Courthouse Steps Decision Webinar: Van Buren v. United States

Event Video

Listen & Download

On June 3, 2021, the U.S. Supreme Court decided Van Buren v. United StatesWriting for the 6-3 majority, Justice Barrett explained that an individual exceeds authorized access when he accesses a computer with authorization but obtains information in a place on the computer off-limits to him. Justice Thomas filed a dissenting opinion, in which Chief Justice Roberts and Justice Alito joined.

Former Assistant U.S. Attorney for New York's Southern District Joseph DeMarco joins us to discuss the ruling and its implications.

Featuring:

  • Joseph DeMarco, Partner, DeMarco Law PLLC

* * * * * 

As always, the Federalist Society takes no position on particular legal or public policy issues; all expressions of opinion are those of the speaker.

Event Transcript

[Music]

 

Dean Reuter:  Welcome to Teleforum, a podcast of The Federalist Society's practice groups. I’m Dean Reuter, Vice President, General Counsel, and Director of Practice Groups at The Federalist Society. For exclusive access to live recordings of practice group teleforum calls, become a Federalist Society member today at fedsoc.org.

 

 

Nick Marr:  Welcome, everyone, to The Federalist Society’s virtual event. Today, we’re having a special Courthouse Steps Decision webinar on a case decided last week by the U.S. Supreme Court called Van Buren v. United States. I’m Nick Marr, Assistant Director of Practice Groups here at The Federalist Society. As always, please note that expressions of opinion, on our call today, are those of our expert.

 

We’re very pleased to be joined this afternoon by Mr. Joseph DeMarco, who’s a partner at DeMarco Law, PLLC, and a former assistant U.S. attorney for New York Southern District. Mr. DeMarco will give us some opening remarks covering the case, discussing the ruling and its implications, and then we’ll be looking to you, the audience, for questions, so feel free to submit those through the chat function as we go along or raise your hand when we get to the question-answer portion of the call. And with that, Joe, thanks very much for being with us. I’ll give the floor to you.

 

Joseph DeMarco:  Thanks very much, Mr. Marr. I really appreciate it, and thank you to everyone at The Federalist Society for supporting this webinar. It’s a real pleasure to be with everyone this afternoon, virtually. I definitely look forward to seeing many of you and some of you at in-person events when they come up.

 

      What I’d like to do today is spend a little bit of time talking about what led up to the Supreme Court’s decision, and then ultimately, what the Supreme Court decided in the Van Buren case and what are some potential implications going forward as a result of the Court’s decision. It’s actually, in my estimation, one of the Court’s more important decisions in the area of computer crime, computer security, and internet law in the last number of years and was avidly watched by a number of practitioners in the field of law, in which I practice.

 

My area of law is, full time, the law of data privacy and security, and cybercrime prevention and response, and I do that now in the context of my boutique law firm. Before that, before starting the firm 13 years ago, I was a federal prosecutor in New York. I was an assistant United States attorney, and I ran the cybercrime program there from 1997 until 2007.

 

One of the mainstays that we relied upon in prosecuting criminal cases, in which I still regularly consult in my practice today, is what’s known as the federal Computer Fraud and Abuse Act, which is Title 18 U.S.C. § 1030. Broadly speaking, it’s a law, which has been around for decades, that makes it a crime to engage in improper activities on computers, broadly speaking, connected to the internet—computers whose transmissions cross state lines.

And it really is the workhorse of criminal federal hacking prosecutions, and interestingly enough, it also has increasingly been used over the last couple of decades by civil plaintiffs because it contains a civil private right of action. So it not only is a criminal statute, which prosecutors can use to bring hacking cases, but it’s also a federally created tort which allows subject-matter jurisdiction in federal district courts for cases where people are the victims of cybercrimes, and either they’re hacked into by other people or by other companies.

