Podcasts
Caveat
Ep 83
Caveat 6.23.21
Ep 83 | 6.23.21

Federal standing in identity theft cases.

Show Notes
Transcript

Tiana Demas: There has been a lot of back-and-forth between the different federal circuits about what is required to have federal standing to sue in cases involving data breaches and cyberattacks.

Dave Bittner: Hello, everyone, and welcome to "Caveat," the CyberWire's privacy, surveillance, law and policy podcast. I'm Dave Bittner, and joining me is my co-host, Ben Yelin from the University of Maryland Center for Health and Homeland Security. Hello, Ben. 

Ben Yelin: Hello, Dave. 

Dave Bittner: On this week's show, Ben unpacks the Trump administration's gathering of metadata from members of Congress. I've got the story of a judge pushing back on Google geofence warrant requests. And later in the show, my conversation with Tiana Demas from Cooley LLC on the recent 2nd Circuit decision concerning identity theft. 

Dave Bittner: While this show covers legal topics and Ben is a lawyer, the views expressed do not constitute legal advice. For official legal advice on any of the topics we cover, please contact your attorney. 

Dave Bittner: All right, Ben, let's jump into some stories this week. Why don't you kick things off? You've got another big one this week. 

Ben Yelin: I do. This is a New York Times expose, although it was also reported by a couple of other news organizations. So we found out that the Trump administration, first under Attorney General Jeff Sessions back in 2018, was able to obtain metadata records on the online communications of a couple of key members of Congress - Adam Schiff, who at the time was the ranking Democrat on the House Select Committee on Intelligence, and one of his colleagues, Representative Eric Swalwell of California. They're actually both California representatives. And now Congressman Schiff is the chairman of that committee. 

Ben Yelin: So this was all in the name of trying to investigate leaks. There had been leaks allegedly coming out of Congress related to the Mueller investigation, the Russian collusion investigation at the time. And the Trump administration, under its attorney general, had been suspicious that those leaks were coming from members of Congress. 

Ben Yelin: So the Justice Department was able to obtain a grand jury subpoena to get metadata from Apple and Google. And, again, metadata is relatively limited. They did not obtain the contents of any communications. But they were able to obtain metadata not only on these members of Congress, but on family members, including, in one case, on an individual who was a minor. And moreover, I think what rubs a lot of people the wrong way about this is Representatives Schiff and Swalwell weren't made aware of the surveillance until very recently because there was a gag order attached to these subpoenas. Apple and Google could not divulge to their customers that they had received these subpoenas from the government. 

Ben Yelin: So this has led, predictably, to a pretty big outcry. Why was the Trump Justice Department using its authority to subpoena records from these Big Tech companies to investigate members of Congress? And there are a couple of things that are particularly problematic about this story. First of all, you don't need a judge to sign off on this type of subpoena. It is authorized by a grand jury who is doing these types of leak investigations. The only thing you need judicial approval for is the gag order itself. And they were able to obtain that from a federal magistrate judge. 

Ben Yelin: So because you don't need judicial approval, I think this type of subpoena authority, when we're talking about private communications, even if it's metadata, should be used rather sparingly. And it doesn't seem that there was any indication, any premonition, that these members of Congress were the source of these leaks. 

Ben Yelin: And I'll note, and this is a very important element to the story, Representatives Schiff and Swalwell were sworn enemies of the Trump administration. And so there's certainly the allegation and the appearance that this was, frankly, political harassment, that, you know, they were issuing these subpoenas not as part of a legitimate law enforcement investigation, but because this was, in the words of the former president, Shifty Adam Schiff. And, you know, I think that's a very important element to this story. 

Dave Bittner: OK. So a couple things I want to unpack here with you. First of all, isn't it so that the Obama administration was pretty aggressive when it came to hunting down leaks? Yes? 

Ben Yelin: Absolutely. So this is certainly not an issue that is strictly partisan. Multiple administrations of both parties have, frankly, in my view, been overaggressive in trying to prosecute leaks. They have obtained - specifically the Obama administration - authorization and certainly used the subpoena power to get the metadata and, in some cases, the actual contents of communications, particularly of journalists, thinking that they were the sources that leaked information. That's relatively common, for better or worse. I happen to think it's for worse, although I can understand why the government wants to investigate leaks. 

