Seeking justice from Chinese hackers: Attacking N.C. businesses byte by byte
There are many challenges in exercising jurisdiction over Chinese hackers in N.C. courts.
Editor’s Note: The Campbell Law Observer has partnered with Judge Paul C. Ridgeway, Resident Superior Court Judge of the 10th Judicial District, to provide students from his International Business Litigation and Arbitration seminar the opportunity to have their research papers published with the CLO. The following article is one of many guest contributions from Campbell Law students to be published over the next two weeks.
Imagine a local software corporation in North Carolina is seeking your advice after recently discovering that their computer network has been hacked. The alleged perpetrator is a hacker from Beijing, China, who has never touched U.S. soil nor communicated with anyone from the U.S. The hacker has reproduced the corporation’s software and is making it available to the world for a reduced price online. Can you help the software corporation seek justice for its economic harm caused by the foreigners?
Rapid global advancements in technology keep creating new issues in the law. Private U.S. computer systems have increasingly been subject to cyber attacks by Chinese hackers, partly because they contain such innovative material. Theft of intellectual property and records of U.S. companies is often the result of such attacks. The loss in value may be unrecoverable and detrimental, particularly for knowledge-intensive industries, because trade secrets comprise an average of seventy to eighty percent of their information portfolio value. These losses can hurt North Carolina, particularly the Triangle area, where Forbes ranked Raleigh-Cary as the fifth largest U.S. metro area where technology is booming in 2013.
The 2013 Verizon Data Breach Investigation Report tracked 621 confirmed breaches in the previous year. Chinese state-affiliated actors accounted for about one-fifth of the breaches and ninety-six percent of all espionage-related breaches. In 2012, General Keith Alexander, the head of the National Security Agency (NSA) and U.S. Cyber Command, estimated that U.S. companies lose $250 billion every year due to intellectual property theft.
Officials recognize that the U.S. and China need to ensure that the internet remains secure, reliable, stable, and open. In March 2013, a U.S. National Security Adviser demanded that China block thefts from U.S. computers and agree on acceptable norms of cyberspace behavior. In May 2013, the U.S. Department of Defense described how “China is using its computer network exploitation (CNE) capability to support intelligence collection against the U.S. diplomatic, economic, and defense industrial base sectors” and how the targeted information will potentially benefit China’s high technology industries. In June 2013, President Obama warned Chinese President Xi Jinping that continued cyber theft might undermine economic ties between the two nations.
China frequently promotes an Information Security Code of Conduct that allows more international control over cyber activities, allowing the government to exercise sovereign authority and control over content posted online. Although it has some trade secret laws, China does not effectively enforce them in practice. Unlike China, the U.S. takes the position that international humanitarian law applies in cyberspace and addresses trade secret theft in both civil and criminal provisions. As a result of this uneven playing field of rules, foreigners have an unfair competitive advantage in the increasingly global market. As e-commerce expands, trade secret protections are weakened by their lack of enforcement in China. The tragedy is the fact that more often than not, U.S. businesses are unable to pull the foreign cyber attackers into a U.S. court’s jurisdiction to gain justice for three main reasons.
One of the most prominent factors of the inability to obtain justice is the difficulty of discovering the hacker’s identity. Hackers often use a combination of multiple computers that bounce off networks in several countries before they finally hit their target in the U.S. There have been improvements in technological capabilities to trace the origin of the attacks, but attributing particular perpetrators to certain attacks and deciding whether they are state-sponsored is still a challenge.
Foreigners are also not subject to U.S. courts due to a lack of personal jurisdiction. This is a unique and complex issue because the internet is borderless. Personal jurisdiction in a federal court sitting in North Carolina, like the U.S. District Court for the Eastern District of North Carolina, requires both authorization from federal rules or a long-arm statute and compliance with the Fourteenth Amendment’s due process clause.
