Earlier today, the Democratic National Committee filed a massive lawsuit against almost everyone arguably associated with the hack on the DNC’s servers, including the Russian Federation, Russia’s foreign military intelligence agency (GRU), the hacker known as “Guccifer 2.0,” Wikileaks, Donald J. Trump for President, Inc., Donald Trump, Jr., Jared Kushner, Roger Stone, and others who have been, in press reports or in filings from the Special Counsel, alleged to have served as conduits between Russia and the Trump campaign. (Notably, Donald Trump was not himself named.) The complaint raises a host of claims ranging from the Computer Fraud & Abuse Act, the Stored Communications Act, the Racketeer Influenced and Corrupt Organizations Act, to the Digital Millennium Copyright Act, and a couple of state law tort claims too.
I’ve discussed almost all of these types of claims on this blog before (see, e.g., CFAA here and here, SCA here, RICO here, DMCA here), so the archive is rich with information if you want to learn more. For our purposes here, we’ll break everything in this lawsuit down into manageable chunks:
- Why Now
- Why The Complaint Alleges Those Causes Of Action
- Whether Russia And Its Agents Have “Sovereign Immunity”
- The “Plausibility” Pleading Requirement For The Case To Go Forward
- The Potential Role Of The U.S. Government (Next Post)
- The Role Of Parallel Criminal Prosecutions (Next Post)
- The First Amendment Issues (Next Post)
- What This Lawsuit Can Actually Accomplish (Next Post)
If you’ve already read the below, click here for my follow-up post.
I. The DNC Had To File This Case Now Or The Statute Of Limitations Would Have Run
The core of the DNC’s complaint is, of course, about the hack on their servers, and thus most of the case revolves around claims under the Computer Fraud & Abuse Act (“CFAA”) and the Stored Communications Act (“SCA”).
As the complaint says, “on April 28, 2016, DNC IT staff detected and ultimately confirmed access to the DNC network by unauthorized users.” The DNC thus had just one more week before the statute of limitations would have run: claims under the CFAA and SCA have to be brought, respectively, “within 2 years of the date of the act complained of or the date of the discovery of the damage,” 18 U.S.C. § 1030(g) and “[not] later than two years after the date upon which the claimant first discovered or had a reasonable opportunity to discover the violation,” 18 U.S.C. § 2707(f).
It’s common for complex civil litigation to follow a government investigation — it happens in everything from airplane accidents (with an NTSB investigation) to antitrust cases (with a DOJ investigation) — and I have no doubt the DNC would have preferred to wait for Mueller’s investigation to conclude, after which they would rely on whatever Mueller discovered. But the DNC had to file this lawsuit now or never. I wouldn’t be surprised if the DNC asked for the court to stay the lawsuit (meaning, to simply pause the proceedings) until the end of the Mueller investigation and the various indictments already filed. I also wouldn’t be surprised if Russia (and the defendants affiliated with them) and the Trump Organization (and the defendants affiliated with them) objected to a stay and asked for the court to rule on their initial motions now.
II. To Understand The Lawsuit’s Causes Of Action, Put Aside Politics And Russia
The DNC’s Complaint looks like a smorgasbord of federal statutes and unusually-named common law claims, such as “conspiracy to commit trespass to chattels,” that give the impression of someone sneaking onto a farm and stealing a cow (which, truth be told, is indeed part of the historical origin of “trespass to chattels,” and of the phrase “caught red handed”). But the claims make sense in the context of the facts alleged.
Let’s start with a hypothetical to go through the alleged facts without politics getting in the way: the plaintiff is Wayne Enterprises (its former Chief Executive Officer is, of course, Bruce Wayne). Bruce Wayne has been regularly criticized by competitors in the media, and Wayne Enterprises’ computer systems remain under constant attack from hackers. It’s not unusual for Wayne’s competitor, Lex Luthor of LexCorp, to criticize him and point out his failings. It’s also not unusual for the League of Assassins to try to break into computers associated with him.
