January 18, 2022

Volume XII, Number 18

Advertisement
Advertisement

Killware: The New Cyber Threat and What It May Mean for Data Breach and Cybersecurity Litigations

Recent coverage of data breach and cybersecurity litigation has focused on developments concerning Article III standing and inventive Plaintiff’s counsel seeking to rely on a cyberattack to bring quintessential consumer pricing class actions.  However, there is a new development looming on the horizon that has received little attention so far: the threat posed by so-called “killware” and what it may mean for data privacy and cybersecurity.

Killware is the newest form of cyber threat, as Secretary Alejandro Mayorkas of the U.S. Department of Homeland Security recently advised.  It involves hackers maliciously targeting and exploiting the interconnectedness of critical aspects everyday life (think electronic medical devices, infrastructure, transportation networks and the like) for the express purpose of causing individuals serious physical harm.  It can occur through cybercriminals hijacking, for instance, a car and deliberately forcing a malfunction.

The threat of cyberattacks to patient safety has been of concern to the healthcare community for some time.  At a 2018 CyberMed summit, physicians had mere minutes to respond to a training scenario where a patient’s pacemaker had been hacked to misfire.  Saving the patient required resorting to measures that are rarely used to manage faulty pacemakers in the decades since the devices became widespread.

This year there have already been serious threats to public safety caused by killware-like attacks, although at the time these incidents were overshadowed by other developments.  For instance, this February, hackers attacked a water treatment facility in Florida, attempting to change the chemical composition in the water to levels that would have been deadly had the attack not been stopped in time.  And earlier this year, the Wall Street Journal reported on a cyberattack attack directed at an Alabama hospital that resulted in the death of an infant.  In that report, the Journal indicated that cyberattacks are increasingly focused on hospitals for ransomware attacks, as cybercriminals anticipate that hospital executives would prioritize the lives of patients over any reluctance over providing cybercriminals a cash payout.

While the traffic light hacking sequence in the 2003 movie The Italian Job at the time was entertaining, the scene viewed today in light of killware takes on a sobering new dimension.  To put it simply, if the killware threat materializes, it will be a game changer going forward.  Protecting the public’s health is the utmost priority and preempting killware requires strengthening the public and private sectors’ cyber-defenses, among other measures.  However, a fulsome understanding of potential impact of killware also requires consideration of its legal implications.  Killware has the potential to transform the landscape of data breach and consumer privacy litigation by essentially turning cyberattacks into another form of mass torts.

For instance, the days of courts in cybersecurity litigations engaging in protracted disagreements regarding Article III standing based upon future speculative harm would become altogether irrelevant.  Similarly, defendants’  reliance on the economic loss doctrine to defeat cybersecurity class actions would also be eliminated.  The reason for this is that negligence claims based on physical harm caused by killware attacks would bypass the economic loss doctrine, under which there is no cause of action for allegations of negligence that only result in economic loss, without any physical damage or damage to property.  Similar shifts would also be anticipated in relation to certain arguments regarding causation and damages in cybersecurity litigation, as well as class certification.

As new threats are posed by increasingly sophisticated technology and technical capacities, consumer privacy litigation has continued to evolve.  It remains to be seen whether the killware threat will materialize.  However, killware has already proven to be a tangible threat to public health and infrastructure that could once again reshape entirely this legal landscape.

© Copyright 2022 Squire Patton Boggs (US) LLPNational Law Review, Volume XI, Number 307
Advertisement
Advertisement
Advertisement
Advertisement
Advertisement
Advertisement

About this Author

Kristin L. Bryan Litigation Attorney Squire Patton Boggs Cleveland, OH & New York, NY
Senior Associate

Kristin Bryan is a litigator experienced in the efficient resolution of contract, commercial and complex business disputes, including multidistrict litigation and putative class actions, in courts nationwide.

She has successfully represented Fortune 15 clients in high-stakes cases involving a wide range of subject matters.

As a natural extension of her experience litigating data privacy disputes, Kristin is also experienced in providing business-oriented privacy advice to a wide range of clients, with a particular focus on companies handling customers’ personal data. In this...

216-479-8070
Christina Lamoureux Litigation Attorney Squire Patton Boggs Washington DC
Associate

Christina Lamoureux is an associate in the Litigation Practice in the Washington DC office. She represents a wide variety of clients in complex commercial matters.

Admissions

  • District of Columbia, 2020

Related Services

  • Litigation
202-457-6095
Elizabeth Helping Columbus Ohio Litigation Liability Associate Attorney Squire Patton Boggs
Associate

Elizabeth P. Helpling is a member of the Litigation Practice, where her practice focuses on complex and general litigation matters, including commercial liability matters, alternative dispute resolution and insurance litigation. She is also a member of the Judicial Release Coalition, and her pro bono work focuses on criminal justice reform and advocacy.

614 365 2821
Advertisement
Advertisement
Advertisement