- Privacy Risk Report - https://privacyriskreport.com -

Recent Case Highlights Potential For Fallout With Vendors That Assist In Responding To Cyber Incident

Protecting against cyber attacks requires coordination between data collectors and the vendors who assist in protecting that data. Typically, vendors include public relations professionals, forensic experts and security experts who assist after the breach. It is important to keep in mind that a vendor’s work may be controlled through contracts or agreements that place a number of obligations on a data collector. That is, in order to receive the vendor’s assistance, a data collector may have to agree to various conditions, including indemnifying the vendor and having all disputes resolved through arbitration. In short, data collectors will need to be fully aware of their obligations before they enter into vendor agreements.

One recent example of a data collector getting sideways with its vendor was seen in the fallout after the Orange County Transportation Authority (“OCTA”) suffered a ransomware attack in 2016. (The Privacy Risk Report addressed this breach and its consequences in greater detail on August 16, 2016 [1].) After the ransomware incident, the OCTA and the vendor that assisted with the response disagreed over whether the OCTA’s claims should be arbitrated or litigated in court. After analyzing the arbitration agreement between the parties, the federal court rejected the OCTA’s argument that its misrepresentation and negligent performance claims fall outside the arbitration clause in its vendor agreement and dismissed the OCTA’s lawsuit.

The OCTA suffered a ransomware attack that shut down a number of its computers, causing more than $600,000 in damages. Specifically, the OCTA reportedly paid nearly $300,000 in labor costs and $218,000 for emergency contracts for technical assistance with the incident. The attack is said to have cut off access to 88 servers that limited access to a number of programs including e-mail, voicemail, intranet, employee assignments and payroll. Rather than pay the requested $8,500 ransom, OCTA worked for days to restore the servers, find the malware and secure the servers against future attacks. OCTA officers stated that services were uninterrupted and no credit card or other personal information was compromised during the attack.

In defending the decision not to pay the ransom, the OCTA spokesperson stated, “[t]he FBI opposes paying ransom for cyber attacks, and so does [the Transportation Authority]. If we pay ransom to a criminal, there is no guarantee that our servers would be released, and the agency would likely be a target again because the attackers know they pay up.” All things considered, the OCTA’s response to the ransomware attack was a success.

While the response to the attack may have been successful, the OCTA immediately ran into a dispute with one of its vendors after the attack. This dispute between the OCTA and its vendor, Sharepoint 360, ultimately ended up in the District Court for the Southern District of California in a case entitled Nat’l Union Fire Ins. Co. of Pittsburgh, As Subrogee of The Orange County Transportation Authority v. Sharepoint 360, Inc., 2019 WL 1382894 (S.D. Cal. Mar. 27, 2019). It is important to note that the OCTA assigned its claims against Sharepoint to its insurer, National Union, after National Union paid the OCTA’s damages related to the ransomware attack under its insurance policy. After stepping into the shoes of its insured, the OCTA, National Union claimed Sharepoint breached its contract with the OCTA, sought indemnity from Sharepoint and further claimed Sharepoint was negligent in providing its services in response to the ransomware incident.

While National Union conceded the breach of contract and indemnity claims were subject to arbitration under an agreement executed by the OCTA and Sharepoint, National Union argued “the gross negligence claim [was] not arbitrable because it is based on ‘an independent duty that is … not dependent upon the contract.’”

In rejecting National Union’s position and finding that the entire action against Sharepoint should be arbitrated, the District Court first noted that the arbitration clause in the agreement between the OCTA and Sharepoint states that “[a]ny dispute or controversy arising from or related to this Agreement or the rights of the parties to this Agreement shall be settled by binding arbitration ….” The District Court held “[t]his language does not limit arbitration to the literal interpretation or performance of the Agreement.” Consequently, the District Court dismissed National Union’s entire lawsuit in order to allow the claims to be arbitrated.

The District Court found support for its dismissal of National Union’s action in Simula, Inc. v. Autoliv, Inc., 175 F.3d 716, 721 (9th Cir. 1999), where the Ninth Circuit Court of Appeals held: “To require arbitration, [Plaintiff’s] factual allegations need only ‘touch matters’ covered by the contract containing the arbitration clause and all doubts are to be resolved in favor of arbitrability.” Based on this reasoning, the District Court found National Union’s complaint should be dismissed to the extent “[t]he facts alleged in support of the gross negligence claim describe [Sharepoint’s] performance of the Agreement, i.e., failure to monitor software and firewalls, failure to patch their vulnerabilities, and failure to properly provide archival and backup copies of data.”

While this incident originally showed the importance of being prepared for ransomware, this latest development shows the importance of carefully considering all terms and conditions in contracts with vendors that will assist with pre-breach and post-breach security. In short, the best strategy involves data collectors and vendors working together before there is an incident to understand their obligations during the stress of responding to a cyber incident.