Kaseya Ransomware Attack: Does Negligence in Security Affect Liability?
Kaseya, a large technology solutions company, recently reported that its on-premises VSA product was the “victim of a sophisticated cyberattack.” (See generally, Kaseya’s announcements here). Specifically, third parties were able to access computer endpoints using Kaseya’s VSA product and then deploy ransomware. According to its web site, Kaseya reported that only endpoints using VSA as an on-premises solution were exploited, affecting approximately 60 managed service providers and approximately 1,500 downstream users.
Julie Machal-Fulks, Partner at Scott & Scott, LLP recently published a blog explaining some of the challenges prospective litigants may face if they want to file a lawsuit against Kaseya. The terms that potential litigants will have to evaluate before filing a claim are contained in the reseller terms and conditions, which can be found here, and the End User License Agreement (“EULA”), which can be found here. There are a number of limitations and restrictions that will affect the viability of a potential claim, whether it is initiated by an MSP or an end user. If you are an MSP that has been affected by the Kaseya ransomware attacks, you should speak to an experienced attorney.
The most common claims Kaseya will likely be facing are breach of contract claims. In a typical breach of contract claim, the parties’ responsibilities will be governed by the EULA or the reseller terms and conditions, each of which contains a number of provisions favorable to Kaseya. Two particularly troublesome provisions are the limitation of liability and indemnification provisions.
The indemnification provision requires managed services providers (“MSPs”) to indemnify Kaseya against any downstream user claims. The indemnification provision reads as follows:
13.2 Licensee Indemnification. Licensee agrees to defend, indemnify, and hold harmless each of Kaseya, its affiliates and respective officers, employees, consultants, shareholders and representative from and against any and all claims, liabilities, damages, and/or costs (including attorneys’ and expert witness fees, costs and other expenses) arising out of or related to: (a) any actual or alleged violation of this Agreement or applicable law, rule or regulation by Licensee or any person accessing or using the Software or services by or through Licensee; (b) any actual or alleged infringement or misappropriation by Licensee, or any person accessing or using the Software by or through Licensee, of any intellectual property or privacy or other right of any person or entity (except claims of infringement or misappropriation arising solely from use of the Software as provided under this Agreement); (c) any claims by any of Licensee Customers (except claims of infringement or misappropriation arising solely from use of the Software as provided under this Agreement), or arising out of or relating to Licensee’s relationship with any of Licensee Customers; or (d) Customer Data.
Essentially, if Kaseya is held liable for damages incurred by an end user, it will likely seek reimbursement from the end user’s MSP.
Equally troubling for managed service providers is the limitation of liability provision, which restricts potential damages to a calculation of not more than two months or six months of the Licensee’s most recent licensing fees, depending on the governing document. For example, the EULA has the following provision:
15. Limitation of Liability. NOTWITHSTANDING ANYTHING ELSE IN THIS AGREEMENT OR OTHERWISE, AND EXCEPT FOR BODILY INJURY CAUSED BY GROSS NEGLIGENCE OR WILLFUL MISCONDUCT BY KASEYA’S EMPLOYEES, AND TO THE FULLEST EXTENT PERMITTED UNDER APPLICABLE LAW, KASEYA AND ITS SUPPLIERS AND LICENSORS SHALL NOT BE LIABLE OR OBLIGATED WITH RESPECT TO THE SUBJECT MATTER OF THIS AGREEMENT (INCLUDING WITHOUT LIMITATION INDEMNIFICATION OBLIGATIONS) OR UNDER ANY CONTRACT, NEGLIGENCE, STRICT LIABILITY OR OTHER LEGAL OR EQUITABLE THEORY (I) FOR ANY AMOUNTS IN EXCESS IN THE AGGREGATE OF THE FEES PAID TO IT BY LICENSEE FOR THE SOFTWARE LICENSED HEREUNDER DURING THE SIX MONTH PERIOD PRIOR TO THE CAUSE OF ACTION, (II) FOR