North Carolina’s long-arm statute, N.C.G.S. § 1-75.4 (4)(a), allows the exercise of jurisdiction in any action claiming injury to person or property within the state arising out of an act or omission outside the state so long as the defendant engaged in solicitation or services within the state around the time of injury. In Ciba-Geigy Corp. v. Barnett, the North Carolina Court of Appeals held that when a defendant knowingly submitted fraudulent information that caused substantial damage to a corporation doing business in North Carolina, and the alleged tort clearly would have its damaging effect in North Carolina, then North Carolina had personal jurisdiction over the defendant, even though the defendant caused the injury without physically entering the state. The defendant’s physical presence in the forum state is also not necessary for the defendant to solicit in the state. Unfair and deceptive trade practices, trademark infringement, loss of potential profits, and damages to business reputation are all examples of claims constituting injuries under N.C.G.S. § 1-75.4(4)(a).
A plaintiff within North Carolina’s jurisdiction must allege a claim recognized in state courts that arises out of the defendant’s activities in the state when the defendant intended to engage in business or interactions within the state. A plaintiff must show that either the defendant’s North Carolina contacts provide evidence of at least one element of the underlying claim, or that the claim would not have arisen but for the defendant’s contacts.
Defendants not residing in the U.S. typically require the plaintiff to show a stronger contact with the U.S. and with North Carolina than a resident U.S. defendant. However, if the plaintiff asserts a federal cause of action in federal court, the court can consider the non-U.S. defendant’s contacts with the U.S. as a whole to support finding that jurisdiction exists.
If a federal court finds that it can exercise personal jurisdiction over the defendant under the North Carolina long-arm statute, it must then also fulfill the due process requirements by finding that the defendant has minimum contacts with the state. This creates a problem because no other country uses a due process analysis for personal jurisdiction. The court must have general or specific in personam jurisdiction over the defendant. General in personam jurisdiction is more difficult to obtain in foreign cyberspace cases because foreigners usually do not have continuous, systematic contact with the forum. Specific in personam jurisdiction is challenging when the parties did not have a contract. Often, the only contact the foreigner made with the forum is by means of the internet.
Federal and state courts differ on their specific jurisdiction analysis. The United States Court of Appeals for the Fourth Circuit has developed the restrictive Calder effects test. The Court requires “purposeful availment” of contacts within the state where the defendant must intend to subject himself to the forum, usually by purposefully directing activities into the state. For example, this requirement can be met if the defendant committed an intentional tort that mainly harmed a plaintiff who is known to be in North Carolina, when North Carolina was the focal point of the harm and of the tortious activity. The nature, quality, quantity, and relation of the contacts to the forum state are the focus of the analysis.
State courts in North Carolina generally use the more expansive test of foreseeability. For this test, mere awareness that the activity is being injected into the state is sufficient. Large companies in particular have expansive jurisdiction because the court often assumes that they are aware of their activity’s effects.
Specific jurisdiction requires that the plaintiff’s claim arise out of the defendant’s contacts with North Carolina. This can be satisfied when the claims arise more out of the defendant’s targeting contacts with the in-state plaintiff than with a non-North Carolina contact. In other words, “but for” the defendant targeting the North Carolina plaintiff, the defendant would not have received the intellectual property of the plaintiff.
The due process specific jurisdiction analysis also requires that all parties have personal jurisdiction, which the court exercises reasonably and consistently with notions of fair play and substantial justice. The Worldwide Volkswagen v. Woodson case points out that the court will consider the state’s litigation interests, the plaintiff’s desire to have a convenient forum, the defendant’s difficulties in litigating in the forum state, the interstate judicial system’s problems with efficiently resolving controversies, and the need to further fundamental state social policies. These factors depend on the facts of each individual case. However, China’s policies differ, and the U.S. courts give great care in considering this foreign interest. The analysis does not take place in a bubble; due process should reflect current social and economic realities.
