Until recently, courts were hesitant to recognize the harm caused by cyberattacks. But after repeated hacking incidents, courts have recognized that hackers often have the power to cause real damage to consumers. Most data breach lawsuits now end in a settlement, with companies paying victims in lieu of costly court battles. According to Solove, many lawsuits are resolved without a plaintiff proving actual harm. The reason courts are more willing to accept these cases is that many of them have been sparked by a hack that was not a ‘typical’ cyberattack.
Capital One will pay $190 million to end litigation sparked by a 2019 hack
After a massive hack that affected 100 million Americans’ financial data, Capital One has agreed to pay $190 million to settle a class-action lawsuit filed against the bank. The lawsuit, filed by customers of the bank, aimed to hold the bank accountable for the hack. In response, the company moved some of its operations to the cloud and restructured its network to protect customer data.
In March 2019, Capital One disclosed that its network was compromised. The data breach occurred when a software engineer working for the cloud-based computing company AWS gained access to the personal information of millions of customers. After the bank released a public notice about the hacking, many people filed lawsuits against it. The decision came about in response to a plaintiff’s motion to compel the production of a cyber-forensic report detailing the technical problems that allowed a bad actor to penetrate Capital One’s network. The bank argued that it did not need to produce the report because it was requested by a law firm.
As part of the settlement, Capital One will pay Mandiant a retainer for its computer security incident response assistance. The company paid Mandiant through its cyber budget but reclassified the expenses in December 2019 as legal expenses. The Law Firm received the Mandiant Report and distributed it to the legal department, fifty Capital One employees, the company’s accountant, and four regulators.
GRU military spy agency is a defendant in a hacking lawsuit
The GRU military spy agency has been accused of hacking the Democratic National Committee, various anti-doping organizations, and the Organization for the Prohibition of Chemical Weapons (OPCW) in the Netherlands. The spy agency is also accused of poisoning former GRU colonel Sergei Skripal, a British citizen who was poisoned in a UK gas chamber.
In 2009, a former GRU officer named Oleg Penkovsky was arrested and accused of dumping 5,000 GRU documents to the CIA. He was working for the GRU’s ITAR-TASS bureau, and he was arrested by the CIA. He told investigators that he had dropped the intelligence at different locations in Moscow, including the Vagankovo Cemetery, and the grave of Russian poet Sergey Yesenin. He told investigators that he had been a dead drop signal for the Russian military spy agency and walked the embankment with a cigarette in his mouth. He also walked with a book wrapped in a white wrapper.
The GRU military spy agency has been accused of hacking the US election in 2016. In this case, nine former officers were identified as part of the operation. The agents worked for two GRU units – Unit 26165 and Unit 74455 – which engaged in cyber operations and published stolen content. A separate indictment was announced on July 13 in the U.S. against the nine officers.
Illinois law allows plaintiffs to proceed without alleging an actual injury
The state of Illinois permits plaintiffs to proceed in a hacking lawsuit without proving actual injury. As of December 29, 2018, the Northern District of Illinois dismissed consolidated BIPA cases because plaintiffs failed to allege actual injury. The courts cited the Illinois Biometric Information Privacy Act as a basis for dismissing the cases. As a result, plaintiffs have three years from the date of the incident to file a complaint.
As a result, the U.S. District Court for the Northern District of Illinois ruled that plaintiffs did not need to allege actual injury to bring a hacking lawsuit against Barnes & Noble. Because the plaintiffs failed to allege actual injury, the court may spare the retailer from paying damages for data breaches. In its ruling, the 7th Circuit rejected the plaintiffs’ argument that they did not suffer pleading standards related to the actual injury.
The district court held that the Plaintiffs failed to establish standing under Illinois law because their theory of future injury was speculative and did not satisfy the well-established requirement of imminent injury. Plaintiffs had not adequately described concrete and particularized harms. Moreover, the court’s opinion cited the opinions of data security experts in supporting their position that the Plaintiffs did not need to allege actual injury in order to establish standing.