In 2016, ransomware incidents were reported to have increased by over 300%, and the number of attacks is still rising. Ransomware is a form of malware that blocks a victim's access to their systems or files, typically by encrypting them, until a ransom is paid, although payment does not guarantee that access will be restored.
As demonstrated by the recent WannaCry attack (which affected organisations in more than 100 countries), ransomware can effectively shut down an entire organisation, causing significant damage both to the victim and to those who depend on the services it provides. It has just been reported that a South Korean company paid over USD1m to regain access to its files after they were encrypted with ransomware.
It is rarely possible to identify the perpetrators of a ransomware attack: the malware is often routed through anonymising networks that are practically untraceable, and the ransom is demanded in a pseudonymous cryptocurrency, usually Bitcoin. So, where does that leave those who suffer loss as a result?
Many businesses now seek to protect against these costs through insurance. In this article, however, we explore whether a ransomware attack could give rise to claims between third parties, rather than against the perpetrators themselves.
Failure to perform
As WannaCry showed, when a ransomware attack encrypts critical files and systems, it can severely disrupt the operations of a business. Businesses may then find themselves unable to perform obligations under their commercial contracts, whether those are the manufacture and delivery of goods or the performance of services.
In these circumstances, businesses may find themselves in breach of their commercial agreements and potentially liable for any losses the client or counterparty suffers as a result.
In such cases, the potential scope of liability will inevitably depend on the underlying terms of the contract. In particular, the parties may agree to limit liability arising from certain events (for example, arising from the criminal act of a third party), to apply a cap on the maximum level of such liability, or to exclude liability for specific types of loss (for example, loss of profits, reputation and so on).
Contracts will often include force majeure clauses. These relieve a party from performing an obligation under a contract where circumstances beyond its control prevent it from doing so. It is important to bear in mind that not all force majeure clauses are alike: some list the qualifying events exhaustively, and a cyber attack may or may not fall within them. The extent to which such a clause protects a party affected by ransomware will therefore depend on the exact wording of the clause and the circumstances behind the attack. For example, a party is unlikely to be protected where it could easily have prevented the attack by adopting basic cybersecurity measures (such as applying available security patches) but failed to do so.
Passing malware on
The next question is whether an organisation may face liability where its systems infect those of another. Where organisations operate interconnected systems or networks, some types of ransomware will automatically scan for vulnerable machines in order to spread, as WannaCry did: it propagated as a worm by exploiting a known vulnerability in Windows file sharing (SMB) for which a security update had already been published. If an organisation negligently fails to implement appropriate safeguards against ransomware and this ultimately leads to the compromise of a third party's systems, it could be argued that the organisation should be liable for the losses that the third party suffers.
The fundamental question regarding liability in these circumstances is likely to be whether the organisation owed a duty to the third party not to (negligently) allow its systems to be compromised so as to cause damage to that third party. In the absence of an express term in a contract, or some other basis for establishing a duty of care, this is likely to be difficult to establish.
In addition, this is an area where factors such as (i) the sophistication of the ransomware attack, (ii) the third party's own security measures and (iii) its response to its systems being compromised are likely to have a significant impact on the extent to which it could recover any of these losses from the organisation through which it was infected.
In other jurisdictions, parties have sought to attach liability on a basis similar to the English law rule in Rylands v Fletcher (a form of nuisance). This imposes strict liability for foreseeable damage on a person who brings onto their land something inherently dangerous which subsequently escapes. However, there are a number of legal difficulties in applying this analysis to malware, so it is unlikely to form a basis of liability under English law.
As with most things in life, when dealing with exposure to ransomware, prevention is better than cure. As such, businesses are increasingly turning to IT security specialists to audit their IT systems, identify vulnerabilities and advise on security measures.
These are, of course, sensible precautions for businesses to take to protect themselves in practice from cybersecurity threats. However, they should bear in mind that conducting regular cybersecurity audits will not automatically absolve them of potential liability to third parties, even where the loss claimed results from a risk that the audit failed to identify and which the business could have prevented had it been identified.
Whilst there is no "industry standard" approach, many IT security specialists attempt to contractually limit or exclude their liability if the report is inaccurate, even as a result of the specialists' negligence. Therefore, where businesses are relying on these reports to determine their cybersecurity status, it is important to ensure that they have appropriate protections in place (see our article).
On the other side, IT security specialists should consider the limitations and exclusions of liability in their engagement terms carefully. A significant ransomware attack against a business could lead to substantial losses far in excess of the remedial costs or ransom amount. As explained above, the business itself could be exposed to third party claims, losses of profits or commercial opportunities and significant reputational damage.
IT security specialists should seek to carefully define the scope of the review or audit being provided, those who are entitled to rely on the report and for what purpose. In the absence of such limits, such specialists may find themselves liable not just to their client in the event of an error, but to third parties as well.
The extent to which any party may have, or be exposed to, potential claims following a ransomware incident will depend on the specific incident and the relevant contracts. Ransomware takes many forms and spreads in many ways. In any event, it is important that businesses ensure they have appropriate technical and procedural safeguards in place to protect against these risks, and that they consider the options available to them in the event that a breach occurs.