District Court (Wash.) Allows Defendant in Criminal Trial Arising from Data Breach to Introduce Evidence of Corporate Victim’s CyberSecurity Vulnerability

In United States v. Thompson, No. CR19-159-RSL, 2022 U.S. Dist. LEXIS 101558, at *3-7 (W.D. Wash. June 7, 2022), Judge Lasnik denied the Government’s Motion in Limine to exclude evidence regarding cyber-security vulnerabilities at the corporate victim or other victim entities that are unrelated to the specific vulnerability that defendant allegedly exploited in the case at hand

The government moves the Court to exclude evidence regarding cyber-security vulnerabilities at Capital One or other victim entities that are unrelated to the specific vulnerability that defendant allegedly exploited in the case at hand. The government argues that such evidence would be irrelevant and would confuse the issues, mislead the jury, waste time, and risk unfair prejudice. Dkt. # 282 at 2 (citing Fed. R. Evid. 401-403). In particular, the government argues that such evidence would be irrelevant because the existence of other vulnerabilities does not “bear on any issue involving the elements of the charged offense[s].” Id. at 2 (quoting United States v. Dean, 980 F.2d 1286, 1288 (9th Cir. 1992)).  The Court disagrees with the government. The government’s argument is hung on the legal proposition that victim negligence is not a defense to wire fraud. The government, however, makes an unsupported leap to the conclusion that victim negligence is also not a defense to CFAA violations, and the security vulnerability evidence must therefore be excluded as irrelevant.  In the CFAA context, evidence that access to a computer was open to the general public is highly relevant. See hiQ Labs, Inc. v. LinkedIn Corp., 31 F.4th 1180, 1197-98 (9th Cir. 2022) (“The CFAA contemplates the existence of three kinds of computer systems: (1) computers for which access is open to the general public and permission is not required, (2) computers for which authorization is required and has been given, and (3) computers for which authorization is required but has not been given.”). Further, the Ninth Circuit has implied that computer access may be deemed open to the general public even if a particular access method is restricted. See id. at 1185, 1186, 1201 (acknowledging that LinkedIn took technological steps to protect the data on its website from the scraping engaged in by hiQ, but nonetheless finding that access was open to the general public where LinkedIn profiles were “made visible to the general public”). Therefore, under Rules 401 and 402, evidence of security vulnerabilities apart from the one that defendant allegedly utilized is relevant and admissible to the CFAA charges for accessing a computer without authorization because it conceivably goes to whether access to the computer was open to the general public. Because this evidence may be highly relevant, it likewise passes Rule 403’s balancing test.  Regarding the wire fraud charge, the government is correct that victim negligence is not a defense to wire fraud. United States v. Lindsey, 850 F.3d 1009, 1015 (9th Cir. 2017) (“We join several of our sister circuits in holding that a victim’s negligence is not a defense to wire fraud.”).1 Evidence of victim negligence is thus irrelevant to the wire fraud charge. See United States v. Click, 807 F.2d 847, 850 (9th Cir. 1987) (Relevant evidence “must be probative of the proposition it is offered to prove, and . . . the proposition to be proved must be one that is of consequence to the determination of the action.”). Therefore, to the extent that defendant seeks to introduce evidence regarding cyber-security vulnerabilities at Capital One or other victim entities unrelated to the specific vulnerability that defendant allegedly exploited here to show victim negligence as a defense to wire fraud, she may not do so. Defendant argues that “Lindsey fully permits the defense to introduce evidence of cybersecurity industry standards and make inferential arguments from such evidence.” Dkt. # 292 at 4 (citing Lindsey, 850 F.3d at 1016-17). The Court agrees that Lindsey permits defendant to introduce evidence of industry standards to disprove objective materiality. See Lindsey, 850 F.3d at 1016. This, however, allows in evidence of industry practices generally, not victim practices generally, and it is unclear to the Court how evidence of victim vulnerabilities other than the one that defendant allegedly exploited would be relevant to this argument. Defendant also argues that “[t]he question of whether the information was essentially public is also relevant as to whether Ms. Thompson had the requisite intent to defraud the alleged victims.” Dkt. # 292 at 3. Defendant’s arguments to this point, however, go to whether access was “without authorization,” which is a question relevant to the CFAA, not to wire fraud. See id. The Court is therefore unable to resolve this issue at this time.  Finally, defendant argues that evidence of the victims’ prior cybersecurity vulnerabilities is relevant “to dispel the government’s allegation that Ms. Thompson copied ‘confidential business information.'” Dkt. # 292 at 4. Defendant’s argument to this point is made without context. However, the Court understands this argument to go to whether the data that defendant allegedly downloaded qualifies as property under the wire fraud statute. See Dkt. # 202 at 7-9. “Confidential business information has long been recognized as property,” and accordingly meets the “property” requirement in the wire fraud statute. Carpenter v. United States, 484 U.S. 19, 25-26, 108 S. Ct. 316, 98 L. Ed. 2d 275 (1987). In Louderman, the Ninth Circuit found that “confidential internal information concerning telephone customers or post office box holders” was property under the wire fraud statute where “the object of the scheme to defraud here was . . . to obtain intangible, commercial information which the telephone company and post office chose to keep confidential and which its customers expected would remain confidential.” United States v. Louderman, 576 F.2d 1383, 1386-87 (9th Cir. 1978). Therefore, to the extent that defendant seeks to introduce evidence of the victims’ prior cybersecurity vulnerabilities to argue that the data was not “confidential business information,” she may do so, but only if such evidence goes to the specific data that defendant allegedly obtained in this case. Evidence that other data was not confidential business information due to security vulnerabilities would be irrelevant.

