Many of the cases arising from the 2020 SolarWinds data breach incident stem from the allegation that the software management services company “… [utterly failed] to implement or oversee any reasonable monitoring system concerning … cybersecurity risks …” to the services and programs it offered, according to a 2021 complaint filed in a Delaware court. Plaintiff shareholders allege the company knew or should have known of the cybersecurity risks inherent in its lax security practices. Defendants include the company itself and both current and former directors.
The cases raise a series of challenging issues for both corporate IT leaders and their law department colleagues: when do technology concerns become legal concerns? Whose job is it to communicate about cybersecurity situations? And (not least) who is ultimately responsible when cyber safety measures fail or don’t exist at all? Recent events provide an excellent introduction to the topic if you haven’t yet had these discussions in your corporate law department.
SolarWinds and the Sunburst Trojan
Reuters first reported the SolarWinds breach in December 2020, setting off alarm bells among the ~18,000 private clients and numerous government agencies (including the U.S. Treasury and the U.S. Justice Department) that used the company’s Orion network monitoring software management services. Cybersecurity experts surmised that the immense size of the attack suggested a team of more than a thousand software hackers was responsible for its launch and scale. One industry leader declared it to be the “largest and most sophisticated attack the world has ever seen.”
The facts are remarkable, considering the import of the organization’s client list:
- Hackers used vulnerable passwords to insert a malicious ‘trojan horse’ – ‘Sunburst’ – into SolarWinds’ Spring 2020 update. The downloaded update gave the hackers access to SolarWinds’ clients’ systems and remained undetected for months.
- The password deficiencies ‘defied elementary cybersecurity standards.’ The update’s password – “solarwinds123” – and entry credentials were posted on the corporate website for more than a year. Unsecured administrative credentials may also have opened intrusion opportunities.
- The ‘supply chain’ attack was especially damaging because it targeted the clientele of a third-party services supplier by worming through the supplier’s systems. That SolarWinds was a known third-party services provider for U.S. federal agencies almost certainly led to its selection as a target, as such attacks were on the rise in 2020.
Just 14 months into the legal fray, many cases are pending, and many more questions about legal liability, fiduciary responsibilities, and accountability for damages remain unanswered.
Sunburst as a Horrible Warning
For the corporate law department, the cases raise issues that have not yet been fully explored by either the legal profession or the courts: to what extent does the company lawyer bear responsibility for overseeing cybersecurity risks? In many companies, there remains a divide between the law department and the IT division, and matters dealing with IT concerns, including cybersecurity, often remain siloed within that IT sector. However, recent events appear to be pushing at least a cursory overview of IT and cybersecurity risks into the legal arena:
- The rise of cyber-attacks on global organizations (Microsoft, Experian, Yahoo, Facebook, and LinkedIn (twice), as examples) over the past decade or so indicates that the number and variety of cybersecurity risks continue to escalate.
- The cost of the damages those entities face is also escalating, as plaintiffs spend resources on forensic investigations to pinpoint the breach and then determine the extent of the loss.
Regardless of your business or industry, it seems apparent that the number of cybersecurity incidents is on the rise and that liability and costs for damages flowing from those incursions will also be steep. Consequently, there is no better time than now to unite your cybersecurity and legal departments.
Cybersecurity = A Risk Like Any Other Risk
An emerging perspective is that cybersecurity oversight is, or should be, considered an element of the overall organizational risk management strategy and therefore an integral element of the law department’s purview. Further, the frequency and sophistication of recent attacks indicate it should also be a primary focus for the legal team, considering the scope of the breaches and the extent of their consequent losses.
In some eyes, the corporate General Counsel or Chief Legal Officer should be a fixture in the data security suite, overseeing risk management across all aspects of the company, including product development and services, compliance reporting, and breach investigations. Those companies that don’t have sufficient available resources might also consider approaching a legal staffing agency to identify a temporary attorney who can provide additional support for these critical services, including cybersecurity.
There are significant corporate values at stake when a data security breach occurs, and recent developments indicate that there is an escalating risk that an intrusion will occur within your company or one of its affiliates. Having trained and skilled legal eyes on the cybersecurity risks that may exist within your organization might reduce your chance of being attacked and help you recover faster if that unfortunate circumstance occurs.
How can flexible talent be a part of your risk management plan? Let’s talk!