Legal Scholar Warns of Fragility in Global Cybersecurity Infrastructure
Last Friday, a critical IT outage wreaked havoc across the globe, impacting airlines, emergency services, and retail businesses. The disruption began when cybersecurity firm CrowdStrike released a faulty software update, causing widespread system failures. Although the issue was eventually resolved, the aftermath continued to disrupt operations over the weekend, leaving passengers stranded, surgeries postponed, and retailers grappling with unexpected closures.
Andrew D. Selbst, a visiting assistant professor at Harvard Law School with expertise in technology and the law, commented in Harvard Law Today on the incident's implications for both cybersecurity and legal accountability.
"The CrowdStrike snafu illustrates how fragile our infrastructure is," said Selbst. "There are only a few companies that manage much of the world's software, and that poses significant risks."
Selbst pointed out that while tech companies traditionally face limited liability for software bugs, the CrowdStrike incident could lead to substantial lawsuits, especially from larger business clients with negotiated contracts. Smaller companies, however, might face more challenges as their contracts typically include broad liability disclaimers.
The incident underscores the vulnerability of modern technology, a concern that extends to data breaches. Despite substantial investments in cybersecurity, companies like CrowdStrike often struggle to prevent attacks. The recent class action lawsuit against AT&T highlights ongoing issues; plaintiffs allege that the company’s inadequate cybersecurity measures allowed hackers to access their private call and text records.
Selbst discussed the limited recourse available to consumers following data breaches. Current regulatory frameworks include breach notification laws, negligence lawsuits, and regulatory actions by entities such as the Federal Trade Commission (FTC). However, Selbst noted that most individuals receive minimal compensation from negligence suits, often settling for credit monitoring services or small monetary settlements. The real focus, he argued, should be on enforcing existing laws more effectively and holding companies accountable for their cybersecurity practices.
In response to whether the type of data stolen affects a company’s liability, Selbst explained that financial harm typically constitutes a legally recognized injury, while non-financial losses, such as embarrassment, are less likely to result in compensation. He emphasized that while data breaches cannot be entirely avoided, companies must implement reasonable safeguards to minimize risk.
Looking ahead, Selbst advocated for a reevaluation of current legal and regulatory approaches. "We need to use the laws we have — and enforce them," he stated. "There’s no need for an entirely new legal framework; instead, we should apply and update existing laws to address the evolving technological landscape."
As the frequency of sophisticated cyberattacks increases, the legal system faces mounting pressure to balance liability and enforcement while encouraging companies to enhance their cybersecurity measures. The CrowdStrike incident serves as a stark reminder of the need for robust and effective regulatory and legal responses to safeguard our increasingly interconnected world.