Court: Court of Appeals for the D.C. Circuit; March 30, 2018; Federal Appellate Court
Farhad Azima, an American businessman, is suing the Ras Al Khaimah Investment Authority (RAKIA), an investment entity of the UAE, for allegedly hacking his personal and business laptops from October 2015 to August 2016 and publishing the obtained information. Azima filed the lawsuit on September 30, 2016, claiming violations of the Computer Fraud and Abuse Act (CFAA) and asserting common law conversion and unfair competition. RAKIA has moved to dismiss the complaint, arguing that the Foreign Sovereign Immunities Act (FSIA) grants it sovereign immunity and that the case should be heard in the United Kingdom based on a forum-selection clause in a March 2016 Settlement Agreement between the parties.
The Court has denied RAKIA's motion, determining it has subject matter jurisdiction due to Azima's allegations of foreign commercial activities with direct effects in the U.S., falling under the FSIA's commercial activity exception. Additionally, the Court found that RAKIA did not prove the UK as an adequate forum for the case. Azima and RAKIA have a history of business dealings, including joint ventures in various industries, with over seven million dollars paid to Azima. A notable venture involved a flight training academy with RAK Airways, where disputes led to the 2016 settlement agreement.
The March 2016 Settlement Agreement includes a forum-selection clause stipulating that disputes related to the agreement are governed by English law, with exclusive jurisdiction granted to the courts of England and Wales. Azima asserts that he was engaged by RAKIA as a mediator to help resolve disputes with its former CEO, anticipating compensation for his services during 2015 and 2016. However, RAKIA disputes this claim, stating that Azima offered to act as an "honest broker" rather than a neutral mediator and that no payment or contract was established for these services. Despite this disagreement, the Settlement Agreement acknowledges Azima's informal negotiation assistance to RAKIA.
Simultaneously, Azima alleges that his computers were hacked repeatedly beginning October 14, 2015, with hackers accessing his systems from Florida and New York, monitoring his communications, deleting data, and sending fraudulent emails. He remained unaware of the breaches until August 2016 and continued discussing sensitive matters with RAKIA and his attorneys during this time. The hackers left malware that damaged his computers. Amid these events, Azima claims that RAKIA threatened him in July 2016, warning that he could become "collateral damage" in their conflict with the former CEO, shortly before disparaging websites about him emerged online.
Negative claims about Azima were published on websites allegedly associated with RAKIA, which also linked to BitTorrent sites hosting private documents from Azima's computer and his iCloud account, encompassing personal data like text messages, call history, and voicemails. On September 23, 2016, RAKIA's demand for $4,162,500 to avoid litigation was sent to Azima's counsel, citing claims based on information RAKIA claimed to have obtained from public sources. RAKIA attached confidential documents from Azima's computer to this letter and acknowledged possessing approximately 30 GB of his information, claiming it was accessed legally via BitTorrent. Azima initiated legal action on September 30, 2016, alleging that RAKIA or its agents hacked his computers, stole data, and used it for blackmail and reputational harm. RAKIA moved to dismiss the case on December 12, 2016, citing a lack of subject matter jurisdiction under the Foreign Sovereign Immunities Act (FSIA), failure to state a claim, and the doctrine of forum non conveniens. After a hearing on April 24, 2017, the court denied the motion without prejudice and permitted Azima to file an Amended Complaint, which reiterated allegations against RAKIA for hacking and extortion, asserting violations of the Computer Fraud and Abuse Act (CFAA), common law conversion, and unfair competition. Azima invoked FSIA exceptions to argue against RAKIA's immunity, seeking damages and an injunction to recover his data. RAKIA subsequently filed another motion to dismiss, maintaining that the court lacked subject matter jurisdiction and citing forum non conveniens. A hearing on this motion was held on October 27, 2017. The FSIA stipulates that foreign states are generally immune from U.S. court jurisdiction, with specific exceptions that may apply in this case.
A foreign sovereign does not enjoy immunity when engaged in commercial activities rather than sovereign acts. This principle is outlined in 28 U.S.C. § 1605(a), which details exceptions to sovereign immunity. The commercial activity exception states that a foreign state is not immune if the case arises from commercial activities conducted in the U.S. or acts connected to such activities with direct effects in the U.S. The non-commercial tort exception allows for cases seeking damages for personal injury, death, or property damage occurring in the U.S. due to tortious actions by the foreign state or its officials while acting in their official capacity.
