Who is responsible for the damage from a ransomware attack and who has to pay for it? That's a question that's been at the top of mind for MSPs and MSSPs, particularly following a recent lawsuit where a client sued its MSP after suffering a ransomware attack.
That lawsuit may have been the first of its kind for MSPs, but it probably won't be the last. A new report from Bloomberg Law, "Ransomware Attacks: Litigating a Growing Threat," shows an increasing volume of ransomware-related lawsuits across all major industries seeking billions of dollars in damages for everything from lost business profits to personal privacy violations.
The dramatic increase in ransomware-related lawsuits is related to the increase in ransomware attacks themselves and underscores the growing legal challenges businesses, MSSPs and MSPs included, face in the wake of cyberattacks. Negligence is a top claim.
"Negligence and negligence per se causes of action are included in nearly every ransomware-related complaint researched for this report," authors Travis Yuille and Bridget Roddy wrote in the report. "Generally, in these cases, the plaintiff claims the defendant should have been aware that it was likely to be the target of a cyberattack."
What's more, the plaintiffs typically blame the entity that was entrusted to protect the data.
"In ransomware cases, plaintiffs typically allege that the businesses and vendors entrusted with their data owed them a duty to safeguard the data from foreseeable attacks," the authors wrote.
Yet there are steps that MSPs and MSSPs can take to protect themselves against legal trouble following ransomware attacks. For instance, MSP attorney Eric Tilds recommends that every MSP and MSSP have a signed, written managed services statement of work with specific language about what the MSP will do, what it won't do, and what the customer's responsibilities are. Read the rest of Tilds' recommendations here.
Trends and Implications of Ransomware Litigation
The report shows that the surge in ransomware attacks has led to a significant rise in lawsuits in the U.S. In fact, federal complaints mentioning ransomware increased sevenfold from 2021 to 2023, and the first half of 2024 has seen a record number of ransomware complaints, Bloomberg Law reports.
Key findings from the report include:
- Most-Litigated. The most-litigated ransomware attack of 2023–2024 is the breach of Progress Software's managed file transfer platform MOVEit Transfer, which has resulted in 279 federal lawsuits so far.
- Four Lawsuit Types. Nearly every case analyzed falls into one of four categories: Consumer v. Business, Consumer v. Vendor, Business v. Vendor, and Business v. Hacker.
- Common Claims. Negligence is a prevalent cause of action in nearly all ransomware-related lawsuits, with plaintiffs often citing the failure of businesses to safeguard data against foreseeable attacks.
- Healthcare Targets. The healthcare sector has been particularly hard hit, with significant breaches affecting major companies in this space.
- Vendor Vulnerabilities. Many lawsuits have been filed against third-party vendors, highlighting the legal exposure that comes with outsourcing data management.
Ransomware Incidents Give Rise to Lawsuits
The growth of the global ransomware business has led to a proliferation of ransomware-related lawsuits. An extensive analysis of Bloomberg Law Dockets reveals that 2022 and 2023 saw a sharp rise in complaints filed in federal courts mentioning “ransomware” and “RaaS” (ransomware-as-a-service) in the context of data breaches compared to previous years.
Complaints mentioning these terms more than doubled from 2021 to 2022, and then more than doubled again from 2022 to 2023. The rapid growth has caused 2023 to be the first year in which complaints mentioning ransomware accounted for more than half of all complaints mentioning data breaches.
In ransomware cases, plaintiffs typically allege that the businesses and vendors entrusted with their data owed them a duty to safeguard the data from foreseeable attacks. Plaintiffs often point to the increase in ransomware attacks in recent years to bolster their claims that the attacks were reasonably foreseeable, especially in industries where attacks are more common, Bloomberg Law said.
Courts Siding with Plaintiffs
Defendant corporations have argued that they don’t have a duty to protect others from the criminal acts of a third party, Bloomberg Law said. But in tort actions, plaintiffs rebut this by arguing that the corporation’s data security practices were lacking to the point of negligence, violating the common law duty imposed on parties whose negligent acts created the risk of third-party injury.
Courts have generally sided with plaintiffs on this point, Bloomberg Law reports. For example, the report notes the 2018 Pennsylvania Supreme Court ruling that an employer has a legal duty to exercise reasonable care to safeguard its employees’ sensitive personally identifiable information (PII) stored on the employer’s network. Other courts have also held that data controllers owe a duty of care to data subjects to protect against foreseeable cyberattacks.
Business vs. Vendor Breaches Examined
Business versus vendor claims are unique among data breach cases: the damages sought are lost profits and interruptions of regular business caused by a vendor being unable to meet its contractual obligations. Because the damages in these cases are tangible, standing isn’t an obstacle to recovery as it is in many consumer suits, Bloomberg Law said.
The Change Healthcare breach is often cited as the most impactful ransomware event of 2024, according to Bloomberg Law. While the attackers accessed only 8 terabytes of data (a small amount compared to the 300 terabytes of data threat actors accessed in the 23andMe breach), the attack forced Change’s systems offline, severely limiting critical functions across the health care industry.
A dockets search Bloomberg Law conducted on June 11, 2024, shows that 79 complaints mentioning the Change Healthcare data breach have been filed in federal courts since 2023. Sixteen name Change Healthcare as the sole defendant, while a further 19 name Change as a co-defendant alongside UnitedHealth Group and Optum, Inc.
U.S. Businesses a Prime Ransomware Target
As for ransomware attacks, it appears that the United States has a target on its back. Citing Anne Neuberger, the U.S. Deputy National Security Adviser for Cyber and Emerging Technologies, the report shows that the U.S. accounted for nearly half of all ransomware attacks worldwide in 2023.
Cases filed against the threat actors themselves, however, rarely make it to discovery, according to Bloomberg Law. That’s because most of these defendants operate beyond U.S. borders and can’t be hauled into court. As a result, most of these cases end with an entry of default in favor of the plaintiff. Without a treaty in place between the U.S. and the foreign country where the defendant is located, enforcement of the judgment is unlikely.