The Difficulties of Litigating Cyber Crime

By Melissa McDonough

The past several decades brought many new challenges to law enforcement, particularly due to the emergence of new technology. One such issue is cyber crime, which has been a challenge for law enforcement in both establishing laws against the activity, as well as providing tools for law enforcement officers to combat cyber crime. This article will review some difficulties for law enforcement officers at the state and local level in litigating cyber crimes affecting businesses and private citizens.

Cyber security remains a vital issue for U.S. businesses and organizations. As of late 2015, the Ponemon Institutea study by the Ponemon Institute revealed the average cost of a data breach rose to $6.5 million per incident, an 8 percent increase from the previous year. This study examined 62 U.S. companies of varying size across 16 industries. According to the study, financial, health, technology, pharmaceutical, and service organizations were the most at risk of a cyber attack.

While companies and organizations continue to be the main target of attacks from cyber criminals, the general public is also at risk. As of 2014, 47 percent of Americans had experienced a loss of personal identifiable information (PII) due to a cyber breach.

As the number of cyber attacks continues to grow, litigation rates of cyber crime, both criminal and civil, are dropping. Litigation rates (percent of data breaches litigated in federal court) dropped approximately 5 percent from the previous year, despite increased rates of attacks (see below graph).


litigation rate

According to an interview with Michael Whitener in Inside Counsel Magazine, data breach and privacy lawsuits are usually settled out of court, and class action lawsuits, which are most appropriate for cases such as privacy violations and data breaches due to the large number of individuals affected, are difficult to prosecute.

In order to have a viable lawsuit, victims of data breaches need to prove “injury in fact,” i.e. that the harm they suffered was “concrete and particularized and actual or imminent, not conjectural or hypothetical,” which is oftentimes difficult with compromises of personal information. While some victims have been able to prove negligence on the part of the company holding PII, this legal requirement for these lawsuits prevents many cases from even forming.

There are many challenges in taking a cyber crime case to trial. First, attribution and detection is difficult: cyber criminals usually disguise their originating location by using various tools and methods of concealment, such as the use of virtual private networks, anonymizing network Tor, or other types of proxy servers. Second, because crimes are digital, they span country borders and a large majority of hackers operate internationally, which prevents law enforcement officers from prosecuting these individuals without extradition. As of 2013, approximately 18 percent of cyber attacks originated in the United States, with 30 and 28 percent of attacks originating in China and Romania respectively. Of the total, 25 percent of the attacks were not attributable to any specific country of origin. The international nature of cyber attacks continues to present a significant challenge to law enforcement officers.

Despite these difficulties, law enforcement officers have had some success in breaking up hacking rings and other groups involved in cyber attacks. Multiple hackers from the hacking ring “Anonymous” and its splinter group, “Lulzsec,” have been charged with committing cyber crime over the past five years. Most of the hackers caught during these investigations were located in the United States and were caught when the hackers forgot to conceal their IPs.

Catching international cyber criminals is even more challenging. One method used to catch cyber criminals abroad is through offering large rewards for capture. This was recently made famous when the FBI offered $3 million for the capture of Evgeniy Bogachev, aka “Slavik,” who the US Government alleged stole $100 million from U.S. banks through the use of a computer attack network known as GameOver Zeus. Unfortunately, Bogachev was hailed a hero in his native Russia, and has yet to be caught.

Other attempts to extradite hackers abroad have achieved some success, such as the case of Aleksandr Panin, aka “Gribodemon,” a young Russian hacker who created the SpyEye Trojan virus. Panin was arrested while traveling to the Dominican Republic, a country that shares extradition reciprocity with the United States. Although representatives from the Russian Government claimed Panin’s arrest was “unacceptable and inadmissible,” the United States will likely continue to use this strategy in seeking justice for cyber criminals worldwide.

Cyber crime presents many challenges for law enforcement and civilians. As privacy violation and data breach incidents become more prolific, finding ways in which to both litigate hackers and keep companies accountable for cyber security practices will continue to be a concern for law enforcement officers at the local and state levels.


IACP Conference