Ben Yelin: What's different here is that we're talking about members of Congress - that and not just members of Congress, but their families, including a minor. And that's something that, outside some sort of corruption investigation, is incredibly rare. Most of the experts who were consulted for this story said that they had never seen that during their careers of professional service. 

Dave Bittner: OK. So the other thing I'm wondering about is, if there's a claim here that this is some sort of harassment - you know, political harassment, which is the word you used - if these folks weren't aware that this was happening, if it was under a gag order, how were they being harassed? 

Ben Yelin: That's a good question. So, you know, one thing about surveillance and one reason it's a really interesting area of the law and one reason why it's particularly pervasive is that victims don't know that they're the victims until, perhaps, it's too late, as has happened here. So this investigation was actually - had gone dormant - they didn't have enough evidence - and then was revived without these members of Congress knowing that it had been revived once Attorney General Barr had been sworn in in 2019. They were only made aware after the investigation was dropped under the current Justice Department, led by Attorney General Merrick Garland. And that's when Apple and Google revealed that the subpoenas existed. 

Ben Yelin: I understand the tenor of your question. It doesn't seem like it would be harassment because they weren't aware that they were being surveilled. I think if they had found incriminating information on these members of Congress and they themselves had leaked it publicly, which is very possible, then that's how this could have turned into political harassment. Just the fact that you are going on a fishing expedition means that if you catch fish, you - that's something that you can horde over your political enemies using the powers granted to you by the Constitution, by our laws and by the Justice Department. And that's something that's particularly concerning. So even though it seems like they didn't really find anything, if they had found something, even if it wasn't related to leak investigations, that could have been used to silence, intimidate their political opponents. 

Dave Bittner: I see. Well, help me understand here this prohibition against doing something like this to members of Congress. Is that a courtesy, or is that an important sort of separation of powers issue, or both? 

Ben Yelin: So just to be clear, there isn't actually a law or policy that forbids the use of the subpoena power on members of Congress. This is just something that's not customary, I think, for separation of powers purposes. Generally, as an executive branch, you want to maintain good relations with Congress. But beyond that, I mean, one of the principles of our system is that Congress, as a separate and coequal branch, should not be intimidated by the people who have all the guns and money. And that's (laughter) the executive branch. I mean, the Justice Department has the resources and the power to potentially politically threaten or otherwise intimidate members of Congress. And that really does cut against our constitutional system of separation of powers. 

Ben Yelin: And this is something - and we've talked about many of these instances in the past, where even members of the opposing party can sometimes get insulted when the executive branch goes after members of Congress. You know, we saw - we've talked about the example back in the mid-2000s when the FBI raided the office of a member of Congress who was storing $90,000 in his freezer. 

Dave Bittner: Mmm hmm (laughter). 

Ben Yelin: And he was a Democratic member of Congress. It was a Republican administration. But the Republican leadership and speaker of the House said, we are not OK with you invading our constitutional facility here. We're not OK with you breaching the separation of power to engage in this investigation because we retain that status as a coequal branch of government. So I think even though it's not a formal restriction, there's no law saying that you can't issue this type of subpoena to a member of Congress. 

Dave Bittner: OK. 

Ben Yelin: I think it's a principle that Congress should have leeway within the confines of the law to engage in the nation's business and to investigate the executive branch. And if you had a situation where the executive branch was consistently doing this, that might have a chilling effect on Congress being able to use its oversight powers. You know, what was happening here is, there was a investigation, both in Congress and with the special counsel's office, into alleged nefarious activity from the leader of the executive branch and potentially other members of the executive branch. And, you know, if you are using the powers of the Justice Department to investigate the investigators, then that can undermine the sanctity of that investigation. 

Dave Bittner: What about the leak itself? I mean, if former President Trump and his colleagues had a legitimate concern about these leaks, does this put that type of investigation out-of-bounds? Let me just play devil's advocate here and say that if some of these members of Congress were actually the source of the leaks, does that give them impunity to do that because of the courtesy that they're granted here? 

Ben Yelin: It does not. It certainly does not. I think the executive branch has a perfectly legitimate reason to investigate leaks. They certainly - I don't want to say abuse their power in doing so regularly. But sometimes they are overzealous in their pursuit of identifying leaks when that pursuit becomes a greater story and a greater inhibition on our civil rights and liberties than the leaks themselves. 

