The Lure of the Cybersecurity Practice and a Proposed Policy Response

For some time now, I have been curious about why so many prominent lawyers made cybersecurity their playground. I think that I found the answer. Paraphrasing Willie Hutton, it’s because that’s where the money is.

There are three reasons for that.

First, cybercrimes have become, quite literally, the greatest transfer of wealth in history. Some figures, compiled by Cybersecurity Ventures (and lightly editorialized by me), will put this statement in perspective:

1. Cybercrime will cost the world $6 trillion annually by 2021 (up from $3 trillion in 2015). That’s 30% of the GDP of the US, more than the GDP of France and the UK combined, and more than that of the entirety of Latin America.
2. These are just hard numbers (damage and destruction of data, stolen money, lost productivity, theft of intellectual property, theft of personal and financial data, embezzlement, etc.); they don’t include, for example, intangibles like pain and suffering of a child subject to cyber-bullying.

Secondly, in spite of the significant ramp up in law enforcement resources devoted to cybercrime, it remains (together with litigatory perjury) a significantly undersprosecuted type of offense. Currently, because of the sheer volume of cybercrimes perpetrated every day, law enforcement can deal only with the highest dollar-damage and most visible cases – those where the number victims of a single crime are in the thousands, if not more.

The third reason falls squarely within my area of expertise, with a little help from my cousin, Martin Abadi, a shining star of the cybersecurity field (one of those crazy Stanford Ph.D.-at-24 types), who pointed me in the direction of Alessandro Acquisti’s research to inform my own economic analysis.

The basic premise is that, while most types of damages have become formulaic and templated in our justice system, damages resulting from cybercrimes have generally not. Indeed, over time, our courts have set standards for the calculation of damages of every type, ranging from business interruption to loss of human life, and their computation entails neither much intellectual wherewithal nor creative thinking: the numbers are crunched by accountants on Excel spreadsheets and the gaps between experts are rarely unbridgeable. Thus, those cases lend themselves well to resolution and not to drag on for years.

Conversely, the value of the critical cybercrime damages has not yet been standardized. Consider, for example, the value of privacy. The privacy paradox (the apparent disconnect between most people’s stated desire for online privacy and their incautious online behavior) submits that we place simultaneously high1 and low2 value on our privacy: we cannot agree even with own selves. Much less do we agree on the value of our data with those who use it. For example, a study published in the Journal of Consumer Policy this summer found that Americans say they would be willing to pay, on average, $5 a month to delete all their personal data from the companies that have collected it. That’s certainly less than the value that tech companies, marketers, and data brokers extract from this information (Facebook alone hauls in about $30 per year in revenue per North American user, or about $2.50 per month, and, of course, it’s just one of the countless companies tracking our online behavior). So, if we take the $5 per month figure at face value, we might suspect that people don’t particularly value their privacy.

But when the question was flipped — asking how much money companies would have to pay an individual to receive full access to their personal data — the average answer was a hefty $80 per month. Multiply that by some 250 million American adults, and you’d get a value on the order of $240 billion per year for online privacy. That’s more than the combined annual revenue of Facebook and Google, including all their subsidiaries.

My conclusion is that experienced litigators identified cybersecurity as a valuable are of practice based on the combined economic incentives of:

1. Cybercrime damages are massive and, therefore, provide a strong incentive to victims to invest in pursuing their claims. The lion’s share of that investment is attorneys’ fees;
2. Law enforcement can prosecute only an infinitesimal number of the cybercrimes perpetrated every minute of the day; thus leaving victims to resort to virtual private prosecutions in the form of civil claims; and
3. Cybercrime damages are not standardized, leading to unbridgeable gaps between the victims’ and perpetrators’ respective analyses, reducing the opportunity for settlement and leading cybercrime litigation to drag on longer (and therefore accrue more attorneys’ fees) than conventional tort litigation.

While it is not my intention to take any business away from any of my many litigator friends, the sheer amount of societal harm caused by these wrongdoers requires a public policy response to address this scourge until law enforcement regains a modicum of deterrence power. My policy proposal is simple and practical; it would be limited to:

1. Shutting down services, like guerrillamail.com, which serve no purpose other than to enable malfeasors;
2. Relaxing admissibility standards for cybercrime evidence; and
3. Relaxing RICO pleading standards for cybercrimes (cybercriminals, from the petty to the state-sponsored, almost uniformly engage in a pattern of racketeering) until such time as the government achieves an acceptable level of deterrence power.

• 1 As reflected by our increased use of encrypted communications, avoidance of smart speakers, etc.
• 2 As reflected by our use of free services like Google and Facebook with business models that revolve around the exploitation of our personal data.