‘HACT’ would put foreign states on hook for hacks

The United States has recently suffered a number of highly damaging cyberattacks – and the attacks are likely to continue, according to U.S. intelligence reports.

With evidence mounting that these actions were sponsored by adversarial states such as Russia and China, victims want justice against Moscow, Beijing and their hired hackers, including through civil action.

The problem is this: It is not easy to sue a foreign government. The Foreign Sovereign Immunities Act (FSIA) shields foreign governments from being sued in U.S. courts, except in cases of terrorism or when the governments are acting in a commercial capacity, rather than as a sovereign entity.

In what was up until then the most notorious – and politically harmful – attack, FSIA shielded Russia from being sued over the hacking of the Democratic National Committee in 2016.

Russian operatives also inserted malware into software supply chains, most famously in 2017 in the NotPetya attack that cost companies around the world an estimated $10 billion in losses. More recently, Russia appears to have sponsored the massive hack into Austin-based cybersecurity firm SolarWinds Corp., an attack that compromised information in America’s national security apparatus, including the departments of Homeland Security, State, Treasury and Energy.

A congressman from Texas has introduced the Homeland and Cyber Threat Act (cleverly known as HACT), which would create another exception to immunity for cases in which a foreign state actor causes harm through cyberattacks.

The HACT Act would make foreign states potentially liable for acts such as:

  • Gaining “unauthorized access” to a computer or to “confidential, electronic stored information” in the United States.
  • Introducing a damaging “program, information, code or command” to the United States.
  • Sharing information obtained through a hack.
  • Providing “material support or resources” to a cyberattack.

Plaintiffs could claim “personal injury, harm to reputation, or damage to or loss of property,” according to the text of the legislation. This could lead to multi-million claims against foreign states and official state actors.

The bill appears to have growing bipartisan support in Congress, but it remains to be seen how it will be received by the Executive Branch, which historically resists private actions against states as a complicating interference in foreign policy. The Biden Administration, however, has promised a quick response to the SolarWinds attack with “a mix of tools seen and unseen.”

If your company has been the victim of cyberattacks, contact the international litigation experts at Ehrenstein|Sager to better understand your options.