In a recent decision from the District of Massachusetts, the alleged perpetrator of cyber-attacks against Wayside Youth and Family Support Network and Boston Children’s Hospital (“BCH”) failed in his attempt to assert a novel defense: necessity. In what most would view as a positive development, the court found that the defendant and alleged hacker did not “offer competent evidence that it was objectively reasonable to anticipate a causal relationship between the alleged cyber attack and the purported harm to be averted.”
On April 19, 2014, the defendant and his alleged conspirators purportedly initiated a DDOS attack against BCH’s Massachusetts server for at least seven days, taking BCH’s website out of service. The attacks disrupted the entire BCH community by impeding the ability of physicians to communicate and access patient records. The cyber attack also occurred during a period of important fundraising which was severely impacted. Responding to and mitigating the damage from the attack purportedly cost BCH more than $300,000 in addition to lost fundraising estimated at $300,000.
In the face of serious criminal charges, this defendant argued that it was reasonable to anticipate a direct, causal relationship between his cyberattack and the harm he sought to avert — in particular, he proffer (unconvincing) evidence that the cyber attack largely achieved the intended effect of raising awareness of the story of what he viewed as the inappropriate treatment of a particular BCH patient.
With great seriousness, the court rejected this defense and concluded that “Defendant … fail[ed] to elucidate that there were no legal alternatives to the alleged cyber attack.”