In the wake of the massive ransomware attack which hit the UK’s NHS, and tens of thousands of businesses and individuals across Europe and the rest of the world, an attack which may have cost lives, but certainly cost millions of dollars, pounds, Euro, and bitcoin, one question looms over all others. At least to lawyers. Others may ask, “how did this happen?” or “who is responsible?” or “how do I prevent this in the future?” But lawyers ask (or are asked) “can I sue?”
In truth, it’s the silliest question to ask a lawyer. The rule is, “if it moves, sue it…” “If it doesn’t move, move it, then sue it…” But the truthful answer is to examine WHO can be sued, for WHAT and what is the likelihood of recovery?
Once More Into the Breach
The beginning of any legal analysis of whether there’s a legal remedy for something is to ask whether someone breached a duty, where that duty came from, and to who that duty extended.
Clearly, those who launched the ransomware attacks are subject to legal recourse – criminal and civil – for their actions. Computer hacking, threats, extortion, fraud, etc. all come to mind. But to go after them, you have to find them and find their purloined assets. Not an easy undertaking for the FBI, RCMP, Scotland Yard, and Interpol, much less Iberdrola, FedEx or other private companies attacked (or their insurers).
Next candidate for litigation? The entity that failed to patch their system. So, a UK resident who suffered damage because they failed to have their surgery, or because they got the wrong drug administered because their electronic records were inaccessible might have a lawsuit against the hospital. This is under the theory that the hospital failed to patch in a timely manner their Windows based systems, and that they had a duty to keep their “medical equipment” (which their IT systems might be) in good repair.
So that’s one problem with using the bomb that is litigation in computer crime cases – we run the risk of being hoist by our own petard. There’s always someone who wants to sue us for the same thing. Of course, this raises the question of whether there is a duty to patch systems, what the scope of that duty might be, who are the beneficiaries of that duty, and whether those individuals have a cause to sue for a breach of that duty.
Patching and patch management are an accepted part of any comprehensive information security program, so an unreasonable failure to patch might give rise to a cause of action. The question though is whether failure to patch in any individual circumstance is unreasonable?
Sure, any individual attack which arose from an unpatched or incompletely patched device is easy to point to. It’s easy – after the fact – to say “if only you had patched that one system, the harm could have been avoided or mitigated.” After the fact.
Problem is that CISOs have to patch every system all the time. And patches themselves cause problems. What’s more important than whether a particular system was patched is whether the enterprise has a reasonable process for evaluating and implementing patches, and whether that process was followed.
What about the software developer that created, sold or distributed the software that had the vulnerability (patched or unpatched) that was exploited? Can they be sued? That one is harder. You see, software sales (licensing) is subject to the End User License Agreement or EULA.
A contract between the software developer and the licensee which, in legal terms says, “this software is a piece of junk and probably won’t work very well. It’s your responsibility to maintain it, don’t use it on anything important, and most importantly, if anything goes wrong, don’t blame us.”
Of course, it says this in 27 pages of 6 point typeface, accessible only after the software is purchased and installed. To date, I am aware of no successful negligence lawsuits against software developers per se for damages resulting from patent or latent defects in the software which have lead to data breaches or ransomware, but I am sure the Interwebs can suggest some.
Take on City Hall (the NSA)
What about suing the NSA? Sure, there’s a great idea. The idea is that the NSA created these “zero day” exploits – β-Bungarotoxin designed to allow attackers to get into systems. They “negligently” failed to protect that weapon, and allowed it to get into the hands of cybercriminals who then used it to attack systems all over the world. Can you sue the NSA for negligence?
The general rule is that the sovereign (the King, Queen, Czar or the government) cannot be sued in its official capacity under the doctrine of “sovereign immunity.” It’s good to be the King. However, in the United States, the Federal Torts Claims Act is a statute allowing the federal government to be sued for torts like negligence “in the same manner and to the same extent as a private individual under like circumstances.”
Now I don’t profess to be an expert on either the FTCA or its defenses, but I can tell you that suing the NSA for failing to secure their cyberweapons is a monumental undertaking, much of which would likely be precluded by the government’s inevitable assertion of the “state secrets” or national security claims. Indeed, in DC, the Department of Defense left a neighborhood called Spring Valley riddled with World War I ordinance, including weapons leaching arsenic into the soil of unsuspecting residents – a failure to secure weapons which caused damage.
The lawsuits against the Department of Defense for negligence were mostly unsuccessful and are riddled with technical and administrative hurdles. Moreover, the plaintiffs would have to establish that the NSA had a duty to prevent the shadow brokers group from hacking them, that this duty extended essentially to the known universe, that there was a breach of this duty, and that there was no “efficient intervening cause” that caused the damages. A high burden, indeed. So let’s put this one in the realm of “unlikely, but possible.”
And that’s one of the biggest problems with tort liability and recovery when it comes to Internet-based attacks. Everyone is responsible, so nobody is responsible. Everyone is negligent (kinda) so nobody is negligent. Everyone had an opportunity to prevent or mitigate, so nobody had a duty to prevent or mitigate. If only, if only, if only.
The good news is that this is good news for lawyers. If you happen to be a cyber lawyer. Smile.