The Cyberattack Exception to the Foreign Sovereign Immunities Act: A Proposal to Strip Sovereign Immunity When Foreign States Conduct Cyberattacks Against Individuals and Entities in the United States

The political branches may ultimately deem it advisable to permit suits against foreign sovereigns who, without setting foot on American soil, use technology to commit torts against persons located here.  But if the FSIA is to be altered, that is a function for the same body that adopted it.”

Doe v. Fed. Democratic Republic of Ethiopia, 189 F. Supp. 3d 6, 25 (D.D.C. 2016) (citations, quotations and brackets omitted).

Background

Five days ago, while I was reading about the Russian hacking scandal and the resulting damage to America’s public institutions, a new thought occurred to me: there should be a cyberattack exception to the Foreign Sovereign Immunities Act.

I checked to see if anyone had made the proposal before.  It appears to have been mentioned once, nearly four years ago, in an article about China’s cyber activities by Daniel Blumenthal in the Foreign Policy magazine.[1]  However, Mr. Blumenthal only devoted two sentences to the idea, which (to my knowledge) was never further developed.[2]

Other attorneys have occasionally argued (both in and out of court) that cyberattacks falls within the FSIA’s existing tort exception, 28 U.S.C. section 1605(a)(5).[3]  One attorney even tried to provide a “roadmap to this new line of litigation” in a recent law review article.[4]  However, I litigated the tort exception in district and appellate courts for well over a decade, and it creates only roadblocks to civil suits for cyberattacks. 

In particular, the tort exception’s situs requirement[5] — as well as the discretionary function and misrepresentation exclusions limiting the exception — make any lawsuit against a foreign sovereign for a cyberattack under section 1605(a)(5) very difficult and expensive.[6]  Indeed, a recent dismissal under the FSIA in a cyber case in the United States District Court for the District of Columbia – where the court dismissed a Wiretap Act claim under the tort exception’s situs requirement – only highlights the challenges of such litigation.[7]  In addition, even assuming that a cyber suit falls under the tort exception to the FSIA, a judgment would be extraordinarily difficult to collect upon given the FSIA’s strong immunity provisions related to attachment and execution.[8]

The result is that foreign states can perpetrate cyberattacks with relative impunity in the United States.  Even worse, those harmed by such attacks – often individuals or corporations who are innocent of any misconduct – have no effective means of redress against the offending foreign sovereign (or its officials).

Does this make sense?  Why should countries like Russia and North Korea be immune from suit for illegal conduct targeting computer systems in the United States?  Why shouldn’t foreign states that attack individuals, corporations or institutions over the Internet be liable for the consequences of their misdeeds? 

The United States Supreme Court has emphasized that “foreign sovereign immunity is a matter of grace and comity on the part of the United States, and not a restriction imposed by the Constitution.”[9]  As a matter of “grace and comity,” there is nothing in the history of foreign sovereign immunity that supports a grant of immunity where a foreign state targets a specific individual or entity for attack on the territory of the United States.[10]

The Foreign Sovereign Immunities Act of 1976 is over forty years old.  The time has come to bring the FSIA into the 21st century to address a very real and growing threat.[11]  A new cyberattack exception to the FSIA (28 U.S.C. § 1605C) would remove immunity for foreign states who attack individuals and entities in the United States, and would finally provide those harmed with a means of redress.  It should be drafted and passed forthwith.

Key Components

There are several key components essential to ensure an effective cyberattack exception to the FSIA:

Jurisdictional Provision: The cyberattack exception should have a jurisdictional provision modeled after the tort and the terrorism exceptions of the FSIA, but which is nevertheless specifically tailored to address the peculiarities of a cyberattack:

A foreign state shall not be immune from the jurisdiction of courts of the United States or of the States in any case not otherwise covered by this chapter in which money damages are sought against a foreign state for a cyberattack by the foreign state or by an official, employee or agent of such foreign state acting within the scope of his or her office, employment, or agency.[12]

If this type of language were to be used, the term “cyberattack” would need to be defined elsewhere (such as in 28 U.S.C. § 1603), and would need to track the language in a new cause of action (see below).  The other terms and phrases used in this proposed provision – such as “employee” and “scope of employment” – already have received extensive interpretation in FSIA jurisprudence.[13]  Moreover, the cyberattack exception – like the terrorism exception – should have no discretionary function or misrepresentation exclusions.

