of damages.
Assuming that a defendant’s conduct is proven to be the exclusive cause of the
284. For a brief summary of the legislative history of section 404 of SOX and the high costs associated
with complying with that section, see Joseph A. Castelluccio III, Sarbanes-Oxley and Small Business: Section
404 and the Case for a Small Business Exemption, 71 BROOK. L. REV. 429, 459-63 (2005).
285. USA PATRIOT Act of 2001, § 814(e)(2), 115 Stat. 384 (codified as amended at 18 U.S.C. §
1030(g) (2006)); Beryl A. Howell, Cybersecurity Liability: Is it Time to Get Off the Soapbox?, COMPUTER &
INTERNET LAW., May 2004, at 1, 4.
286. E.g., Zeran v. America Online, Inc., 129 F.3d 327, 330 (4th Cir. 1997).
287. 47 U.S.C. § 230(c) (1996).
288. Laurin H. Mills, ISP Immunity Provision Is Broadly Interpreted, NAT’L L.J., April 13, 2002, at C19;
e.g. Green v. America Online, Inc., 318 F.3d 465, 471 (3d Cir. 2003). For an argument that U.S. statutory
provisions should be harmonized with European standards, such that ISPs would be responsible for harmful
activities that they knew about but chose not to remedy, see Michael L. Rustad & Thomas H. Koenig,
Rebooting Cybertort Law, 80 WASH. L. REV. 335, 392 (2005).
289. While the CDA has even been used to protect eBay from liability when its forum was used to sell
pirated sound recordings in Stoner v. eBay, Inc., 56 U.S.P.Q. 2d 1852, 1852-53 (Cal. Super. Ct. 2000), the
CDA did not shield an ISP for knowingly allowing a hosted Web site to violate a trademark. Gucci America,
Inc. v. Hall & Assocs., 135 F. Supp. 2d 409, 420-22 (S.D.N.Y. 2001); Stoner, 56 U.S.P.Q. 2d at 1854-56.
No. 1] CYBER-EXTORTION 139
damages, then the measurable harm caused by the conduct may be awarded.290
In egregious cases, a court may be convinced that future instances of such
conduct ought to be deterred, and punitive damages may be awarded, further
boosting one’s economic incentive for pursuing such a lawsuit.291
It is important to highlight, however, that there is the possible defense of
comparative negligence that could be presented in a typical DDoS scenario.
This defense could either reduce or entirely eliminate the award of damages,
even if liability for negligence or vicarious liability or trespass to personal
property can be readily established. To review: in the hypothetical scenario
where company D was negligent and its network was compromised and used
to launch a DDoS attack on company P resulting in harm, company P would be
the plaintiff suing defendant company D to recover for damages. So far, so
good. Defendant company D, however, could argue that company P bears part
of the responsibility for its own losses because company P was itself negligent.
In the vast majority of states, this is referred to as comparative negligence.292
In situations where the court decides that company P’s own negligence is 0-50%
responsible for its own harms, the final award is reduced by the
appropriate percentage. In comparative negligence states, once a court finds
that company P is more than 50% at fault for its own damages, company P will
recover nothing.293 A minority of states allows for pure comparative
negligence, which would allow for proportionate recovery even if plaintiff
company P’s own negligence is judged to be more than 50% of the reason for
its damages.294 There has been at least one instance where, once a hacking
was discovered, the failure to mitigate damages was the basis for a court
declining to award damages.295
The other possible defense would be to argue that an intervening criminal
act is the true cause of the damages. This is not an unprecedented defense in
tort cases. However, as mentioned above, a DDoS attack utilizing an
unsecured network is most analogous to leaving the ignition keys in an
unlocked and unattended car. In these cases, liability has been attached to the
negligent conduct of the car owner.296 The defense of an intervening act being
the true cause of the plaintiff’s harm fails because the intervening act is
290. 22 AM. JUR. 2D Damages § 25 (2004).
291. Id. at § 542.
292. Paul H. Edelman, On Apportionment in Comparative Negligence (Vanderbilt Law and Economics
Research Paper, Paper No. 06-20, 2006), available at http://ssrn.com/abstract=929562.
293. See FRANK J. VANDALL ET AL., TORTS: CASES AND PROBLEMS 571-72 (2d ed. 2003) (comparing
types of comparative negligence doctrines).
