Los Angeles Times
World
Paresh Dave

'WannaCry' cyberattack: Who could be held liable?

It's one thing to be blindsided by a sucker-punch. It's another to be pummeled by a punch that came with much warning.

The distinction could lead to difficult legal battles for organizations affected in recent days by the "WannaCry" cyberattack. Computer security experts say Britain's National Health Service, FedEx and other victims of the ransomware attack should have foreseen that hackers would spread through their systems because they didn't address a vulnerability Microsoft disclosed as early as March.

In the eyes of many experts, victims' failure to update their systems is negligence. And victims' customers who suffered harm because of frozen computers (for example, hospital patients in Britain who had surgeries delayed or had to seek care elsewhere) could point to this negligence if they sue for damages.

That's a common tactic customers have used in data breach lawsuits for years, filing claims against hacking victims such as Target, SuperValu and T.J. Maxx. Some of the cases have been settled for store vouchers and other small remedies. Others have been thrown out because it wasn't clear consumers suffered any damage, mostly because their credit card companies had already removed fraudulent charges.

But the WannaCry incident stands apart. First, in this case it's clear to outsiders that the worst damage inflicted on computer systems stemmed from an unpatched flaw in Microsoft Windows. The attack itself wasn't innovative or surprising: The flaw was well-known and well-publicized. It takes advantage of individuals who click on a link. It spread to such a wide swath of users because organizations didn't keep their software updated.

Second, in the NHS situation, there's potentially physical harm, which can be more visceral in court than financial or psychological issues.

Both of the issues could make a stronger case for plaintiffs and government regulators.

It's possible no lawsuits arise from the WannaCry outbreak. Though a few patients in Britain's health care service were inconvenienced, they didn't suffer major disruption to their care, U.S. and British officials say. Meanwhile, business partners and customers of companies ravaged by the ransomware haven't come to the forefront with grievances.

But attorneys who follow cybersecurity issues say it's illustrative of the big risks companies take when they're slow to update their systems.

"The main theory would be that the entities are not doing what a reasonable person would do," said Alexander Southwell, chair of law firm Gibson Dunn's cybersecurity practice and a former federal computer crimes prosecutor.

Several laws emphasize that medical institutions, banks and other specific organizations must take reasonable care to protect private customer information. Information-privacy advocacy groups have called for broader legal protections that would prescribe specific penalties for breaches across industries. Such legislation could make it easier for affected consumers to seek redress, experts said.

Other experts put blame on the National Security Agency, which hackers say developed the WannaCry attack and then lost it to thieves, and Microsoft, which arguably could have taken additional steps to ensure compliance with security updates.

"Suing the NSA for failing to secure their cyberweapons is a monumental undertaking, much of which would likely be precluded by the government's inevitable assertion of the 'state secrets' or national security claims," Mark Rasch, an attorney and formerly a security evangelist at Verizon, wrote in an online commentary.

Holding Microsoft liable would be just as difficult. Software vendors have long been able to escape claims by pointing to contracts with customers that absolve them for any defects. Microsoft also has a track record of bolstering security and becoming more aggressive with its policies, which could make negligence hard to show.

WannaCry could spur the company to level up yet again, said Justin Cappos, an assistant professor of computer systems and security at New York University. He suggested that rather than simply telling users to update their systems to apply a patch, Windows could offer a bleak warning: "Hackers can get into your computer right now, so please update so we can fix that."

"That's one of the most effective ways to do it," Cappos said. "If you're a consumer, you're going to be worried."

If companies do face and lose WannaCry-related lawsuits, those with cybersecurity insurance are likely to dodge bearing most of the cost.

Such insurance policies, which are common at large companies, generally cover negligence by the policyholder, said Linda Kornfeld, an attorney at Kasowitz Benson Torres. Insurers have tried to include clauses requiring timely patching, but denying claims because of security-update practices likely would be difficult without showing some deliberate, improper conduct, she said.
