Why ‘blaming the intern’ won’t save startups from cybersecurity liability

SolarWinds Faces New Scrutiny Over Security Lapses
SolarWinds is once again under intense scrutiny following a shareholder lawsuit. The suit alleges inadequate security protocols enabled malicious actors to infiltrate at least nine U.S. government agencies and numerous private sector organizations.
Details of the Allegations
According to the lawsuit, a remarkably simple password – “solarwinds123” – was used on a critical update server. This server was then compromised by hackers who are suspected to have originated from Russia.
During a congressional hearing in March, SolarWinds CEO Sudhakar Ramakrishna attributed the use of this weak password to an oversight by an intern.
Wider Security Concerns
While investigations continue to determine the full extent of the breach, the easily compromised password highlights significant deficiencies in the company’s overall security posture.
Questions remain regarding how such a vulnerable password was permitted to be established in the first place.
Potential Legal Ramifications
Even if the intern bears some responsibility, SolarWinds could be subject to vicarious liability. This legal principle could result in substantial financial penalties for the company.
The incident underscores the importance of robust security measures and diligent password management practices.
Experts continue to analyze the attack vector to fully comprehend the methods employed by the hackers to gain access to SolarWinds’ systems.
Understanding Vicarious Liability: A Crucial Consideration for Startups
Vicarious liability refers to the legal principle where an employer assumes responsibility for the actions of an employee. This applies when those actions occur within the scope of their employment, as explained by Martin Sloan, a partner at the U.K. law firm Brodies.
Determining a company’s liability for cybersecurity incidents stemming from employee or contractor actions is contingent upon the specific details of the event.
According to Sloan, direct liability often falls on the company for its employees’ actions. The key question is whether the employee or contractor was operating under the company’s direction or while fulfilling their job responsibilities.
Data security breaches are increasingly inevitable, and organizations can face legal consequences for damages caused by their workforce, including both employees and contractors.
Niamh Muldoon, Global Data Protection Officer at OneLogin, highlights that a breach doesn't necessarily involve external data release. Internal disclosures to contractors without proper authorization can also constitute a breach.
Such internal breaches are frequently cited in GDPR-related fines.
Key Considerations for Startups
- Employee Actions: Companies are often directly responsible for the actions of their employees during work hours.
- Contractor Involvement: Liability can extend to contractors if they act on the company’s behalf.
- Internal Breaches: Data exposure within the organization, even without external release, can trigger liability.
- GDPR Compliance: Understanding vicarious liability is vital for adhering to regulations like GDPR.
It is essential for startups to proactively address potential risks associated with vicarious liability. This includes implementing robust security protocols and ensuring employees and contractors are adequately trained on data protection practices.
Potential Extent of Financial Liability
In 2023, Capital One faced an $80 million penalty and was mandated to enhance its security protocols following a 2019 cloud data breach. This breach compromised the personal information of over 100 million individuals. The individual accused of the attack was a former engineer employed by Amazon Web Services, the cloud provider utilized by Capital One for data storage.
Conversely, the U.K. Supreme Court determined that the supermarket chain Morrisons was not liable for a 2014 data breach. This breach was perpetrated by an employee acting for personal financial benefit.
Sloan clarified that Capital One bore direct responsibility for the vulnerabilities that facilitated the breach. The imposed fine stemmed from a deficiency in Capital One’s implementation of robust information security measures designed to defend against external attacks. In contrast, the court ruled that Morrisons had taken all reasonable steps to prevent the incident.
Numerous instances exist where organizations have suffered significant consequences due to breaches originating with vendors and contractors throughout their supply chains.
The 2013 Target data breach stands as a prominent example of a third-party-induced security failure. Attackers exploited stolen credentials belonging to a third-party HVAC contractor to access the data of millions of customers. Target ultimately settled for $18.5 million and incurred over $200 million in associated legal expenses.
Demi Ben-Ari, CTO at Panorays, a third-party security management firm, noted that despite the breach’s origin with a third party, Target was deemed accountable. This determination was based on a demonstrable lack of sufficient security safeguards.
More recently, both Quest Diagnostics and LabCorp experienced the theft of millions of customer records in 2019. The source of this compromise was a breach at their shared third-party billing provider, AMCA. AMCA subsequently filed for bankruptcy due to the substantial HIPAA penalties it faced.
Ben-Ari stated that while the full financial repercussions for Quest and LabCorp remain to be seen, the fines are expected to be substantial.
Mitigating Cybersecurity Incident Liabilities for Startups
While human error is inevitable, startups can proactively minimize the risk of vicarious liability stemming from cybersecurity incidents. Demonstrating a commitment to robust security practices is crucial in these situations.
According to Sloan, consistent evaluation of both internal and partner information security protocols is paramount. This includes utilizing external vulnerability assessments and penetration testing to identify weaknesses.
Regularly applying security updates and promptly addressing discovered vulnerabilities are also essential components of a strong security posture. Furthermore, comprehensive staff training on cyber risks and internal policies is vital.
Implementing these measures not only reduces the likelihood of breaches but also provides evidence of due diligence should an incident occur. This demonstrates a reasonable effort to prevent compromise.
Resources like the U.K.’s National Cyber Security Centre offer guidance, outlining 10 steps to enhance a company’s cybersecurity defenses. Similarly, the U.S. National Industrial Security Program provides valuable information for federal contractors.
Restricting access to information based on a strict “need-to-know” basis, coupled with thorough and verifiable audit trails, acts as a significant deterrent, as noted by Tom Van de Wiele of F-Secure.
Such practices also facilitate a swift and cost-effective response when internal incidents are suspected, enabling timely investigation and mitigation.
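To make the two controls in the last two paragraphs concrete, here is an added example (not code from F-Secure or from the article) of a need-to-know access check whose every decision is written to a hash-chained audit trail, so that an edited, removed or reordered entry is detectable when an internal incident is investigated. The access matrix, the principal and resource names and the event fields are constructed for illustration.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed need-to-know matrix: which principal may read which dataset.
ACL = {
    "alice": {"customer_billing"},
    "bob": {"hr_records"},
    "contractor_hvac": {"building_hvac"},
}

GENESIS = "0" * 64


class AuditTrail:
    """Append-only log; each entry commits to the previous entry's SHA-256 hash."""

    def __init__(self):
        self.entries = []
        self.last_hash = GENESIS

    def record(self, event):
        entry = dict(event)
        entry["prev"] = self.last_hash
        payload = json.dumps(entry, sort_keys=True).encode()
        entry["hash"] = hashlib.sha256(payload).hexdigest()
        self.entries.append(entry)
        self.last_hash = entry["hash"]
        return entry


def verify_trail(entries):
    """Recompute the chain from the genesis value; any tampering breaks the links."""
    expected_prev = GENESIS
    for entry in entries:
        if entry["prev"] != expected_prev:
            return False
        body = {k: v for k, v in entry.items() if k != "hash"}
        payload = json.dumps(body, sort_keys=True).encode()
        if hashlib.sha256(payload).hexdigest() != entry["hash"]:
            return False
        expected_prev = entry["hash"]
    return True


def request_access(trail, principal, resource, purpose):
    """Allow only what the ACL grants; log allow and deny decisions alike."""
    allowed = resource in ACL.get(principal, set())
    trail.record({
        "time": datetime.now(timezone.utc).isoformat(),
        "principal": principal,
        "resource": resource,
        "purpose": purpose,
        "decision": "allow" if allowed else "deny",
    })
    return allowed


def denied_events(entries):
    """Denied requests are the first thing to review when misuse is suspected."""
    return [e for e in entries if e["decision"] == "deny"]


if __name__ == "__main__":
    trail = AuditTrail()
    request_access(trail, "alice", "customer_billing", "monthly invoice run")
    request_access(trail, "contractor_hvac", "customer_billing", "no stated purpose")
    print("trail intact:", verify_trail(trail.entries))
    print("denied:", [(e["principal"], e["resource"]) for e in denied_events(trail.entries)])
```

Logging the denials is as important as logging the grants: a contractor account asking for a dataset outside its scope is exactly the early signal the text refers to, and the hash chain means the record can be relied on even if the person being investigated had write access to the log file.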