Lawsuits are likely to follow in the wake of the global ransomware attack.
According to legal experts, businesses that failed to update their Microsoft Windows-based operating systems could be sued over lax cyber security practices, although Microsoft Corp itself will not attract such lawsuits since it enjoys strong protection from such legal action.
The WannaCry worm has affected more than 300,000 devices running Microsoft Windows across the world since Friday and has disrupted car manufacturing plants, Britain’s National Health Service and FedEx Corp’s global shipments, among others.
Microsoft has made it clear that only computers that weren’t updated with its security patches were affected by the “ransomware” attack.
“Using outdated versions of Windows that are no longer supported raises a lot of questions,” said Christopher Dore, a lawyer specializing in digital privacy law at Edelson PC. “It would arguably be knowingly negligent to let those systems stay in place.”
According to Edward McAndrew, a data privacy lawyer at Ballard Spahr, businesses could potentially face legal claims if they failed to deliver services because of the attack.
“There is this stream of liability that flows from the ransomware attack,” he said. “That’s liability to individuals, consumers and patients.”
Essentially, WannaCry exploits a vulnerability in Windows 7 and Windows XP. In March 2017, Microsoft patched that vulnerability in Windows 7; however, since XP was discontinued in 2014, it remained unpatched.
Over the weekend, Microsoft took the unusual step of releasing a similar patch for machines running Windows XP.
However, according to Scott Vernick, a data security lawyer at Fox Rothschild, since WannaCry did not produce a widespread disclosure of personal data, the likelihood of widespread lawsuits is minimal.
“It isn’t clear that there has been a harm to consumers,” said Vernick.
However, he went on to add that businesses that failed to update their software could face scrutiny from the U.S. Federal Trade Commission, which has previously sued companies for misrepresenting their data privacy measures.
Incidentally, the U.S. National Security Agency, whose stolen hacking tool was the basis for the WannaCry worm, is also strongly protected against lawsuits.
The NSA did not immediately return a request for comment.
According to Jonathan Zittrain, a professor specializing in internet law at Harvard Law School, courts have frequently dismissed lawsuits against the NSA on the grounds that they might result in the disclosure of top secret information.