 

So it’s been increasingly a tool that’s been used both obviously on the criminal side, as cybercrime has exploded, but also on the civil side, as civil litigation between companies in this area has also increased, which is one reason why this decision was so watched by a number of people in that ecosystem.

 

For many years, the question of exactly what the Computer Fraud Abuse Act covered was debated among the district courts and among the circuit courts. There was obviously debate as to what a covered computer was under the law. That’s not the subject of today’s discussion or how to calculate damages under the statute.

 

But one of the main areas of contention was whether or not the law applied exclusively to outsiders—people who had no permission being on a computer system, or no permission to have access to a certain file, or whether the law also applied to people who had permission, broadly speaking, to be on a computer system, or had permission to access a computer file but used that permission for an improper motive or an improper purpose.

 

From the statute, broadly speaking, makes it a crime or a tort to engage in unauthorized access to a protected computer—again, any computer really connected to the internet—or to exceed your authorized access to that computer. And so what the courts have been wrestling with, really, for a couple of decades now is, what does it mean to access a computer without authorization or to exceed your authorized access to a computer?

 

Now, the statute contains a definition for what it means to exceed authorized access, which is the facts of the case, which we’ll get into in a moment, but unfortunately, it’s not terribly helpful. It’s a little circular. Exceeds unauthorized access means “to access a computer with authorization and to use such access to obtain information in the computer that the accessor is not entitled so to obtain.” And there was a lot of discussion and debate in the Court’s opinions on what that last clause means.

 

But broadly speaking, the question is, and the question before the Court, was whether or not the statute applies both to outsiders who hack into a system, or who have no permission being on a file, or have access to file, even though they have permission to be on a system, or whether it applies both, broadly speaking, to insiders as well—people who have permission, a username, a password, credentials to an account, permission set to a specific file, but use that permission for manifestly improper purposes.

 

      Now, these situations come up all the time. Interestingly enough, two of leading cases, including this one, involved corrupt police officials, but they also involved computer hackers. Many years ago, about 10 years ago now, there was a case prosecuted by my old office, the Southern District of New York, against a computer—well, they believed a computer—hacker named Sergey Aleynikov, who worked at Goldman Sachs, and used his privileged access and permission to Gold and Sachs’ computer systems to steal code that that company used in their high frequency trading operation.

 

The government indicted him for violations not only of the federal Theft of Trade Secrets Act, the federal Interstate Transportation of Stolen Property Act, but also a violation of 1030 because what he did was, he was on the system, which he had credentials to, and he used that system, and his permissions to that system, to take Goldman Sachs’ trade secrets and email them to himself at a personal email that [control that he account 07:19]. The Court dismissed that count prior to trial, finding that because he had access to be on the Goldman Sachs’ system and access to those files, he cannot be prosecuted under 1030.

 

A few years later, another case came along, also in the Southern District, involving a corrupt police official. The case of Gilberto Valle, who was a New York City police officer who spent a lot of time in what he claimed were fantasy chat rooms, talking about plans that he had to abduct people and to create all sorts of mayhem as part of, he argued, this fantasy role-playing that he was engaged with other people that he met online. And as part of doing what he was doing, he used his privileged access to New York City law enforcement databases to find out personal information about some of the people who he was, in his view, fantasizing about abducting and killing.

 

The government obviously did not believe that those were fantasies. They charged him with solicitation to murder, and another crimes, as well as a 1030 offense. He was convicted, and the case went up to the Second Circuit Court of Appeals. And the Second Circuit ruled that because he had permission to be on the system, the New York City law enforcement database systems that he had access to – even though he was using those permissions not part of his job, and in, obviously, flagrant violation of his job duties, because he had permission to be on those systems, he could not be prosecuted under 1030. It was 2-1 divided panel opinion. So that was the rule in a Second Circuit.

 

But other circuits had different rules as well. In some circuits, if someone was violating contractual employment terms and conditions, courts would find that they were in violation of their authorization. In other cases, courts held that where corrupt insiders, for example, before they left, were downloading proprietary confidential information to use in their next job. They could held accountable for engaging in unauthorized computer access because they were doing that either in violation of contractual terms that they had agreed to, as part of their employment, or because they had agreed to either take on fiduciary duties or the law imposed upon their fiduciary duties not to act in contravention of their employment’s interests.

So there were these two competing lines of cases: a slight majority on what I would call the Second Circuit rule, a rule ultimately adopted, as we’ll get to in a moment, by the Supreme Court; a slight minority of cases going the other way. As you might imagine, many of them were criminal cases involving corrupt insiders: people who worked, let’s say, at the social security administration who were stealing IDs to sell to identity thieves; people who were engaged in theft of trade secrets and selling information to competitors; people who were on systems destroying data that they had access to. These were again the types of cases that were prosecuted.

 

So along comes the case of United States v. Van Buren. Van Buren was a Georgia state police official, who—I won’t get into the facts, and the Court lays them out pretty clearly—in exchange for a bribe of $5,000, used his access to Georgia state law enforcement databases to look up information that someone else was interested in to try and find out if that person who’s information was in the database was cooperating with law enforcement. Obviously, something completely improper for that police official to do.

 

The FBI got wind of it. They engaged in an undercover operation. They caught him. He was prosecuted. His case went up on appeal to the Eleventh Circuit, which followed the, what I would call, the corrupt insider rule as opposed to the Second Circuit rule and his conviction was affirmed. Off the case goes to the Supreme Court.

 

I should pause for a moment to say that 1030 makes it a crime to do a number of things without authorization. It makes it a crime to obtain information from computer databases without authorization. That’s what Van Buren was accused of doing. It also makes it a crime to engage in computer damage, harming data that’s on computers without authorization. It also makes it a crime to engage in access to computers without authorization or in excess of authority to commit further crimes or torts. What we’re talking about, in the Van Buren case, was obtaining information from a protected computer.

 

So the Court heard arguments on both sides through a slew of amicus briefs filed on both sides. We were privileged to represent, in support of the government, two entities. One was the Federal Law Enforcement Officers Association, which is a fraternal organization of federal police officers and federal special agents—FBI agents, postal inspectors, secret service agents, and the like.

 

The other entity we were engaged by to file an amicus brief, in support of the government, was the Managed Funds Association, which is a trade association of the alternative investment industry. Obviously, two very, very different groups. One, obviously, keen on making sure that law enforcement databases were properly secured from potentially corrupt insider misuse of those databases. The other, obviously, very much concerned about the enormous amount of money that goes into creating intellectual property, used by the industry, and the harms that could come if that property is subject to theft without adequate recourse, either in federal criminal or federal statutory law. Our briefs are on SCOTUSblog, and obviously, if anyone wants a copy, I’m happy to send them to them individually.

 

So what were the arguments in the Supreme Court? Well, in a nutshell, it will boil down to this: the government said, “Look, what Van Buren did, in no way, shape, or form, can have been said to have been authorized.” It clearly was in excess of authorized activity. Yes, he had permission to be on those Georgia state law enforcement databases. He had a username. He had credentials.

 

Whatever it was that gave him access to those databases, he had permission to be on those databases, had permission to be on those files, but in no way, shape, or form, under any kind of common sense plain, meaning textualist sense of the term, could you say that his activities were authorized. Clearly, they were unauthorized.

 

The other side, the defendant,  , said, “Not so fast.” Let’s look at the text of the statute. The Texas statute says that you can only be accused of engaging in excess of authority if you obtain the information in a way that you are not entitled so to obtain it. And the argument that the defense deposited was that he was so obtained – he could so obtain that information by virtue of having a username and a password authorization to obtain that information.

 

And so when it comes to obtaining the information that he obtained in that way, since he was authorized to obtain it in that way, he was authorized to obtain it, and having been authorized to obtain it, the fact that he may have breached contractual, or fiduciary, or other obligations not to use it in that sense was not really germane to the question.

