Many litigants are struggling with how to fit the “square peg” of cyber security claims into the “round hole” of law that may have been around for a number of decades. One recent example was seen on June 27, 2017, when the United States District Court for the Central District of California dismissed a case entitled Casillas v. Berkshire Hathaway Homestate Companies, et al., 15-04763, 2017 WL 2813145 (June 27, 2017). In Casillas, the plaintiffs alleged that two insurance investigators hacked an online database created by HQSU Sign Up Services, Inc. (“HQSU”), which stored workers’ compensation litigation files. In serving as an “administrative services” contractor to various workers’ compensation attorneys, HQSU stored everything from “personal data” (including the client’s full name, Social Security Number, birth date, home address, legal status, driver’s license information, and salary information) to the attorneys’ communications with their clients and personal notes about the various cases. In particular, the plaintiffs alleged that over the course of two years, the investigators accessed and downloaded over 30,000 workers’ compensation files. The complaint further alleges the hackers took this information to provide the insurance companies with “a counsel’s advantage” in pending litigation and to “intimidate and force concessions” from various plaintiffs.

The Casillas Court closely analyzed what is necessary to bring a viable cause of action under 18 U.S.C. § 2701(a)(1), the Stored Communications Act. This Act was designed decades ago to “protect against the unauthorized interception” of “stored wire and electronic communications and transactional records.” The Act creates a private right of action against anyone who:

(1) “intentionally accesses without authorization”

(2) a “facility through which an electronic communication service is provided” and

(3) “thereby obtains, alters, or prevents authorized access to a wire or electronic communication while it is in electronic storage.”

However, before finding the plaintiffs’ complaint should be dismissed, the Court analyzed what it refers to as the “technical distinction between ‘electronic communication services’ and ‘remote computing services.’” Specifically, in addressing this distinction, the Court held that “… though they aren’t mutually exclusive categories, the Act establishes ‘different standards of care for different types of communication.’” The Court provides the following distinction between these two phrases:

  • Electronic Communications Service: “Congress defined an ‘electronic communication service’ as ‘any service which provides to users thereof the ability to send or receive wire or electronic communications.’ Think email: ‘[C]ommunication by which private correspondence is … typed into a computer terminal, and then transmitted over telephone lines to a recipient computer operated by an electronic mail company.’”
  • Remote Computing Service: “A ‘remote computing service,’ by contrast, is one that ‘provi[des] to the public [a] computer storage or processing service[ ] by means of an electronic communications system.’ Think off-site storage: ‘In the age of rapid computerization, … remote computer service companies have developed to provide sophisticated and convenient computing services to subscribers and customers from remote facilities.’”

Indeed, the importance of this distinction is seen firsthand, as the portion of the Act under which the plaintiffs sought relief, 18 U.S.C. § 2701(a)(1), “applies only to the provision of electronic communication services, and therefore excludes the provision of remote computing services from its strictures.” The Casillas court found plaintiffs’ complaint was limited to allegations that their attorneys “used HQSU’s administrative services in a limited fashion—by ‘uploading and downloading documents’ to the online database and appending case-related ‘notes’ to those documents.” These allegations, the court opined, describe a “remote computing service,” which does not give rise to a private cause of action under the Act. In conclusion, the court found “it’s plain that the plaintiffs have mixed up their claims under the Stored Communications Act.”

Litigants bringing claims related to cyber security, data breaches and privacy not only have to overcome significant hurdles to establish standing, but often have to work with law that was developed before the technology that forms the basis for their claims. Admittedly, it may be difficult to seek relief for damage caused by modern technology under laws that precede this technology by decades. Even though the Casillas court acknowledges the distinction between “electronic communication services” and “remote computing services” may be “a bit dated,” the parties still must meet the requirements for a viable action under the Act. This case demonstrates the complexity of cyber security and privacy claims and the need to retain counsel that has experience in this developing, highly specialized area.