It's one thing to fall victim to a burglar. It's another to realize the thief got in because you left the front door wide open.
The distinction could lead to difficult legal battles for organizations affected by the WannaCry cyberattack, which crippled an estimated 300,000 of the 2 billion Windows computers worldwide in recent days, slowing factories, canceling surgeries, eating homework assignments and shuttering gas stations.
Computer security experts say Britain’s National Health Service, carmaker Renault and other victims of the ransomware attack should have foreseen the risk. By failing to update their systems to repair a vulnerability disclosed in March, they all but invited hackers, the argument goes.
“Companies don’t have the maturity and capabilities, so what ends up happening is a manual security process that is bound to take time and leave gaping holes,” said Diogo Monica, security lead at software maker Docker.
The question now is whether victimized companies will bear the brunt of the blame for the spread of WannaCry, or whether accusations will instead center on
“There will be [more lawsuits] and it’s going to be a real battle,” said Dana Taschner, a Los Angeles lawyer who specializes in product liability and intellectual property.
Why WannaCry is different
People whose information has been stolen in corporate data breaches have used negligence as a foundation of lawsuits for years, filing claims against hacking victims such as Target, SuperValu and T.J. Maxx.
Some of the cases have been settled for store vouchers and other small remedies. Others have been thrown out because it wasn’t clear consumers suffered any damage, mostly because their credit card companies had already removed fraudulent charges.
But the WannaCry incident stands apart in that there was more forewarning than in most cyberattacks.
The tactic itself wasn’t innovative or surprising, exploiting a flaw in several versions of Microsoft’s Windows operating system that was well-known and well-publicized. A patch Microsoft issued in March to fix the issue could have taken businesses and organizations just a day or two to test and install.
By the time a hacking entity named Shadow Brokers released files last month — purportedly stolen from the NSA — showing how to use the vulnerability as a weapon, experts say, an attack was all but imminent.
Cybersecurity specialists issued warnings in recent weeks as they observed thousands of computers falling victim to the attack.
But not all companies took heed.
“Clearly, they didn’t properly judge the criticality of this vulnerability,” said Monica, who promotes cybersecurity for the Institute of Electrical and Electronics Engineers.
Those who suffered harm because of frozen computers — for example, hospital patients in Britain who had surgeries delayed or had to seek care elsewhere — could claim in lawsuits that the failure to update was negligent.
A case by plaintiffs or government regulators, at least in the NHS situation, would be bolstered by several factors. There’s potentially physical harm, which can be more visceral in court than financial or psychological effects. In addition, British officials say the NHS was told in late April that the patch existed.
It’s possible no lawsuits will arise from the WannaCry outbreak. Though a few patients in Britain’s healthcare service continue to be inconvenienced, they haven’t suffered major disruption to their care, U.S. and British officials say. Meanwhile, business partners and customers of companies ravaged by the ransomware haven’t come to the forefront with grievances.
But attorneys who follow cybersecurity issues say it’s illustrative of the big risks companies take when they’re slow to update their systems.
“The main theory would be that the entities are not doing what a reasonable person would do,” said Alexander Southwell, chair of law firm Gibson Dunn’s cybersecurity practice and a former federal computer crimes prosecutor.
Several laws emphasize that medical institutions, banks and other specific organizations must take reasonable care to protect private customer information. Information-privacy advocacy groups have called for broader legal protections that would prescribe specific penalties for breaches across industries. Such legislation could make it easier for affected consumers to seek redress, experts said.
Who else could be sued
Other experts put blame on the National Security Agency, which hackers say developed the WannaCry attack and then lost it to thieves, and Microsoft, which arguably could have taken additional steps to ensure compliance with security updates.
“Suing the NSA for failing to secure their cyberweapons is a monumental undertaking, much of which would likely be precluded by the government’s inevitable assertion of the ‘state secrets’ or national security claims,” Mark Rasch, an attorney and former security evangelist at Verizon, wrote in an online commentary.
With that insulation, it’s unlikely government agencies would be held liable, said Michael Rustad, a law professor and high-technology specialist at Suffolk University Law School in Boston.
Holding Microsoft liable would be just as difficult. Software vendors have long been able to escape claims by pointing to contracts with customers that absolve them for any defects.
The disclaimers leave the firms in what Taschner — who sued Microsoft for security issues in the early 2000s and settled — called “a liability free zone” in the case of cyberattacks.
Microsoft also has a track record of bolstering security and becoming more aggressive with its policies, which could make negligence hard to show. In addition to issuing a patch in March, Microsoft over the weekend released a fix for computers running older versions of its software that the company had ceased to support.
“They’re going to argue that these are intervening criminal acts and they’re not responsible,” Taschner said.
Rustad said the scope and severity of malware, as shown by the WannaCry attack, are getting so serious that “software has to be re-conceptualized as any other defective product because enough is enough.”
Why, he asks, should software makers and automakers be treated differently?
“By leaving security holes that have to be patched, it’s analogous to putting a car on the market with a defective fuel system,” Rustad said.
Microsoft President and Chief Legal Officer Brad Smith wrote in a blog post Sunday that the Redmond, Wash., giant would assess the WannaCry attack and collaborate with authorities before deciding how to move forward.
Justin Cappos, an assistant professor of computer systems and security at New York University, suggested one quick fix for future security updates. Rather than telling users to update their systems for a “security patch,” Windows could offer a bleak warning: “Hackers can get into your computer right now, so please update so we can fix that.”
“That’s one of the most effective ways to do it,” Cappos said. “If you’re a consumer, you’re going to be worried.”
Insurance will take care of it
If companies do face and lose WannaCry-related lawsuits, those with cybersecurity insurance are likely to dodge bearing most of the cost.
Such insurance policies, which are common at large companies, generally cover negligence by the policyholder, said Linda Kornfeld, an attorney at Kasowitz Benson Torres. Insurers have included clauses requiring timely patching, but denying claims because of security-update practices probably would be difficult without showing some deliberate, improper conduct, she said.
Companies sometimes have legitimate justifications for slow installation of updates, such as waiting until other programs become compatible with the new features. Or they want to give time to train employees on user interface changes included alongside security updates.
Smartphone makers such as Apple have made crucial security fixes “almost non-disruptive,” Monica said. But across the tech industry, “more work has to be done in that regard.”
6:35 p.m.: This article was updated with additional commentary and analysis.
This article was originally published at 1:55 p.m.