Hackers may have used NSA tools to execute this week's global cyberattack, but lawyers say it would be nearly impossible for the victims, which include law firms, to sue the agency.

The attack, which crippled operations at DLA Piper offices in Europe and across the United States, had something in common with the massive “WannaCry” attack that plagued companies and organizations last month. It appears hackers in both instances executed the attacks by exploiting flaws in Microsoft software originally exposed when tools used by the National Security Agency were hacked and dumped online. In a blog post last month, Microsoft said the leaks illustrate why “stockpiling of vulnerabilities by governments is such a problem.”

But some lawyers say it's not the type of problem DLA Piper, or any other victim, can solve in a courtroom. Between the sovereign immunity doctrine, the secretive nature of the NSA and the sheer difficulty of proving any guilt on the NSA's part, suing the agency for allowing its tools to be stolen would be a tough sell.

“One could file that lawsuit, but whether it would go anywhere is another question,” said Joe Swanson, a former assistant U.S. attorney and of counsel at the firm Carlton Fields.

The government does face lawsuits over data breaches, but the contours of those suits are clearer. For example, several class action lawsuits have been filed against the Office of Personnel Management over the massive data breach there, which exposed millions of federal workers' personal data. But in those cases, the plaintiffs allege the agency broke the 1974 Privacy Act, which requires the government to use certain safeguards to protect records kept on individuals.

In the NSA's case, records for individuals were not stolen. Rather, it was the agency's tools or methods that were leaked.

“A helpful analogy would be like if your neighbor stores a gun, negligently, and a bad guy comes into the house, steals it, and many months later, uses that gun to harm you,” Swanson said. “So it would be difficult to recover a negligence claim.”

Most claims against the government are barred by the sovereign immunity doctrine. Daniel Girard of Girard Gibbs represents government employees in the data breach lawsuit against OPM pending in a D.C. federal court. He said that in order to bring a claim against the NSA, a plaintiff would need to find a specific waiver of sovereign immunity—a specific instance in which the government gave consent to be sued.

The best option would probably be to file under the Federal Tort Claims Act, which allows lawsuits against government employees if they cause property damage, injury or death due to negligence or a wrongful act. Still, it would be difficult to prove the NSA's negligence caused any injury or harm, Swanson said.

Plus, the discovery involved to prove such a claim would likely be drawn out and expensive since nearly every document a plaintiff may request from the NSA is probably classified.

“[The difficulty] is made only worse by the fact that you'd be pursuing one of the most secretive agencies in the country, if not the world,” Swanson said.

Swanson added that for victims of the breach, the best option is for companies to take their own vulnerabilities seriously.

“The way in which [the malware] operates illustrates the fact that you really cannot be complacent when it comes to cybersecurity,” Swanson said.