294. Id. Prior to comparative negligence being adopted by the vast majority of states, any finding of a
plaintiff being responsible for his or her own damages would serve as an absolute bar to recovery. Christopher
J. Robinette & Paul G. Sherland, Contributory or Comparative: Which Is the Optimal Negligence Rule?, 24 N.
ILL. U. L. REV. 41, 41 (2003). This doctrine, known as contributory negligence, survives in a small minority of
states. Jennifer J. Karangelen, The Road to Judicial Abolishment of Contributory Negligence Has Been Paved
by Bozman v. Bozman, 34 U. BALT. L. REV. 265, 265 (2004). Ultimately, the chances of the success of
mounting a defense that involves proving the plaintiff’s own negligence will be determined by the specific
facts of a case.
295. AM. JUR. 2D NTS Computers and the Internet § 73 (2005).
296. Abdallah v. Caribbean Sec. Agency, 557 F.2d 61, 61 (3d Cir. 1977); Vining v. Avis Rent-A-Car
Sys., Inc., 354 So. 2d 54, 54 (Fla. 1977).
140 JOURNAL OF LAW, TECHNOLOGY & POLICY [Vol. 2007
entirely foreseeable, and reasonable steps could have been taken to ensure that
one’s property does not become a tool for inflicting harm.
7. Why the Dearth of Tort Claims?
Given the high profile of a few cyber-extortion attempts and, more
broadly, the tens of thousands of complaints to the FTC about various other
online misdeeds, the relative dearth of resulting tort claims is puzzling.
Michael L. Rustad and Thomas H. Koenig provide some theories as to why
there is a lack of case law applying tort liability to online contexts.297 First,
they point out that a lag time is typical whenever a new technology emerges.298
For example, applying “horse and buggy” legal principles to the automotive
age took decades, and – of particular significance to the analysis in this article
– eventually resulted in some creative stretching of old doctrines to fit the new
paradigm.299 Second, Rustad and Koenig point to the fact that tort law has
been significantly retrenched in the majority of states through state statutes
limiting damages and liability; they suggest that this hostile environment to tort
suits may have contributed to the dearth of case law.300 When asked by the
author for his opinion, Blake A. Bell suggested that perhaps there are not more
cases because larger companies—the most lucrative targets for a tort lawsuit—
have taken the best security precautions.301
IV. CONCLUSIONS
Cyber-extortion is a large problem that has received inadequate coverage
and attention. In instances where one can establish the identity of the
extortionist, there are tools for prosecuting and recovering damages from the
extortionist. However, one is typically unlikely to ascertain the identity or
location of a cyber-extortionist and the cyber-extortionist is very possibly
beyond U.S. borders. Because extortionists typically lack extensive financial
resources, one is also unlikely to recover the full amount of desired damages.
Therefore, government prosecution of cyber-extortionists may be a more
appropriate means of deterrence and punishment of extortionists when they can
be located.
Given the comparative ease of learning which businesses’ information
systems were hijacked to commit a cyber-extortion, and those companies’
297. Michael L. Rustad & Thomas H. Koenig, Cybertorts and Legal Lag: An Empirical Analysis, 13 S.
CAL. INTERDISC. L.J. 77, 115-38 (2003).
298. Id.
299. Id. at 77-79. The authors borrow the words of former President Richard Nixon to illustrate the
concept of legal lag. Id. at 77. As a law student at Duke University, Nixon observed that “in 1905 all of
American automobile case law could be contained within a four-page law review article, but three decades
later, a ‘comprehensive, detailed treatment [of automobile law] would call for an encyclopedia.’” Id. (citing to
Richard M. Nixon, Changing Rules of Liability in Automobile Accident Litigation, 3 LAW & CONTEMP. PROBS.
476 (1936)).
300. Rustad & Koenig, supra note 297, at 139-40.
301. E-mail from Blake A. Bell to author (Feb. 27, 2006) (on file with author).
relatively deeper pockets, businesses with compromised information systems
will soon be targets for civil lawsuits. This will obviously be a desirable
development from the perspective of victimized businesses seeking the
recovery of damages. Negligence is clearly the most applicable potential
framework in seeking redress from a business that fails to take reasonable steps
in protecting its information system, such as to allow it to become an attack
zombie.
Some will lament that finding tort liability in such contexts will be a
windfall to trial attorneys and will make businesses operating in the U.S. less
competitive. Some may visualize a nightmare scenario of thousands of
negligence lawsuits that could incapacitate businesses to an unreasonable
degree. The alternative solution would be to propose a statutory or regulatory
scheme as the appropriate approach to combat inadequate information system
security. Further, some may argue that immunity from, or limitations to, tort
liability should be created by statute.