ANY COST OF PROCUREMENT OF SUBSTITUTE GOODS, TECHNOLOGY, SERVICES OR RIGHTS, OR (III) FOR ANY INCIDENTAL, INDIRECT, SPECIAL, PUNITIVE OR CONSEQUENTIAL DAMAGES (INCLUDING, WITHOUT LIMITATION, LOSS OF PROFITS, LOSS OF USE OR DATA, DAMAGE TO SYSTEMS OR EQUIPMENT, BUSINESS INTERRUPTION OR COST OF COVER) IN CONNECTION WITH OR ARISING OUT OF THE DELIVERY, PERFORMANCE OR USE OF THE SOFTWARE, DOCUMENTATION, ANY OTHER MATERIALS PROVIDED BY KASEYA OR OTHER SERVICES PERFORMED BY KASEYA, WHETHER ALLEGED AS A BREACH OF CONTRACT OR TORTIOUS CONDUCT, INCLUDING NEGLIGENCE AND STRICT LIABILITY, EVEN IF KASEYA HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES). YOU ACKNOWLEDGE AND AGREE THAT KASEYA WOULD NOT ENTER INTO THIS AGREEMENT UNLESS IT COULD RELY ON THE LIMITATIONS DESCRIBED IN THIS PARAGRAPH.
If any litigation is commenced against Kaseya for the ransomware attacks, the applicability and enforceability of the limitation of liability and indemnity provisions are likely to be key issues. The Kaseya contracts contain Florida choice of law provisions. Under Florida law, such provisions are enforceable if they are clear and unambiguous and the parties knew what they were contracting away.
Tort Liability Arising from Contracted Parties
Given the favorable provisions in the Kaseya contracts, any plaintiff will likely include claims for both negligence and gross negligence in connection with any litigation filed against Kaseya. Any such claims will face significant challenges.
Courts have traditionally disfavored the use of common law remedies such as tort claims arising from a breach of contract. However, public policy arguments have previously been successful in pursuing tort liability as long as it can be proven that the defendant owed a separate duty of care that could be separately actionable. Jade Winds Ass’n, Inc. v. FirstService Residential Fla., Inc. (In re Jade Winds Ass’n, Inc.), CASE NO. 15-17570-BKC-RAM (Bankr. S.D. Fla. Mar. 22, 2019).
A plaintiff could argue that Kaseya had a duty of care to secure the user data and comply with several state and federal regulations in keeping that data safe. However, even if a tort claim against Kaseya survived, it is likely that any damages would be subject to the limitation of liability.
The key to proving gross negligence is establishing that Kaseya’s conduct was so reckless or wanton in care that it constituted a conscious disregard or indifference to the life, safety, or rights of persons exposed to such conduct. See Florida’s Statutes on Negligence.
Kaseya reported on its web site that the attack occurred on July 2, 2021, and it notified its customers shortly thereafter. It deployed a software tool for customers to determine whether their data had been breached and continued to provide updates on its web site and directly to licensees.
Kaseya indicated that the ransomware attack was a “sophisticated cyberattack” and that its R&D team was working to identify and mitigate the vulnerability. In other words, Kaseya implied that it was unaware of the security vulnerability and therefore unable to prevent the attack. See Kaseya notice here.
Not long after the Kaseya breach was widely reported, former employees went public claiming that Kaseya was, in fact, warned about the vulnerability in its software prior to the hack. Ex-employees went on record with Bloomberg alleging that Kaseya did know about the vulnerability and failed to act. See Bloomberg article here.
If a plaintiff could prove that Kaseya was aware of the vulnerability in the VSA product and knowingly refused to provide a software update that could have prevented the data breach, the plaintiff might argue that this constitutes gross negligence. Establishing a gross negligence claim against Kaseya would be helpful to the arguments surrounding limitations of liability and indemnity. A court might also take Kaseya’s prior data breaches in 2014 and 2018 into consideration. Florida law also provides for punitive damages in gross negligence cases, which could significantly raise the stakes of the litigation.
If you were affected by the Kaseya ransomware attack, please contact Scott & Scott, LLP for a free consultation.