Just five weeks after former Ole Miss star Laremy Tunsil’s Twitter account was hacked during the 2016 NFL Draft, the NFL’s Twitter account experienced a high-profile cyber security breach of its own on Tuesday. Someone hacked into the NFL’s account and at 12:36 PM ET tweeted, “We regret to inform our fans that our commissioner, Roger Goodell, has passed away. He was 57. #RIP” Eight minutes later, the hacker tweeted, “Oi, I said Roger Goodell has died. Don’t delete that tweet.” A minute later, the hacker acknowledged he was a hacker, saying “OK, OK, you amateur detectives win. Good job”.
The three hacked tweets were then deleted and the NFL instantly sent out word that Goodell was fine. A Twitter account with the username @IDissEverything was the only new account followed by the NFL’s twitter account during the hacking. While this could suggest that the person behind that handle is responsible for the hacking, the user has not claimed credit and Twitter has suspended his/her account.
The NFL must investigate its social media security
The hacking and false tweeting about Goodell raises several security and legal issues for the NFL. It is noteworthy that a multi-billion dollar business like the NFL could be so vulnerable to a Twitter hacking. Tuesday’s hacking is surely embarrassing to a league that prides itself on security and integrity. More importantly, the hacking is a source of concern to the league’s business operations. This is especially the case given the growing financial importance of social media pages for professional sports leagues in reaching fans and consumers. From my vantage point, the tweet about Goodell’s death seemed instantly untrue. It would be unbelievably tactless for a league to announce by Twitter that its commissioner is dead. The tweets eight and nine minutes later only confirmed the report was false.
But what if the hacker had tweeted more plausible, but nonetheless untrue, statements about the league? What if the NFL didn’t immediately detect the falsity of the tweets? Keep in mind, Tuesday’s hacker had control of the NFL’s account for at least nine minutes, which you could argue is equivalent to hours in the Twitterverse. Further, say a more believable set of false tweets were then relied upon by corporate sponsors, media partners, teams, players, fans, player agents, DFS and fantasy players, gamblers, casinos and the many other constituencies whose businesses are somehow connected to the NFL? The potential financial harm and subsequent litigation could be extensive.
The NFL will surely investigate who knew the password to the league’s Twitter account. Normally a business will limit knowledge of its social media passwords to top executives and to a select group of employees who work in social media relations. If the NFL learns that too many league employees knew about its Twitter password, the league would be poised to limit knowledge of a new password. The NFL will also probably investigate whether its Twitter password was inappropriately simple and thus relatively easy for a trained hacker to obtain. Likewise, the league will likely review the company’s policy for changing social media passwords on a routine basis to ensure that any password leaks present a weakness for only a limited period of time.
The NFL, of course, is not the first major business or sports league to be hacked. FIFA World Cup, Fox News Politics and Chipotle have all seen their Twitter pages hacked in recent years. It’s safe to assume that others will experience the same misery. For all of these organizations, there can never be enough security for social media pages.
Potential legal fallout for the hacker and how the NFL and Goodell could sue
If he or she is identified, the hacker into the NFL’s account could face a number of legal consequences. Most seriously, he or she could be charged with violating the federal Computer Fraud and Abuse Act (CFRA). The CFRA, which carries stiff prison sentences, prohibits hacking.
Both the league and Goodell could also consider civil lawsuits against the hacker. While the hacker might lack the financial wherewithal to pay off a civil judgment, the league might reason that its interest in suing is more about “sending a message” to other potential hackers than in collecting damages. Among the potential sources of law for the NFL would be the aforementioned CFRA, which provides for civil remedies in addition to criminal penalties. Another relevant law would be invasion of privacy, which can be used by victims of hackers to recover damages. The league might struggle to prove it suffered substantial damages, as the hacked tweet was not particularly believable and it was quickly deleted. Still, the league might view even nominal damages worth pursuing as a means of deterring other hackers.
Lastly, Goodell could bring civil claims against the hacker (assuming he/she is caught). Goodell, who according to sports accountant Robert Raiola earned $142.6 million between 2011 and 2014, would not file a lawsuit because he needs monetary relief from the hacker. He would bring it to discourage and scare off future hackers.
Goodell would have a viable argument that the hacker defamed him by using an official league publication to report that he was dead. As a public figure, Goodell would likely need to establish that the hacker made the false death statement with “actual malice”—meaning he/she knew it was untrue. This would be a very easy burden for Goodell to meet. It’s even possible that Goodell would be relieved of the obligation to prove actual malice since certain defamatory statements are so egregious that they constitute “defamation per se,” which does not require a showing of actual malice. However, several federal courts have held that publication of a false report is not defamation per se.
In his/her defense, the hacker might contend that the tweets were obvious satire and not to believed. Goodell, through his @nflcommish twitter account, even made light of the hacking incident by tweeting, “Man, you leave the office for 1 day of golf w/ @JimKelly1212 & your own network kills you off. #harsh”. Then again, given that the hacker’s first tweet was somewhat serious-sounding and published by the league’s official Twitter account, a defense based on satire could be challenging to establish. The hacker might also argue that Goodell shouldn’t complain about being hacked given that Goodell awkwardly said Tunsil’s draft night nightmare was “part of what makes the draft so exciting.” This type of defense might have traction with some fans, but would do nothing in court.
Goodell could also consider an intentional infliction of emotional distress (“IIED”) lawsuit. He could assert that the hacker tried to cause him distress by having the public believe, even if momentarily, that he was dead. Usually claims under IIED are difficult to establish, but being the subject of a false death report would surely upset anyone.
Michael McCann is a legal analyst and writer for Sports Illustrated. He is also a Massachusetts attorney and the founding director of the Sports and Entertainment Law Institute at the University of New Hampshire School of Law. McCann also created and teaches the Deflategate undergraduate course at UNH. He serves on the Board of Advisors to the Harvard Law School Systemic Justice Project and is the distinguished visiting Hall of Fame Professor of Law at Mississippi College School of Law. He is also on the faculty of the Oregon Law Summer Sports Institute.