Are managed service providers liable for cybersecurity breaches experienced by their clients? A California lawsuit considers this legal question.
The Sacramento, Calif., law firm Mastagni Holstedt claims that its MSP, LanTech LLC, a privately held Sacramento-based company, failed to protect the firm from a ransomware attack that brought down its systems.
ChannelE2E and its affiliate site MSSP Alert reviewed the complaint, in which Mastagni seeks more than $1 million in damages. The firm employs 42 attorneys. It is also suing backup vendor Acronis.
The law firm claims it was forced to pay an undisclosed amount to the attacker, Black Basta, to regain access to the network. The incident occurred in February 2023 and the lawsuit was filed in February 2024.
LanTech employees declined to comment when contacted by ChannelE2E and MSSP Alert by phone, saying they had no knowledge of the lawsuit. Acronis denied any responsibility for the ransomware attack.
In a statement to the Sacramento Bee, Acronis said: “Our investigation revealed that access credentials were compromised externally to our systems and may have been used to delete company backups and conduct ransomware attacks. Acronis has not accepted the lawsuit and will not be commenting further on this lawsuit.”
Black Basta, a Russian-speaking ransomware-as-a-service collective first discovered in 2022, claims to have orchestrated around 300 ransomware attacks and forced Bitcoin ransom payments of more than $100 million.
Oral agreement between LanTech and law firm
According to the complaint, the plaintiffs and LanTech entered into an oral agreement under which the MSP would provide Mastagni with “monitoring services, advice, installation, cloud backup sales, and software and hardware selection and sales.”
According to the complaint, the law firm claimed that on February 24, 2023, it began experiencing “connectivity issues.” The plaintiffs then notified LanTech, which said the issue had been “resolved,” but provided no additional information about the cybersecurity risks, the complaint states.
But three days later, Mastagni suffered a “massive outage” of its systems, resulting in a loss of “access to servers and data,” the lawsuit says. Mastagni later claimed that LanTech's failures in cybersecurity protections were the cause of the ransomware infection.
“A group known as Black Basta then demanded a ransom from Plaintiff to restore access to that data,” the filing states. The law firm tried to restore the data through the Acronis backup system, but “found that the data backup had been deleted.”
At this time, it is not clear whether Black Basta leaked data from Mastagni. However, data theft could expose Mastagni to liability of its own, and the firm could itself be named in a lawsuit if its customers were exposed to cyberattacks as a result of the incident.
Cyber liability: More lawsuits to come
Donald Geiter, a lawyer specializing in cybersecurity law and policy, said the lack of a written contract between the parties, one that specifically spells out the terms and associated responsibilities of working with the MSP, makes it hard to see how the lawsuit will be resolved. “It's difficult to judge,” he said.
“What is this [lawsuit]? What I often see in this industry is that you have MSPs who know the technology well, and you have companies who know their business well but don’t know the technology,” he said. “There is a big difference between delivering technology and delivering cybersecurity.”
Geiter said it may be the first lawsuit of its kind, but it won't be the last.
“The reason we don't have these types of lawsuits is because these issues are often resolved through cyber insurance,” he said. “And if a large company is the client, the MSP is likely to be fired rather than sued.”
What should MSPs do?
Geiter advises MSP clients to “make sure everyone is on the same page.” For example, MSPs need to address the following questions:
- Do you have a solid contract? What types of liability limitations apply in service agreements?
- Are information security roles and responsibilities clearly specified in the contract?
- Does your target customer base offer the potential for additional responsibilities?
- Are your customers educated about cyber responsibility and doing enough to protect themselves?
- What do you know (or don’t know) about your subcontractors?
Joseph Brunsman, founder and managing member of the cyber insurance consultancy Brunsman Advisory Group, said the lawsuit is an attempt by the plaintiffs to do everything in their power to say, “Oh, we're angels, we did nothing wrong. No, this is all the other guy’s fault,” he said in a video about the lawsuit.
Brunsman advises MSPs to pay attention to the “lessons learned” from the litigation, particularly where contracts are concerned.
- Make sure you have a good technical E&O (errors and omissions) policy in place and understand it.
- Contractually require your clients to purchase cybersecurity insurance.
- Be proactive and shift the responsibility back to the client.
Brunsman offered the following advice to MSPs:
- Discuss cybersecurity risks with your clients.
- Discuss with your client what additional new controls may be coming in the future.
- Talk to your clients about what you are offering. It's not just a sales pitch; it also helps to counter some of this responsibility.
- Consult a lawyer to have a limited liability clause included in your books.
“If you have clients who refuse basic recommendations from you, throw them out,” Brunsman said.