Dave Bittner: I see. 

Ben Yelin: So sometimes there is this overreaction. There's certainly a legitimate interest, especially when we're talking about divulging sensitive national security information, to investigate members of Congress. I just think it is a bit of a constitutional faux pas to focus on members of Congress themselves. I think they're sort of owed the benefit of the doubt that without other compelling evidence, they're not the source of these potential leaks. And from the information we have now, there was no definitive proof that these representatives or other members of Congress or their staff members were the source of these leaks. And without having that extra layer of proof, it does feel more like a fishing expedition. 

Ben Yelin: So while the effort to identify leakers is certainly legitimate, it's, you know, certainly something that - I think you could expect a grand jury to return a subpoena for something like that. When you're talking about members of Congress who haven't specifically been accused and when there hasn't been really sufficient evidence to show that they were involved in the leak, that's where I think you get into this more dangerous territory. 

Dave Bittner: And what about the Biden administration? What are they signaling in terms of how they're going to approach these sorts of things? 

Ben Yelin: So as it relates to members of Congress, they've criticized the Trump administration for this investigation. The attorney general assured these members of Congress that the investigation has been concluded, that they are no longer under suspicion of being the leakers here. Of course, Apple has informed both Congressman Schiff and Congressman Swalwell that the investigations have ended. They're no longer submitting their metadata to the government. 

Ben Yelin: The Biden administration, as it comes to the investigation of other leaks, did continue some efforts from the Trump administration to use the Department of Justice to try and go after journalists for being the source of leaks. That caused a bit of an outcry. And I think the Biden administration has started to back off and at least signal that, going forward, they're going to be much more careful and selective about trying to obtain the online communications of journalists. But, you know, as you said at the beginning, this is not something that's confined to the Trump administration, particularly when we're talking about journalists. I think government officials get obsessive. You can understand why they're obsessive. They are dealing with classified information, sometimes information that's sensitive, that's related to national security. So you can understand why they want to go after leakers. That's why President Nixon created the Plumbers unit originally was to target leakers. But sometimes there is this tendency to be overzealous in that pursuit. 

Ben Yelin: I think many administration officials in administrations of both parties have abused that authority. So I think the Biden administration even signaling that it's going to try to relax these types of subpoenas is something that is promising, although we'll see how it turns out and we'll see if they're going to follow through when push really comes to shove and we're talking about something that's sensitive to the Biden administration itself, something they really care about. You know what if one of his private communications were leaked or something related to, you know, one of his policy priorities? That's when the rubber really hits the road, and we'll know whether there's been a sufficient policy change. 

Dave Bittner: Yeah. All right. Well, it's a - boy, it's a fascinating story. We'll have a link to it, the reporting over from The New York Times - Katie Benner, Nicholas Fandos, Michael S. Schmidt and Adam Goldman are the reporters on that one. So check that out if you're interested. 

Dave Bittner: Let's move on to my story this week. This comes from Forbes, article written by Thomas Brewster. It's titled "Google Geofence Warrants Endanger Privacy - Judges Now See The Threat." This caught my eye because this is the story of a judge in Kansas who pushed back on a request for a geofence warrant. Law enforcement came to this judge and said, we want to basically - we've talked about these types of things before. We want to know everybody who was in an area over a certain period of time because we suspect a crime has been committed. And in this case, the judge pushed back and said that the government had not done enough to prove that the suspect would've had a smartphone in the area at the time of the incident, but also that the amount of time that they were looking at was too broad. 

Dave Bittner: And I think part of what's interesting here is that they also had surveillance footage. They had security camera footage. And that security camera footage had time stamps on it, so they knew when the suspect was in a particular area. They had specific times when they knew, you know, this person walked through this area. And the judge was saying, it seems to me that, hey, you know when this person came through the area. That's the time stamp that you need the subpoena for, not all this time on... 

Ben Yelin: Right. 

Dave Bittner: ...Either side of that. So it's interesting to me. I'll just read part of what the judge wrote here. He said, (reading) The court simply issues this opinion to provide fair notice that geofence warrant applications must sufficiently address the breadth of the proposed geofence and how it relates to the investigation. It is not enough to submit an affidavit stating that probable cause exists for a warrant because, given broad cellphone usage, it is likely the criminal suspect had a cellphone. If this were the standard, a geofence warrant could be issued in almost any criminal investigation where a suspect is unidentified. 

