In a March 4, 2014 article, Inside Cybersecurity quoted Venable partner Dismas Locaria and associate Jason Wool on what the liability landscape looks like for software developers tied to critical infrastructure hit by cyber attacks. Locaria and Wool explained that “it is all but certain that these developers will be parties to lawsuits when and if successful attacks against critical infrastructure occur that have an impact on third-parties that are not in privity with the developers” – especially in cases “where an unpatched vulnerability is directly connected to the attack.”
They added, “The more people that are affected by a successful cyber attack, the more likely it is that plaintiffs will bring claims against as many potentially culpable entities as possible – which could include the makers of software that arguably allowed the incident to occur because of inadequate security or unpatched vulnerabilities. Simply being named in such a complaint could require significant expenditures on the part of developers.”
Only time will tell whether liability will increase for the [software] companies, they concluded.
They added, “The more people that are affected by a successful cyber attack, the more likely it is that plaintiffs will bring claims against as many potentially culpable entities as possible – which could include the makers of software that arguably allowed the incident to occur because of inadequate security or unpatched vulnerabilities. Simply being named in such a complaint could require significant expenditures on the part of developers.”
Only time will tell whether liability will increase for the [software] companies, they concluded.