Cyber attack could spark lawsuits but not against Microsoft
By Jan Wolfe
(Reuters) - Businesses that failed to update Microsoft Windows-based computer systems that were hit by a massive cyber attack over the weekend could be sued over their lax cyber security, but Microsoft Corp itself enjoys strong protection from lawsuits, legal experts said.
The WannaCry worm has affected more than 200,000 Windows computers around the world since Friday, disrupting car factories, global shipper FedEx Corp and Britain's National Health Service, among others. The hacking tool spreads silently between computers, shutting them down by encrypting data and then demanding a ransom of $300 to unlock them.
According to Microsoft, computers affected by the so-called "ransomware" did not have security patches for various Windows versions installed or were running Windows XP, which the company no longer supports.
"Using outdated versions of Windows that are no longer supported raises a lot of questions," said Christopher Dore, a lawyer specializing in digital privacy law at Edelson PC. "It would arguably be knowingly negligent to let those systems stay in place."
Businesses could face legal claims if they failed to deliver services because of the attack, said Edward McAndrew, a data privacy lawyer at Ballard Spahr. "There is this stream of liability that flows from the ransomware attack," he said. "That's liability to individuals, consumers and patients."
WannaCry exploits a vulnerability in older versions of Windows, including Windows 7 and Windows XP. Microsoft issued a security update in March that stops WannaCry and other malware in Windows 7. Over the weekend the company took the unusual step of releasing a similar patch for Windows XP, which the company announced in 2014 it would no longer support.
Dore said companies that faced disruptions because they did not run the Microsoft update or because they were using older versions of Windows could face lawsuits if they publicly touted their cyber security. His law firm sued LinkedIn after a 2012 data breach, alleging individuals paid for premium accounts because the company falsely stated it had top-quality cyber security measures. LinkedIn settled for $1.25 million in 2014.
But Scott Vernick, a data security lawyer at Fox Rothschild that represents companies, said he was skeptical that WannaCry would produce a flood of consumer lawsuits. He noted there was no indication the cyber attack had resulted in widespread disclosure of personal data.