Small and medium-sized organizations that lack cyber resources and response capabilities could face legal claims if they don’t react fast enough to a global hack of
Organizations using Microsoft’s Exchange software must figure out whether they or one of their vendors might have fallen victim, and what data may have been accessed or stolen.
Failing to patch the issue right away, despite warnings from the U.S. government about the hack’s urgency, could leave organizations vulnerable to legal claims that they didn’t secure their systems.
“This is a type of suit we have seen,” said Fred Cate, a vice president for research and cybersecurity fellow at Indiana University’s Maurer School of Law. “You usually have to show something other than something bad happened, but that they did something wrong,” he added.
Legal claims following the email hack could echo those made against Equifax Inc. in the wake of a 2017 data breach that compromised information on more than 140 million people, Cate said. Equifax agreed to pay up to $700 million to resolve U.S. federal and state investigations for failing to patch its network after being alerted to a critical security vulnerability.
Potential claims over a failure to patch the Exchange vulnerabilities could be brought under the Federal Trade Commission Act and similar state laws protecting against unfair or deceptive business practices. Regulators can use such laws to hold companies accountable for their data security, including whether a company lived up to the representations it made about how it protects data.
Sector-specific rules could also come into play, such as those that require financial institutions to safeguard the data they hold.
Victims of the hack could face other claims brought under state-level data breach laws that include a mandate to maintain reasonable security. What’s considered a reasonable level of security may look different for small to medium-sized organizations impacted by the hack than it would for a larger company, though they would still face the same duty to protect data.
“It doesn’t mean you can do nothing,” said Cynthia Larose, who chairs the privacy and cybersecurity practice at Mintz, Levin, Cohn, Ferris, Glovsky and Popeo P.C.
The hacked Exchange software is often used by smaller organizations or government agencies with limited technology budgets that haven’t yet made the move to a cloud-based product like Microsoft Office 365, according to Lior Div, co-founder and chief executive officer of Cybereason, a Boston-based security company.
“Most of them didn’t have good IT hygiene to begin with,” Div said.
The risk is greater for small and medium-sized organizations because they are unlikely to have the resources needed to patch the issue quickly, Larose said.
Larose said potential victims of the Microsoft email hack would need to hire forensics experts and lawyers who previously have handled data breaches of this kind to advise on next steps.
“This just amplifies the fact that small and medium businesses are the weak underbelly for cybersecurity,” she said.
Victims of the email incident could also be exposed to follow-on attacks by other parties if their systems are left unpatched, even if the original intruders do not exploit their access any further.
“It could leave the gates open for others to come in,” said Chris Painter, former cyber diplomat for the U.S. State Department who’s now a member of the Global Commission on the Stability of Cyberspace.