By many accounts, 2017 is the 35th anniversary of widely propagating computer viruses. The recent “WannaCry” and “NotPetya” ransomware outbreaks demonstrate that computer viruses (or more broadly, “malware”) are still evolving, developing, and posing new threats. But IT contracts don’t move at the same pace. Contract provisions that address computer virus risk have become commonplace in form contracts for software and cloud computing, and in the long list of representations and warranties applicable to M&A transactions, but those provisions have evolved little since their introduction.
Standard contract language may not meet current needs. It is time to review, update and revise contract considerations for computer malware.
Although the concepts behind computer viruses can be traced back decades earlier, it was a 1982 event that is generally credited as starting today’s line of malware. That year, a 15-year-old from Pittsburgh, Pennsylvania launched the “Elk Cloner” virus, which propagated through the sharing of floppy disks on Apple II computers. Since then, the means of propagating viruses has expanded to exploit modern network computer systems and the effects have evolved from simple prank messages to become a threat to daily business operations, information security and even business continuity.
“WannaCry” and “NotPetya” are not unique but are powerful examples of several of the ways in which malware has evolved. Both of these viruses utilized a flaw in an operating system sub-component that provided a path to get past antivirus defenses. Importantly, that vulnerability had been detected and a corrected version made available so that up to date and patched computers were well defended, but so many computers had not been patched that the outbreak was still quite damaging.
There are many reasons why a particular computer system might not have been patched. While it could be that there was an oversight, there are also many reasons for a failure to patch that are independent of any negligence or malfeasance of the owner of the computer:
- Unsupported software. It may be that the vulnerable software was contained in an older version of a third party system (for example, a computer operating system) that the vendor stopped supporting. While the vendor might provide a fix for the latest version, older versions would remain vulnerable. In the WannyCry case, a key software provider did break its own protocol and provide an update for the old software that remained in use, but that was an exceedingly rare occurrence.
- Compatibility with obsolete software. Closely related to the issue above, it often happens that a company builds additional software that is dependent on a particular version of an operating system. The company would then be unable to update the operating system without having to re-engineer their custom software. This leaves the combined system exposed to the vulnerability in the older underlying operating system.
- Embedded software unable to update. Software may be built into industrial or medical equipment (or “internet of things” devices) that is not simply designed to promptly receive updates. In the WannyCry case, expensive hospital equipment, such as MRI scanners, were afflicted, likely for this reason.
- Unmanaged equipment. In certain equipment, even if there is a technical mechanism by which software updates can be made, the equipment may be managed by non-IT staff so that knowledge of the requirement and the skills to carry out the update may not be brought to bear.
- Lack of resources. Even where none of the above concerns apply, it can often be the case that the necessary resources are not simply not available to an organization or that an organization does not apply the necessary resources to carry out necessary security updates to software in a timely manner.
The failure to patch and the occurrence of these other factors are not always addressed by the common sort of antivirus warranty seen in many IT and transactional contracts. Common contract language focuses on the status of IT systems, that is, whether or not a virus is present, and focuses on whether steps are taken to avoid the introduction of viruses. Common language generally does not address the resilience of a system to withstand the introduction of a virus or other malware. It is also unusual for the scope of the language to encompass all the smart devices in an enterprise.
To address these broader concerns, it is time to update typical anti-malware language to address the broader risks of un-supported software and software known to be vulnerable, both within and outside of the IT department. Here is a checklist of topics to cover in modernized antivirus warranties:
- Absence of any systems that are dependent on software that no longer has appropriate security updates available.
- Absence of any systems that are engineered to depend on software such that future security updates are unable to be applied.
- Processes in place and carried out to apply all necessary software updates.
- Scope of warranty expanded to include all systems that may be vulnerable, whether or not they are an IT component.