United States:
Killware: The New Cyber Threat And What It May Mean For Data Breach And Cybersecurity Litigations
To print this article, all you need is to be registered or login on Mondaq.com.
Recent coverage of data breach and cybersecurity litigation has
focused on developments concerning Article III standing
and inventive Plaintiff’s counsel seeking to rely on a cyberattack to bring
quintessential consumer pricing class actions. However,
there is a new development looming on the horizon that has received
little attention so far: the threat posed by so-called
“killware” and what it may mean for data privacy and
cybersecurity.
Killware is the newest form of cyber threat,
as Secretary Alejandro Mayorkas of the U.S. Department of Homeland
Security recently advised. It involves hackers maliciously
targeting and exploiting the interconnectedness of critical aspects
everyday life (think electronic medical devices, infrastructure,
transportation networks and the like) for the express purpose of
causing individuals serious physical harm. It can occur
through cybercriminals hijacking, for instance, a car and
deliberately forcing a malfunction.
The threat of cyberattacks to patient safety has been of concern
to the healthcare community for some time. At a 2018 CyberMed summit, physicians had mere minutes
to respond to a training scenario where a patient’s pacemaker
had been hacked to misfire. Saving the patient required
resorting to measures that are rarely used to manage faulty
pacemakers in the decades since the devices became widespread.
This year there have already been serious threats to public
safety caused by killware-like attacks, although at the time these
incidents were overshadowed by other developments. For
instance, this February, hackers attacked a water treatment
facility in Florida, attempting to change the chemical composition
in the water to levels that would have been deadly had the attack
not been stopped in time. And earlier this year, the Wall Street Journal reported on a cyberattack
attack directed at an Alabama hospital that resulted in the death
of an infant. In that report, the Journal indicated that cyberattacks are increasingly
focused on hospitals for ransomware attacks, as cybercriminals
anticipate that hospital executives would prioritize the lives of
patients over any reluctance over providing cybercriminals a cash
payout.
While the traffic light hacking sequence in the 2003 movie
The Italian Job at the time was entertaining, the scene
viewed today in light of killware takes on a sobering new
dimension. To put it simply, if the killware threat
materializes, it will be a game changer going forward.
Protecting the public’s health is the utmost priority and
preempting killware requires strengthening the public and private
sectors’ cyber-defenses, among other measures. However, a
fulsome understanding of potential impact of killware also requires
consideration of its legal implications. Killware has the
potential to transform the landscape of data breach and consumer
privacy litigation by essentially turning cyberattacks into another
form of mass torts.
For instance, the days of courts in cybersecurity litigations engaging in protracted disagreements regarding Article III standing based upon future speculative harm would become
altogether irrelevant. Similarly, defendants’
reliance on the economic loss doctrine to defeat cybersecurity
class actions would also be eliminated. The reason for this
is that negligence claims based on physical harm caused by killware
attacks would bypass the economic loss doctrine, under which there is
no cause of action for allegations of negligence that only result
in economic loss, without any physical damage or damage to
property. Similar shifts would also be anticipated in
relation to certain arguments regarding causation and damages in
cybersecurity litigation, as well as class certification.
As new threats are posed by increasingly sophisticated
technology and technical capacities, consumer privacy litigation
has continued to evolve. It remains to be seen whether the
killware threat will materialize. However, killware has
already proven to be a tangible threat to public health and
infrastructure that could once again reshape entirely this legal
landscape.
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
POPULAR ARTICLES ON: Technology from United States