Kaspersky Lab, Inc. v. U.S. Dep't of Homeland SEC. & Kirstjen M. Nielsen
909 F.3d 446
| D.C. Cir. | 2018Background
- Kaspersky Lab, a Russian-headquartered cybersecurity company, alleged the U.S. government banned its products from federal systems through (a) DHS Binding Operational Directive 17-01 (Sept. 2017) and (b) §1634 of the Fiscal Year 2018 NDAA (enacted Dec. 2017).
- DHS issued BOD-17-01 directing federal agencies to remove "Kaspersky-branded products" citing risks that Russian government access could exploit antivirus software privileges.
- Congress, after multiple hearings and an interagency assessment, enacted NDAA §1634 prohibiting federal use of hardware, software, or services developed or provided in whole or in part by Kaspersky beginning Oct. 1, 2018, and directed further review of suspect products.
- Kaspersky filed two consolidated suits: (1) APA challenge to the DHS Directive; and (2) constitutional challenge that §1634 is a bill of attainder.
- The district court dismissed the §1634 (NDAA) claim for failure to state a claim (not a bill of attainder) and dismissed the DHS Directive APA claim for lack of Article III standing because §1634 would remain and redress would be unavailable.
- The D.C. Circuit affirmed both dismissals, holding §1634 is a nonpunitive, prophylactic national-security measure and the Directive claim was not redressable.
Issues
| Issue | Plaintiff's Argument | Defendant's Argument | Held |
|---|---|---|---|
| Whether NDAA §1634 is an unconstitutional bill of attainder | Kaspersky: §1634 specifically targets Kaspersky and imposes punitive consequences (reputational & economic), reflecting legislative punishment | Government: §1634 is a nonpunitive, prophylactic national-security measure to protect federal networks from Russian cyber threats | Court: Not a bill of attainder — fails functional, historical, and motivational tests; statute furthers legitimate nonpunitive purpose and is not punitive |
| Whether Kaspersky has standing to challenge DHS BOD‑17‑01 (APA claim) | Kaspersky: DHS Directive caused injury by requiring removal of products and harming business; rescission would help | Government: Even if Directive were vacated, §1634 is broader and would continue the prohibition, so injunction would not redress injury | Court: Lack of redressable injury; dismissed for lack of Article III standing |
Key Cases Cited
- Tellabs, Inc. v. Makor Issues & Rights, Ltd., 551 U.S. 308 (standard for accepting allegations at motion-to-dismiss stage)
- Nixon v. Administrator of General Services, 433 U.S. 425 (historical/contextual approach to bills of attainder; "class of one" concept)
- Selective Service System v. Minnesota Public Interest Research Group, 468 U.S. 841 (three-factor test for legislative punishment)
- Foretich v. United States, 351 F.3d 1198 (D.C. Cir. bill-of-attainder analysis; functional test emphasis)
- BellSouth Corp. v. FCC, 144 F.3d 58 (D.C. Cir. treatment of specificity and business-regulation distinctions)
- BellSouth Corp. v. FCC, 162 F.3d 678 (D.C. Cir. further discussion of functional test and nonpunitive purposes)
- United States v. Lovett, 328 U.S. 303 (invalidated statute cutting pay of named federal employees — illustrative historic bill of attainder)
- United States v. Brown, 381 U.S. 437 (statute criminalizing certain group membership in employment context — historic legislative punishment)