Can an American citizen or business whose emails were hacked by a foreign government successfully sue the foreign government for damages?
All of a sudden, it's a bipartisan issue.
The Democratic National Committee garnered headlines earlier this year when it sued Russia in federal court in New York, alleging that Russia had stolen emails from John Podesta, who was the chairman of Hillary Clinton's presidential campaign.
And Elliott Broidy, who was deputy finance chairman of the Republican National Committee, is suing Qatar in federal court in California, alleging that Qatar launched a sophisticated cyber-attack on his company's email accounts and leaked the information it obtained to the press. President Trump had publicly acknowledged and praised Broidy at an event at which Trump also spoke of a U.S.-Qatar "dispute" over Qatar's funding terrorism.
The legal complaints by both the DNC and Broidy claim that they should be allowed to go forward under existing exceptions to the Foreign Sovereign Immunities Act, a 1976 law that generally grants foreign states immunity from American courts. Qatar's lawyers, led by Mitchell Kamin of the firm Covington & Burling LLP, argue in a June 27 court filing that the exemptions do not apply.
"This is precisely the kind of intrusion into the affairs of sovereign nations that the Foreign Sovereign Immunities Act of 1976 was designed to prevent," Kamin writes in a memo to Judge John F. Walter of the U.S. District Court for the Central District of California, urging that the case be dismissed. "Qatar's sovereign interests in this case lie at the heart of the FSIA's fundamental purpose: protecting sovereign functions from harassment by foreign litigants."
Kamin argues that upholding sovereign immunity in the Broidy-Qatar case "is crucial to fostering respect and reciprocal treatment of the United States government in courts abroad."
Broidy's complaint, filed by Lee Wolosky of the firm Boies Schiller Flexner LLP, argues that many of the actions against Broidy took place within the U.S.
"This case presents the issue of whether a nation state can orchestrate and execute a criminal conspiracy directed against a United States citizen on United States soil and then invoke sovereign immunity to avoid liability, accountability and exposure," Wolosky writes.
A hearing before Judge Walter is scheduled for July 30 in Los Angeles.
The DNC-Russia case is moving more slowly than the Broidy-Qatar one, but similar issues are likely to arise. In both cases, while there are plenty of signs pointing to foreign official involvement, nothing has yet been proven to American legal standards.
If courts rule that foreign hackers or their American hired hands are immune from American civil suits under current law, don't be surprised to see Congress step in to try to close the loophole.
I first learned about the Foreign Sovereign Immunities Act in the 1990s, when I was a reporter in Washington and Leonard Garment, who had been Richard Nixon's White House counsel, alerted me to a legislative effort to make it clear that FSIA was not a shield to protect, say, the government of Libya from lawsuits by parents who had lost children in the terrorist bombing of Pan Am Flight 103.
Such legislation was indeed enacted as part of the Antiterrorism and Effective Death Penalty Act of 1996.
Back then, I sympathized with the intention of holding terrorist-sponsoring states accountable for their actions. I felt that ideally, however, this was a function for the American national security apparatus, rather than plaintiff's lawyers. It was the Clinton era, when plaintiff's lawyers were in some cases more fearsome than the American military, and their private jets seemed to outnumber those of the U.S. Air Force.
More than 20 years later, our military is relatively stronger and the trial lawyers are relatively weaker. Cyberattacks seem to have replaced airplane bombings at the cutting edge of asymmetric warfare.
Today's questions, though, are similar to those in the 1990s. Maybe the American government needs to step up. Maybe it's an issue for private litigation. Maybe existing law is sufficient, or maybe Congress needs to act.
It is hard to defend the proposition that some foreign country, or its agents, should be able to hack into the email of a prominent American and make the information public without paying some sort of severe price. It's not that different from getting away with state-sponsored terrorism.
Foreign sovereign immunity is an outgrowth of the diplomatic immunity that allows American ambassadors overseas to do their jobs without having to worry much about getting arrested or sued. There's a certain logic to it. But if the courts rule that logic means a free pass for cyberattacks, they can expect a hard pushback from the public. For all the warnings about not putting anything important or sensitive in email, allowing foreign governments to just come and get it seems like asking for trouble.