Breaching Cybersecurity With No Liability?

By: Maxine Ainetchi

Technology and the internet have allowed modern attacks to widen the scope to encompass the ability to achieve more types, greater degrees, and faster attacks against one’s target. In modern times, headlines have included phrases such as ‘hacked’ and ‘cyber-attack’. As technology has become more sophisticated in the modern era, individuals, companies, and countries have gained the ability to cause harm from a computer. However, although technology develops at a rapid rate, the law may struggle to match its pace or complex nature.

The United States Court of Appeals for the District of Columbia Circuit (“Court of Appeals”) reviewed Broidy Capital Mgmt. LLC v. Muzin, considering (1) whether the Court has jurisdiction over this case, and (2) whether Defendants could claim immunity as ‘foreign agents’ of the State of Qatar.[1] I will be focusing on the issue of a foreign agent. The Defendants are American citizens and reside with the United States.[2] Although the District Court dismissed the motion to dismiss the case, and an order denying a motion to dismiss is not an appealable final order in cases involving sovereign immunity, orders denying colorable claims of sovereign immunity are immediately appealable pursuant to the collateral order doctrine.[3] The Court established jurisdiction over the case before applying the de novo standard of review.[4] The Court considered whether the Defendants qualified under common-law doctrine of foreign sovereign immunity, immunity claims not covered by the FSIA, under conduct-based sovereign immunity for the private agents of foreign governments, and derivative immunity.[5] The Court reviewed each defense, reaching the conclusions that the Defendants do not qualify for immunity, nor was there a principle-agent relationship formed between the Defendants and the Qatari government.[6]

This case was not Broidy’s first lawsuit against the Defendants.[7]Broidy sued all except one of the Defendants in the Central District of California, which dismissed the claims for lack of subject matter jurisdiction under the FSIA and lack of personal jurisdiction.[8] This was affirmed by the Ninth Circuit.[9] This argument was used in the case discussed above, but was rejected, as the FSIA covers only civil actions against a foreign state or its political subdivisions and agencies or instrumentalities, not individuals.[10] Broidy additionally sued Defendant’s alleged coconspirators in individual lawsuits in the Southern District of New York, including a U.N. official, which was affirmed by the Second Circuit.[11] The second suit was determined to lack sufficient allegations linking the cybersecurity firm to the hack.[12]

Broidy’s attempt to achieve some type of justice for the invasion of his private computer is exemplary of the imprecise and problematic nature of the current state of law that governs matters pertaining to hackings involving private citizens, and the lack of clarity as to how to immunity will apply in future cases. Information has the capacity to be a weapon; however, perpetrators maintain the ability to circumvent responsibility. The effect of the state of law as it stands, has left the current state of law open ended. Common law has long established the punishment for those that steal. However, this long-standing tradition has not carried unto modern times in terms of technology.

[1] Broidy Cap. Mgmt. LLC v. Muzin, No. 20-7040, 2021 U.S. App. LEXIS 26667, at *8-10 (D.C. Cir. 2021).

[2] Id. at 5.

[3] Id. at 12.

[4] Id. at 11.

[5] See id. at 6, 7, 9.

[6] See id. at 10, 20.

[7] See id. at 6.

[8] Id.

[9] Id.

[10] Id. at 8.

[11] Id. at 6, 7.

[12] Id. at 7.