When evaluating a motion to dismiss under Rule 12(b)(1) concerning the Foreign Sovereign Immunities Act (FSIA), courts can face both facial and factual challenges. A facial challenge questions the sufficiency of the allegations based solely on the complaint, treating it similarly to a Rule 12(b)(6) motion, where all allegations are accepted as true. Courts can consider documents attached to the complaint or those necessarily relied upon, even if provided by the defendant. If the allegations support an FSIA exception, the complaint survives.
Conversely, a factual challenge allows courts to examine materials outside the pleadings to assess subject matter jurisdiction. In this context, a burden-shifting framework applies: the plaintiff must initially demonstrate that an FSIA exception is relevant, after which the foreign sovereign must prove that the exception does not apply.
Motions to dismiss for forum non conveniens allow a court to decline jurisdiction even when it has the authority to hear a case, provided that the defendant shows (1) an adequate alternative forum exists for the plaintiff's claims, and (2) a balancing of public and private interest factors indicates that the alternative forum is a strongly preferred location. The defendant carries the burden to prove why the presumption favoring the plaintiff's choice of forum should not apply, and courts may consider materials outside the pleadings in this discretionary inquiry.
In the current case, the dispute centers on RAKIA's immunity under the Foreign Sovereign Immunities Act (FSIA), particularly regarding the applicability of its commercial activity and noncommercial tort exceptions. The court has determined that Azima has sufficiently alleged that RAKIA's hacking of his computers was related to foreign commercial activity and had a direct effect in the U.S., thus granting the court subject matter jurisdiction under the commercial activity exception. The court finds it unnecessary to analyze the noncommercial tort exception further.
Regarding forum non conveniens, the court concludes that RAKIA failed to prove that England is an adequate alternative forum. Consequently, RAKIA's motions to dismiss for lack of subject matter jurisdiction and for forum non conveniens are both denied. The FSIA's commercial activity exception provides independent bases for jurisdiction, allowing for claims of injurious acts connected to commercial activities that occur outside the U.S., provided they have a direct effect within the U.S. The court affirms that Azima's allegations meet these criteria, affirming jurisdiction regardless of the location of the alleged hacking.
RAKIA is considered to have engaged in extraterritorial "commercial activity" under the Foreign Sovereign Immunities Act (FSIA), as defined by actions typical of private market participants. Commercial activities encompass regular conduct or specific transactions akin to trade, such as contracting for goods or services. In contrast, sovereign acts like abductions or nationalizations do not meet the commercial activity exception. The Supreme Court instructs that the inquiry should focus on the nature of the activity rather than the sovereign's motives. Azima asserts that RAKIA's ongoing business dealings with him, including mediating disputes, satisfy the FSIA exception. RAKIA's motion to dismiss disputes this, claiming that Azima's activities are unrelated to the case and challenges his mediation role. The court must evaluate the entire record to determine if Azima has sufficiently demonstrated RAKIA's involvement in commercial activities and if RAKIA can prove otherwise. The evidence suggests a long-standing business relationship between RAKIA and Azima, dating back to at least 2007, with multiple business interactions continuing until 2016, including discussions about joint ventures and investments in various projects.
RAKIA's involvement in business negotiations is classified as commercial activity under the Foreign Sovereign Immunities Act (FSIA). The negotiations, particularly RAKIA's role as a guarantor for RAK Airways in the HeavyLift joint venture, exemplify typical commercial conduct associated with a business enterprise. RAKIA has engaged in multiple business agreements with Azima, and courts have recognized that various contractual arrangements qualify as commercial activity under the FSIA.
A contentious factual question arises regarding whether RAKIA utilized Azima's services as a mediator between summer 2015 and July 2016. Both parties present plausible narratives about Azima's role, but the court finds that Azima has sufficiently shown he acted as a mediator during this period, primarily outside the United States. Evidence, including emails from Azima, establishes that he acted as an intermediary in RAKIA's dispute with its former CEO, organizing meetings in Milan and Geneva, and meeting with RAKIA outside the U.S.
Despite RAKIA’s claims to the contrary, evidence indicates that RAKIA recognized the value of Azima's negotiation assistance, as reflected in the March 2016 Settlement Agreement that included a $2.6 million settlement acknowledging Azima's informal negotiation support. RAKIA's assertion that Azima was merely an advocate for the CEO does not counteract the evidence of Azima’s active mediation role, and documents submitted by RAKIA further corroborate his involvement in the negotiation process.
