Understanding Cyberattack Liabilities
Earlier this month cyberattacks dominated the news as 16 health care facilities (mostly major hospitals in the U.K.) lost access to patient data to hackers who demanded payment in exchange for its "return." Previous hacks simply created risk and inconvenience by accessing what was supposed to be secure, confidential information (read: credit card data); in this case, the culprits placed lives in jeopardy because of the critical information they "data-napped." Sadly, in the case of this particular hack, Microsoft had warned users of an identified vulnerability and provided a patch to address it two weeks before the attack.
Savvy IT professionals who stay on top of software patches and updates made patch installation a priority, while others, for any number of reasons, did not take those same steps. Where recommended software patches were not installed, attorneys for hungry and angry plaintiffs can easily argue that the vulnerable entities were negligent in not taking prompt action. Inaction by IT staffs has created a wide open net for regulatory intervention and litigation, including potentially lethal class action suits, all of which can get very expensive, very quickly. And these costs start adding up only after an organization has already paid the ransom for its data.
The legal issues that these circumstances present fall directly into the category of negligence, because organizations were made aware of the vulnerability, were provided with the tools to fix the problem, and chose to do nothing about it. That is, the argument will be that any reasonable ("reasonable" is a legal term of art) entity had the opportunity to apply the patch and prevent the problem. For whatever reason, including a simple failure to act, it made a conscious decision not to apply the patch. Simply not getting around to it because of other priorities is not likely to be a winning argument for an entity whose data was hacked and where harm was caused.
While ransomware attacks do happen at small businesses, larger enterprises (which hold vast numbers of records containing confidential and time-critical information, as well as the ability to pay to get them back once they've been seized) are more likely to be targeted and penetrated than smaller ones. The larger the company, the more vulnerabilities it has because of the number of endpoints. And the more endpoints there are, the more likely it is that some of them are not as up to date as others. It's even possible (horrors!) that there are devices within the enterprise still running Windows XP (which even Microsoft no longer supports) instead of Windows 10. Hackers tend to go after targets that have something of value -- that is, where they'll get the biggest bang for the buck. A device running XP is nowhere near as secure as one running a more current operating system.
And here's another important point. Many enterprises have now secured insurance against hacks and ransomware. While costly, these policies can be effective. However, as is always the case with such policies, knowing what's in the fine print, and most notably where the exclusions are, is imperative. Remember that a network is only as strong as its weakest link. Marc Voses, a partner at Kaufman Dolowich Voluck LLP, warned specifically about this issue in a recent law journal article. When I asked him about his statement, Voses shared the following with me via email: "If a company has told its insurance carrier that the most recent version of Windows is running but the company has terminals running Windows XP and that exposes the entire organization to a cyberattack like this, that's likely to be unacceptable under the insurance policy contract."
Potential v. Real Harm
While plaintiffs in the past have claimed injury resulting from the unauthorized release of sensitive information, courts, including the U.S. Supreme Court, have been reluctant to award damages absent proof of a "concrete injury" (see Spokeo, Inc. v. Robins, decided just one year ago). In that case, the Supreme Court determined that for a consumer to proceed with a claim (which involved inaccurate personal information contained in Spokeo's profile of the plaintiff), the harm, and the cause of that harm, defined in the relevant section of the law (Fair Credit Reporting Act, 15 U.S.C. Section 1681e(b)) must be shown, and that showing had not been made. While the case was returned to the Ninth Circuit, the decision has had a chilling effect on potential plaintiffs who have not suffered "'an invasion of a legally protected interest' that is 'concrete and particularized' and 'actual or imminent, not conjectural or hypothetical.'"
The takeaway is that enterprises must be vigilant -- not just for their largest and most sophisticated systems, but for the smallest as well. Available patches can't wait until next week -- they must be installed as soon as they're available, and it's up to someone on an IT staff to monitor software and hardware updates so that lapses do not occur. Further, while purchasing insurance is helpful, it's critical to have a clear understanding of precisely what types of attacks are covered in the policy. Finally, identifying vulnerabilities and protecting against them must be an ongoing process. There must be vigilance from the highest to the lowest levels in order to mitigate -- if not eliminate -- the damage that either an outright hack or a ransom event can cause.