 

      The Court ruled 6-3 in Van Buren’s favor. The majority opinion was written by Justice Barrett, joined by Justices Breyer, Sotomayor, Kagan, Gorsuch, and Kavanaugh. The dissent was written by Justice Thomas, joined by Justices Roberts and Alito. Notably, both the majority of the dissent really took, I would say, a plain meaning textualist approach to the question. They just came out in different ways.

 

What the majority basically adopted was Van Buren’s position, which it described as the “gates up, gates down” position, which is to say that under Van Buren’s position, which is a code-based interpretation of how the statute should be interpreted, if you have access to the computer, if you have access to the file in question, the gate is up. If the gate is up, even if you violated fiduciary duties or acted improperly, if you have an improper motive, it doesn’t matter; the gate is up, no computer hacking, no unauthorized access, no activity in excess of authorization.

 

On the other hand, if, as a matter of technology—code that is; the gate is down—the person does not have permission to be on the system as a matter of technology, does not have permission to access the file as a matter of code or technology; the gate is down, and assuming the other elements of the statute are met, the person could be prosecuted or sued civilly under 1030(g) the civil prong of the statute.

 

What’s interesting is a number of the amicus briefs touched on concerns that if the Court were to side with the defense, there could be a number of nonsensical results. For example, a defense -- an amici on the other side said, “If the Court ruled in favor of the government, anyone who went on a dating website and lied about their age or weight, because they were violating the terms laid down by the dating website, could arguably be held in violation of the statute because it’s not authorized. You’re not authorized to lie about your height and weight. Most dating websites say you must provide accurate information on that.

 

But the Court did pick up on that. Although, they didn’t go all that far with that. They just noted that that was a concern and that it was a potentially valid concern. The Court also spent a little bit of time talking about whether or not the government’s charging decisions and prosecutorial discretion could be used to weed out cases where people were engaging in otherwise non-blame-worthy conduct, which could violate the terms of use of, again, let’s say, a social media website or terms laid down by their employer.

 

The Court was concerned about that. They were concerned about the fact that even though as stated by the government in its briefs, the DOJ has a policy against bringing those types of cases. There was no—at least, as to unauthorized access portion of the statute—no statutory prohibition against those kind of cases were the Court to adopt the government’s position.

 

The dissent just said, “Look, we should look at this from a very plain meaning sense of the view. If you think of a computer as a piece of property, with the intellectual property on it as property, what’s going on in terms of someone who abuses their permissions and acts for an improper motive is very clear what they’re doing is wrong, and that’s where the debate laid.

 

There are a couple of – or one interesting thing I thought was noteworthy about the Court’s decision—and then I’ll talk a little bit about what I think the implications are—is footnote eight of the opinion. If you just take anything away from the Court’s opinion—which again both sides, the dissent of the majorities were very well written and very well-reasoned; they just came out differently on the question—it’s footnote eight.

 

After talking about the “gates up, gate down” code-based approach, that the Court was going to ultimately adopt, the Court said the following: “For present purposes, we need not address whether this inquiry turns only on technological or code-based limitations on access or instead only looks to limits contained in contracts or policies.”

 

So what’s interesting is the Court – at the same time, it was saying it was adopting a code-based approach as distinct from, let’s say, a contract-based approach or a norms-based approach, which is another approach you could take to determining what’s authorized versus unauthorized – at the same time that it was saying we’re taking a code-based approach—the gate is either open or closed; the person either has technological access to the account or the computer or they don’t—it introduced the possibility that, at least, in the contractual setting, if there are contractual provisions in place, prohibiting the conducting question, that, at least, seems to be on the table for potential liability, criminally or civilly, under the statute.

