SolarWinds Corp. faces potential lawsuits following a suspected nation-state cyberattack that is said to have exposed a range of U.S. federal agencies and corporations.
The company, which said its Orion software product was likely attacked “by an outside nation state,” could see suits from affected business partners and agencies that feel their contracts with SolarWinds were broken. It could also be slapped with class action litigation, possibly under securities laws.
How successful such claims prove to be depends in large part on details surrounding the attack that hadn’t materialized as of Monday, said Erik Weinick, an attorney at Otterbourg P.C. in New York.
“It’s very early,” Weinick said. “The allocation of liability is going to be fought over for many years because of an event like this.”
Software agreements generally include provisions about security practices as well as more general representations and warranties, alleged violations of which could potentially be used as claims against SolarWinds, Weinick said.
SolarWinds is more likely to face liability from its contracts with business partners than from claims alleging negligence or torts, as is common with consumer-focused data breaches, said David Springer, a cybersecurity attorney at Bracewell LLP in Austin, Texas.
Agencies targeted in the attack could also sue SolarWinds, but Springer said that seems unlikely, given that the federal government appears to be treating the company as a victim and “not any kind of wrongdoer.”
“Courts and regulators are going to be sympathetic to a company that appears to have done the right things but was targeted by an extraordinarily sophisticated group,” Springer said.
SolarWinds president and CEO Kevin Thompson said Monday in a statement that “security and trust in our software are the foundation of our commitment to our customers.”
The company said Monday in a Securities and Exchange Commission filing it couldn’t predict what legal or other setbacks it may face.
“At this time, SolarWinds is unable to predict any potential financial, legal or reputational consequences to the Company resulting from this incident, including costs related thereto,” it said in its filing.
Businesses are probably more likely to renegotiate contracts or update existing agreements before pursuing litigation alleging contract violations, said Melissa Krasnow, a privacy and cybersecurity attorney at VLP Law Group LLP in Minneapolis.
But SolarWinds is likely to face class action litigation stemming from the attack, Krasnow said.
Class action lawyers may seize on the event to pursue securities litigation against SolarWinds, Krasnow said. Plaintiffs could allege violations of federal securities law because the company is publicly traded, she said, and high-ranking SolarWinds employees also could be targeted.
“When you have these class actions, it’s very easy to sue the directors and officers on top of it,” she said. “I wouldn’t be surprised if they were separately sued under these arguments.”
Companies that end up being affected by the attack may not be able to rely on cyber insurance to cover costs if a nation-state actor is confirmed to have been responsible, Springer said.
“There are a number of policies floating out there that exclude ‘hostile or warlike actions by a government or sovereign power,’” he said. “Insurance might cover this differently.”
Companies should run checks on software vendor security, Springer said. Although the vulnerability in the attack appeared to come from a SolarWinds software update, companies should regularly ensure their systems and devices are up to date, he said.
Businesses should also take stock of existing vendor agreements and have processes in place to regularly review those terms, Krasnow said.