Dave Bittner: I think this is fascinating, Ben. We're getting a little pushback here. What do you make of this? 

Ben Yelin: Yeah, we're finally seeing pushback from not just this particular judge, but judges across the country. I think it comes back to the general problem with geofencing as a law enforcement tactic. The Fourth Amendment has this particularity requirement, which means in order to engage in a search or seizure, you have to particularly identify the place to be searched or the persons or things to be seized. Of course, that only applies when we're talking about unreasonable searches and seizures. So, you know, that doesn't apply in every single case. 

Ben Yelin: But I think the principle of the Fourth Amendment is we don't want what they used to have in the 1600s and 1700s in Great Britain, which were these general warrants where the king and his minions would authorize a search of somebody's property, just say, find what you can find, whatever evidence you can obtain. 

Dave Bittner: Right. The old dragnet. 

Ben Yelin: Exactly. And that's what the Fourth Amendment was designed to protect against. And that kind of seems on its face what geofencing is. It's, tell us everybody who was in a particular area, even if we don't have individualized suspicion on any individual that's in the area. Now, it is a very useful law enforcement technique if they've run into dead ends in investigating a particular crime. You can at least narrow it down if you engage in geofencing. 

Ben Yelin: But I think what the judge here is saying is we can't be overbroad in authorizing this technique. It can't be the situation where the government simply has to say a crime was committed in a location in this general time frame, and since everybody has cellphones, it's reasonably likely that the person who committed the crime - their cellphone pinged in this particular area. And therefore, we can obtain those records. 

Ben Yelin: That's not enough according to this judge. And I think that's something that might develop into a more rigorous standard going forward. Hopefully, we get to the point where there's actually some sort of prescribed test for geofencing, where there has to be some identified level of particularity. Maybe you have to have some - whatever indication it is that you have a potential suspect in the area. Maybe it doesn't rise to the level of probable cause, but maybe if you have, you know - you'd have to have some type of suspicion that a particular person, a suspected criminal, is in the area that you want to geofence. 

Dave Bittner: Mmm hmm. 

Ben Yelin: Or there can be other parts of a constitutional test to determine whether you can authorize such a broad dragnet. And I hope that's the point that we get to. And it seems like since this is something that has been disparate across different judicial circuits, that maybe in a couple of years we'd see this type of case up at the Supreme Court, which, you know, I'm always looking to a final resolution of these very vexing questions because... 

Dave Bittner: (Laughter). 

Ben Yelin: ...I completely understand how courts could come to differing interpretations. So I'd like to see this definitively solved, perhaps with some type of very straightforward, workable standard where you have to have some level of particularity. 

Dave Bittner: Well, when you're on the Supreme Court, Ben, you can prioritize these types of cases and, you know, make it so. 

Ben Yelin: Yeah. I hope you testify for me at my confirmation hearing, despite all the things I've said to you privately. 

Dave Bittner: Oh, you don't want me. You don't want me. I know too much. 

Ben Yelin: You do know too much. Yeah. And I hope our listeners wouldn't sabotage me at my confirmation hearings. 

Dave Bittner: (Laughter) That's right. That's right. That's right. Now, it seems to me as though this judge - this was sort of a slap on the wrist, you know, like, to say - he's not saying go away and don't come back - right? - to the law enforcement folks. 

Ben Yelin: Right. 

Dave Bittner: He's saying come back... 

Ben Yelin: Do better. 

Dave Bittner: ...With something - yeah, this is too broad. You can do better than this, which I guess is what we want. Right? 

Ben Yelin: It is. Yeah. I mean, that's exactly why we have judicial review in the first place 'cause otherwise law enforcement would always be too broad. Their jobs would be much easier if they could just say, oh, a crime was committed in New York City. Let's get all the cellphone records for lower Manhattan between October 1 and November 1 and, you know, just go on a little fishing expedition and see what we can find. 

Dave Bittner: Right. 