Cause of Action: While there are State and federal civil causes of action available in cyberattack cases – such as under the Electronic Communications Privacy Act and the Computer Fraud and Abuse Act – it is not always clear whether such provisions apply against foreign governmental entities.[14]  In fact, a federal district court recently concluded “that section 2520 of the Wiretap Act does not create a civil cause of action against a foreign state for interceptions of wire, oral, or electronic communications in violation of section 2511(1).”[15]  Accordingly, to clearly define the type of conduct that would fall within the new cyberattack exception, Congress should use existing federal law to create a new federal cyberattack cause of action against foreign states.  There is precedent for such an approach under the terrorism exception,[16] and it would serve the principle of uniformity underlying the FSIA.[17]  In addition, to avoid potential issues under international law, the new cause of action should clarify that the tort occurs in the United States, where the computer system is breached. 

Retroactivity and Statute of Limitations: To allow parties previously harmed by cyberattacks to bring suit, Congress should make the new immunity exception retroactive – which is permitted under Supreme Court jurisprudence.[18]  Like the terrorism exception, the cyberattack exception should also include a 10-year statute of limitations, extending back to claims occurring prior to the amendment’s enactment.[19]

Appearance/Default: Foreign states that engage in cyberattacks in the United States can be expected either not to appear at all in United States district court, or to withdraw from the litigation after making an initial appearance.[20]  Discovery is difficult to obtain under such circumstances, and yet the plaintiff still has the burden under section 1608(e) of “establish[ing] his claim or right to relief by evidence satisfactory to the court” prior to entry of default judgment.[21]  That burden is a particularly heavy one in cyberattack cases, especially for a private party who may have limited resources.  As a result, I would propose a new provision that specifically addresses a foreign state’s failure to appear in a cyberattack case:

If any federal law enforcement or intelligence agency certifies that there is probable cause that a foreign state, or an official, employee or official thereof, committed the act described in section * * *, there shall be a rebuttable presumption that the foreign state, or the official, employee or official thereof, has committed the act.  If the foreign state does not appear in the action, that presumption shall be accepted by the district court and shall constitute sufficient evidence to satisfy the requirements of section 1608(e).  If the foreign state appears in the action, the rebuttable presumption shall be rendered ineffective until such time, if any, that the foreign state no longer participates in the litigation.[22]

Damages: Under 28 U.S.C. section 1606, a foreign state sued under the cyberattack exception would “be liable in the same manner and to the same extent as a private individual under like circumstances; but a foreign state except for an agency or instrumentality thereof shall not be liable for punitive damages.”[23]  If the cyberattack exception creates a new cause of action, it should define the types of damages that should be recoverable (like the terrorism exception).[24]  Those damages should include reputational and professional harm caused by the hacking of personal and business e-mail systems.  As with the terrorism exception, Congress should also consider removing foreign sovereigns’ protection against punitive damages for cyberattacks, particularly if an attack causes major damage or disruption in the United States.[25]

Execution/Attachment: Because the FSIA currently provides strong protections against execution and attachment in a case involving a foreign sovereign,[26] it creates a massive disincentive to filing suit in a cyberattack case.  Even if a plaintiff establishes jurisdiction under the tort exception and prevails on the merits, the plaintiff is effectively limited to attaching or executing on “any contractual obligation or any proceeds from such a contractual obligation to indemnify or hold harmless the foreign state or its employees under a policy of automobile or other liability or casualty insurance covering the claim which merged into the judgment.”[27]  Given that foreign states do not (to my knowledge) carry insurance to protect themselves against cyberattack claims, a plaintiff can at best obtain a judgment that cannot be enforced – which is as useless as no judgment at all, especially when the foreign nation involved is a country such as Russia or North Korea.

