Seven Things MSPs Should Know Before Filing a Lawsuit Against Kaseya for the Recent Ransomware Attack
As most MSPs have likely heard, Kaseya and many of its customers recently experienced a wide-spread ransomware attack. As victims are learning more about the potential impact of the attack, many are evaluating whether they can hold Kasey legally responsible for any damages that were incurred. Before rushing to the courthouse, MSPs should review the Kaseya license terms, including the reseller terms, and their agreements with their end users. Here are seven things for MSPs to consider when performing their litigation analysis.
1. The Kaseya Subscription License Agreement and Reseller Terms and Conditions are not friendly to MSPs.
It is not uncommon for MSP’s channel partners to have some unfavorable terms that put most of the responsibility on the MSP, rather than on the partner. Kaseya is no different. There are many provisions that attempt to shield Kaseya from responsibility, and Kaseya will likely rely on those provisions (or at least it will try to do so) as a defense to any litigation instituted by an MSP.
2. The case must be brought in Florida, and Florida law will apply.
Regardless of where the MSP or its end users are located, Section 16.7 of the Kaseya Subscription End User License Agreement (“EULA”) (a copy of which is located here) requires all claims against Kaseya to be brought in Florida. For MSPs located outside of Florida, this can be time-consuming, inconvenient, and expensive.
3. The EULA and reseller terms contain extremely small limitations of liability.
If you are seeking recovery under the EULA and its limitations of liability sections are enforced, section 15 limits Kaseya’s liability to the payments received for the last six months. The limitation of liability section under the reseller terms is even more onerous – section 7.3 limits Kaseya’s liability to the two months of fees. A copy of the reseller terms is located here.
4. The License Agreement contains a purported class-action waiver.
In the event that several MSPs were thinking of getting together to file a class action lawsuit against Kaseya, such a case may face be an uphill battle. Section 16.7 of the EULA, contains the following waiver: “In addition, the parties agree that they may only bring claims against the other in their individual capacities and not as a plaintiff, class representative or member in any purported class or representative proceeding.” Most of the time, class-action waivers are used in conjunction with provisions requiring the parties to arbitrate all or most of their claims. It is considerably rare for parties to waive class-action litigation without a corresponding arbitration agreement. But, will that make the class-action waiver unenforceable?
Although it is not entirely clear, in Florida it appears that stand-alone class-action waivers can be enforceable. Typically, without a statutory non-waivable right to a class-action lawsuit, litigants are required to argue that the class-action waiver is unconscionable. Florida law requires parties claiming unconscionability to show both procedural and substantive unconscionability. Woebse v. Health Care & Ret. Corp. of Am., 977 So. 2d 630, 632 (Fla. 2d DCA 2008). Because it is difficult in Florida to demonstrate both procedural and substantive unconscionability, Florida courts that have considered the issue have generally found that the class-action waivers are enforceable.
5. There is no requirement that Kaseya indemnify and hold the MSP’s harmless for claims brought by end users.
In many instances, the MSPs were not directly injured by the ransomware attack, the attack impacted the MSP’s customers or end users. Kaseya purports to take no contractual responsibility for these types of injuries and instead, if any end-users make any claims against Kaseya directly, section 7.1 of the reseller terms and section 13.2 of the EULA require the MSP to defend Kaseya and pay for any damages. Although the MSP may try to argue that these provisions are not enforceable, there may be a lengthy argument over who is responsible.
6. There is no provision allowing the prevailing party to get attorneys’ fees (although there is a provision saying Kaseya gets its fees in the event that it files a lawsuit).
Florida, like many states, does not have a provision allowing for a winning litigant to recover its attorneys’ fees. Section 16.7 of the EULA contains a provision that purports to allow Kaseya to recover its attorneys’ fees, regardless of whether it is the winning party. Fortunately, under Florida statute 57.150(7), where there is a provision allowing one party to recover attorneys’ fees, the court may also award attorneys’ fees to the other party. It is important to note that the statute says “may” and not “must.” This means that the court does not have to award attorneys’ fees to the winning party if it does not wish to do so.
7. Litigation disrupts business operations and is stressful.
Before filing any litigation, MSPs should remember that a typical lawsuit lasts for a number of years. There is a tremendous amount of preparation involved, and if the MSP is not located in Florida, there will be travel associated with discovery, pre-trial hearings, and trial. That being said, sometimes litigation is important to enforce your rights and get compensation for injuries caused by the other party. MSPs should carefully consider the impact to their business and the nature and value of their claims before proceeding.
If you are an MSP impacted by ransomware attacks through Kaseya please call Scott & Scott, LLP for a free consultation.