The Court concludes that Azima's potential to suggest mediation in the CEO dispute undermines RAKIA's claim that he was merely a biased outsider. Evidence indicates Azima effectively served as a mediator in negotiations between RAKIA and its former CEO, contributing to a resolution regarding the HeavyLift joint venture. RAKIA's engagement of Azima’s mediation services constitutes commercial activity under the Foreign Sovereign Immunities Act (FSIA). The Court emphasizes that mediation is widely recognized as a commercial service, irrespective of formal contracts or direct compensation. RAKIA's characterization of its mediation efforts as sovereign activities does not negate the commercial nature of these actions; the focus is on the nature of the activities rather than the motives behind them. Consequently, the Court determines that the mediation activities conducted by Azima were commercial in character, qualifying under the FSIA. Furthermore, RAKIA's alleged hacking of Azima's computers and disparagement of him are deemed connected to its foreign commercial activities, and the Court finds no basis to dismiss these claims as insufficient or implausible.
The D.C. Circuit has not defined "in connection with" in section 1605(a)(2) of the FSIA, but other Courts of Appeals have interpreted it narrowly, requiring a substantive connection or causal link to the commercial activity, as demonstrated in cases like Garb v. Republic of Poland and Adler v. Federal Republic of Nigeria. A mere tangential or attenuated connection does not satisfy this requirement. For example, the Second Circuit found that the expropriation of property had an insufficiently substantive connection to subsequent commercial activity, while the Third Circuit determined that mismanagement of a U.S. building was not intrinsically linked to an extraterritorial loan transaction.
Despite this stringent interpretation, Azima's complaint alleges sufficient factual connections to meet the FSIA standard. Specifically, it claims that RAKIA's actions aimed to undermine Azima in their commercial dealings and inflict financial harm. The complaint asserts a direct causal relationship between the hacking and the commercial interactions between RAKIA and Azima, especially noting that information obtained from the hacking was used in a demand letter accusing Azima of fraud related to past commercial activities, including a joint venture.
Moreover, the timeline of the hacking, which began in October 2015 and continued through mid-2016, coincides with Azima's mediation role between RAKIA and its former CEO. This overlap suggests a potential link between the hacking and Azima's mediation efforts. Further, as negotiations between RAKIA and the former CEO deteriorated, RAKIA allegedly threatened to make Azima “collateral damage” in their conflict, reinforcing the suggested connection between the hacking and Azima's involvement in mediation.
The complaint alleges that after mediation efforts collapsed, hackers published Azima's private information on BitTorrent sites as retaliation, linking this action to RAKIA's prior threats. These claims suggest a substantive connection between RAKIA's hacking and its commercial activities, including using Azima as a mediator and collaborating on foreign ventures. Azima argues that RAKIA's hacking aimed to influence mediation outcomes and exert control over him, fulfilling the "in-connection-with" requirement of the Foreign Sovereign Immunities Act (FSIA).
Additionally, the court must assess whether RAKIA's actions resulted in a direct effect in the United States, as outlined in 28 U.S.C. § 1605(a)(2). This involves determining if the alleged effects were immediate consequences of RAKIA's actions and whether the claims are rooted in contract or tort law. In tort cases, the focus is on the location where the tort occurred, which is typically where the plaintiff suffered injury. The court will evaluate if Azima's claims satisfy the criteria for direct effect as established in prior case law.
A tortious act is defined as an action or inaction that causes injury to another, and the determination of whether a plaintiff suffered a cognizable injury in the U.S. is crucial. Even if the tort's locus is in the U.S., the injury's effect must be more than trivial; substantial or foreseeable harm is not required, but purely trivial effects, such as minor reputational harm or financial losses from foreign torts, do not qualify as direct effects within the U.S. Azima's complaint argues that the hacking of his computers had a direct effect in the U.S. because he is an American citizen residing in Kansas City, conducting significant business from within the country. Evidence from the complaint indicates that Azima communicated frequently with associates in the U.S. and maintained U.S.-based laptops that were hacked. The court finds that the allegations sufficiently suggest that at least one laptop was in the U.S. during the hacking incidents, thus establishing a direct effect. RAKIA's argument that the complaint must detail the location of all computer equipment at all times is deemed procedurally improper, as legal standards require favorable interpretation of the plaintiff's allegations.
