Anticipating legal cases, a new challenge for cyberattack victims

Companies that have been cyberattacked risk losing their data but also ending up in court. More and more “collateral” victims are seeking damages from the “main” targets.

The InterContinental Hotels Group (IHG) is an example of this phenomenon. A cyberattack in early September, 2022, took out the booking system for the group’s establishments. The company was unable to take new reservations, which slashed its revenue.

On September 17, 2022, hackers told BBC journalists that they gained access to the company’s booking software by entering a very easy-to-guess password: QWERTY1234. This revelation was all the more resounding as it took place just two days after managers of hotel franchises in the US filed a complaint to this effect. The latter pointed to the inadequacy of IHG’s cybersecurity measures.

The hotel group is not an isolated case. End of 2021, a study by the Norton Rose Fulbright firm showed the number of American companies deeming themselves likely to be indicted in case of a cyberattack increased from 44% in 2020 to 66% in 2021.

What are cyberattack victims accused of?

In the United States, 36 companies and individuals sued in 2021. This represents a 44% increase over the previous year. The reasons given range from false advertising, insofar as the offending organization was unable to guarantee the level of cybersecurity it promoted, to non-compliance with American laws about protecting personal medical (Fair Credit Reporting Act) or financial (Health Insurance Portability and Accountability Act) data.

Negligence is also often grounds for charges. A business is accused of not performing a mandatory task when failure to do so has caused damages to the prosecution. The latter then sues for reparations.

What constitutes said damages? For a company, this may be a loss of income due to a shutdown, which is what happened after the attack on IHG and the one on Colonial Pipeline, in May, 2021. Gas station managers had to close shop and give up on their main source of income, i.e. retail distribution.

If the cyberattack is caused by a personal data leak, individuals may claim damages for the harm done to their reputation following the disclosure of sensitive data like their state of health or a request for a loan. The stress caused by a cyberattack is also taken into account in assessing the scale of damages.

Finally, businesses and individuals in a class action suit may include the fees required to deal with the cyberattack as damages. In May, 2021, players in the automotive industry, who were forced to pay more for gas, sued Colonial Pipeline.

For the prosecution, the challenge lies in demonstrating that the damages suffered were caused by the defendant’s negligence, and that they may be compensated when judgment is rendered. With these trials, a precedent has been set to outline conditions under which this correlation can be established.

In 2021, the Supreme Court gave a ruling on a case that opposed the TransUnion company to 8,000 of its customers. The latter had filed a class action lawsuit following a cyberattack against the company, in which hackers had managed to falsify TransUnion records, framing plaintiffs as FBI suspects involved in the drug trade and financing of terrorism.

Of the 8,000 plaintiffs, only 1,853 had their profiles passed on to third parties as a result of the hack. Judges considered only the latter could claim damages due to a lack of protection from TransUnion’s computer system.

Such a leak cannot, in itself, justify compensation. The defendant must be proven guilty of violating a law (federal or not). In another suit filed after the Colonial Pipeline hack, a US federal court considered, in July 2022, that even if the company’s computer security measures were insufficient regarding the standards for this type of infrastructure, this did not constitute an offense (abuse of dominance, breach of statutory duty…). Charges were therefore dismissed.

However, a recent bill to better protect American businesses provides for new requirements. In March of 2022, the Cyber Incident Reporting for Critical Infrastructure Act made it mandatory for US companies targeted by a cyberattack to submit a report to CISA. The bill also endows the agency with new powers providing for the implementation of cybersecurity measures according to the size and significance of a company.

Can such trials take place in Europe?

Such legal cases are not restricted to the United States. European businesses are also subject to cybersecurity requirements established by the EU. The NIS2 Directive mandates cybersecurity measures for operators of essential services so that member States are not helpless in the event of a cyberattack

Additional requirements are also provided for by DORA about financial sector players. Furthermore, the new European Representative Actions Directive, which was made law by EU member States over the course of 2022, allows European consumer associations to bring class action suits against corporations that do not comply with EU regulations.