Businesses that failed to update their Windows-based computer systems, making them vulnerable to the massive WannaCry ransomware attack over the weekend, could face lawsuits over their lax cybersecurity, claim legal experts.
Microsoft says the affected Windows computers did not have security patches or were running the older Windows XP system that is no longer supported by the company.
Data privacy lawyer Edward McAndrew from Ballard Spahr told Reuters that businesses could be sued if they failed to deliver services because of the attack. "There is this stream of liability that flows from the ransomware attack," he said. "That's liability to individuals, consumers and patients."
Christopher Dore, a lawyer at Edelson PC, said companies hit by the ransomware because they did not have the Microsoft update or were using the older Windows version could face lawsuits.
Dore said: "Using outdated versions of Windows that are no longer supported raises a lot of questions. It would arguably be knowingly negligent to let those systems stay in place."
Scott Vernick, a data security lawyer at Fox Rothschild, said businesses that failed to update their software could face scrutiny from the US Federal Trade Commission. The FTC has previously sued companies for misrepresenting their data privacy measures.
Microsoft unlikely to face lawsuit
According to legal experts, it is highly unlikely that Microsoft would face any legal trouble over the ransomware attack.
Michael Scott, a professor at Southwestern Law School, said Microsoft sells software under a licensing agreement that states the company is not liable for any security breach.
Alex Abdo, a staff attorney at the Knight First Amendment Institute at Columbia University, noted that software companies including Microsoft have settled lawsuits that could lead to court rulings.
"This area of law has been stunted in its growth. It is very difficult to hold software manufacturers accountable for flaws in their products," said Abdo.
WannaCry has affected more than 200,000 Windows computers worldwide, disrupting major businesses including car factories, FedEx and the UK's National Health Service. The ransomware shut down the systems by encrypting data and then demanding $300 as ransom to unlock them.
WannaCry exploits a vulnerability in older versions of Windows including Windows 7 and XP. Microsoft issued a security patch in March that stopped WannaCry and other malware in Windows 7. Over the weekend, the company released a similar software patch for Windows XP.