SIDENOTE: Before we go forward, perhaps you have questioned my decision to bless the DNC with the mantle of Batman while condemning Trump as Lex Luthor and Russia as the League of Assassins. That’s on purpose, so our hypothetical is consistent with the standard the court will apply when evaluating the initial motions in the case. When a federal court evaluates the allegations made by a plaintiff (such as when a court reviews a motion to dismiss a complaint), it assumes all of the properly-pleaded facts in the plaintiffs’ favor, along with all reasonable inferences that can be drawn from it. The court can (and will) ignore legal conclusions alleged by the plaintiff, as well as “facts” that seem to have no basis, but the court will not try to weigh the facts and decide who is right. Now, back to our hypothetical.
One summer, someone — government investigators and Wayne Enterprises’ cybersecurity firm both say it was likely the League of Assassins, but they don’t have a smoking gun or a confession — succeeds in hacking the company’s computers and stealing a large amount of information, including internal communications, copyrighted materials, and documents that are potentially trade secrets, and they start leaking that information through various channels. The situation is made even more frustrating by what appears to be an unusual amount of coordination with LexCorp and the leaked information, such that at least one consultant for LexCorp appears to have advance knowledge of the stolen information.
As the next year goes by, Wayne Enterprises learns of pre-existing connections between Lex Luthor and the League of Assassins. They also learn of meetings, emails, and other contacts between LexCorp employees and people associated with the League of Assassins that happened before the hack and which, in parts, suggest knowledge of the hacks. There’s a prosecutor looking into these issues, too — they’ve already filed indictments against multiple LexCorp employees for matters relating to the League of Assassins — but they won’t comment publicly on the status and Wayne Enterprises doesn’t have anything more than anonymously sourced press reports to determine where the investigation is going or when it will conclude.
So what does Wayne Enterprises do? It waits for as much information as it can get until the two year point, when the CFAA and SCA statutes of limitations will run, then it files a lawsuit with essentially the same claims raised by the DNC. It files a pile of claims relating to hacking / cybersecurity, like the Computer Fraud & Abuse Act, the Wiretap Act, the Stored Communications Act, the Virginia Computer Crimes Act, and a couple common law claims for trespass. It also adds claims relating to the specific property taken, like the Digital Millennium Copyright Act, and the federal and Washington D.C. Trade Secrets Acts.
Wayne Enterprises also files a RICO claim for a rather simple reason: because at the moment they don’t even know who actually hacked their servers — the ones the other claims are really aimed at — they just know the people that they believe were in on the conspiracy. One of the people they think is in on the conspiracy is Lex Luther’s son.
In real life, in the Complaint, that’s Donald Trump, Jr. Does anyone suspect that Donald Trump Jr. personally hacked the DNC servers? Of course not. At the very most, based on the allegations, he had knowledge of it having occurred and then exploited that for personal gain, which is hardly an ideal setup for tagging him with a CFAA claim, but which can fit into a RICO claim, or at least a RICO conspiracy claim. (We’re not yet getting into the merits of these specific claims. Accept this as an article of faith: despite the simple language in the statute, proving any form of RICO claim is quite difficult.)
III. Russia, the GRU, and Cyberattacks Under the Foreign Sovereign Immunities Act
Going way back, like The Schooner Exchange v. M’Faddon, 11 U.S. 116 (1812), the federal courts have recognized “sovereign immunity” for foreign governments, which prohibits them from being sued. Since 1976, however, the United States has had a codified, consistent method for determining when foreign governments may be sued under the Foreign Sovereign Immunities Act, 28 U.S.C. §§ 1330, 1332, 1391, 1441, and 1602–1611 (not to be confused with the “Foreign Intelligence Surveillance Act,” which relates mostly to warrants for eavesdropping on matters of national security). A foreign state, as well as its “agents” and “instrumentalities,” are “presumptively immune from the jurisdiction of United States courts” unless one of the Act’s express exceptions to sovereign immunity applies. Saudi Arabia v. Nelson, 507 U.S. 349, 355 (1993).