The Court determined that requiring a U.S. citizen to specify exact dates and confirm the presence of all computer equipment within the U.S. during alleged computer hacking is unreasonable for proceeding with a legal action against a foreign state under the Computer Fraud and Abuse Act (CFAA) and the Foreign Sovereign Immunities Act (FSIA). Azima's complaint sufficiently alleges that RAKIA's hacking directly affected him within the U.S., as the CFAA holds defendants liable for unauthorized access to protected computers resulting in losses exceeding $5,000. Azima asserted that the hackers accessed and damaged his U.S.-based computers and installed malware. This implies that some damage occurred while the computers were in the U.S., validating his claim of injury under the CFAA.
Additionally, Azima's claims of unfair competition due to RAKIA’s actions also demonstrate direct effects in the U.S., as they involve interference with his business operations. Although the conversion claim posed more complexity, the Court concluded that Azima provided sufficient facts for it to survive a motion to dismiss. The Court referenced legal principles concerning torts against property, noting that the location of a tort typically aligns with where the damage occurs. Under D.C. law, conversion can occur not only through outright theft but also if property is damaged while in someone else's possession. Azima's allegations included the deletion of data from his U.S.-based devices during the hacking, supporting the conclusion that the harmful actions occurred within the U.S.
Azima argues that his decision to replace his computers after a malware attack was based on expert advice, indicating that the computers were already compromised and thus the damage constitutes a direct effect under the Foreign Sovereign Immunities Act (FSIA). RAKIA's assertion that Azima's actions were an intervening factor is rejected, as the Court finds the damage to Azima's computers represents a significant direct effect in the U.S., supporting jurisdiction over his conversion claim. The Court dismisses RAKIA's claim that Azima did not experience a direct effect in the U.S. from the theft of his data, clarifying that the Second Circuit's previous statements pertained to financial losses rather than the theft of property. The Court notes that the location of the hacking, whether inside or outside the U.S., is not essential to the current ruling, which establishes that the hacking relates to commercial activities outside the U.S. causing a direct effect within it. The parties disagree on the location of the hacking, with Azima asserting that the IP addresses used were in the U.S., while RAKIA contends that the hackers were abroad. The Court emphasizes that, unlike typical tort cases, the jurisdictional implications of computer hacking are complex, as the injury occurs when the victim interacts with the compromised computer while in the U.S. Thus, both parties can present valid arguments regarding the hacking's location concerning the FSIA’s commercial activity exception.
The Court determines that it is unnecessary to resolve the dispute regarding the location of the hacking incident in this case. The Foreign Sovereign Immunities Act (FSIA) and its commercial activity exception focus on whether a foreign sovereign acted in a commercial capacity and caused harm that affects the United States, rather than requiring a specific identification of where the tortious act occurred. Jurisdiction under 28 U.S.C. § 1605(a)(2) can be established if the foreign sovereign performed commercial acts with effects inside or outside the U.S., allowing for lawsuits regardless of the act's location. The statute enables federal courts to hear cases if the tortious act occurred within the U.S. or had a direct effect on it. Thus, the Court does not need to decide the precise location of the hacking, as the allegations meet the jurisdictional requirements under the more stringent tests provided by the statute. The Court emphasizes that requiring such a determination would undermine the statute's purpose and that the complaint remains valid given its sufficient allegations supporting jurisdiction based on both possible scenarios.
When a plaintiff meets a more challenging standard in a case, the court is not required to determine whether a simpler standard applies. The court expresses confidence that its decision to avoid ruling on the location issue will not broadly expand the Foreign Sovereign Immunities Act (FSIA) to all cases of alleged foreign state hacking in the U.S. This is due to Congress's requirement that the effect must be direct for jurisdictional purposes, and the plaintiff, Azima, has claimed actual damage from the hack, which is significant enough to meet this requirement. Prior case law indicates that neither reputational harm nor financial loss constitutes a direct effect in the U.S. Furthermore, the FSIA's commercial activity exception necessitates that the harmful act must relate to the foreign sovereign's commercial activities. Thus, only hacking that impacts U.S. computers to advance foreign commercial interests falls under the FSIA.
Additionally, the court ruled that RAKIA failed to demonstrate that London is an adequate alternative forum for the case, thus preventing the dismissal of the case under the doctrine of forum non conveniens. This doctrine requires courts to evaluate various venue-related issues, including the adequacy of the proposed forum. The court must ensure that defendants are subject to service of process in the alternative forum and that the forum allows litigation of the case's subject matter. Moreover, there should be no procedural barriers, such as statutes of limitations or sovereign immunity, hindering the litigation. It is the defendant's responsibility to provide sufficient information for the court to assess the alternative forum’s adequacy, rather than the court conducting its own research.
