If U.S. intel was compromised in the Capitol riot, who is liable?
Law enforcement officials and privacy experts dissect the question of who may be legally at fault for cybersecurity breaches during the Capitol siege.
After a mob of Trump supporters stormed the Capitol on Wednesday, Jan. 6, the loss of life and damage to the building was almost immediately evident. Less apparent, legal experts say, is the cybersecurity risks as a result of rioting and the potential liability for any privacy incursions. Sen. Jeff Merkley (Democrat-Oregon) has reported that his laptop was one of several electronic devices stolen amid the chaos, and some of the rioters posted images in congressional leaders’ offices displaying computers with email platforms still accessible on staffers’ computer screens.
“It’s going to be a while before we fully understand all of the impacts of what this assault on the Capitol means,” said Allison Bender, of counsel at Wilson Sonsini Goodrich & Rosati in Washington, D.C. “I wouldn’t be surprised if we had a commission to study it. And I think there’s going to be people who are looking at this much more rapidly to figure out what they need to do for the inauguration.”
Despite the work ahead for federal law enforcement and information security specialists, privacy lawyers say they see a path forward for determining a relative scope of the damage and who might be legally at fault.
What the experts say
Amie Stepanovich, executive director of Silicon Flatirons Center for Law, Technology, and Entrepreneurship at the University of Colorado Law School, said the risk is quite high that some critical piece of technology or document was compromised.
“Since there are very good indications that this was a planned event, this was something that counterintelligence officials and people who work for and with other governments could have taken advantage of — they could have been among the people who breached the building,” Stepanovich said.
Michael Rhodes, Cooley’s global chair of cyber, data, privacy and internet practice groups in San Francisco, said that a forensics investigation could reveal keystrokes and mouse activity that occurred during the raid to determine what materials were accessed. The forensics investigation could help determine if there was any negligence with how staffers stored sensitive materials, Rhodes said.
Law enforcement could use biometric tools, such as Clearview AI’s facial recognition software, to discover who perpetrated any cybersecurity breaches, he said. “It wouldn’t surprise me if the FBI is looking at a variety of the images that are posted by the people themselves on social media, as well as the cameras that they have in the Capitol building to try to determine at least who the key actors are,” he said. “You wonder to what extent is biometric information being used to identify people?”
Rhodes said there’s also the potential for civil claims against those identified as ringleaders of the stampede for inciting a chain of events that resulted in an invasion of privacy claims by affected individuals. “You can imagine some information being around someone’s desk or personal space that is not intended to be seen by members of the public,” Rhodes said. “So I could see — politically motivated in some degree — civil lawsuits brought against those people for invasion of privacy, among other claims.”
Legally, who is to blame?
Bender said that determining liability could be challenging, in part, because the records likely include federal executive records and legislative branch records, so different laws and regulations would apply. However, she said, if federal personnel records were accessed, the Privacy Act would apply, which includes a private right of action. Stepanovich said the Wiretap Act and Stored Communications Act are potential avenues to bring litigation, in addition to general criminal laws for trespassing and privacy breaches. If bad actors did indeed hack private information, the Computer Fraud and Abuse Act, which has been broadly interpreted, is another pathway for litigation, she said.
But President Donald Trump and people who might’ve called for the attack on the Capitol won’t likely be hit with a privacy suit, she said, because getting around the First Amendment protections would be very difficult.
“With officials like the Trump administration, or people who called for this, you might be able to get them on incitement charges,” she said. “But those are really high bars on purpose because this country tends to favor going after criminal acts and not after speech.”
Although Bender thinks legal consequences are certainly possible, she said the political and policy impacts are likely to be much greater. She noted that the modern iteration of the Secret Service was formed after President Abraham Lincoln’s assassination, molded again after the assassination of President John F. Kennedy, and then overhauled once more after the attempted assassination of President Ronald Reagan.
“I think the Capitol Police is going to be looking at this incident as the same level of bellwether incident for them,” she said. “It hasn’t been since 1814, essentially, that the Capitol was breached — 206 years. This cannot happen again. So I think we’re likely to see significant changes in the security posture of the Capitol and changes in procedures.”
Related: