Data breach victims typically focus lawsuits on the primary party responsible for their personal information, and most cybersecurity software vendors are able to minimize any liability through contractual clauses, attorneys say.
Biden, in a new national cybersecurity strategy issued Thursday, proposed federal legislation that would limit contract protections and raise security standards for vendors operating in high-risk areas like critical infrastructure.
The White House didn’t propose any specific provisions for a bill. A divided Congress is unlikely to send a measure to his desk any time soon that would empower lawsuits against software companies. For now, those companies will still be able to employ a variety of tools to fend off such litigation.
Still, the strategy is a fresh look at who should be held most responsible for cyber incidents, said David Straite, a partner practicing in privacy and cybersecurity for DiCello Levitt LLC.
“We can no longer say that it’s even possible for small actors, small banks, or small businesses and those sized companies to be able to protect your data. They’re going to use software and other devices,” Straite said.
Disclaiming liability for cyberattacks by pointing to contracts is a common defense used by software providers, said Jane Horvath, co-chair of Gibson, Dunn & Crutcher LLP’s cybersecurity group.
Software companies drafting contracts typically try to reduce their liability as much as possible, Horvath said. The administration’s push to boost the liability risk for such companies is aimed at spurring them to make their products less vulnerable to hackers, she said.
“When a company is looking at the economics of something, cybersecurity has been an afterthought and what they want to do is basically increase the incentive to make cybersecurity one of the primary drivers and make it an economic imperative,” Horvath said.
Vendors can create risk for the companies that rely on them, as they sometimes don't implement reasonable security measures, she said.
Cybersecurity vendors often include a limitation-of-liability clause that caps the monetary damages they can be held responsible for at the amount the customer paid them for the services, Straite said.
Legal claims traditionally brought after a data breach—such as common law negligence—can also be difficult to prove, according to Bloomberg Law analyst Robert Dillard.
Despite such hurdles, some software makers have faced lawsuits over cyber incidents.
The board for SolarWinds Corp.—a software company that provides IT management and remote monitoring services—faced a derivative lawsuit in 2021 accusing it of oversight failures that led to Russian hackers compromising many of its clients’ systems, including those of several US federal agencies.
SolarWinds ultimately defeated the lawsuit, with a Delaware Court of Chancery judge ruling that the company’s charter protected the board from negligence liability and that the allegations weren’t enough to prove an oversight claim.
Cloud services provider Blackbaud Inc. was hit with a 2020 class action accusing it of negligently failing to prevent a cyberattack that exposed data about nonprofit memberships.
A South Carolina judge denied Blackbaud’s motion to dismiss and plaintiffs are now seeking class certification.
“The fact that we can just go on one hand and count Blackbaud, SolarWinds as exceptions to the general rule really underscores that it’s a very rare thing,” Straite said.
Legislation to address concerns about software protections would need to establish clear standards that could be referenced in contracts, said Evan Wolff, co-chair of Crowell & Moring LLP’s privacy and cybersecurity group.
One such standard legislators may consider establishing is defining what software developers need to include in a software bill of materials, a structured list of the components comprising a product, said Andrew Pak, senior counsel practicing in cybersecurity at Perkins Coie LLP.
“But in order to get to that point, you have to have a concrete understanding of what needs to be included in there and then people have to be made aware of that,” Pak said. “That process has been ongoing for some time, but I think that’s going to take a while,” he added.
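As an added illustration of what "a concrete understanding of what needs to be included" could look like in practice, the following script checks a CycloneDX-style JSON SBOM for the seven data fields in NTIA's 2021 "Minimum Elements for an SBOM" (supplier name, component name, version, unique identifiers, dependency relationship, SBOM author, timestamp). This is example code written for this page, not code from Perkins Coie, the White House, or any vendor quoted in the article; the article names no particular standard, so the NTIA list is an assumed baseline, and both sample SBOMs are constructed inline rather than taken from any real product.

```python
"""Check a CycloneDX-style SBOM (JSON) for the NTIA minimum data fields."""
import json
from typing import Any

# Constructed sample SBOM in a CycloneDX-1.4-style JSON layout (not from any
# real product). Every NTIA minimum data field is present.
COMPLETE_SBOM: dict[str, Any] = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {
        "timestamp": "2023-03-02T12:00:00Z",
        "authors": [{"name": "Example Build Pipeline"}],
        "component": {"bom-ref": "app", "name": "example-app", "version": "2.1.0",
                      "supplier": {"name": "Example Corp"}},
    },
    "components": [
        {"bom-ref": "pkg:pypi/requests@2.28.2", "name": "requests", "version": "2.28.2",
         "supplier": {"name": "Python Software Foundation"},
         "purl": "pkg:pypi/requests@2.28.2"},
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["pkg:pypi/requests@2.28.2"]},
        {"ref": "pkg:pypi/requests@2.28.2", "dependsOn": []},
    ],
}

# Constructed degraded SBOM: no author, "libfoo" lacks a version and a
# supplier, and "libbar" has no dependency record at all.
DEGRADED_SBOM: dict[str, Any] = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {"timestamp": "2023-03-02T12:00:00Z"},
    "components": [
        {"bom-ref": "libfoo", "name": "libfoo", "purl": "pkg:generic/libfoo"},
        {"bom-ref": "libbar", "name": "libbar", "version": "1.0",
         "supplier": {"name": "Bar Ltd"}, "purl": "pkg:generic/libbar@1.0"},
    ],
    "dependencies": [{"ref": "libfoo", "dependsOn": []}],
}


def check_minimum_elements(sbom: dict[str, Any]) -> list[str]:
    """Return human-readable findings; an empty list means every NTIA minimum
    data field (assumed baseline, see lead-in) is present for every component."""
    findings: list[str] = []
    meta = sbom.get("metadata") or {}
    if not meta.get("timestamp"):
        findings.append("metadata: missing timestamp")
    if not meta.get("authors"):
        findings.append("metadata: missing SBOM author")

    components = sbom.get("components") or []
    if not components:
        findings.append("components: none listed")
    # A component has a declared dependency relationship only if some
    # "dependencies" entry names its bom-ref (even with an empty dependsOn).
    dep_refs = {d.get("ref") for d in sbom.get("dependencies") or []}

    for comp in components:
        label = comp.get("name") or comp.get("bom-ref") or "<unnamed>"
        if not comp.get("name"):
            findings.append(f"{label}: missing component name")
        if not comp.get("version"):
            findings.append(f"{label}: missing version")
        if not (comp.get("supplier") or {}).get("name"):
            findings.append(f"{label}: missing supplier name")
        if not (comp.get("purl") or comp.get("cpe") or comp.get("swid")):
            findings.append(f"{label}: missing unique identifier (purl/cpe/swid)")
        if comp.get("bom-ref") not in dep_refs:
            findings.append(f"{label}: no dependency relationship recorded")
    return findings


def check_sbom_json(text: str) -> list[str]:
    """Parse an SBOM serialized as JSON and run the minimum-elements check."""
    return check_minimum_elements(json.loads(text))


if __name__ == "__main__":
    for name, sbom in (("complete", COMPLETE_SBOM), ("degraded", DEGRADED_SBOM)):
        result = check_minimum_elements(sbom)
        print(f"{name}: {'OK' if not result else ''}")
        for line in result:
            print("  -", line)
```

The check is deliberately about presence, not correctness: it will not notice a wrong version string or a stale supplier name, which is exactly the kind of detail a legislated content standard would have to pin down before an SBOM could be referenced in a contract.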
Biden is also proposing the development of a “safe harbor framework” to shield companies that are engaging in secure system development and maintenance from liability.
That idea is crucial to enabling a government and private sector partnership addressing an issue that “needs to be evolved but needs to be evolved carefully,” Wolff said.
Phil Venables, CISO of Google Cloud, said the company is “very, very supportive” of the new cybersecurity strategy, saying there are many products in the market that don’t have basic protections built in.
Venables said the strategy could level the playing field by forcing companies that seek to undercut competitors by providing cheaper products without security protections to meet minimum cybersecurity standards.
“We’ll naturally partner with them to figure what the right framework is,” Venables said about the administration’s aim to hold companies liable for unsafe technology by endorsing new legislation.
Danielle Jablanski, a strategist at cybersecurity software provider Nozomi Networks, said a minimum standard of care for software products is long overdue.
“I think people that want to make this overly controversial just don’t want to do the work,” Jablanski said. “Security should be competitive and if you want to be competitive in the market, you should have better security.”
—With assistance from Katrina Manson