 

And Justice Thomas picked up on that in his dissent and said, “The Court talks about nonsensical results if the government’s view is adopted, but how much sense does it make sense if you adopt a contract-based approach and allow an employer, who let’s say as a matter of contract, prohibits someone from playing games on the company computer, you allow that employment contract term to govern what is or is not unauthorized conduct. Isn’t that also arbitrary? Can’t that also lead to unfair results?”

 

So it began a debate about whether or not other things other than code should come into play. The Court didn’t really address norms. That’s another theory under which authorization can or cannot be inferred, and typically, norms relate to fiduciary duties and common understandings of what is and is not permitted online. Didn’t really talk about a norms-based approach.

 

So I think that in terms of the implications going forward and what’s going to happen going forward is I would expect to see probably more civil litigation than criminal litigation coming out of this footnote number eight and the potential ability of people to bring lawsuits where employees or others have specifically contractually, at an arm’s length, non-adhesion contract scenario agreed not to do certain things on or with the computers, and then they do those things on or with the computers. I expect to see some litigation over that.

 

I also think—and this was in our briefs—we pointed out the risks inherent in adopting the defendant’s position. Regardless of whether you’re a government agency or a law enforcement agency seeking to protect confidential information, or whether you’re a financial services company, or some other producer of intellectual property looking to protect IP and have the ability to bring a 1030 civil lawsuit or a referral to criminal prosecutors, in the event that there is a misuse of data on the systems, I think it’s now incumbent upon those organizations to do a number of things, in addition, potentially, to modifying their contractual terms of service along the lines, perhaps, suggested by Justice Barrett in footnote number eight.

 

And one of those things is to police permissions. Because right now if you take a very robust view of the majorities’ opinion, and you don’t think you’re going to have much comfort in any contractual prohibitions, the only thing separating you from having a 1030 potential criminal referral, as an owner of IP or a civil cause of action under 1030, is whether or not an employee had permission to be on a file or permission to be on the system.

 

So I definitely encourage everyone out there, that has computers that their organization is responsible for running, to double-down on policing permissions. Because the bottom line is if someone has a username and an account on your system, has access to a file, it’s going to be very hard to bring a 1030 case.

 

Now, it doesn’t mean you can’t bring a theft of trade secrets case, doesn’t mean you can’t bring an interstate transfer stolen property case—although, those are difficult as well—doesn’t mean you may not have a remedy under state computer hacking laws, which in some cases are a little bit broader, although, states typically have less resources to bring those cases criminally. But it does mean that you really need to think about permission access control assurance.

 

I also think it’s important for companies to audit permissions, audit what rights people have on files, whether its to copy, move, modify, print, whatever, and to really be on top of that. Not a bad idea from a data hygiene and a data-permissioning point of view anyway, but it just becomes incredibly more important now.

 

I do think it also has the potential, the ruling has the potential, again, unless there is some developmental law in the lines of footnote number eight to reduce collaboration. A lot of times, organizations will give broad permissions to broad numbers of people to do broad types of things so the people that have access to data can do their jobs. They don’t have to stop, pause, and go to a colleague or supervisor to gain permission to be in a file. So I think that it has the potential, depending on how companies and organizations react of potentially reducing collaboration, reducing creativity, and reducing cooperation among people who have, broadly speaking, permissions to be on a computer system.

 

      And then finally, in terms of absurd results, well, I think one thing about the case is both sides could point to results, which just don’t really make sense if the other side’s view is adopted, and I think Justice Barrett did that on the one side, and Justice Thomas did that on the other side. I’ll just leave you with a couple, and then I’m happy to take questions. Just from our brief, we raised the possibility of what would happen if the defendant’s view of the statute was adopted, and these are three cases which I think really could now pertain. This is on page 25 of our MFA brief.

 

So case one: the firm’s IT department inadvertently changes defendant’s technical permissions a day too early, so a day before the person is, let’s say, transferred from one department in the side of a company to another a day too early, they’re technical permissions are changed. In order to complete her assigned tasks, the employee uses a coworker’s credentials to access the required confidential files.

