According to shocking data compiled by Netcraft, a month after Heartbleed, which may very well be “the worst vulnerability found (at least in terms of its potential impact) since commercial traffic began to flow on the Internet[,]” only 14 percent of affected websites have completed all required steps to patch the Heartbleed vulnerability. Worse, some website administrators who did patch have not done so properly; many replacement certificates were issued with the same, potentially compromised, private key. See Keys Left Unchanged in Many Heartbleed Replacement Certificates.
The legal exposure created by not patching, or not properly patching, Heartbleed increases by the minute. If the vulnerability is not properly remediated, user data will continue to be compromised, which can result in an incalculable amount of liability. The case for common law negligence in this situation is clear. Even setting aside for a moment the general question of whether it is negligent for a technology company to rely on open source software to protect the privacy of client data, in the case of Heartbleed there is a clear duty on the part of technology companies to patch the vulnerability. Businesses that have not swiftly taken remedial action will be subject to lawsuits for negligence, regulatory action, and prosecution on other legal theories. Healthcare providers should be especially aware of their obligations under HIPAA and the HITECH Act.
While it is alarming to find that so many vulnerable servers have not been patched, equally surprising is how little disclosure, notice, and instruction affected users have received. Though there has been much publicity surrounding the Heartbleed vulnerability, very few affected technology companies have advised users of their status. Such inaction leaves users in a precarious position. Media outlets have advised users to change their website passwords. However, if the Heartbleed vulnerability has not been patched on a given site, changing a password there is ineffective, because the new password can be exposed just as the old one was. Yet the user will continue to believe that the situation has been corrected. Affected technology companies should provide notice of server updates and, more importantly, advise their users of the appropriate time to change their passwords and of any other steps (such as enabling two-factor authentication) that must be taken to secure their data.