The DNC complaint identifies, in the most general form, the two exceptions they intend to rely upon: 28 U.S.C. § 1605(a)(5), which removes immunity for tortious acts committed in the United States, and 28 U.S.C. § 1605(a)(2), which removes immunity for commercial activities.
Starting with § 1605(a)(5), it sure seems like a foreign government hacking into a political committee’s files would count for tortious conduct — trespass is, of course, a tort — but the FSIA was written with much more banal factual circumstances in mind, like a car accident caused by a negligent driver who happens to work for a foreign government:
A foreign state shall not be immune from the jurisdiction of courts of the United States or of the States in any case … in which money damages are sought against a foreign state for personal injury or death, or damage to or loss of property, occurring in the United States and caused by the tortious act or omission of that foreign state or of any official or employee of that foreign state while acting within the scope of his office or employment;
except this paragraph shall not apply to … any claim based upon the exercise or performance or the failure to exercise or perform a discretionary function regardless of whether the discretion be abused
1605(a)(5)(italics added). That would be the “discretionary function” exception, and it is intentionally similar to the same “discretionary function” language contained in the Federal Tort Claims Act (“FTCA”), which outlines when the United States itself may be sued for causing injuries to persons or property. See Swarna v. Al-Awadi, 622 F. 3d 123 (2d Cir., 2010)(holding FSIA discretionary function exception should be interpreted in pari materia with FTCA).
That’s a bit of a problem for the DNC, because the FTCA’s own “discretionary function” exception can be quite broad. As the Supreme Court held,
When established governmental policy, as expressed or implied by statute, regulation, or agency guidelines, allows a Government agent to exercise discretion, it must be presumed that the agent’s acts are grounded in policy when exercising that discretion. For a complaint to survive a motion to dismiss, it must allege facts which would support a finding that the challenged actions are not the kind of conduct that can be said to be founded in the policy of the regulatory regime. The focus of the inquiry is not on the agent’s subjective intent in exercising the discretion conferred by statute or regulation, but on the nature of the actions taken and on whether they are susceptible to policy analysis.
United States v. Gaubert, 499 U.S. 315-324 (1991). One relatively recent, and deeply frustrating, example involved the U.S. Army Corps of Engineers’ shocking failure to maintain Mississippi River Gulf Outlet Reach 2 Levee, resulting in the cataclysmic flooding of St. Bernard Parish and the Lower Ninth Ward during Hurricane Katrina. Judge Duval of the Eastern District of Louisiana presided over the ensuing litigation, finding the United States liable, just to see his decision metaphorically washed away by the Fifth Circuit. He wrote a law review article about it with a rather revealing title: “The Discretionary Function: License To Kill?” As he wrote, “If that analysis [by the Fifth Circuit] is correct, then the FTCA is practically meaningless for anything other than quotidian postal-car accidents or medical malpractice at a Veterans Administration Hospital.”
Coming back to our purposes, Russia’s alleged systematic effort to hack the DNC and then coordinate the release of documents to manipulate the 2016 election is certainly not a “quotidian postal-car accident.” It would appear to be the very sort of actions “founded in the policy of the [Russian] regulatory regime,” per Gaubert, and thus within the “discretionary function” exception, “regardless of whether the discretion be abused,” per § 1605(a)(5).
This sort of upside-down analysis in which the shocking nature of the alleged conduct works to the benefit of the defendant is, regrettably, somewhat commonplace in cases against government entities, whether it’s a claim against a foreign government, a tort claim against the United States, or a civil rights claim. Our liability regime is not well constructed for holding accountable those who abuse governmental power.
Moving to the other FSIA section cited by the DNC, the “commercial activities” clause says:
A foreign state shall not be immune from the jurisdiction of courts of the United States or of the States in any case … in which the action is based upon a commercial activity carried on in the United States by the foreign state; or upon an act performed in the United States in connection with a commercial activity of the foreign state elsewhere; or upon an act outside the territory of the United States in connection with a commercial activity of the foreign state elsewhere and that act causes a direct effect in the United States…
1605(a)(2). The DNC’s complaint alleges, “Russia committed the trespass in order to steal trade secrets and commit economic espionage, two forms of commercial activity undertaken in and directly affecting the United States.”