 

Well, under the majority’s rule, since the defendant lacked technical access, gate down, their action is unauthorized. We argued in favor of a holistic approach looking at holistically speaking whether under a totality of circumstances test the conduct could be held to be authorized or not. And in our view, if you looked at the totality of circumstances, that would not be unauthorized. But in a gates up, gates down world, gates down conduct unauthorized potential 1030 criminal liability, potential 1030 civil liability.

 

Along the same lines, case two: the defendant’s transfer occurs midweek, but due to the manner in which the firm’s IT department operates, his former permissions will not be revoked until the end of the week. Defendant’s supervisor specifically reminds him that having transferred out of the department, he has no longer permission to access the departmental’s confidential systems and data and should refrain from doing so. The defendant agrees to this the limitation, which aligns with his employment agreement. Later that day, the defendant accessed the files of his former department and maliciously deletes them. Because his credentials were still valid, his actions for purposes of the CFA are ironically authorized. The gate was up.

 

Case three: due to a configuration error, the transferred defendant is inadvertently given access to the firm’s HR system. Although unrelated to his job and knowing he should not due so, he takes the opportunity to read the confidential files of several of his coworkers and alters data in those files. Because of the configuration error, his spying and his alteration of the data is considered authorized activity.

 

These things do happen. There are configuration errors all the time. It’s very hard in a large organization to police permissions. So I would just leave you with those possibilities, and I think the challenge for all of us that, as I do represent organizations committed to protecting the data on those systems, the challenge is in light of the “gates up, gates down” ruling, and in the absence of any development in the case law along the lines of footnote eight, the question is, where do we go from here, to be determined. So Mr. Marr, I’ll turn it back to you, and I’m happy to take some questions. Thank you again for having me today.

 

Nick Marr:  Great. Thanks, Joe. So we’ll take some questions now. So we have a question here that came up through the question-answer chat. Joe, in your review, does the holding place an increased burden on the private sector to voice cases of unauthorized access?

 

Joseph DeMarco:  It does. It requires, I think, increased vigilance as to who has access to your core IP, who has access to employee data, who has access to customer data. I would definitely take all those things into account. Number two, I would try, at least, to help develop the case law under footnote eight and put in place specific contractual prohibitions against certain forms of misuse—the forms of misuse you’re most concerned about.

 

And three, I would also try and analyze what other remedies you have, perhaps under state law, hacking law, or unfair competition law so that when that day comes – I get a lot of calls from clients who have IP stolen from them by insiders. You don’t have to have the conversation with me about “Well, you don’t really have many options.”

 

I get a lot of those calls from companies that have had corrupt insiders do things they shouldn't do, and we look everywhere to see where our potential remedies are. Sometimes, we had Courts of Appeals in jurisdictions where we could bring a 1030 case or do a 1030 referral. Now, we don’t, so we have to look elsewhere sometimes to state law. So I think the answer to the question is yes.

 

Nick Marr:  And we’ve got a question that came through email. You can also submit them via email at [email protected]. But it’s probably easier, right now, live, to go through the chat here. But this one says, what should employers do to maximize their ability to pursue claims under CFAA? So you have employees limited to accessing [inaudible 28:57] of they need to work. If they access info outside that [inaudible 29:00], the employee is liable.

 

Joseph DeMarco:  Yeah. And I think one thing I should add too is monitoring. And obviously, there are limits, and rules, and laws, and best practices related to employee monitoring. It has to be done the correct way. It cannot be creepy or privacy-invasive, but I think the earlier a company or organization detects potential misuse, the more remedies it has at its disposal, for sure.

 

Nick Marr:  So just another reminder, if you’d like to ask a question, either raise your hand or submit through chat. We don’t have any right now. I’m going to ask, how does the opinion and the breakdown of the justices, an interesting one – how does it compare and track with your expectations coming out of oral argument?

