Ransomware Attack Justifies Cybersecurity Warnings

As lawyers, we are notorious for anticipating a “list of horribles” as a mechanism to warn potential parties and provide guidance about ways to prevent such events from materializing.  This was the goal that we had in mind in December 2014 when we reported on the U.S. Food and Drug Administration’s final guidance advising medical device manufacturers of the need for “effective cybersecurity to assure medical device functionality and safety.”  See article.   The focus of that article encouraged medical device manufacturers to protect against cybersecurity vulnerabilities that could target their products, especially after being deployed to independent hospital networks.  In December of last year, we again reported on the government’s increased attention on cybersecurity and the Internet of Things (IoT).  See article.

Unfortunately, a ransomware cyberattack spread across the European and Asian continents last month.  It was reported that over 100 countries were affected and the attack had particularly significant impacts on the public health system in Britain, raising questions about whether the public will now pay greater attention to cyber-vulnerabilities—especially those affecting the public health systems and the products that are essential to their operations.

The mid-May cyberattack came in the form of ransomware.  Ransomware is a type of malicious software that carries out an extortion attack by blocking access to data until a ransom is paid.  In this case, victims experienced a pop-up window on their systems that stated their files were encrypted and that they would need to transmit $300 in bitcoin to unlock the encryption.  Bitcoin is a cryptocurrency and digital payment system.  It was reported that the pop-up window had a countdown for the ransom and threatened destruction of all files if not paid in the allotted timeframe.

The attack locked more than 200,000 computers across the globe.  See article.  This form of attack, while distinct from one where a perpetrator attempts to gain overt control over web-based systems, has significant impacts that could precipitate legal liability.  For example, hospitals had no use of their telephone systems and were locked out of computers.  The practical impact of this technological shut down meant that patients were turned away and entire hospital wards were closed.  Hospitals were unable to provide necessary treatments without access to patient records.

In the United States, legal liability goes hand-in-hand with duty.  Thus, identifying where there is a duty and the origin of that duty can often direct us to the likely parties that may be held liable when such attacks strike.  Identifying the responsible parties is of greater importance when such harms affect large public institutions, like hospitals, charged with caring for thousands of private citizens.  In the case of the recent cyberattack, cybersecurity experts are highlighting that companies using outdated software were some of the main targets of the attack.  Returning to our previous reports, the United States government has signaled that failure to build security into product design can lead to legal liability.  Plaintiffs may make the argument that knowingly using outdated software is analogous to failing to build security into product design.  The question of legal liability is also complicated by the fact that some software companies have noted there is a danger in using pirated or copycat versions of their software because it prevents them from releasing necessary antivirus software and updates for associated computers.

We will continue to monitor this important and developing area of the law to identify where liability is alleged and whether such claims gain traction in courts.