The Kaseya Malware Attack: When Is a Company Legally Liable for a Data Breach?
Security should always be the top priority when selecting remote management software. For that reason, the recent announcement that Kaseya VSA, a popular remote monitoring and management tool, was abused in a second cryptocurrency-mining attack in four years is more than a little concerning. As reported by eSentire on January 29, Monero-mining malware “leveraged Kaseya Ltd’s Virtual Systems Administrator (VSA) agent to gain unauthorized access to multiple customer assets” starting on January 19.
This was no doubt déjà vu for some long-term Kaseya customers. Four years earlier, Kaseya disclosed (in a notice since removed from its site) that some customers had been targeted by malware that mined Litecoin, another cryptocurrency. Following the 2014 attack, Kaseya said there was “nothing to suggest that this malware was harvesting personal, financial, or any other kind of sensitive information, or that any individual’s information has been misused as a result of this attack.” The company issued a similar statement after the more recent incident, saying it saw “no evidence to suggest that this vulnerability was used to harvest personal, financial, or other sensitive information.” Note what both statements actually say: not that no data was taken, but that Kaseya found no evidence it was. Malware running under the VSA agent has whatever access that agent has on the customer’s systems, so the absence of evidence of harvesting depends on how thoroughly those systems were examined.
Data Theft May Constitute a Legal Injury
There is an important legal reason for Kaseya to deny categorically that any customer data was “harvested” in these attacks: such an admission would expose the company to lawsuits. In recent years a number of federal courts have held that businesses can be liable for data breaches even where there is no evidence that the compromised data has yet been misused by the attacker.
For example, in 2015 the U.S. Court of Appeals for the Seventh Circuit, the federal appellate court for Illinois, Indiana, and Wisconsin, held that luxury department store Neiman Marcus could be sued after a malware attack exposed 350,000 customer credit card numbers. The store argued that the affected customers lacked “standing” to sue because they could not show that the stolen data had been used to commit identity theft. The Court disagreed: there was still a “substantial risk” of “imminent harm,” and that was enough to establish standing. After all, the judges asked rhetorically, “Why else would hackers break into a store’s database and steal consumers’ private information?”
Similarly, the Sixth Circuit Court of Appeals, which hears appeals from the federal courts in Kentucky, Michigan, Ohio, and Tennessee, said in a 2016 decision that even when it is not “literally certain” that data taken in a malware attack will be “misused,” once customers “already know that they have lost control of their data, it would be unreasonable to expect [them] to wait for actual misuse, a fraudulent charge on a credit card, for example, before taking steps to ensure their own personal and financial security.” Customers are therefore entitled to sue to recover the cost of taking such steps, such as credit monitoring.
Do Mining Attacks Create an “Imminent” or “Speculative” Risk to Customers?
The Kaseya attacks may, however, present a scenario that American courts have not dealt with before. Crypto-mining malware targets the processing power of the compromised servers rather than the data stored on them; its purpose is to burn the victim’s CPU cycles and electricity generating coins for the attacker. So if, as Kaseya maintains, no customer data was actually “harvested,” have customers suffered an injury the courts will recognize?
The U.S. Supreme Court has said that purely “hypothetical future harm” is not enough to establish standing to bring a lawsuit. The justices expressed this view in a 2013 challenge to the National Security Agency’s (NSA) authority to conduct warrantless surveillance of international communications. A group of attorneys, journalists, and human-rights organizations alleged that the NSA’s actions exposed their private communications in violation of their constitutional rights. The Supreme Court held that this “alleged injury” was “too speculative” to support standing: the fact that the government might intercept and misuse their communications did not establish an “imminent” harm.
In a similar vein, if customers sued Kaseya, the company could argue that, absent any evidence of identity theft or other misuse of customer data, a crypto-mining infection creates only a “hypothetical” risk of future injury rather than an imminent one. Then again, a court could decide that a company suffering two breaches in four years is enough to support a lawsuit, particularly if customers were forced to spend money investigating the compromise or protecting themselves against future attacks.
This blog is provided for informational purposes only. Lawrence Technology Services is not a law firm and nothing on this blog constitutes legal advice. Always consult with a licensed attorney before relying on information you obtain from any online source.
Post by https://skipoliva.com/
Further reading on this topic https://skipoliva.com/post/federal-courts-continue-to-define-the-scope-of-liability-for-corporate-data-breaches/