On March 14, 2017, the D.C. Circuit affirmed the district court’s dismissal of a lawsuit against Ethiopia that arose out of an alleged hacking of a computer in the United States. See Doe v. The Federal Democratic Republic of Ethiopia, — F.3d —, 2017 WL 971831 (D.C. Cir., Mar. 14, 2017, No. 16-7081). You can read the opinion here.
The D.C. Circuit’s opinion makes it clear that the FSIA’s tort exception is wholly inadequate as a means to assert jurisdiction over a foreign state in a cyberattack case. As the D.C. Circuit correctly held, the tort exception is inapplicable in such cases because of the situs requirement: “The tort [the plaintiff] alleges . . . did not occur entirely in the United States; it is a transnational tort over which we lack subject matter jurisdiction.” Doe, 2017 WL 971831, at *3, citations, quotations and brackets omitted. The D.C. Circuit stated that Congress’s “primary purpose in enacting § 1605(a)(5) was to eliminate a foreign state’s immunity for traffic accidents and other torts committed in the United States,” and that “[i]t is thus unsurprising that transnational cyberespionage should lie beyond section 1605(a)(5)’s reach.” Ibid., citation and quotations omitted.
The D.C. Circuit’s holding – that the tort exception’s situs requirement bars a claim arising out of a cyberattack originating overseas – corresponds exactly with the point that I made in my prior post. It is the reason why commentators who argue that the tort exception is sufficient to address the growing cyberattack problem are simply wrong.
Sovereign immunity was born centuries ago, and it underwent an important evolution in the 20th century to reflect a changing world. The FSIA now needs to catch up to the modern realities of the Internet Age. Given the prevalence of computer hacking by foreign states, and the resulting harm to American individuals and companies, a new cyberattack exception to the FSIA is urgently needed. However, as I previously explained, such an exception will only work if it has teeth – such as, for example, the ability to collect on judgments against foreign states from the state’s instrumentalities and agencies, even if such entities were not involved in the cyberattack at issue. Cf. 28 U.S.C. § 1610(g)(1)(A)-(E). Otherwise, a new exception will do little to stem the rising tide of cyberattacks by foreign sovereigns in the United States.