Defendants often submit declarations from legal experts in alternative jurisdictions to demonstrate the adequacy and availability of those forums, which helps them meet the burden of proof regarding the adequacy of the alternative forum for resolving claims. In this case, RAKIA failed to provide such expert testimony, undermining its argument that the English High Court has jurisdiction over Azima's claims.
RAKIA's argument is further weakened by the State Immunity Act of 1978, which generally grants foreign sovereigns immunity in the UK, with limited exceptions that do not apply to this case. Although RAKIA suggests that an exception for consent might apply if Azima were to bring hacking claims in a London court, it fails to assert that it would consent to jurisdiction for these specific claims. The previous consent provided in a different lawsuit does not imply consent for the current claims, as waivers of immunity under the Act are strictly limited to related claims.
RAKIA's potential willingness to waive immunity does not guarantee that it would do so, which could leave Azima without a forum for litigation. Additionally, even if RAKIA were to waive its immunity, it has not shown that the UK would provide an adequate remedy for Azima's alleged injuries, as the mere existence of less favorable substantive law does not render a foreign forum inadequate.
RAKIA cites the U.K. Data Protection Act of 1998 to argue that remedies exist for computer breaches under English law. However, the Act regulates only "data controllers," who must be established or use equipment in the U.K. RAKIA, based in the UAE, has not demonstrated any processing of personal data in the U.K., making the Act irrelevant to Azima's dispute. Without evidence or expert declarations to support the claim that Azima could pursue a lawsuit in the U.K. for the alleged hacking, RAKIA has not met the burden of proving the U.K. as an adequate forum. RAKIA further argues for dismissal based on a forum-selection clause in a March 2016 Settlement Agreement with Azima, asserting it requires disputes to be resolved in the U.K. However, even if the U.K. were deemed an adequate forum, RAKIA mischaracterizes the Settlement Agreement, which pertains specifically to disputes related to the HeavyLift joint venture agreement, not the current hacking claims.
RAKIA cannot argue that the Settlement Agreement covers future claims unrelated to its formation, execution, or terms, such as the alleged hacking of Azima's computers and the dissemination of his personal information. The court clarifies that while the hacking may relate to the HeavyLift joint venture, Azima's claims under the Computer Fraud and Abuse Act (CFAA) and D.C. common law do not connect to the Settlement Agreement's subject matter, which governs the forum-selection clause requiring disputes to be litigated in London. RAKIA's motion for forum non conveniens hinges on the court finding that public and private interests favor London; however, the court notes RAKIA has not shown the existence of an adequate alternative forum. Thus, even if the court considered this balancing, it would likely find RAKIA has not demonstrated a strong case for shifting the forum. Ultimately, the court affirms its subject matter jurisdiction over Azima's claims and denies RAKIA's motion to dismiss.
Page-number citations in this document reference the automatic assignments by the Court's electronic filing system. The facts presented are drawn from Azima's amended complaint and the corresponding exhibits submitted by both parties, which are crucial due to a factual dispute relevant to the current motion. Typically, courts must view facts favorably to the plaintiff at the motion to dismiss stage; however, jurisdictional issues like sovereign immunity necessitate considering facts outside the complaint.
The background highlights differing interpretations of BitTorrent websites by the parties. While both acknowledge these sites can facilitate illegal activities, RAKIA argues that they can be accessed legally by the public, whereas Azima contends that only the BitTorrent creator or affiliates can access them. Despite this disagreement, the Court deems it immaterial to the resolution of the current motion. Azima's complaint would have benefited from explicitly asserting that the hacked computers were within the U.S. during the relevant timeframe, although the Court finds that the allegations allow for such an inference. RAKIA retains the option to challenge this assertion with evidence as the litigation progresses.
Additionally, courts, including those in this district, have ruled that claims for conversion of digital data do not hold, as neither District of Columbia nor Virginia law recognizes conversion for intangible property. Although RAKIA has not raised this argument in the current motion, the Court will refrain from addressing it. The commercial activity exception allows federal courts jurisdiction over actions by foreign sovereigns that occur outside the U.S., which is a distinct provision compared to the noncommercial tort exception outlined in the Foreign Sovereign Immunities Act (FSIA).