A recent Supreme Court opinion on “commercial activity” under FSIA would appear to be problematic for the DNC, because the Supreme Court reiterated that, for a plaintiff to avoid sovereign immunity, their claim had to be “based upon” the commercial activity at issue and not, say, sovereign acts abroad. Obb Personenverkehr AG v. Sachs, 136 S.Ct. 390 (2015). That said, in a footnote, the Supreme Court said “caution is warranted here,” and that, although they found sovereign immunity for a claim against Austria involving a railroad accident in Austria, “domestic conduct with respect to different types of commercial activity may play a more significant role in other suits under the first clause of § 1605(a)(2).” Thus, the DNC might have a solid hook here: whatever else can be said about the hacking, it most certainly involved the domestic activity of breaking into the DNC’s servers in the United States and removing the materials from the United States.
Ted Folkman flags a recent case from the D.C. Circuit (which isn’t binding on the court the DNC case is in, but which could be persuasive) that involved hacking allegations and held the defendant government was entitled to sovereign immunity unless the entire tort was committed in the United States. I agree with Ted that such an analysis would likely doom the DNC’s claims against Russia, and I agree with Ted that this sort of analysis isn’t compelled by the text of the FSIA statute or by Supreme Court precedent. There are many important issues of legal and foreign policy raised by the DNC’s complaint against Russia, but, even if the claims should be dismissed against Russia, that doesn’t necessarily mean they should be dismissed by way of an unduly narrow interpretation of FSIA. I’ll discuss those non-FSIA issues in the next post.
IV. Does The DNC Allege A “Plausible” Link Between The Hacking And The Trump Campaign?
Among the worst words in current legal jargon is “Twiqbal,” a bad portmanteau of the names Twombly and Iqbal, both Supreme Court cases about the level of factual detail required by a plaintiff for their lawsuit to survive a motion to dismiss.
Discussions about pleading standards are like quicksand, and it’s easy to get lost in them. So instead I’m going to quote the Second Circuit (the appellate court that oversees, among others, the Southern District of New York where this case was filed):
To survive a motion to dismiss, a complaint must contain sufficient factual matter, accepted as true, to state a claim to relief that is plausible on its face. We must accept as true all of the allegations contained in a complaint, though threadbare recitals of the elements of a cause of action, supported by mere conclusory statements, do not suffice. Though we are confined to the allegations contained within the four corners of the complaint, we may also consider any documents attached to the complaint as an exhibit or incorporated in it by reference.
Carlin v. Davidson Fink LLP, 852 F. 3d 207, 212 (2d Cir., 2017)(quotations and citations omitted).
It would be neither worth my time nor your time for me to go through the “plausibility” of each claim as to each defendant — although that’s exactly what the parties and the court will do when a motion to dismiss is filed. So this is more a general overview.
You may have noticed the DNC’s complaint references a lot of documents, with 107 endnotes. It is not typical to have “endnotes” in a Complaint. But a couple of those endnotes deserve special mention:
These aren’t minor details, nor are they matters that can be easily swept aside. In general, I think it is quite “plausible” to allege that Russia was involved in the hack on the DNC and that various members of the Trump Organization had contemporaneous contacts with agents of the Russian government.
But does the DNC “plausibly” link the Trump Organization’s contacts to the hacking itself? In many ways, the question is a political Rorschach test, and odds are good you have already reached your own conclusions. Similar questions could be asked of Wikileaks: there seems ample evidence of Wikileaks communicating and perhaps coordinating with Trump Campaign members, but there’s no smoking gun showing Wikileaks having prior knowledge of the hacking or coordinating with Russia’s GRU. How much do we have to infer for that “conspiracy” to be “plausible?” Is it too much of a leap?
Once you’ve finished the above, click here for my follow-up post.