Disturbing news from the legal world this week, as cybersecurity vendor Trustwave was sued because it allegedly "failed to live up to its promises or to meet industry standards," according to an article in CIO Magazine.
While I am all in favor of holding parties responsible when they are negligent or otherwise perform poorly, this lawsuit represents a tremendous problem -- creating a serious chilling effect on the cyber security market. We are just starting to turn the corner on the cyber security problem in one critical area, namely, convincing companies and their executives that they need to take proactive defensive steps. However, as I have written before, we can now expect another cyber security problem: an increased number of lawsuits following cybe rattacks.
Putting aside the incredibly vague allegation that Trustwave failed to meet "industry standards," (What the heck does that even mean?) the reality of a lawsuit like this is that even if it is unsuccessful, it is still likely going to:
- Cost significant amounts of money to defend.
- May cause existing cyber security vendors or potential innovators to second guess whether they want to enter the market.
Right now the cyber security market is one of the hottest sectors of our economy thanks to the fact that so many companies are in need of defenses, and attacks are only increasing. This lawsuit, however, may give people pause as to whether cyber security really is a good investment. Even worse, it may cause some people to look at the marketplace and say "I'm not playing in that world -- I'll focus on messaging apps, not next generation cyber defenses."
It is not as if this is conjecture on my part. All you have to do is look at what happened to the security market after 9/11. Many companies were ready to jump in feet first to the market, knowing that they could potentially sell lots of products and services. Yet initially many of the big players and great thinkers stayed away, in part because they knew that they could face massive and extraordinarily costly litigation. How much? Ask the companies sued as a result of the 9/11 attacks -- their legal bills have been enormous, reaching tens, if not hundreds of millions of dollars.
Indeed their concerns were only allayed when the U.S. government stepped in with the Terrorism Reinsurance Act and the SAFETY Act.
This news scares me. Worse yet, it upsets me. I've seen this play before: The plaintiff's bar is not shy about naming defendants, and while there may be parties at fault here, the idea that litigation awaits cyber security vendors every time there is a breach makes me cringe. Otherwise useful technologies could be shelved, and we will all suffer. It's not as if the cyber criminals are going to slow down, in fact they are making money hand over fist. That combination is a bad one for us all.
For more information about cyber threats, possible avenues of liability, tips for disclosing a breach, ways to minimize corporate exposure from cyber attacks, and more, check out Brian Finch in a live webcast Tuesday, April 1, 2014 at 1:00 p.m. Eastern, hosted by Practising Law Institute (PLI). For more information please click here.