Laremy Tunsil was generally regarded as the most physically talented prospect in the 2016 NFL Draft, projected to be drafted between picks three through six in the first round, with earning potential in the tens of millions of dollars. Immediately before the draft began, however, video of Tunsil apparently smoking marijuana out of a gas mask bong appeared on Tunsil’s Twitter account. Seemingly the work of a hacker, Tunsil and his advisers went into spin control to explain the release of the video and address the critical questions of his credibility, judgment and fitness to play in the NFL. When the dust settled, Tunsil was selected with the 13th overall pick by the Miami Dolphins, perhaps costing him between $7 to 10 million in overall compensation. In a bizarre twist, while Tunsil was giving his introductory press conference during the Draft, another unauthorized social media posting, this time to his Instagram account, showed text messages between him and an athletic director at his alma mater, Ole Miss, which indicated that Tunsil asked for apparently inappropriate payments while enrolled at the school. Both of these incidents appear to be the work of unauthorized access to Tunsil’s social media accounts by a hacker, with intent to cause harm to Tunsil, and perhaps to Ole Miss.
The hijack of Tunsil’s social media accounts undoubtedly caused him significant embarrassment; he also suffered real monetary damage by falling multiple slots in the Draft. There are several remedies available if he seeks civil relief against the hacker (should the hacker be identified.) Presently, the hacker remains at large, although suspects include a former financial advisor to Tunsil.
While the hacker certainly faces criminal liability for accessing Tunsil’s social media accounts without Tunsil’s consent, various Federal and State civil statutes provide Tunsil with causes of action against the hacker. Tunsil could bring a civil suit under the Federal Computer Fraud and Abuse Act, 18 U.S.C. §1030, et seq. (CFAA), Florida’s Computer Abuse and Data Recovery Act (CADRA), Section 668.801-805, Fla., Stat., and Florida’s Computer Crimes Act, Section 815.01, et seq. (FCCA).
There are two relevant Florida statutes which could provide relief for social media hacking, assuming that venue is appropriate in Florida. The FCCA is a criminal statute which provides for penalties ranging from misdemeanor to felony punishment of up to 15 years in prison for its violation, and which provides for a civil remedy, including potential awards of damages and attorney’s fees. See §815.06 (5)(a), Fla. Stat. (2015). Florida recently enacted CADRA, which is distinct from, but offers many of the same protections as, the Federal CFAA. Although relief may be available via a claim under the CFAA, this article will focus only on the Florida law causes of action available to Tunsil.
CADRA provides a remedy for unauthorized access to a “protected computer” or information stored within a “protected computer” used in the operation of a business. See section 668.801, Fla. Stat.
To bring his claim under CADRA, Tunsil would have to prove that the computer that was hacked was a “protected computer,” that was used “in connection with the operation of a business and stores information, programs, or code in connection with the operation of the business in which the stored information, programs, or code can be accessed only by employing a technological access barrier.” CADRA would provide a remedy whether the hacker actually used a computer or mobile device owned by Tunsil without authorization, or used the hacker’s own device to access the servers hosting Tunsil’s Instagram and Twitter accounts without authorization. Tunsil could establish that those systems accessed by the hacker were used for “business” under the statute because business is defined as “any trade or business regardless of its for-profit or not-for-profit status,” and Tunsil’s use of those accounts to promote himself and his football playing prospects would likely qualify under that definition. See section 668.802(2), Fla. Stat.
To obtain relief under CADRA, those computer systems, whether local or cloud hosted, must be protected by a “technological access barrier” or TAB, which is defined to include a “password, security code, token, key fob, access device or similar measure.” See section 668.802(7), Fla. Stat. To find a violation, however, the TAB must be “reasonable,” or non-trivial. Specifically, CADRA will not provide relief if the TAB “does not include circumventing a technological measure that does not effectively control access to the protected computer or the information stored in the protected computer.” Thus, Tunsil may be denied relief if he used a simple password like “1234” or “password.”
Unconfirmed reports suggest that a former financial advisor to Tunsil may have obtained the video of Tunsil from a smartphone previously used by Tunsil. If accurate, this may provide Tunsil with multiple claims under CADRA; one for (a) accessing the smartphone without authorization, and another for (b) accessing Tunsil’s social media accounts without authorization. However, if the phone was voluntarily given to the former advisor and used with authorization, (implicitly permitting that advisor to use the data stored thereon, including the access credentials for Tunsil’s social media accounts), Tunsil’s claim may fail because the advisor may be determined to have accessed the computer with authority. Further, the existence and appropriateness of the TAB restricting access to the old smartphone, or the disclosure of the TAB to the advisor, may affect Tunsil’s claims.