The author suggests that allowing tort liability to serve as a means of
deterrence and redress of harms is the more desirable option for businesses and
society. Most importantly, tort law allows for the most flexible and adaptable
standard to be applied to a rapidly changing technological environment. It
bears pointing out that, far from requiring a standard of perfection, an action
based on negligence theory will, practically by definition, seek out and enforce
a reasonable standard. It will also reduce or prohibit damages to reflect the
comparative negligence of plaintiffs who failed in their own responsibilities to
meet a reasonable security standard. As this article has reviewed, the
reasonable standard of care may be determined by reference to existing
statutory and regulatory schemes that articulate minimum data security
requirements. Second, in industries where statutory and regulatory minimum
standards do not exist, the standard of care will be defined in reference to
reasonable industry practices, to which expert witnesses can testify. These
security experts presumably should have been consulted in the first place by
reasonable executives. Finally, as we have seen, if a new paradigm suddenly
evolves such that a court cannot defer to any other approach, a calculation may
be used whereby a court would consider the cost of prevention compared to the
likelihood and cost of an undesirable outcome to determine what the
reasonable applicable standard of care ought to be.
Contrast these bases for deciding upon a standard of care with the
consequences of attempting to impose statutory or regulatory standards.
Statutory and regulatory standards for information systems security are
plagued by the inherent difficulty of responding to the exigencies of the
fast-evolving realities of technology and information security.302 Almost
inherently, statutes and promulgated regulations would always be at least
302. Other authors have also sounded a cautionary note regarding governmental legislation and
regulation as the panacea to problems of cyber-security. E.g. Robert W. Hahn & Anne Layne-Farrar, The Law
and Economics of Software Security, 30 HARV. J. L. & PUB. POLY 283 (2006); Robert W. Hahn & Anne
Layne-Farrar, Is More Government Regulation Needed to Promote E-Commerce?, 35 CONN. L. REV. 195
(2002).
slightly out-of-date. Second, a higher and more costly standard may be
imposed by statutes or regulations than is either desirable or would have been
deemed necessary retrospectively in a negligence analysis.303 It bears
repeating that IT spending in 2006 rose over 10% as a result of businesses
purchasing data systems to satisfy the perceived requirements of SOX—a
statute that did not even seek to regulate data systems security per se.304
Third, statutes and regulations may impose a perversely inappropriate standard
by mistake. The CAN-SPAM Act305 is a perfect example of a statute that
imposed a counterproductive remedy. The statute mandated the inclusion of
e-mail addresses in unsolicited messages to which a recipient could reply in
order to “opt-out” of receiving further messages.306 This appeared to be a
reasonable way to curb the perceived problem. However, it encouraged
precisely what “phishers” (people who phish—that is, people who acquire and
trade in personal information nefariously acquired online) desire: namely,
verification that an e-mail account is active.307 Fourth, to regulate and then
adequately monitor, investigate and enforce IT security issues, a massive,
expensive and unwieldy new government body would be necessary. Finally,
the compounding of out-of-date standards over time can accumulate and spiral
into an unmanageable tangle. In the 1980s, it was realized that the penalties of
federal criminal laws numbered in the thousands, were at times inconsistent,
and were often generated by spasmodic responses to the crises of a particular
moment. SOX is but the latest example of this phenomenon in U.S.
legislation. The ability to prosecute for multiple counts of the same criminal
charges means that the mandatory statutory minimum or maximum penalties
are of exaggerated and mostly symbolic importance. Indeed, the purpose of
the Federal Minimum Sentencing Commission was to efficiently bring
consistency and predictability to criminal sentencing. Unfortunately, the
Sentencing Commission is a small group of appointees who are unaccountable
to an electorate during their term, yet they are allowed to make binding
decisions in secret. This provides an object lesson for those who see tort
liability as the enemy and statutory or regulatory standards as the obvious best
choice: namely, the sediments of statutory and regulatory requirements may
over time create a confusing mess of inconsistencies that may eventually get
sorted out in a process that is less open and accountable than some may
imagine.
Also, to address another important policy perspective: allowing tort
liability to operate results in an incentivization of common-sense
responsibility, or, in other words, a standard that both can be lived with and
303. For a critique of the Computer Fraud and Abuse Act as having resulted in overly-punitive
consequences, see Reid Skibell, Cybercrimes & Misdemeanors: A Reevaluation of the Computer Fraud and
Abuse Act, 18 BERKELEY TECH. L.J. 909 (2003).
