Litigating Cybersecurity and Cybercrime

Hackers continue to proliferate: Just this week, the U.S. Department of Justice indicted the founder of Oilpro.com, a professional networking site for energy professionals, for hacking into a competitor’s database. Also this week, hackers struck law firms such as Cravath, Swaine & Moore and Weil, Gotshal & Manges. Last year, networking company Ubiquiti lost $46.7 million as a result of employee impersonation and fraudulent requests from an outside entity targeted at the company’s finance department. 

We litigate and try cybersecurity cases. This is not our first rodeo.

Many law firms have advisory cybersecurity practices. That is not our focus. Our experience comes from the battlefield, prosecuting and defending cases involving computer fraud and abuse. These representations include: 

  • pending investigation of cybersecurity breach resulting in losses in excess of $1,000,000; 
  • ongoing prosecution of theft liability involving “spoofing” by hackers posing as a supplier to a large industrial company; 
  • obtaining jury verdict of punitive damages for former employee whose accounts were accessed by former employer; 
  • successful defense of large financial institution sued by lawyer who fell victim to an online counterfeit check and advanced-fee scheme, obtaining settlement just prior to jury selection; and 
  • successful prosecution, and recovery, of almost $1,000,000 for elderly widow whose caretaker used login and password to transfer funds to caretaker’s own accounts. We had the case on file on a Sunday, just about 24 hours after the initial client contact. We had a temporary restraining order signed the next morning, preserving the funds and thereby ensuring their recovery.

Areas of expertise

Cybercrime cases require a combination of skill sets and often demand rapid-fire legal action; the learning curve is steep, yet the need for action is in many cases immediate. Among many others, some of the core areas of law that have arisen in our practice include: 

  • the law of injunctions and temporary restraining orders; 
  • the law and operation of payment systems (such as Uniform Commercial Code articles 3, 4, and 4A, along with numerous state and federal banking regulations); 
  • causes of action under the Texas Theft Liability Act, the Federal Computer Fraud and Abuse Act, the Texas Criminal Wiretapping Act, and other statutes. 

Cybersecurity cases can require retention of experts in computer and financial forensics. The cases may raise issues of whether the theft came from an insider. They can lead to criminal investigations and prosecutions and are often reported to law enforcement authorities. 

In many instances, the hackers vanish with the funds, but in some instances, lost funds can be recovered, or losses otherwise mitigated, particularly if the victim and the victim’s counsel act swiftly. 

The developing law 

 UCC duties. The law in this area varies from state to state and court to court. For example, the courts have split on the duties of a depositary bank to an online customer. Compare Greenberg, Trager & Herbst, LLP v. HSBC, 17 N.Y.3d 565; 958 N.E.2d 77; 934 N.Y.S. 2d 43 (N.Y. 2011) (refusing to relieve law firm from liability to bank for counterfeit check), with Valley Bank of Ronan v. Hughes, 147 P.3d 185, 192 n.4 (Mont. 1996) (acknowledging split of authority as to whether a common-law exception exists to a bank’s absolute rights under Uniform Commercial Code).

Insurance coverage. Comprehensive General Liability (“CGL”) policies often contain specific exclusions for cybersecurity breaches, and many courts have refused to find any coverage for such losses even without specific exclusions. The insurance industry has become concerned about the increasing expense of managing and defending against cybersecurity risks. A major insurability problem arises from the difficulty of obtaining recovery against cybercriminals – a problem with which we are all too familiar. Insurers are thus increasingly requiring insureds to buy dedicated cybersecurity coverage or forgo offering it at all. As with other areas of the law of cybersecurity, however, many insurance coverage issues remain unsettled. 

Class action data-breach litigation and securities litigation. The increased number of data breach incidents has triggered class-action litigation by both aggrieved customers and shareholders of companies victimized by cybercrime. 

Little doubt exists that as society becomes increasingly dependent on the so-called “Internet of Things,” we will see an increase in the number and type of cases involving cybersecurity. Please do not hesitate to call on us if you have questions. 

Scott P.

Regional Sales Director | Customer Success, Business Leadership

8 years ago

Great write up!

Teri Walter

Board Certified Civil Trial Lawyer

8 years ago

Interesting article! Also, I saw your brief in the Sharpstown case - great work! I hope to follow in your footsteps soon!

Alexia Benavides

Business Transformation with Technology, Business Consulting - Director

8 years ago

Had no idea this was your area of specialty - interesting article!

More articles by David Bissinger