Ben Yelin: That would be great for law enforcement. It's not so great for the civil liberties of the people whose records are being collected. And that's exactly what the judge is saying here. He's not closing the door. He's not saying I'm not going to authorize any type of geofencing information that you're requesting. He's saying, come back with something a little bit more specific. You want geofencing information on two busy public streets and a large building complex where there is a - two large employers. That's too broad. That's too much information that you're seeking. So you have to try and narrow it down. You have to try and narrow it down to something where the potential dragnet is as limited as is humanly possible. And I think that is what's required under our constitutional system. 

Dave Bittner: Right. All right. Well, we will have a link to that story as well in our show notes. We would love to hear from you if you have a question for us. You can email us to caveat@thecyberwire.com. 

Dave Bittner: Ben, I recently had the pleasure of speaking with Tiana Demas. She is from Cooley LLC (ph). And our conversation centered on a recent 2nd Circuit decision concerning identity theft, specifically whether or not folks have standing. Here's my conversation with Tiana Demas. 

Tiana Demas: As a practitioner in New York, it's not so frequent that you get a 2nd Circuit decision that kind of clearly lays out the requirements for standing in what I guess you could call a data breach case, although this is really - Carlos Lopez is really not a typical data breach case because it was an inadvertent mass email. So we thought it was important to put out a blog post and explain to Cooley clients, the world writ large, what the decision said and what it means going forward because there has been a lot of back and forth between the different federal circuits about what is required to have federal standing to sue in cases involving data breaches and cyberattacks. 

Dave Bittner: Well, let's go through some of the details together. Can you give us a little overview of what the case was about? 

Tiana Demas: Sure. So this was a case - I'll just give you the facts first. 

Dave Bittner: Yeah. 

Tiana Demas: Carlos Lopez & Associates is a veteran and mental health services provider. Someone at the company accidentally sent an all-company email with a spreadsheet that contained 130 of the company's current and former employees' Social Security numbers, home addresses, dates of birth, telephone numbers, educational degrees and dates of hire. And so all 65 people who worked at Carlos Lopez & Associates received the email. And three of those employees whose information was in the spreadsheet brought a proposed class action claiming that the company was negligent and had violated certain consumer protection laws by sending out this inadvertent mass email. 

Tiana Demas: Now, they did not claim that the disclosure of their information resulted in any identity theft, fraud or misuse by a third party. And they did not claim that anybody outside the company had obtained or misused their personal information. But to get over the standing hurdle - which I'm happy to talk about in a little more detail - they said they faced an imminent risk of identity theft based on the exposure of their information, including their Social Security numbers. And they also claimed that they had taken steps after this mass email was sent out to prevent identity theft, which included such things as buying identity theft protection services, canceling credit cards and spending time assessing if they should apply for new Social Security numbers. But they did not actually do that. 

Dave Bittner: Well, let's dig in then to this whole notion of standing. Can you educate us - what is this hurdle of standing that you referred to? 

Tiana Demas: In federal court, for a person to bring a civil claim, you have to have what is called standing. And that's basically a right to sue in federal court. And this is rooted in Article 3 of the Constitution, which limits the jurisdiction of federal courts to actual cases or controversies. And it reflects separation of powers, principles. It's meant to prevent the judicial process from being used to usurp the powers of the political branches. So before a federal court will agree to hear a case, it has an obligation to make sure that a plaintiff or plaintiffs have standing to sue. 

Tiana Demas: And so the test for standing, which has been developed over the years by the Supreme Court, has a few parts. And the first is that a plaintiff has to have suffered an invasion of a legally protected interest, which is called an injury in fact. And that injury has to be concrete, particularized and actual or imminent. And it must also be traceable to the challenged action of the defendant. And finally, that injury must be capable of being remedied by a favorable ruling. 

Tiana Demas: Now, as I mentioned, in this case, the plaintiffs did not claim that anyone outside the company had obtained or misused their data. So the standing inquiry in McMorris focused on whether the injury was imminent. And on this point, the Supreme Court has said that a threatened injury needs to be certainly impending, and allegations of future injury are not enough. So this is what the 2nd Circuit was really wrestling with when it put forth the test for standing in Carlos Lopez. 

Dave Bittner: Well, so let's go through this and continue down this path. How did this particular case either meet or not meet those standards? 

Tiana Demas: At the district court level - and it's worth talking about the history of this case because before it got to the 2nd Circuit, plaintiffs filed their claim in district court. And the defendant had moved to dismiss on the ground that there was no standing. Then before that motion could be decided, they decided to settle the case. But in order to settle a case, the district court has to approve the settlement. And so the district court judge, Judge Furman, ordered briefing on the question of standing before he would approve the settlement. 