In light of the foregoing, and in keeping with an analogous provision related to the terrorism exception,[28] Congress should add a new section 1610(a)(8):

The property in the United States of a foreign state. . . used for a commercial activity in the United States, shall not be immune from attachment in aid of execution, or from execution . . . [if] the judgment relates to a claim for which the foreign state is not immune under section 1605C [the cyberattack exception], regardless of whether the property is or was involved with the act upon which the claim is based.

Just as importantly, Congress should make judgments entered against foreign states in cyberattack cases subject to section 1610(g)(1), so that plaintiffs can collect from agencies or instrumentalities of the foreign state – even if such agencies or instrumentalities were not involved in the cyberattack at issue.[29]

Official Immunity: Congress should consider making all of the prior provisions, mutatis mutandis, applicable to foreign officials who order or participate in the cyberattack.  That includes, in particular, the exception to immunity and the punitive damages provision set forth above.  However, given the international law doctrine of head-of-state immunity, Congress should refrain from providing a means to assert jurisdiction over a sitting head of state for such conduct.

Final Thoughts

The FSIA largely renders foreign states immune for cyberattacks against individuals, corporations and institutions located in the United States.  However, given the financial and non-financial harm caused by such attacks, foreign states should be held liable, and should be compelled to provide compensation to those damaged by their actions.  Such a result not only makes sense, but it is also perfectly acceptable under long-established doctrines of foreign sovereign immunity.  And, perhaps most importantly, a new cyberattack exception – if it has real bite – would disincentivize foreign states from engaging in such harmful conduct in the future.

[1] See D. Blumenthal, “How to Win a Cyberwar with China,” ForeignPolicy.com
(Feb. 28, 2013) (“Congress could also create a cyberattack exception to the Foreign Sovereign Immunities Act, which currently precludes civil suits against a foreign government or entity acting on its behalf in the cyber-realm. There is precedent: In the case of terrorism, Congress enacted an exception to immunity for states and their agents that sponsor terrorism, allowing individuals to sue them.”).  Mr. Blumenthal’s idea was subsequently repeated, in similar conclusory form, in other sources.  Seee.g., Mazza, Michael.  Statement to the House, Committee on Foreign Affairs.  Cyber Attacks: An Unprecedented Threat to U.S. National Security (Mar. 21, 2013), at 47.

[2] Because I wanted to share this proposal as soon as possible – so that it may be considered and improved upon by others – I cannot claim an exhaustive search of prior sources related to cyberattacks under the FSIA.  However, I have not seen any other attempts to describe what such an exception would look like.  If such a prior proposal exists, I welcome comment from, and discussion with, its author.

[3] See U. Colella, “Foreign governments should be sued for cyberattacks,” Washington Examiner (Feb. 13, 2017).

[4] Scott A. Gilmore, Suing the Surveillance States: The (Cyber) Tort Exception to the Foreign Sovereign Immunities Act, 46 Colum. Hum. Rts. L. Rev. 227 (2015) (hereinafter “Gilmore”).  The article is available online.

[5] Mr. Gilmore underestimates the problem posed by the tort exception’s situs requirement in cyberattack cases.  See Gilmore, supra note 4, at 287, n. 149.  Based upon my experience in many cases, the situs requirement poses a major obstacle to jurisdiction in cross-border tort casesSee also infra, note 7.

