[Guest Blog] Allscripts Attack Sets the Bar: First Notable Ransomware Lawsuit Puts Providers Under the Spotlight

About the Author

Arnold Abraham is Principal Attorney and Founder of the CyberLaw Group (cyberlawgroup.net), a law firm focused on personal privacy and data protection. He previously served as a Senior Federal Cyber Security Executive in USCYBERCOM and the Department of Homeland Security.

Companies hit by cyber attacks are increasingly finding themselves open to potential liability from customers and third parties. The latest development was last week’s class action lawsuit against Allscripts Healthcare Solutions, the victim of a ransomware attack.

Ransomware is a growing concern, as recently highlighted by the widespread WannaCry outbreak that impacted hundreds of thousands of computers worldwide last year. However, the number of lawsuits associated with ransomware has been fairly limited to date.

The Allscripts case is the first notable U.S. class action lawsuit in response to a ransomware attack. There are, however, a few earlier cases in a similar vein. In a 2017 case, a Rhode Island law firm sued its insurer for $700,000 in lost business following a ransomware attack. The insurer claimed it had no legal obligation to cover ransomware losses beyond the policy maximum of $20,000 for losses caused by computer viruses, and that policy coverage for lost business income applied only in situations involving physical loss or damage to property at the business premises. In Ukraine, a law firm attempted to launch a class action suit against a local company that was allegedly responsible for software that permitted the spread of NotPetya (a WannaCry clone).

Examining the Legal Impact of the Allscripts Suit

The Allscripts suit, filed on behalf of a class that includes 45,000 physician practices and 180,000 physicians, seeks monetary damages and an order compelling the company to protect its systems from future attacks. Because of the attack on Allscripts, providers were forced to treat patients without access to their medical history. Moreover, disruptions to Allscripts’ patient scheduling system led some practices to cancel surgeries and tests.

Allscripts, headquartered in Chicago, reportedly violated the Illinois Consumer Fraud Act by falsely representing its security posture. The incident was also reportedly a breach of the Health Insurance Portability and Accountability Act (HIPAA) Rules because it led to unauthorized access to protected health information (PHI). Allscripts was allegedly aware of deficiencies but, according to the plaintiff, its “wanton, willful, and reckless disregard” made it vulnerable to the disruption.

As evidenced by the mounting legal battle in response to last year’s Equifax data breach, additional suits may follow. That matter grew to include over 240 class action suits, spanning all 50 states, and it is expected to set a precedent for future large scale cyber incident litigation.

Future Business Impacts and Risk Management Considerations

Like the Equifax breach, the Allscripts case is a symptom of a growing trend: the downstream victims of a data breach or ransomware attack are increasingly unlikely to simply absorb its detrimental business impact. Vendors and business partners can no longer take these situations sitting down.

Companies that provide business-critical services that can be disrupted through such attacks must factor the potentially significant costs of customer or class action lawsuits into the enterprise risk management analysis that drives their cyber security investments and decision making.

The costs of the suit and reputational harm (regardless of merit) can easily outweigh the investment costs an organization must make to reduce the risk of an attack. Additionally, the negative publicity of such suits can lead to increased scrutiny by regulators and other stakeholders, including the audit departments of the breached firms’ broader customer base.

Furthermore, the scrutiny of a lawsuit may reveal that the affected vendor or service provider failed to implement basic cyber security hygiene practices, such as a formal cyber security risk analysis to identify and address vulnerabilities in business processes and supporting IT infrastructure, or ongoing monitoring of the operating environment for suspicious or malicious activity. If so, terms such as “wanton, willful, and reckless disregard” may indeed be substantiated. This can lead to heightened awards to downstream victims, and to heightened sanctions by regulators who have become aware of, and been drawn into, the case.

Summary

If your firm has historically chosen to roll the dice when it comes to prioritizing and funding cyber security efforts and investments, take heed. Your customers – and their lawyers – are waking up, and you can bet that increased cyber security expectations, scrutiny, and accountability will be the new order of the day.