Bernie Sanders’ Campaign’s Data Incursion
As all major media outlets reported Friday morning, the Democratic National Committee alleges the Bernie Sanders campaign improperly accessed proprietary voter data acquired by the campaign of his rival and the frontrunner for the Democratic presidential nomination, Hillary Clinton.
The information is part of a database controlled by the DNC that allows each campaign to add voter data to the DNC’s master list of Democratic voters, but information provided by each campaign is supposed to be firewall protected from access by any other campaign. Per the Sanders campaign, the intrusion was the result of a low-level staffer who accessed the data after a third-party vendor temporarily disabled the firewall. The Sanders campaign further asserts it did not copy, print, or retain any of the data. Nonetheless, as a sanction for the incursion, the DNC has temporarily suspended the Sanders campaign’s access to the DNC database pending proof from the Sanders campaign that it has not used or retained any Clinton data. Sanders’ campaign filed suit by the end of the day and recent reports indicate that Sanders’ access to the voter data has been re-established.
Fantasy Data Breach Lawsuit: Clinton v. Sanders
Mainstream media are focusing on how the disclosure of the breach will damage Sanders’ longshot Democratic nomination battle against the former first lady and secretary of state. But as a data privacy attorney, this scenario raises a more interesting (and completely academic) question: Is Bernie Sanders a hacker? Or, more specifically, in the fantasy data privacy lawsuit, Clinton v. Sanders, under the facts as we currently understand them, does Clinton have a potential civil claim under two broad anti-hacking statutes: The federal Computer Fraud and Abuse Act (18 U.S.C. § 1030) and California’s Computer Data Access and Fraud Act (Cal. Penal. Code § 502). This litigation would, of course, never happen for various practical, legal and political reasons. But just for the fun of it, let’s take a look at what might happen from a legal standpoint if it did. Note, for purposes of our analysis, we are setting aside potential standing issues such as whether the Clinton campaign has a sufficient interest in the voter data after it was transferred to the DNC.
So, is Bernie Sanders a Hacker?
Computer Fraud and Abuse Act (CFAA): Did the Sanders campaign violate the CFAA? Although there are a number of acts that constitute CFAA violations, the most likely claim under these facts would be that Sanders (1) “intentionally” accessed a “protected computer” (which is essentially any computer connected to the internet), (2) “without authorization” or in excess of authorized access, (3) and thereby obtained information. The CFAA then provides a private cause of action to any “person who suffers damage or loss by reason of a violation of this section.”
As a threshold issue, it is unclear whether the access was intentional or whether the campaign obtained any information. Early reports from the Sanders camp are that the ingress was inadvertent and that no information was copied, printed or retained. However, the likely death knell to the Clinton campaign’s fantasy civil suit is the CFAA’s narrow definitions of “damage” and “loss.” Specifically, under the act, “damage” means “any impairment to the integrity or availability of data, a program, a system, or information” and “loss” means “any reasonable cost to any victim … or other consequential damages incurred because of interruption of service.” Nothing thus far suggests that the incursion impaired the Clinton campaign’s data (thereby causing damage), or led to an interruption of service (something that could lead to recoverable losses).
Because she likely lacks statutorily defined “loss” or “damage,” it appears as though Clinton would have a tough time under the CFAA. But could her campaign’s crafty counsel conjure a claim under state law?
California’s Computer Data Access and Fraud Act (CDAFA): Nearly every state has some form of anti-hacking legislation – and they vary in ways both subtle and dramatic – but we’ll use California’s CDAFA as just one example. Like the CFAA, the CDAFA prohibits a broad spectrum of cyber transgressions, but for our purposes the key provisions provide potential civil and criminal liability against one who (1) “knowingly accesses and without permission alters, damages, deletes, destroys, or otherwise uses any data, computer, computer system, or computer network in order to either (A) devise or execute any scheme or artifice to defraud, deceive, or extort, or (B) wrongfully control or obtain … data[;]” or (2) “knowingly accesses and without permission takes, copies, or makes use of any data from a computer, computer system, or computer network.”
Unlike the CFAA, the CDAFA does not have a requirement for the plaintiff to have suffered “impairment” to its systems or data or losses attributable to an “interruption of service.” To the contrary, the CDAFA allows recovery where one knowingly and impermissibly “uses” or “copies” data. Thus, the CDAFA appears to set a substantially lower bar for liability than the CFAA does. However, taking the Sanders campaign at its word, it doesn’t appear as though Clinton could hurdle even this lower bar. After all, it’s unclear that the staffer “knowingly” accessed the data to begin with. And, there is no indication that the Sanders campaign used or copied (much less deleted, altered or destroyed) the voter data. Those would be serious hurdles to Clinton’s hypothetical CDAFA claim.
So, while Sanders is currently paying a political and logistical price for the DNC’s technical mishap and his staffer’s carelessness (or perhaps overeagerness), it does not appear the 74 year-old Senator is a “hacker” – at least under the two statutes we have examined.
It should be stressed, however, that both of these statutes prohibit considerably broader activity than is discussed in this article – and the case law applying both is voluminous and dense. Moreover, there are other laws, both statutory and common, that could apply.
This was nothing more than a fun opportunity to take a shallow dive into some heavily litigated data breach laws set against the dramatic backdrop of a high-stakes presidential campaign. I hope you enjoyed it.