Taylor Swift’s clever response to the recent hack of her Twitter and Instagram accounts shows her nonchalant attitude towards the intrusion of her privacy, but let’s get real, what legal action can she, or other victims for that matter, take against anonymous hackers? Unfortunately, quippy responses might be the only recourse available considering the difficult nature in tracking down hackers and forcing them to respond in a legal forum.

Taylor is just the most recent victim of an anonymous hacker. In the past, celebrities such as Scarlett Johansen, Emma Watson, and Mila Kunis have been victims, and not to mention “Celebgate” of 2014 where hundreds of celebrities photos were hacked from Apple’s iCloud. And unfortunately, most of the time the result is a huge violation of personal privacy in addition to unauthorized access of various companies such as Apple, Twitter, Instagram etc.

As far as taking legal action against the hackers themselves, the options are rather limited from both a civil and criminal perspective. The fact of the matter is the identities of hackers are difficult to ascertain; thus, the attempts to locate these individuals, particularly when they reside abroad, presents a host of problems. Further, assuming that someone was able to track down the hacker, who’s to say that the hacker is actually worth suing from a civil standpoint? Instead, the burden seems to be shifting towards the companies and websites that were subject to the hack in the first place and/or are involved in the continued distribution of hacked content.  The question then becomes what type of information was hacked and how has it been manipulated over the Internet?

A prime example of the hack and subsequent distribution of personal information over the Internet is the recent Sony Pictures scandal. Sure enough, several former employees have brought suit against the entertainment company for negligence, claiming that Sony should have instituted preventative measures considering the prior hacks committed against Sony and the PlayStation Network, which demonstrated the vulnerability of Sony’s system.  The suits are in the very early stages, but more likely than not, Sony is going to be forced to settle with the plaintiffs similar to a class action suit brought against the company after a large-scale PlayStation hack in 2011. Indeed, just days ago news broke that in the final settlement for the 2011 matter, Sony could be liable for up to $15 million in damages and $2.75 million in attorney’s fees. You can find the lengthy settlement agreement here.

Celebgate offers an example of the type of litigation available for the continued distribution of hacked images, with Google in the hot seat. On October 1, 2014, a forceful letter from counsel was sent to Google threatening litigation based on copyright infringement, astutely noting that “Google’s motto ‘Don’t be evil’ is a sham.” At issue in the letter is the Digital Millenium Copyright Act (“DMCA”), which amended various provisions of 17 U.S.C. § 101 et. seq., and basically limits the liability of providers of internet services from copyright infringement. In short, alleging copyright infringement might not prove a viable legal option, especially if Google ultimately removes the images.

Defamation offers yet another basis for legal action against the hacker or site for statements associated with unauthorized hacking. For example, let’s say Taylor’s hacker tweeted nasty comments about her or others using her own account, and those statements were retweeted. Given the First Amendment issues at play, there is an actual malice standard that applies to public figures, which means that a celebrity (or any public official for that matter) has to prove that the statements were published with knowledge of falsity or reckless disregard for the truth. New York Times Co. v. Sullivan, 376 U.S. 254 (1964); Gertz v. Robert Welch, Inc., 418 U.S. 323 (1974). If a non-public figure is defamed by a hacker, the burden is lower and they only need to prove that the hacker was negligent in posting the defamatory statement online. But, both of these scenarios assume that the hacker can actually be identified, and moreover, the victim has resources to bring suit.  Further, companies like Twitter, Facebook, and their users are likely protected under the Communications Decency Act (“CDA”), 47 U.S.C. § 230, for republishing material of others because they are not treated as the actual publisher of the harmful comment. Thus, this shields social media sites and its users for redistribution of defamatory statements.

In sum, there are some legal avenues which allow recourse to hacking victims. However, given the anonymous nature of hackers, the ones facing the legal consequences of their actions tends to be the corporations that are likewise victims of their conduct. This translates to a legal anomaly of sorts: hackers are going to hack, and corporations are going to pay the price.

The author of this blog is Margaret S. Ververis, an Associate with Ferrari & Associates, P.C. focusing on federal litigation in the landscape of modern technology. For more information regarding this post, please contact her at (202) 440-2581 or ververis@ferrariassociatespc.com.