Understanding the MOVEit data breach: navigating long tail liability risks in the wake of cyber incidents

The fallout from the 2023 MOVEit data breach has sent reverberations throughout the legal landscape, serving as a stark reminder of the long-tail liability risks faced in an increasingly digital world. Here, Clyde & Co’s Rosehana Amin and Adam Leese consider the key implications arising from this and other cyber incidents.

Triggering a cascade of lawsuits across the US, the MOVEit data breach not only targeted Progress Software, the owner of the comprised MOVEit software, but also the numerous organisations utilising it as part of their services. As litigation developed into a Multidistrict Litigation (MDL), it underscored the escalating volume and value of class actions in the US stemming from data breaches. Claimants do, however, face challenges in gaining class certification.

The MOVEit data breach: the facts

The vulnerability discovery:

In June 2023, hackers from Russian cybergang Clop discovered a security vulnerability in MOVEit, a file transfer software owned by Progress Software. Clop allegedly discovered the security vulnerability in 2021, but only began exploiting it in May 2023. MOVEit, which is marketed as software that “guarantees the security of sensitive files both at rest and in-transit”, was at the centre of a data breach.

The stolen data:

The security vulnerability allowed Clop to steal data from Progress Software as well as third-party organisations using MOVEit. This included private, personal information of individuals, including social security numbers. Clop sent ransom notes to executives at companies that were hacked, threatening to leak the data by publishing on its website if companies failed to pay the ransom fee.

Supply chain implications:

Many organisations affected by the breach relied on MOVEit to handle data received from third parties. Consequently, the MOVEit data breach cascaded through the supply chain, impacting various parties. Financial services companies, government agencies and other entitles found themselves impacted. Reports state that more than 60 million individuals have been affected, with around 80% of impacted organisations being in the US.

Ensuing litigation

Plaintiffs in the US are suing both Progress Software and those organisations that used MOVEit in respect of the breach of data, bringing claims of negligence, alleging failures to:

• Take adequate steps to secure customer data;
• Monitor and maintain basic network safeguards;
• Maintain adequate data retention policies;
• Comply with industry standards of data and security; and
• Properly encrypt users’ information.

In a 4 October 2023 decision, the US Judicial Panel on Multidistrict Litigation consolidated more than 240 lawsuits across the US into a singular action. The panel determined that, at their core, each lawsuit revolved around the same central issue, that being MOVEit’s security vulnerability.

Class action litigation arising from cyber attacks

Data shows that data breach class actions in the US increased dramatically in volume in 2023 when compared with 2022, and the value of settlements in data breach class actions also increased. However, it is only a minority of data breach claims commenced that were granted class action certification. This uncertainty regarding classification of data breach class actions can impact the long-tail liability risks arising from a cyber incident.

Uncertainty contributes to long-tail liability risk

The uncertain terrain surrounding class certification underscores the protracted nature of legal battles following cyber breaches. This uncertainty could mean there is a long period of time between the initial data breach and the lawsuit commencing; or a drip feeding of lawsuits, with plaintiffs bringing claims one by one, potentially leading to even more uncertainty, both with regard to the final outcome and a greater risk of increasing time and cost spent dealing with the claims.

The MOVEit MDL has the potential to set a standard for data breach lawsuits involving third-party vendors, so we will be keeping a close eye on its progress.

Remember

The MOVEit data breach serves as a stark reminder of the importance of robust security measures. As organisations grapple with evolving threats, proactive steps such as vulnerability assessments, employee training, a review of policies and procedures, and supply chain scrutiny, are crucial.

Contributed by Rosehana Amin, partner, and Adam Leese, trainee solicitor, at Clyde & Co