
The Ever-Expanding Liability of Cyber-Breaches

on Wednesday, 27 March 2024 in Technology & Intellectual Property Update: Arianna C. Goldstein, Editor

In a recent court case filed in Superior Court in California[1], a law firm alleges that a managed service provider (“MSP”) is partly to blame for the loss of their data as a result of a cyber-breach. The law firm’s complaint states that the MSP was hired in part to increase their cybersecurity and the firm’s resilience in case of a cyber-attack.  

The plaintiff and defendant entered into an oral agreement[2] for the services.  The plaintiff claims that the defendant presented their skills as specializing in “analyzing, integrating, and maintaining crucial IT systems, the cloud and local backups, spam filtering, cybersecurity, networking and domain administration, web management, and network monitoring.”  But, despite the defendant’s efforts, the plaintiff suffered a cyber-attack.

During the attack the plaintiff’s servers, computers, and computer network were taken offline.  It was later determined that the servers had been completely breached, and ransomware had been installed.  Shortly thereafter, a ransom demand was made by Black Basta, a sophisticated ransomware attack group known for many high-profile attacks.  The group claimed to have stolen the firm’s documents and encrypted what remained. 

The data lost included backup data from a cloud-based backup system.  The loss of the backups meant the plaintiff was unable to recover files from the attack.  In the end the plaintiff had to pay a ransom to recover their data because their backups were deleted.  The plaintiff alleges that the backup system used was the recommendation of the defendant.  The plaintiff originally had used an offline backup server, but, at the recommendation of the MSP, they switched to the cloud-based backup system.  During the cyber-attack the backups were encrypted because the cloud-based system was vulnerable to such an attack.

In part, the plaintiff alleges the defendant was negligent for the following:

  • Advising the firm to switch to a cloud-based backup system;
  • Failing to implement multi-factor authentication;
  • Failing in preparations to protect the firm and detect the intrusion; and
  • Failing to maintain a backup of deleted files for at least 30 days.

Cyber-attacks by sophisticated groups, and especially state-sponsored groups, will only continue to increase.  Such groups are known to quickly exploit published vulnerabilities, as well as discover new vulnerabilities.  And, despite any security firm’s best efforts, even if there were unlimited cybersecurity funds and every cybersecurity procedure were implemented, a cyber-attack may very well result in the loss of all information.  Thus, cybersecurity firms operating without disclaiming all warranties against a cyber-attack are accepting a great risk.

The lawsuit should serve as a cautionary example of the potential for liability from a cyber-attack.  As attacks continue to rise, victims and their insurance companies will attempt to recoup their losses by holding others accountable.  Companies engaged in cybersecurity would be wise to include language in their contracts to limit liability or disclaim any warranties against a cybersecurity attack.  MSPs should have:

  • Written contracts which limit liability, set expectations, and force the parties to carry cyber insurance;
  • Errors and omissions insurance for negligence claims; and
  • A disclaimer that despite best efforts a cyber-breach may occur.

The suit and the description of the attack should also serve as a warning to all that, despite everyone’s best efforts, the only true defense against a ransomware attack is an off-line, air-gapped back-up.  Any on-line or internet-accessible back-up is at risk of destruction or encryption during an attack.

[1] MASTAGNI HOLSTEDT, A.P.C., v. LANTECH, LLC, et al., 24 CV 003400, Superior Court of California, Sacramento

[2] The fact that the agreement was oral and not written is noteworthy.  The lack of a written contract makes the outcome of the case much less predictable.