Under section 668.803, Fla. Stat., entitled “Prohibited Acts”, the hacker in this case would have violated the statute by “knowingly and with intent to cause harm or loss:”
2. Caus[ing] the transmission of a program, code, or command to a protected computer without authorization and, as a result of the transmission, caus[ing] harm or loss.
Thus, Tunsil must prove causation – that he was damaged as a result of the video and/or texts appearing on his social media accounts. Reports suggest that the Baltimore Ravens intended to draft Tunsil with the sixth overall pick, but did not select him based upon the publication of the video at issue. This testimony would be critical to prove that the video caused his draft position to slide, and thus, lost earnings. Under section 668.804, Fla. Stat., Tunsil would be entitled to actual damages, lost profits, economic damages, injunctive relief and attorney’s fees against the hacker for his or her violations of CADRA.
Ch. 815, Fla. Stat., known as the Florida Computer Crimes Act (FCCA), is a criminal statute which also provides for a civil remedy. The relevant criminal portion provides as follows:
Pursuant to section 815.04(4), Fla. Stat.:
(4) A person who willfully, knowingly, and without authorization discloses or takes data, programs, or supporting documentation that is a trade secret as defined in s. 812.081 or is confidential as provided by law or existing internal or external to a computer, computer system, computer network, or electronic device commits an offense against intellectual property.
Pursuant to section 815.06 (2)(a), Fla. Stat.:
(2) A person commits an offense against users of computers, computer systems, computer networks, or electronic devices if he or she willfully, knowingly, and without authorization:
(a) Accesses or causes to be accessed any computer, computer system, computer network, or electronic device with knowledge that such access is unauthorized;
Tunsil’s smart phone that was accessed without authorization would qualify as an “electronic device,” his social media accounts accessed without authorization as “computer network[s],” and the information hacked as “confidential provided by law” under the statutes.
Both of these violations are second degree felonies, punishable by up to 15 years in prison, if, among other qualifiers, the hacker also “[c]ommits the offense for the purpose of devising or executing any scheme or artifice to defraud or obtain property.” See, §815.04(5)(b), §815.06(3)(b)(2), Fla. Stat.
Under the FCCA the following civil remedy may be available:
(5)(a) In addition to any other civil remedy available, the owner or lessee of the computer, computer system, computer network, computer program, computer equipment or supplies, electronic device, or computer data may bring a civil action against a person convicted under this section for compensatory damages.
(b) In an action brought under this subsection, the court may award reasonable attorney fees to the prevailing party.
However, to bring a civil action pursuant to the FCCA, the defendant must first be convicted of the criminal wrongdoing. It is unlikely that a State Attorney would devote resources to identify, charge, and try an action against a hacker through conviction in any but the highest profile situations. Thus, there may exist a substantial bar to this civil remedy.
Based on publicly available information, Tunsil likely has colorable claims under CADRA and the FCCA against the hacker. As a public figure now employed by a beloved local sports team, Tunsil’s case may be sufficiently public to attract the attention of law enforcement and spur on an investigation, but most similar hacking events are unlikely to attract the requisite attention and merit the public resources needed to obtain a conviction under the FCCA.
Tunsil may also allege various tort claims, including: fraud; trespass to chattel; intentional infliction of emotional distress; and tortious interference, among others. Assuming the former financial advisor is the hacker, he may explore claims for breach of fiduciary duty as well.
Claims related to defamation or slander would likely be unsuccessful given that Tunsil has already admitted that he is the person in the video, and that the text messages are authentic. However, the hacker’s intentional publication of private communications may give rise to tort claims for invasion of privacy.
Social media is used by corporations large and small to reach customers. Tunsil’s unfortunate NFL draft day is an expensive lesson in the pitfalls of social media use. Businesses must protect their social media accounts from unauthorized access due to the potential for real reputational and goodwill damage should those accounts be breached. With the recent enactment of CADRA, the Florida remedies available to companies if they are hacked and suffer damages have become more robust. However, as in most things, an ounce of proper management and prevention is better than a pound of cure, in the form of claims against a hacker.