Why ‘blaming the intern’ won’t save startups from cybersecurity liability

SolarWinds is back in hot water after a shareholder lawsuit accused the company of poor security practices, which they say allowed hackers to break into at least nine U.S. government agencies and hundreds of companies.

The lawsuit said SolarWinds used an easily guessable password “solarwinds123” on an update server, which was subsequently breached by hackers “likely Russian in origin.” SolarWinds chief executive Sudhakar Ramakrishna, speaking at a congressional hearing in March, blamed the weak password on an intern.

Experts are still trying to understand just how the hackers broke into SolarWinds servers. But the weak password does reveal wider issues about the company’s security practices — including how the easily guessable password was allowed to be set to begin with.

Even if the intern is held culpable, SolarWinds still faces what’s known as vicarious liability — and that can lead to hefty penalties.

What is vicarious liability and why should startups care?

Vicarious liability is “the principle that an employer can be liable for the acts of an employee, if the act was something done by the employee acting in the ordinary course of their employment,” said Martin Sloan, a partner at U.K. law firm Brodies.

Whether a company is liable for cyber incidents based on the actions of employees or contractors will depend on the circumstances of what happened.

“In many cases, the company will be directly liable for the acts of its employees,” said Sloan. “Was the employee or contractor acting on the company’s instructions or in the course of their duties? If not, is the company nevertheless vicariously liable for the acts of the employee?”

Data breaches are more a “when,” not an “if,” and businesses can still be held liable for damage caused by their employees or contractors.

“A breach that occurred does not require data to be released to people outside a company; a breach can have data released internally, often to contractors, who do not have need or rights to the data,” said Niamh Muldoon, who serves as the global data protection officer at identity giant OneLogin.

“These are quite common in GDPR breaches where fines have occurred,” she said.

How big can the liability be?

Last year, Capital One was fined $80 million and told to tighten its security after a 2019 cloud data breach that exposed the personal data of over 100 million customers. The alleged hacker is a former engineer at Amazon Web Services, which Capital One used to store customer data.

Meanwhile, the U.K. Supreme Court said supermarket chain Morrisons was “not vicariously liable” for a 2014 data breach caused by an employee, who acted for personal gain.

Sloan explained that Capital One was directly liable for the issues that led to the breach. “The fine was for a failure by Capital One to have in place effective information security procedures to protect against third-party attacks,” he said. “In the Morrisons case, the court said that there was nothing more Morrisons could have done to prevent the breach.”

There are countless cases of companies bearing the brunt from breaches caused by vendors and contractors across the supply chain.

Perhaps the most well-known case of a breach caused by a third-party is Target in 2013, when attackers compromised millions of customers’ data using stolen credentials from a third-party HVAC contractor. Target eventually paid an $18.5 million settlement and reportedly spent over $200 million in legal fees stemming from the breach.

Demi Ben-Ari, chief technology officer at third-party security management company Panorays, said that even though the breach was caused by a third-party, “Target was still considered responsible because of a lack of adequate security.”

More recently, laboratory giants Quest Diagnostics and LabCorp had millions of customers’ data stolen in 2019 because of a breach at their third-party billing provider, AMCA. Facing enormous HIPAA penalties, AMCA subsequently filed for bankruptcy.

“While we have yet to see what the financial fallout will be for Quest and LabCorp, there’s no question that they will face hefty fines as well,” said Ben-Ari.

How can startups avoid vicarious liability for cybersecurity incidents?

Humans make mistakes, but vicarious liability can be avoided if the company can show that the incident happened despite its best efforts to avoid it. Having strong cybersecurity policies in place can help prevent the most egregious issues.

“It’s essential that businesses regularly review their information security measures and those of their partners to ensure that they remain appropriate and reflect best practice,” said Sloan. “As part of this they should use third-party vulnerability and penetration testing. Businesses should also ensure that they consistently apply security patches and address vulnerabilities when they’re identified and provide staff with appropriate training on cyber risk and the business’ internal policies.”

“Taking these steps will help to prevent breaches from occurring in the first place and if they do, help the business to demonstrate that it did everything that could reasonably have been done to prevent the breach,” he added.

The U.K.’s National Cyber Security Centre has a helpful guide on 10 steps to take to improve your company’s cybersecurity posture, and the U.S. National Industrial Security Program, which governs federal contractor facility clearance and insider threat programs, also has more.

Keeping access strictly limited to a need-to-know basis, backed by proper and verified audit trails, serves as a deterrent, said Tom Van de Wiele, principal security consultant at F-Secure.

It also ensures a timely and cost-efficient way of responding to a situation where an insider incident might be suspected, he said.