Computer laws have different functions internationally and domestically. The international purpose is to prevent U.S. foreign policy frustration by private business organizations. Domestically, the purpose is to preserve and maintain free competition. Applying domestic legal principles internationally may be inconsistent with fairness and the U.S. interest in encouraging foreign commerce. Also, domestic law cannot be applied when the defendant was required to comply with a sovereign nation – the validity of a foreign sovereign’s act within its territory cannot even be challenged. Comity principles give deference to foreign governments’ official acts and recognize that foreign policy is mainly the executive branch’s concern. Overall, there must be a reasonable balance between allowing independence of foreign countries and protecting the inherent right to economic self-defense.
There is no international treaty governing economic espionage; however, the U.S. and China are negotiating the Trans-Pacific Partnership Agreement and a Bilateral Investment Treaty to ensure trade secret protection. Federal U.S. computer crime laws imposing civil and criminal liability include the Economic Espionage Act of 1996, which criminalizes misappropriation of trade secrets to benefit foreign governments, the Computer Fraud and Abuse Act, and the Electronic Communications Privacy Act. Civilly, North Carolina recognizes its own version of the Unfair and Deceptive Trade Practices Act, known as the North Carolina Trade Secrets Protection Act. Trade secret protection is more appealing than patent law to many modern businesses because it extends beyond domestic territories.
A private party can still sue for trade secret theft even if the federal government files a criminal case, e.g., under the Economic Espionage Act. The party may still end up in federal court if the state law claim would be more time consuming to resolve or otherwise more significant than the federal claim. An important factor is whether the plaintiff’s claims arose from the same nucleus of operative facts, requiring substantially the same proof.
N.C. Gen. Stat. § 66-152 prohibits the misappropriation of trade secrets and provides civil remedies. One cannot acquire, disclose, or use another’s trade secret without consent. Trade secrets are business or technical information, which derive independent commercial value from being kept a secret and are subject to reasonable efforts to maintain their secrecy. Examples include customer lists, sensitive marketing information, software, formulas and recipes, techniques, and processes. Remedies may include injunctive relief, damages, and attorneys’ fees. Injunctive relief is a court order for the defendant to stop violating the plaintiff’s rights, and can include stopping publication of someone’s trade secrets. Damages to remedy the economic harm suffered may include the plaintiff’s losses and the defendant’s profits. Willful or malicious intentions may lead to punitive damages and attorney’s fees.
Recently, China-based cyber spies reportedly stole the trade secrets of at least thirty-four companies, including Google, Northrop Grumman, Symantec, Yahoo, Dow Chemical, and Adobe Systems. Despite these allegations, China denies that the sovereign nation itself has ever hired a civilian to hack and seek source code to benefit its economic and military pursuits. China can use the Foreign Sovereign Immunity Act to state its immunity to both state and federal courts except when the foreign state has waived its immunity, or if the action is based on a commercial activity that is in or directly connected to the U.S.
For example, in 2011, a U.S. software business was hacked into by the People’s Republic of China and several Chinese companies. The plaintiff claimed conspiracy to misappropriate and disseminate its copyrighted computer software. The federal court located in California had personal jurisdiction over the foreign defendants and stated that the alleged theft, misappropriation, and distribution of the copyrighted software code satisfied the intentional prong of the Calder effects test.
The risk of an attack on intellectual property and business information is so great in its harm that companies should be advised to take reasonable precautionary steps. Good practice would include maintaining up-to-date software, password protection, accessing a secured network, and not allowing access to social networking sites because they are potential access points for cyber spies.
Law firms are especially vulnerable to hacking. While firms are moving to paperless offices, the information law firms store is more likely to be confidential. In a relevant example, China hacked into seven Canadian firms in order to destroy a corporate deal over a few months beginning in September 2010. The Chinese hackers destroyed data and stole sensitive client information. When the use and types of electronic information assets increase, so do the means by which they may be stolen.
Cybersecurity awareness is not just good practice, it is also an ethical responsibility. Failing to take precautionary steps to avoid unauthorized access to secret information could result in civil liability.