Software Makers May Face Greater Liability in Wake of MOVEit Lawsuit
In light of one of the largest breaches in recent history, the MOVEit supply chain attack, new case law may emerge on software maker liability.
The typical lawsuits that come out of breaches are damage claims from victims who say that the breach of their data caused them pain and suffering.
Except that the plaintiffs in these cases are the likes of Shell and British Airways, among hundreds of major businesses including large financial institutions. They are unlikely to be worried about their credit cards getting hacked.
In this case, Progress Software, the maker of the MOVEit file transfer software, is being hit with negligence and breach of contract claims. If those claims succeed, other class action attorneys will start using similar claims, raising the pain for all software makers.
The suits claim that Progress Software failed to properly secure and safeguard personally identifiable information, exposing plaintiffs to a current and future risk of identity theft and other harms.
If the class action attorneys win, it will likely set a precedent for software makers' liability for not fixing bugs before attackers can exploit them. The objective here is to get software makers to understand that they carry real liability, something they try to disclaim through their software license agreements.
Software makers, like Accellion after the breach of its file transfer software, try to settle out of court. For one thing, that means they do not have their dirty laundry aired in a courtroom. For another, they hope it makes them disappear from the news cycle more quickly. The Accellion case was also based on negligence, breach of contract and invasion of privacy, so the groundwork for a precedent has already been laid. But because Accellion settled out of court, there is no jury verdict to cite going forward. This is not an accident.
While Accellion settled for a few million, this case is way bigger.
What may be a cornerstone of this case is how long Progress Software knew about the vulnerability, which, according to reports, had existed in the software since 2021. If the company did know about it and did not fix it, that would not bode well for it at trial.
If a true zero-day, a bug unknown to the vendor at the time of exploitation, can constitute negligence (and it might, if the vendor's software development and testing practices should have caught it), then a lot of software makers are in trouble.
Progress Software will likely try to settle this case out of court. Depending on the dollar figure, that might be easier said than done.
This aligns with the federal National Cybersecurity Strategy, which recommends increasing software makers' liability. Where there is more liability, there is more incentive to look harder for bugs and fix them.
There are almost no other products you can buy for which the vendor carries zero liability. Software makers would like to remain the exception. That seems less and less likely.
If software makers do face additional liability over the next few years, how much liability they face will depend on how comprehensive their internal cybersecurity and bug hunting practices really are.
If you sell software and need help improving your cybersecurity and bug hunting practices – independent of potential future lawsuits, please contact us.
Credit: Dark Reading