Every massive breach comes with a trail of lawsuits and regulatory ramifications that can last for years. Home Depot, for instance, only last month settled with a group of state attorneys general over its 2014 breach.
The SolarWinds security incident that U.S. officials have pinned on state-sponsored Russian hackers is unlike anything that came before, legal experts say, meaning the legal liability could take even longer to resolve in court.
As Congress, federal government departments and corporations reckon with the vast sweep of the SolarWinds breach, there are still many more questions than answers. Few pieces of it are less certain than how it might play out in court, where companies and individuals alike stand to gain or lose. Many millions of dollars, corporate blame and years of finger-pointing are on the line.
That’s because the targets — government agencies, and some major companies — aren’t the usual kind of victims, nor has anyone yet figured out the full scope of the damage and where the blame fully lies.
In this case, legal experts say, the winners and losers are especially hard to predict.
“I think it’ll be a few more months, if not years, until we really understand all the legal theories people are going to try,” said David Springer, an attorney at Bracewell for companies responding to cybersecurity incidents.
While the attack remains under investigation, numerous U.S. agencies have confirmed breaches, and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency has warned them about attackers exploiting technology from SolarWinds, an otherwise innocuous IT provider, to gather information from the federal government. Corporate firms also are among the reported victims in attacks dating back months.
Some law firms have already predictably begun fishing for plaintiffs, even as others that might have taken action by now, like state attorneys general, have remained quiet. SolarWinds itself could face lawsuits, but so could companies that use its products, and even companies several degrees removed from SolarWinds but who are tangentially involved, like Microsoft or FireEye.
“We’re getting into fourth and fifth and sixth party risk,” said Nate Smolenski, Corvus Insurance’s chief information security officer. “This is where all the scary stuff happens.”
Many court cases could fizzle for reasons that make the SolarWinds hack less like other incidents, such as the sophistication of the attack or the lack of highly personal information stolen for financial gain.
Overall, “this is quite overwhelming,” said Lisa Sotto, who chairs the cybersecurity practice at Hunton Andrews Kurth and said her firm has had dozens of clients asking for help with their own investigations. “The extent of its reach is extraordinary. Normally you can put your arms around the nature and scope of an issue within short order.”
Calm before the legal storm
The most likely kind of case to come to court involves allegations of securities fraud. Several law firms have announced investigations meant to round up investors who took a financial hit when SolarWinds stock dropped after the company’s role became known. Stock trades some company executives made not long before the revelations — a reported $280 million worth — are feeding into that consternation.
“We’re focused on who at SolarWinds knew about the security vulnerabilities and when,” Reed Kathrein, the Hagens Berman partner leading one investigation, said in one news release. “The huge insider sales just days before the news are mind boggling.”
Those law firms will be scrutinizing the claims SolarWinds made in public filings for investors about the security steps the company took.
Another kind of claim could involve breach of contract from companies doing business with SolarWinds, should SolarWinds not have met security terms of any contractual agreements. But Sotto and Springer said they both doubted such claims would be likely, given the rarity of companies suing one another over breaches.
Yet a third potential liability could center on whether SolarWinds or its customers were negligent in their security upkeep, causing harm to those who brought the suit.
Initially, Springer said, he looked at the SolarWinds website and found evidence it did all the right things, like audits or following industry guidelines. Then came news that a security researcher had previously alerted SolarWinds that anyone could access its update server with the password “solarwinds123,” and that a former company security adviser was alleging the company had ignored security warnings.
The other side of that kind of suit could be harder to establish: that anyone suffered any harm as a result of the breach. The hackers apparently weren’t after credit card information or other personal data, as in many other breach cases.
“The fact that it’s just intelligence gathering, it’s going to be tough for some of the victims to show an injury for damage,” said Springer.
The cases get harder if they’re aimed at anyone outside of SolarWinds, too.
“Given the level of sophistication of the intrusion, it’s probably unlikely that many companies will face liability for failing to prevent it,” said Joseph DeMarco, a partner at DeVore and DeMarco. “For the most part, most companies understandably were not able to prevent it.”
The exception, DeMarco said, would be if companies are later breached after failing to follow basic security practices like implementing patches.
The regulatory picture
State and federal regulators, as well as state attorneys general, sometimes take aim at companies that suffer breaches. Sotto said that was inevitable here, too.
“There’s no question in my mind that those allegations are going to lead to follow-up from regulators,” she said. “I would expect there will be a flurry of investigations by state and federal government agencies.”
The Federal Trade Commission will definitely take a look at whether SolarWinds maintained “reasonable” security standards, Sotto said, and the Securities and Exchange Commission will do the same for the stock trades company executives made.
Both the FTC and SEC said they do not comment on whether they’ve opened investigations.
Nor would several state attorneys general who frequently lead investigations or lawsuits related to data breaches comment to CyberScoop about whether they were pursuing any involving SolarWinds, despite routinely doing so in the days after other breaches became public.
“There are going to be lots of state regulators that will have an interest in this,” Sotto nonetheless predicted. “On the other hand this is very much a federal issue and they’re going to defer to the feds. The feds may say, ‘Hold off. We don’t want the states to get a lot of information, because it might compromise what’s going on on the federal side of the investigation.’”
But after that, anticipating what comes next requires a level of imagination that has never before come to bear.
“Because of the unique nature and unique scope of this — you had one company targeted, but in reality there are 18,000 entities, including government agencies and other companies — I don’t think anybody from a technical standpoint truly understands the full extent of this yet,” said Springer.