Tiana Demas: Judge Furman found that there was no standing because the plaintiffs had failed to alleged facts showing that they faced a certainly impending risk of identity theft or fraud. And he also pointed out that the plaintiffs did not claim that their data had been misused or compromised. There's also language in the district court's opinion about it being a misnomer to call this case a data breach case at all because, at best, the data was misplaced by an internal employee. 

Tiana Demas: So at that point, Judge Furman dismisses the case. And then, the plaintiffs appealed to the 2nd Circuit. And so in its decision, the 2nd Circuit, as always happens, had the benefit of the district court's reasoning. And it also surveyed the law in other circuits and, I think, could best be described as trying to harmonize what were actually kind of disparate approaches to standing in the data breach context and pull those disparate factors, or ways of approaching standing, into a three-part test that kind of harmonize the whole. And so the court put together a non-exhaustive, which means, you know, these are not all the factors that need to be considered. It put forth this non-exhaustive three-factor test for courts to consider in the context of an unauthorized disclosure of data. 

Tiana Demas: And so the first is - was the data compromised as a result of a targeted attack intended to obtain plaintiffs' data? The second is = has some portion of the compromised data already been misused, even if the plaintiffs' data had not been misused? And then, the third factor is whether the compromised data is of a type that is likely to expose plaintiffs to a perpetual risk of identity theft or fraud once exposed? So those are the factors the 2nd Circuit set forth. But then it, obviously, has to apply the facts of the case to those factors. And when it looked at the facts of the McMorris case, it found the plaintiffs did not have standing because, one, it was not a targeted attack - this was just an inadvertent mass email - two, no evidence that the data was misused and, three, on the question of, you know - was the compromised data of a type likely to expose them to this perpetual risk of identity theft or fraud? - the court found that the plaintiffs had not shown that they were at a substantial risk of future identity theft or fraud. 

Tiana Demas: And its analysis of that third factor was particularly interesting because, obviously, Social Security numbers are considered fairly sensitive personal information, but that was not enough. And the court pointed to the fact that the plaintiffs had not alleged any facts suggesting that their information was intentionally taken, that it was misused or anything of that nature. And so the court found that the sensitivity of the data standing alone was not enough to get them over the standing bar. 

Dave Bittner: Yeah, this was fascinating to me - and I must admit that I had to read through it twice because the name of the article is "Second Circuit Rules Individuals Have Standing," but then they ruled that this particular case did not have standing. So is it more that they have established what it would take to get standing, that the standing is possible in these sorts of cases - here are some of the tests you should apply? 

Tiana Demas: Exactly. So - yeah. The interesting part about this case is that it set forth this three-factor test, so that is what is going to apply in the 2nd Circuit. But it gives courts a lot of leeway to determine, based on the facts of a particular case, whether plaintiffs have met that bar. And so we're still in a place where it's a fact-dependent inquiry as standing analysis is no matter what, but I do think that in the inadvertent mass email context, it does make establishing standing a lot harder. And I agree that that should be the case. We're talking about things that happen all the time with no ill intent because somebody at a company or wherever just accidentally hits reply all or accidentally, you know, puts a Z-list - or however companies set it up - that, you know, send emails to way more people than anticipated. And so I think the court was practically thinking that this kind of situation is not what state negligence statutes or invasion of privacy statutes - which was not at issue in this case - invasion of privacy statutes were meant to cover. 

Dave Bittner: So does this strike you as being at all controversial or is it, as you say, a practical solution to something that we're - we see people facing more and more these days? 

Tiana Demas: I don't think it's controversial at all. You know, what I think will be interesting is that you still have some circuits where just the mere allegation of sensitive data being exposed is sometimes enough to clear the standing hurdle. And again, it's always very fact-dependent, but there are circuits where courts have taken a more lenient stance. And so what I expect may happen is that, even though they're not bound by the 2nd Circuit's decision, you may see other circuits, like the 9th Circuit and the D.C. Circuit, looking at the McMorris test and kind of adopting it as a way to harmonize how to approach data breach cases. 