 

Joseph DeMarco:  Having listened to oral argument, I knew it was an uphill battle for the government and for the size that we filed our amicus briefs on. I was a little wondering about where Justice Alito would come down because the comment from oral argument, that stuck with me, was – his comment towards the end, which is – he said, “I find the brief spectacularly unhelpful in deciding this issue,” or some words to that effect. So I thought he could go either way. Then, again, obviously, I’m not surprised ultimately.

 

I think again, both sides took a very straightforward approach. What is the text of the statute? How do we get at what these words mean? When the statute says that someone is not entitled “so to obtain something,” it’s kind of quirky way of saying something, right? What does the “so” refer to? You have to grapple with that. The whole case really did come down to what “so” referred to, which is not usual. Usually, there are more words in play than that.

 

I guess I wasn’t surprised at the outcome. Somewhat surprised at the breakdown. Another possibility too that I think’s worth mentioning is the potential for congressional reform. A few years ago, I believe it was the Second Circuit—I don’t think it was the Supreme Court—made a key ruling in the Economic Espionage Act case, which made it much harder for companies to bring trade secret referrals, either criminally or civilly. Within six months, Congress amended the statute to fix the gap identified by the Court.

 

It wouldn't surprise me here if there’s requests from IP producers, from the government, from anyone really that owns computers and cares about the data on those computers to reform the statute. And I will say interestingly enough, I think both – one thing that’s interesting, if you look through the amicus briefs, in this case, Epic and EFF were on different sides. So it’s not often that these two very well-known, online privacy, civil liberty groups are on different sides of the case, but the way it all netted out, EFF was on one side, and Epic was on the other.

 

If you’re going to read any of the amicus briefs in the case, other than the ones we filed, I would say those are the ones to read because they also highlight the question of, how is it best to police potential government misconduct as it relates to data that the government collects?

 

Remember, Van Buren was a corrupt police official. Alberto Valle was a corrupt police official. There are other cases where 1030 prosecutions are brought against corrupt government insiders who have access to data that the government has collected on citizens, and even though they have technical permission, gates up, to be on those systems, they’re using that access for flagrantly improper purposes.

 

So I think that’s what one of those groups picked up on. The other group picked up on the other point, which is let’s not make criminals out of people who lie about their height and weight on dating websites. So it’s a fascinating case.

 

Nick Marr:  Well, I see no other questions. Mr. DeMarco, I’ll give you the chance for any closing remarks you might have, and we’ll close out a bit early this afternoon.

 

Joseph DeMarco:  Great. Well, thank you. Again, for those of you that follow this stuff, I’d say watch the appellate litigation, watch the news blogs, talk to people who might be hearing what companies and organizations are doing in light of this. We’ll obviously be providing our own advice to our clients on this. I’ve given you a high-level overview of what that might be.

 

And do expect further litigation because dollars to donuts, the civil litigants that want to get into federal court on 1030(g)—which again gives you subject matter jurisdiction; you don’t have to worry about diversity, gets you statutory damages, gets you all the benefits of being in federal court—they’re going to try and use footnote eight.

 

So I would say that’s where you want to watch the case law develop. Thank you very much, and happy to field any questions obviously that people reach out to me directly. I’m happy to answer any questions people might have.

 

Nick Marr:  Okay. Well, thanks very much for being with us, Mr. DeMarco, and the benefit of your time and valuable expertise this afternoon, and, of course, for the audience for calling in for your good questions. As a reminder, we welcome your feedback by email at [email protected]. So anything about this program or any others.

 

Also, keep an eye on your email and our website for announcements about upcoming events like this one and Supreme Court coverage as we get towards the end of the term here. So with that, thanks very much for being with us, and until next time, we’re adjourned.

 

[Music]

 

Dean Reuter:  Thank you for listening to this episode of Teleforum, a podcast of The Federalist Society’s practice groups. For more information about The Federalist Society, the practice groups, and to become a Federalist Society member, please visit our website at fedsoc.org.