[6] See 28 U.S.C. § 1605(a)(5)(A)-(B).  Given the breadth of the misrepresentation exclusion, its effect on computer fraud cases against foreign states remains an open question — particularly since the tort exception’s exclusions, which are based upon similar provisions in the Federal Tort Claims Act (28 U.S.C. §§ 2680(a), (h)), are so ill-defined.  In addition, although Mr. Gilmore may be correct that the discretionary function exclusion does not bar cyberattack claims outright (Gilmore, supra note 4, at 265-274), Mr. Gilmore’s article may not fully appreciate how the discretionary function exclusion can impact specific causes of action or theories of liability.  See, e.g., Doe v. Holy See, 557 F.3d 1066, 1083–85 (9th Cir. 2009).  While the District Court for the District of Columbia recently seemed inclined not to apply the discretionary function exclusion in a cyber case, the discretionary function exclusion is – at a bare minimum – an additional hurdle that complicates any case brought under the tort exception.  See Doe v. Fed. Democratic Republic of Ethiopia, 189 F.Supp.3d 6, 25-28 (D.D.C. 2016). As a result, it provides yet another obstacle to proceeding under the FSIA’s tort exception in a cyberattack case.

[7] Doe, 189 F.Supp.3d at 9; see also id. at 25 (“the Court holds that [plaintiff’s] claim for intrusion upon seclusion is barred by the ‘entire tort’ rule”).

[8] 28 U.S.C. §§ 1609-1611.  As discussed below, Mr. Gilmore’s article does not address this major problem with proceeding under the tort exception.  See infra at note 27.

[9]  Verlinden B.V. v. Cent. Bank of Nigeria, 461 U.S. 480, 486 (1983).

[10] The terrorism exception, 28 U.S.C. § 1605A, is the modern embodiment of this principle.  However, while absolute immunity was the norm pre-1952, even the Schooner Exchange Court recognized that there could be proper restrictions on immunity.  See The Schooner Exch. v. McFaddon, 11 U.S. 116, 123 (1812) (“We may forbid the entrance of [foreign states’] public ships, and punish the breach of this prohibition by forfeiture; nor do we deny the obligation of a foreign sovereign to conform to pre-existing laws, as to offences-and as to the acquisition of property; nor his liability for his private debts and contracts.”) (emphasis added).

[11] For a discussion of recent cyberattacks by foreign states, see Gillmore, supra note 4, at 228-32.  Of course, the problem has only gotten much worse since Mr. Gillmore’s article, and now includes economic and political tampering of a type that was perhaps previously unimaginable. 

[12] See 28 U.S.C. §§ 1605(a)(5) and 1605A(a)(1).

[13] However, to streamline litigation for plaintiffs and defendants alike (as well as serve the principle of uniformity underlying the FSIA), I would strongly urge Congress to apply the federal common law to identify officials, employees and agents, and to define the scope of their office, employment and agency.  The current hodgepodge of State laws creates unnecessary confusion and expense under the existing exceptions; if not addressed, these problems would persist under a new cyberattack exception as well.

[14] See Gilmore, supra note 4, at 244-50.

[15] Doe, 189 F.Supp.3d at 15.

[16] See 28 U.S.C. § 1605A(c).

[17] See, e.g., Verlinden, 461 U.S. at 489 (discussing “the importance of developing a uniform body of law in this area”) (citations and quotations omitted).

[18] Republic of Austria v. Altmann, 541 U.S. 677 (2004).

[19] 28 U.S.C. § 1605A(b).

[20] See, e.g., Calderon-Cardona v. Democratic People’s Republic of Korea, 723 F. Supp. 2d 441, 444 (D.P.R. 2010) (non-appearance by North Korea in FSIA action); Agudas Chasidei Chabad of U.S. v. Russian Fed’n, 729 F. Supp. 2d 141, 144 (D.D.C. 2010) (after participation in the litigation for years, Russia filing a “Statement with Respect to Further Participation [71] which informed th[e] Court that defendants ‘decline[d] to participate further in this litigation’ and ‘believe[d] this Court has no authority to enter Orders with respect to the property owned by the Russian Federation and in its possession, and the Russian Federation will not consider any such Orders to be binding on it’”).

[21] 28 U.S.C. § 1608(e).

[22] If such a provision were adopted, there would need to be a mechanism for certification by federal law enforcement or intelligence agencies.

[23] 28 U.S.C. § 1606.