Tiana Demas: I will add that there are certain things that the McMorris opinion just did not cover. So the court did not address the question of whether, you know, the exposure of really sensitive information would be enough to establish a present injury based on an invasion of privacy type of claim. And so you can think about that in the context of nation-state hacking. Right? And I have personal experience with this, having been a government employee during the OPM breach. And I received all the notices. And so - and there's pending litigation in that case. And so it's interesting because, you know, courts have tended in the past, I think, because for a long time, especially in the '90s, early 2000s, cybercrime tended to be - at least the cybercrime that got press - tended to be profit-driven. Right? Stealing identities for the purpose of getting money in whatever form, whether it's opening credit cards, draining money from bank accounts. 

Tiana Demas: And then you have these days, particularly in the last, I would say six years, much more public knowledge about nation-state cyberattacks, which are not typically geared towards financial gain, although there may be a combination of that. And we've seen lots of indictments where, you know, on the one hand, hacking groups are conducting intrusions for the purpose of espionage activity - right? - getting information, but at the same time doing more criminal-type cyber to fund their operations. So they can be related. But when it comes to the context of a pure nation-state cyberespionage attack that is geared towards obtaining information, that can be a little bit more hard for courts to grapple with without saying that there's actually - you know, that there is standing based on the invasion of a legally protected privacy right. And we've seen the D.C. Circuit go down that path in the OPM case, which is AFGE v. OPM. 

Tiana Demas: So McMorris doesn't really say much about that, except you have this first factor, where it says, was data compromised as a result of a targeted attack intended to obtain plaintiffs' data. So there's definitely room in the factors for a nation-state attack. But I would say that the way that most nation-state attacks work are that there's a collection of a lot of data for the purpose of getting specific data out of that collection. So it would be very hard for a plaintiff to say - oh, no, no, it was my data that, you know, these nation-state hackers wanted versus somebody else's. 

Dave Bittner: All right, Ben. What do you make of this issue? 

Ben Yelin: You know, it's so interesting to compare the case here with the equivalent case in the surveillance world, which was Clapper v. Amnesty International. In that case, the Supreme Court said that you can only have standing to sue on alleged surveillance if you have some level of specificity. It can't be a generalized suspicion that you yourself have been surveilled. It has to be based on something much more specific, some type of impending certainty. This is obviously a different topic because we're talking about identity theft and not surveillance. But it seems that the standard here is significantly lessened. 

Ben Yelin: What the 2nd Circuit is talking about in this case is, you know, you don't have to have that type of impending certainty. You just have to know that the data was compromised, know that some of that compromised data was misused - even if you can't allege that your data was misused - and that, you know, the type of information that has been released would potentially be harmful. So that's a really interesting finding from the court on this issue of identity theft. And I wonder, because the Supreme Court was so reluctant to grant standing in the surveillance context without that type of impending certainty, how they would view that issue in the context of identifying identity fraud. 

Dave Bittner: Yeah. 

Ben Yelin: So very interesting discussion and very interesting case. 

Dave Bittner: Yeah, really interesting stuff. Of course, we want to thank Tiana Demas for joining us. And we want to thank all of you for listening. 

Dave Bittner: That is our show. The "Caveat" podcast is proudly produced in Maryland at the start-up studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our senior producer is Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner. 

Ben Yelin: And I'm Ben Yelin. 

Dave Bittner: Thanks for listening.

Caveat
Podcast Info
HOST(S):
Dave Bittner
Ben Yelin
Dave Bittner is a security podcast host and one of the founders at CyberWire. He's a creator, producer, videographer, actor, experimenter, and entrepreneur. He's had a long career in the worlds of television, journalism and media production, and is one of the pioneers of non-linear editing and digital storytelling.
Ben Yelin, JD, is the Program Director for Public Policy & External Affairs at the University of Maryland Center for Health and Homeland Security, where he consults public and private entities on homeland security, cybersecurity and emergency management policy. He is also an adjunct faculty member at the University of Maryland Francis King Carey School of Law, where he teaches courses on electronic surveillance and the Fourth Amendment.
Schedule: Wednesdays
Creator: CyberWire, Inc.
ADVERTISEMENT
Cybereason
Cybereason

Cybereason is the champion for today’s cyber defenders providing future-ready attack protection that unifies security from the endpoint, to the enterprise, to everywhere the battle moves. Learn more.