304. Sharma, supra note 118.
305. Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003, 18 U.S.C. § 1037
(2006).
306. Id.
307. Spam Glossary, http://www.rahul.net/falk/glossary.html (last visited Oct. 6, 2007).
which one would want everyone else to live by. Responsible executives
should consult experts on cyber-security and encourage others to do so, as
well. Incentivizing a secure information infrastructure, especially in the early
twenty-first century, serves the interests of everyone. Further, statutory and
regulatory solutions are limited in their geographic scope. Given the size of
the cyber-extortion problem, the geographic dispersion of the world’s IT
industry to countries such as India and the fact that an information system is
only as strong as its weakest link, pursuing a comprehensive solution through
the national legislatures of the world and treaty commitments between
governments hardly appears practical. If tort liability were statutorily limited in
the U.S. in the context of downstream liability, U.S. enterprises with weak
links anywhere in the world may tolerate weaknesses that no reasonable person
would wish to have allowed.
Thus, not only will downstream liability based on negligence become a
reality in the absence of statutes that declare otherwise, but the business
community should embrace tort liability in this context.308 Of course, large
businesses could lobby and likely secure immunity from lawsuits, much as the
USA PATRIOT Act immunized hardware and software manufacturers309 and
the Communications Decency Act immunized Internet Service Providers from
tort liabilities.310 This is actually undesirable, inasmuch as businesses would
not only immunize themselves, but also everyone else, including negligent
actors who one may later want to hold accountable for their unsecured
networks.311 Embracing tort liability should also be seen as consistent with
best practice-sharing and prevention efforts that have been voluntarily
undertaken by industry—one should want to retain the ability to punish those
who betray agreements to share best practices and who violate community
308. There is a rich literature dedicated to the relative economic efficiencies of tort liability as compared
with regulatory regimes. E.g. ROBERT COOTER AND THOMAS ULEN, LAW & ECONOMICS (4th Ed. 2004).
Some authors have pointed out that, depending on the context, either regulation or a liability regime may be
more efficient, and that sometimes a combination of the two is optimally efficient. Charles D. Kolstad et al.,
Ex Post Liability for Harm vs. Ex Ante Safety Regulation: Substitutes or Complements, 80 AM. ECON. REV.
888, passim (1990); Steven Shavell, A Model of the Optimal Use of Liability and Safety Regulation, 15 RAND
J. OF ECON. 271, passim (1984). A thorough economic analysis of the relative efficiencies of regulation versus
tort liability is beyond the scope of this paper. The intent of this paper has primarily been to explain the legal
framework as it exists now and the foreseeable application of negligence principles in the context of
cyber-extortion, rather than to investigate the relative economic efficiencies of various potential remedies.
309. See supra, notes 285-289 and accompanying text. Some authors have suggested that vendors of
unreasonably insecure software should be held liable in negligence. E.g., Jennifer A. Chandler, Security in
Cyberspace: Combating Distributed Denial of Service Attacks, 1 U. OTTAWA L. & TECH. J. 231, 255-61
(2003); Kevin R. Pinkney, Putting Blame Where Blame Is Due: Software Manufacturer and Customer
Liability for Security-Related Software Failure, 13 ALB. L.J. SCI. & TECH. 43, 69-82 (2002).
310. See supra, notes 286-289 and accompanying text. Some authors argued that ISPs should not be
shielded from liability. E.g., Doug Lichtman & Eric Posner, Holding Internet Service Providers Accountable,
14 SUP. CT. ECON. REV. 221 (2006).
311. As indicated by the last three footnotes, the question of what constitutes the optimal mix of liability
among potentially responsible parties is a field of scholarship unto itself. Other approaches to the problem of
cybersecurity include cyber-insurance. Jay P. Kesan et al., The Economic Case for Cyberinsurance, (Univ. Ill.
Col. Law, Working Paper No. 1001, 2004). Another intriguing proposal recommends collective efforts of
Internet users to prevent cybercrime. Susan W. Brenner, Toward a Criminal Law for Cyberspace: Product
Liability and Other Issues, 8 U. PITT. J. TECH. L. & POLY 2 (2005).
standards. Ultimately, the policy debate framed in this conclusion will not be
fruitful so long as cyber-extortion remains the elephant in the server room. An
open dialogue—specifically about the duties and liabilities of businesses who
become cyber-crime victims or who unwittingly provide the tools to perpetrate
a cyber-crime—is overdue and should ideally involve scholars, practicing
attorneys, business leaders, public interest group representatives and IT
professionals.