Quiz 1F — Victim Remedies and Procedural Hurdles | LawZeee — Know Your Cyber Laws Before You Break It

Question 1

A victim of a cyberattack has identified the attacker and wants to stop ongoing access immediately, even before trial. What is the most immediately available civil remedy?

AFile for statutory damages under CFAA § 1030(g) — these are available before trialBSeek a temporary restraining order (TRO) and preliminary injunction — available on an emergency basis to stop ongoing unauthorized accessCSubmit a criminal referral to the FBI and await prosecutionDFile with the FTC under Section 5 for injunctive relief

Question 2

Under Spokeo, Inc. v. Robins (2016), a plaintiff who can show only that a federal statute was technically violated — but cannot show a concrete, particularized harm — lacks what?

APersonal jurisdiction over the defendantBA valid cause of action under the statuteCArticle III standing to sue in federal courtDVenue in the correct district

Question 3

TransUnion LLC v. Ramirez (2021) further developed the standing doctrine by ruling that plaintiffs whose information appeared in an internal database (never disclosed to third parties) lacked standing for what type of relief?

AInjunctive reliefBStatutory damages under FCRACDeclaratory judgmentDBoth (A) and (C) — the ruling removed standing for all forms of relief

Question 4

In a ransomware case where the attacker is located in a country with no U.S. extradition treaty, what is often the most practically effective recovery mechanism for the victim?

AFiling a CFAA civil suit and obtaining a default judgment against the attackerBSuing the attacker's country of residence under the FSIA terrorism exceptionCParticipating in the criminal forfeiture proceeding if law enforcement seizes cryptocurrency connected to the attackDSeeking restitution from the FBI directly

Question 5

The WhatsApp v. NSO Group ruling (9th Cir. 2021) is significant because it limits which doctrine as a defense for private surveillance technology companies?

AForum non conveniensBAct of state doctrineCForeign sovereign immunity under the FSIADPolitical question doctrine

Question 6

In a data breach class action against a company, a plaintiff alleges their login credentials were stolen but provides no evidence of actual account compromise or financial loss. Under TransUnion (2021), which type of relief is most likely available to this plaintiff?

ADamages — the statutory violation is sufficient for monetary reliefBInjunctive relief — risk of future harm supports injunctive standing even without proven actual harmCNeither damages nor injunctive relief — no standing without actual harmDCriminal restitution through a parallel DOJ proceeding

Question 7

Under CFAA § 1030(g), a civil plaintiff must generally show at least $5,000 in "loss" within a one-year period. Which of the following expenses would most clearly qualify as "loss" under the statutory definition?

ALost future customer revenue projected over 5 yearsBReputational damage and brand harmCForensic investigation costs, damage assessment, and system restoration expensesDStock price decline following public disclosure of the breach

Question 8

United States v. Auernheimer (3d Cir. 2014) vacated the conviction on venue grounds. What is the practical lesson for civil plaintiffs suing hackers in data breach cases?

ACivil courts have no jurisdiction over cybercrime — only criminal courts doBVenue for cyber cases must be carefully established — distributed attacks may not "occur" in the plaintiff's chosen districtCCivil CFAA plaintiffs can sue in any district in the United StatesDVenue is not an issue in civil CFAA cases — only criminal cases face venue challenges

Question 9

Why do most data breach victims pursue civil claims against the breached organization rather than directly against the hacker?

ACFAA prohibits direct suits against hackersBThe breached organization is identifiable, reachable, insured, and has collectible assets — unlike most foreign hackers who present attribution, jurisdiction, and collection problemsCCourts require that victims sue the organization before suing the hackerDStatutory damages only apply against organizations, not individual hackers

Question 10

Under California PC § 502's civil action, what element must a plaintiff additionally prove to seek punitive damages beyond compensatory damages?

AThat the company failed to notify consumers within 30 daysBThat actual financial losses exceeded $100,000CThat the violation was willful AND committed with malice, oppression, or fraudDThat the breach affected more than 500 consumers