[BreachExchange] Can Law Firms Sue NSA for Data Breaches? Lawyers Say Good Luck

Destry Winant destry at riskbasedsecurity.com
Thu Jun 29 03:02:37 EDT 2017


http://www.nationallawjournal.com/id=1202791824342/Can-Law-Firms-Sue-NSA-for-Data-Breaches-Lawyers-Say-Good-Luck?slreturn=20170529025901

Hackers may have used NSA tools to execute this week’s global
cyberattack, but lawyers say it would be nearly impossible for the
victims, which include law firms, to sue the agency.

The attack, which crippled operations at DLA Piper offices in Europe
and across the United States, had something in common with the massive
“WannaCry” attack that plagued companies and organizations last month.
It appears hackers in both instances executed the attacks by
exploiting flaws in Microsoft software originally exposed when tools
used by the National Security Agency were hacked and dumped online. In
a blog post last month, Microsoft said the leaks illustrate why
“stockpiling of vulnerabilities by governments is such a problem.”

But some lawyers say it’s not the type of problem DLA Piper, or any
other victim, can solve in a courtroom. Between the sovereign immunity
doctrine, the secretive nature of the NSA and the sheer difficulty of
proving any guilt on the NSA’s part, suing the agency for allowing its
tools to be stolen would be a tough sell.

“One could file that lawsuit, but whether it would go anywhere is
another question,” said Joe Swanson, a former assistant U.S. attorney
and of counsel at the firm Carlton Fields.

The government does face lawsuits over data breaches, but the contours
of those suits are clearer. For example, several class action lawsuits
have been filed against the Office of Personnel Management over the
massive data breach there, which exposed millions of federal workers’
personal data. But in those cases, the plaintiffs allege the agency
broke the 1974 Privacy Act, which requires the government to use
certain safeguards to protect records kept on individuals.

In the NSA’s case, records for individuals were not stolen. Rather, it
was the agency’s tools or methods that were leaked.

“A helpful analogy would be like if your neighbor stores a gun,
negligently, and a bad guy comes into the house, steals it, and many
months later, uses that gun to harm you,” Swanson said. “So it would
be difficult to recover a negligence claim.”

Most claims against the government are barred by the sovereign
immunity doctrine. Daniel Girard of Girard Gibbs represents government
employees in the data breach lawsuit against OPM pending in a D.C.
federal court. He said that in order to bring a claim against the NSA,
a plaintiff would need to find a specific waiver of sovereign
immunity—a specific instance in which the government gave consent to
be sued.

The best option would probably be to file under the Federal Tort
Claims Act, which allows lawsuits against government employees if they
cause property damage, injury or death due to negligence or a wrongful
act. Still, it would be difficult to prove the NSA’s negligence caused
any injury or harm, Swanson said.

Plus, the discovery involved to prove such a claim would likely be
drawn out and expensive since nearly every document a plaintiff may
request from the NSA is probably classified.

“[The difficulty] is made only worse by the fact that you’d be
pursuing one of the most secretive agencies in the country, if not the
world,” Swanson said.

Swanson added that for victims of the breach, the best option is for
companies to take their own vulnerabilities seriously.

“The way in which [the malware] operates illustrates the fact that you
really cannot be complacent when it comes to cybersecurity,” Swanson
said.

