It may come as a bit of a surprise to many people, but America is a bit of a litigious nation. No seriously, I’m not kidding.
People and companies are regularly sued in America for all sorts of things. You spill coffee on yourself? Sue the restaurant. Car crash? Sue the car company.
Litigation also regularly arises after some very serious, world-altering events. After the terrible events at the World Trade Center in 1993 and 2001, a multitude of lawsuits were filed. Somewhat surprisingly, much of the litigation was directed not at the terrorists who actually conducted the attacks, but rather the victims of the attacks. Following the 1993 World Trade Center bombing, the victims sued the owners of the World Trade Center, alleging that they were negligent in their provision of security at the Towers.
Shockingly, a jury agreed with those allegations. In fact, when assigning responsibility for the attack, the jury found that the World Trade Center owners bore two-thirds of the responsibility, with the rest falling to the terrorists. Think about that – the bombing victims were responsible for the losses. That’s the functional equivalent of the “stop hitting yourself” trick of older brothers everywhere.
While the World Trade Center ultimately escaped liability due to a technicality regarding its status as a government entity, the pattern was set. After the horrific 9/11 attacks, similar litigation was filed against the airlines whose planes were hijacked, the airports, plane manufactures and other entities for providing lax security and poorly designed airframes. The vast majority of the claims were settled with the defendants paying out millions and millions of dollars to 9/11 victims.
That figure doesn’t include the hundreds of millions of dollars in costs associated with litigating the cases. To put it simply, the corporate victims are looking at potentially hundreds of millions of dollars in legal costs after a terrorist attack. Yikes.
Fortunately – in every sense – terrorist attacks in the United States are relatively few and far between. But do you know what is happening, basically non-stop? Cyberattacks of all flavors. Attacks to steal money or intellectual property, attacks to disrupt operations and websites, and then there is the holy grail – attacks intended to destroy facilities and harm people.
What’s that smell, you ask? Plaintiffs lawyers getting all excited about a whole new class of lawsuits that could be filed. Uh oh.
That’s right, sadly. The next big frontier in crazy lawsuits will likely be for damages suffered from cyberattacks. Never mind that companies already are spending huge amounts of money to protect themselves, or that some of the most dangerous attacks come from nation-states? We will see lawsuits after cyberattacks, and lots of them.
The thought of that is more than a little maddening. We constantly hear about a “cyber Pearl Harbor”. But you know what did not happen after Pearl Harbor? Mass tort lawyers lining up at the Hawaiian courthouse to sue radar companies and the manufacturers of anti-aircraft guns for providing negligently designed or defective equipment. Yet, in today’s litigious world, you could easily expect that to happen after a major cyberattack.
In fact, this has already occurred. Adobe is being sued after it disclosed the fact that it had suffered a serious cyberattack, resulting in the loss of source code and customer information. The loss of source code, according to some security experts, was quite troubling as it could lead to the development of new attacks that most security systems would not detect.
All sorts of allegations have been slung at Adobe, including an abysmal security record, failure to use industry “best practices”, and that there was a serious question as to whether its security record rose to the level of negligence.
To be fair, these are all just allegations that have to be proven in court. But it is also not the first time such allegations have been raised. The Federal Trade Commission is currently suing Wyndham Hotels, alleging that it had deceptive business practices based on the fact that it represented that it had privacy/security policies in place, but kept suffering the same kinds of data breaches. The FTC in particular said that Wyndham:
- Failed to use readily available security measures to limit access between and among its systems;
- Failed to implement adequate information security policies and procedures;
- Failed to remedy “known security vulnerabilities”;
- Failed to adequately inventory computers;
- Failed to follow proper incident response procedures; and
- Failed to adequately restrict 3rd party vendors’ access networks property management systems.
That case too is currently being litigated, and there are more like it out there.
Thus far, the defendants in these lawsuits have been lucky because of technicalities (the plaintiffs have failed to show they actually suffered a loss, etc.). However, luck will run out one day.
When it does, it will get ugly. So many companies are struggling with protecting themselves from cyber threats, and to throw in the possibility of back-breaking lawsuits that second guess their decisions could push these companies over the edge. Companies will basically never know if they are doing enough to protect themselves from cyber threats, and that will drive their risk management and security costs through the roof. Not exactly the economic stimulus one would hope for these days.
What does all this mean? Prepare for the onslaught of “Were you harmed by a cyberattack? If so, we will fight for your legal rights” commercials during game shows and afternoon talk shows.
Brian E. Finch (@brianefinch) is a partner at Pillsbury Winthrop Shaw Pittman LLP, where he focuses on cyber security issues. He can be reached at firstname.lastname@example.org.