The Court allowed introduction of evidence of the OCC’s civil penalty imposed on the corporate victim, but precluded evidence of the civil class action settlement.

The government moves the Court to exclude evidence of the fact that the OCC imposed an $80 million fine on Capital One following defendant’s alleged breach. Dkt. # 282 at 8. In particular, the government argues that the Court should exclude all evidence relating to the imposition of the penalty pursuant to Federal Rules of Evidence 401 and 403 and should exclude the OCC consent order itself as hearsay. Id. Defendant argues that evidence of the OCC fine is critical to its cross-examination of Capital One witnesses, as Capital One has a strong interest in blaming the data breach on defendant. See Dkt. # 292 at 7. Defendant further argues that the consent order is not hearsay because it is falls under the public record exception to the hearsay rule. See Dkt. # 292 at 8-9. The Court agrees with defendant that evidence of the OCC fine is relevant cross-examination evidence, and this use outweighs the danger of unfair prejudice, confusing the issues, and misleading the jury. See Fed. R. Evid. 403. The Court therefore declines to exclude evidence of the OCC fine pursuant to Rules 401 and 403.   The Court next considers if the OCC consent order is excludable hearsay. “‘Hearsay’ means a statement that (1) the declarant does not make while testifying at the current trial or hearing; and (2) a party offers in evidence to prove the truth of the matter asserted in the statement.” Fed. R. Evid. 801(c). There is an exception to the rule against hearsay for “[a] record or statement of a public office if . . . it sets out . . . factual findings from a legally authorized investigation.” Fed. R. Evid. 803(8)(A)(iii). The OCC is a public office, and the consent order sets out the OCC’s factual findings. See Dkt. # 282-1 at 3-4. The OCC consent order therefore fulfills this requirement and is not inadmissible hearsay.  D. Motion in Limine No. 4: Capital One Class Action Settlement Pursuant to Federal Rules of Evidence 401, 403, and 408, the government moves the Court to exclude all evidence relating to Capital One’s proposed $190 million class action settlement stemming from the data breach. Dkt. # 282 at 10-11.  First, the government argues that because the only thing the class action settlement could potentially prove is Capital One’s negligence (and other wrongdoings), it is irrelevant, and the Court should therefore exclude it pursuant to Rule 401. Id. at 11. As explained above, supra Part II.A., the Court disagrees that such evidence is inadmissible across the board. The Court therefore declines to exclude the settlement on this ground.  Second, the government argues that any probative value of the evidence would be substantially outweighed by the danger of unfair prejudice, confusion of the issues, and misleading the jury, and the Court should therefore exclude it pursuant to Rule 403. Dkt. # 282 at 11. The government argues this is true for three reasons: first, Capital One did not admit to any wrongdoing in the settlement, so it would therefore be impossible for the jury to discern the facts that lead to it. Id. Second, the settlement is for a very large sum – $190 million — and this sum alone may mislead and confuse the jury into believing that Capital One, not defendant, was at fault. Id. at 11-12. Finally, the legal claims addressed in the settlement are distinct from those in the indictment, and therefore may mislead and confuse. Id. at 12. The defense does not confront the government’s arguments regarding Rule 403. The Court agrees that the proposed settlement is properly excluded under Rule 403. Under Rule 403, “The court may exclude relevant evidence if its probative value is substantially outweighed by a danger of one or more of the following: unfair prejudice, confusing the issues, misleading the jury, undue delay, wasting time, or needlessly presenting cumulative evidence.” Fed. R. Evid. 403. A settlement is not a reliable indicator of misconduct, and the jury may be unduly swayed by the large amount of money involved and the fact that Capital One agreed to the settlement. Accord In re Tenet Healthcare Corp. Sec. Litig., No. CV 02-8462-RSWL(RZX), 2007 U.S. Dist. LEXIS 97821, 2007 WL 5673884, at *2 (C.D. Cal. Dec. 5, 2007). The settlement is therefore unduly prejudicial under Rule 403. Because the Court concludes that evidence of the proposed class action settlement is properly excluded pursuant to Rule 403, the Court does not consider the parties’ arguments pursuant to Rule 408.