Kaspersky Lab, Inc.v. United States Department of Homeland Security, No. 18-5176 (D.C. Cir. 2018)Annotate this Case
Kaspersky, a Russian-based cybersecurity company, provides products and services to customers around the world. In 2017, based on concerns that the Russian government could exploit Kaspersky’s access to federal computers, the Secretary of Homeland Security directed federal agencies to remove the company’s products from government information systems. Congress later broadened and codified (131 Stat. 1283) that prohibition in the National Defense Authorization Act. Kaspersky sued, arguing that the prohibition constituted an impermissible legislative punishment, a bill of attainder prohibited by the Constitution, Article I, Section 9. The D.C. Circuit affirmed the dismissal of the suit. Kaspersky failed to adequately allege that Congress enacted a bill of attainder. The court noted the nonpunitive interest at stake: the security of the federal government’s information systems. The law is prophylactic, not punitive. While Kaspersky is not the only possible gap in the federal computer system’s defenses, Congress had ample evidence that Kaspersky posed the most urgent potential threat and Congress has “sufficient latitude to choose among competing policy alternatives.” Though costly to Kaspersky, the decision falls far short of “the historical meaning of legislative punishment.” Relying just on the legislative record, Kaspersky’s complaint fails to plausibly allege that the motivation behind the law was punitive.