Software and Cybersecurity Companies Beware!
In case you haven't heard, Delta Airlines recently sued one of its software providers claiming that the provider caused a 2017 data breach.
As a quick refresher, in 2018, Delta reported that its software service provider, 7.ai, suffered a malware attack that allowed fraudsters to access Delta's customer information. Delta was then the target of class actions in California and Georgia.
After Delta determined that 7.ai was to blame, Delta demanded that 7.ai reimburse all costs incurred as a result of the data breach. 7.ai refused and, last week, Delta initiated a lawsuit against 7.ai to recoup millions of dollars.
According to the Complaint, 7.ai operates a sophisticated software, services, and technology company. It is focused on managing online customer interactions for companies in all manner of customer-facing industries. One of its services is placing a “chat” function on clients’ websites, which allows visitors to those websites to engage in text-based conversations with customer service representatives.
Delta engaged 7.ai to place a chat function on its website.
To implement and maintain the chat service, Delta granted 7.ai access to certain layers of the Delta website infrastructure. 7.ai placed a “tag” on Delta’s website that would monitor the activity of individuals visiting certain web pages. Through this “tag,” 7.ai could cause a chat bubble to appear in the browser of individuals visiting Delta’s website.
The Dreaded Data Breach
Delta claims that after 7.ai implemented the chat service on Delta's website, attackers accessed 7.ai's computer systems and modified the source code so that tags placed on Delta’s website not only monitored visitor activity and facilitated the chat function, but also “scraped” Personally Identifying Information (“PII”) and payment card data. The PII and payment card data was then transmitted to a third party (presumably the attacker).
Based on Delta’s investigation, the attacker potentially obtained the names, addresses, and payment card information of approximately 800,000 to 825,000 U.S. Delta customers.
As with any data breach, Delta has incurred millions of dollars in costs to: (1) investigate the breach, (2) provide notification to its customers, (3) offer identity monitoring products and call center services to potentially impacted individuals, and (4) defend consumer class action litigation arising out of the data breach.
Software Providers Beware
I saw this coming. For the past couple of years we have seen numerous class action lawsuits against companies that suffered a data breach. We are starting to see coverage litigation as insurance companies deny cyber-related claims. The next wave of litigation will be against software, website, and cybersecurity providers as companies look to recoup their losses.
Last year, I wrote a blog about Lawsuits Against Software Developers and IT Specialists, where I asked the question:
Should software developers and IT professionals have a duty to provide the public with better products and services?
I think the answer is "Yes"!
There are many stories of data breaches where the vendor, independent contractor or service provider was the cause of the breach (e.g., Target, Alpine Bank, Heartland, etc.). Companies that suffer a data incident incur millions of dollars in notification, remediation and litigation costs. It should come as no surprise that these companies are starting to seek reimbursement from their software and technology providers.
Delta's lawsuit might become the new normal as more companies move to digital platforms and rely on software, website and cybersecurity service providers to handle customer relations, data maintenance and security.
In fact, some companies are starting to impose contractual requirements that their software and cybersecurity providers indemnify them for a cyber incident, and maintain sufficient insurance to cover losses as a result of the incident.
As I like to say, "litigation begets litigation" - if a company (like Delta) is sued for a data breach, then the involved software or cybersecurity provider should "lawyer-up", notify its insurance carrier, and expect a process server to show up with a complaint at some point.
~ Florida Cyber Lawyer, Robert Stines, Esq., CIPP