Dive Brief:

• At least two people filed class-action lawsuits Tuesday against Capital One over the bank’s data breach that exposed personal information connected to 106 million customers in the U.S. and Canada. Kevin Zosiak, a Connecticut resident, expressed in his suit that the breach violates the bank’s promise to credit-card applicants that sensitive “data transferred between Capital One and you is encrypted” by 256-bit Secure Sockets Layer technology and “cannot be viewed by any other party.”
• Attorneys general in New York, Connecticut and Illinois on Tuesday launched inquiries into the Capital One data breach that was made public Monday, affecting 106 million customers. “Though Capital One’s breach was internal, the fact still remains that safeguards were missing that allowed for the illegal access of consumers’ names, Social Security numbers, dates of birth, addresses, and other highly sensitive, personal information,” New York Attorney General Letitia James said in a statement Tuesday, according to the New York Post.
• Capital One says it caught the breach quickly enough that nothing was done with the stolen data. “We believe it is unlikely that the information was used for fraud or disseminated,” the bank said in its statement. A bail hearing for Paige Thompson, the suspect arrested in the data breach, is set for Thursday.

Dive Insight:

Zosiak, in his complaint, noted that Capital One customers received notices of previous data breaches in November 2014 and July and September 2017. Given that history — and an uptick in data breaches in general — the company was obligated to be better prepared for another incursion.

In a separate class-action suit, DuWayne Baird, an Ohio resident, alleged the company disregarded the rights of plaintiffs by “intentionally, willfully, or negligently failing to take adequate or reasonable measures” to ensure customers’ data was protected and failing to tell customers its safeguards were inadequate.

“You’d think with one data breach after another, companies would wise up and take responsibility for the data it collects from consumers, but unfortunately, they continue to shirk that responsibility,” John Yanchunis of Morgan & Morgan said in an emailed statement, according to The National Law Journal.

Massachusetts Attorney General Maura Healey said Tuesday on Twitter that her office is “in active discussions” with Capital One regarding the breach’s impact. States can also merge separate inquiries into breaches, as has been done with cases surrounding Equifax and Uber.

Because the Capital One breach involves a third party — the stolen data was stored on Amazon Web Services servers — states may also question Amazon, according to Bloomberg Law.