[24] See 28 U.S.C. § 1605A(c)-(d) (“(c) . . . In any such action, damages may include economic damages, solatium, pain and suffering, and punitive damages. In any such action, a foreign state shall be vicariously liable for the acts of its officials, employees, or agents.  (d) Additional damages.–After an action has been brought under subsection (c), actions may also be brought for reasonably foreseeable property loss, whether insured or uninsured, third party liability, and loss claims under life and property insurance policies, by reason of the same acts on which the action under subsection (c) is based.”).

[25] Not only is there recent precedent for lifting the punitive damages bar (28 U.S.C. § 1605A(c)), but the bar was always on precarious footing with respect to international law.  Cf. H.R. Rep. No. 94-1487 (1976), at 22, citing, inter alia, 5 Hackwork, Digest of International Law, 723-26 (1943) (“Under current international practice, punitive damages are usually not assessed against foreign states.”) (emphasis added).  Hackworth’s treatise, cited in the FSIA’s legislative history, stated the following:

[T]he refusal of international tribunals to assess punitive, vindictive, or exemplary damages, as such, against respondent governments may be explained in part by the absence of malice, or mala mens, on the part of the government of the respondent state.

5 Hackworth, Digest of International Law 723-26 (1943).  It is unclear whether a foreign state lacks “malice” in a cyberattack case, especially where the attack is significant and is intended to disrupt core economic or political activities in the other nation.

[26] See 28 U.S.C. §§ 1609-1611.

[27] 28 U.S.C. § 1610(a)(5).  The plaintiff in a cyberattack case proceeding under the tort exception will be limited to section 1610(a)(5), because the plaintiff likely would not be able to show that the foreign state has waived immunity (§ 1610(a)(1)), that “the property is or was used for the commercial activity upon which the claim is based” (§ 1610(a)(2)), that “the execution relates to a judgment establishing rights in property which has been taken in violation of international law or which has been exchanged for property taken in violation of international law” (§ 1610(a)(3)), that “the execution relates to a judgment establishing rights in property . . . which is acquired by succession or gift, or . . . which is immovable and situated in the United States” (§ 1610(a)(4)), that “the judgment is based on an order confirming an arbitral award rendered against the foreign state, provided that attachment in aid of execution, or execution, would not be inconsistent with any provision in the arbitral agreement” (§ 1610(a)(6)), or that “ the judgment relates to a claim for which the foreign state is not immune under section 1605A or section § 1605(a)(7) (as such section was in effect on January 27, 2008), regardless of whether the property is or was involved with the act upon which the claim is based” (§ 1610(a)(7)).  In his article, Mr. Gilmore does not address the difficulties caused by the FSIA’s attachment and execution provisions with respect to any cyberattack claim proceeding under the tort exception.  Gilmore, supra note 4, passim.  

[28] 28 U.S.C. § 1610(a)(7).

[29] The terrorism exception’s section 1610(g)(1), which was intended to remove the presumption of separate juridical status set forth in First Nat. City Bank v. Banco Para el Comercio Exterior de Cuba (“Bancec”), 462 U.S. 611 (1983), states the following in relevant part:

[T]he property of a foreign state against which a judgment is entered under section 1605A, and the property of an agency or instrumentality of such a state, including property that is a separate juridical entity or is an interest held directly or indirectly in a separate juridical entity, is subject to attachment in aid of execution, and execution, upon that judgment as provided in this section, regardless of–(A) the level of economic control over the property by the government of the foreign state;(B) whether the profits of the property go to that government;(C) the degree to which officials of that government manage the property or otherwise control its daily affairs;(D) whether that government is the sole beneficiary in interest of the property; or(E) whether establishing the property as a separate entity would entitle the foreign state to benefits in United States courts while avoiding its obligations.

28 U.S.C.A. § 1610.  Section 1610(g)(1) could be easily amended to over both terrorism cases (§ 1605A) and cyberattack cases (proposed § 1605C).

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: