
Patch or Pay – Can You Be Sued for Negligence If You Fail to Patch Vulnerable Systems?

    Categories: InfoSec Strategies

The single most critical and effective measure for reducing cyber security risk is a robust patch management program that lets you apply vendors’ software patches quickly and efficiently. Known vulnerabilities are an attacker’s favorite entry points, and many of the most widely used exploits target longstanding vulnerabilities for which patches have been available for years.

The Importance of a Robust Patch Management Program

Simply patching the vulnerabilities in your environment that are more than one or even two years old would protect you against most of today’s attacks. If you can install patches within a week or two of their release, you are protected against the vast majority of the remaining threats as well, including the highly successful WannaCry ransomware worm that recently swept the planet: Microsoft released the patch for the vulnerability it exploited (MS17-010) two months before the worm was unleashed.

But despite the overwhelming and undeniable case for making patching the top cybersecurity priority, many organizations patch haphazardly or inefficiently, or are months or even years behind. Others flirt with disaster by continuing to run end-of-life, unsupported or even pirated software, which makes them sitting ducks.

Are such organizations liable to be fined by regulators? Or sued for negligence by customers, consumers or other stakeholders who suffer damage as a result of a data breach that could have been prevented by a simple software patch? Is there a legal duty to patch systems, and to what level?

Legal Risk

Expert opinion indicates that the jury is still out (pun intended), but the possibility undoubtedly exists. Data breach lawsuits in general are numerous and sometimes spectacular; Target’s 2013 breach, which spawned dozens of lawsuits and most recently an $18.5 million settlement with state attorneys general, is the current poster child for this scenario.

Pertaining to regulations, US financial services companies subject to Gramm-Leach-Bliley (GLBA) are required to “Protect against any anticipated threats or hazards to the security or integrity of [customer] information…” HIPAA similarly mandates healthcare organizations “Protect against any reasonably anticipated threats or hazards to the security of [health] information…” Attacks targeting known and patchable vulnerabilities could well be deemed to fall into these categories—in effect requiring regulated entities to implement a reasonable patch management program to maintain compliance.

Organizations such as health care providers or banks could also face legal actions if they failed to deliver services as the result of a data breach, and this directly resulted in bodily or financial harm. Companies most likely to face lawsuits might be those that claim via advertising or other public statements that they were secure and are then proven not to be.

Even businesses that seek to reduce the risk exposure associated with data breaches by purchasing cyber liability insurance (CLI) could find themselves out of luck (and outside of coverage) if a breach results from preventable negligence, such as failure to patch a known vulnerability that was later exploited.

Demonstrate Your Security – Now

No one disputes that patching is a cornerstone of any information security program. But does the failure to patch in a specific circumstance expose an organization to legal action after the fact? The ability to demonstrate that you have a patch management program in place, and that you routinely follow it, could be your best defense.
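A patch management program is only defensible if you can measure it. The two thresholds this article uses (install within about two weeks of release; nothing outstanding for more than a year) are easy to turn into numbers, and those numbers are exactly the evidence an auditor, regulator or insurer will ask for. The following Python script is an added example, not code from the original article or from Pivot Point Security: it computes time-to-patch per host from vendor release and install dates, classifies each record against a 14-day SLA, and flags missing patches older than a year. The hosts, dates and the patch identifiers other than MS17-010 are constructed sample data.

```python
from datetime import date

# Constructed sample inventory (hypothetical hosts and dates, not real scan output).
# Patch ids beginning "HYP-" are placeholders; MS17-010 is the real bulletin WannaCry exploited.
# "installed" is None when the patch is still missing on that host.
INVENTORY = [
    {"host": "fs01",  "patch": "MS17-010",     "released": date(2017, 3, 14), "installed": date(2017, 3, 28)},
    {"host": "fs02",  "patch": "MS17-010",     "released": date(2017, 3, 14), "installed": None},
    {"host": "web01", "patch": "HYP-2016-001", "released": date(2016, 1, 5),  "installed": None},
    {"host": "db01",  "patch": "HYP-2017-042", "released": date(2017, 5, 9),  "installed": None},
    {"host": "app01", "patch": "HYP-2017-030", "released": date(2017, 4, 11), "installed": date(2017, 5, 1)},
]

AS_OF = date(2017, 5, 12)   # assessment date; chosen as the day WannaCry began spreading
SLA_DAYS = 14               # target: installed within two weeks of vendor release
STALE_DAYS = 365            # missing for longer than this is the "years-old vulnerability" case


def patch_age_days(record, as_of):
    """Days from vendor release to install, or to as_of if the patch is still missing."""
    end = record["installed"] or as_of
    return (end - record["released"]).days


def classify(record, as_of, sla_days=SLA_DAYS):
    """Bucket a record by whether it met the SLA, is late, or is still missing."""
    age = patch_age_days(record, as_of)
    if record["installed"] is None:
        return "missing-overdue" if age > sla_days else "missing-within-sla"
    return "patched-in-sla" if age <= sla_days else "patched-late"


def assess(inventory, as_of, sla_days=SLA_DAYS):
    """Annotate every record with its age in days and its SLA status."""
    return [dict(r, age_days=patch_age_days(r, as_of), status=classify(r, as_of, sla_days))
            for r in inventory]


def summarize(results, stale_days=STALE_DAYS):
    """Headline metrics: SLA compliance rate, mean time to patch, and stale missing patches."""
    counts = {}
    for r in results:
        counts[r["status"]] = counts.get(r["status"], 0) + 1
    patched_ages = [r["age_days"] for r in results if r["installed"] is not None]
    return {
        "total": len(results),
        "counts": counts,
        "sla_compliance_rate": counts.get("patched-in-sla", 0) / len(results) if results else 0.0,
        "mean_days_to_patch": sum(patched_ages) / len(patched_ages) if patched_ages else None,
        # host:patch pairs that have been missing longer than stale_days
        "missing_over_stale": [f'{r["host"]}:{r["patch"]}' for r in results
                               if r["installed"] is None and r["age_days"] > stale_days],
    }


def report_lines(results):
    """Evidence listing, worst first: missing patches by age, then installed ones by age."""
    ordered = sorted(results, key=lambda r: (r["installed"] is not None, -r["age_days"]))
    return [f'{r["host"]:6} {r["patch"]:13} {r["status"]:18} {r["age_days"]:4d} days' for r in ordered]


if __name__ == "__main__":
    results = assess(INVENTORY, AS_OF)
    print("\n".join(report_lines(results)))
    print(summarize(results))
```

The design point is that a vulnerability scan alone only tells you what is missing today; to show that you routinely follow your program you also need the vendor release date and the install date for each patch, so that time-to-patch can be reported over time rather than reconstructed after a breach.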

To talk about how to make patching a routine and effective part of your information security program, contact Pivot Point Security.

For more information on vulnerability patching and data breach lawsuits:
