Today, Microsoft released patches for 44 security vulnerabilities in Windows and related products. According to Microsoft, at least one of these vulnerabilities is being actively exploited. Organizations that use Microsoft products should patch their software as soon as possible.
The release of software patches, even ones patching actively exploited vulnerabilities, is, unfortunately, not news. But we wanted to take this opportunity to remind our clients about some legal issues related to patching.
Failing to Patch Creates Liability
Updating software is essential to running a modern business. In the past, there was at least some room to debate particular patches due to the possibility that a patch could break legacy software or cause other disruptions. While patch testing and validation is still a critical part of software updates, there is very little tolerance for unpatched software. The Equifax data breach is an excellent case study.
On March 8, 2017, the United States Computer Emergency Readiness Team (US-CERT) issued an alert about a newly discovered vulnerability in software that Equifax used to manage its web applications. The next day, Equifax’s computer security team sent an email to 400 employees directing them to update their software within 48 hours in accordance with Equifax’s Patch Management Policy.
The next week, Equifax conducted an automated vulnerability scan of its network to ensure that all the relevant software was patched. Unfortunately, the scanner was not configured correctly and missed a web application, called the ACIS Dispute Portal. This portal remained unpatched for more than four months.
During these four months, attackers exploited the vulnerability (as well as some other security issues) and stole an enormous amount of personal information, including 145.5 million Social Security Numbers.
Ultimately, Equifax agreed to pay between $575 and $700 million dollars in a settlement with the FTC, CFPB, and 50 U.S. states and territories. It is subject to additional litigation, as well as significant harm to its reputation. Due to its privileged status as one of three nationwide consumer reporting agencies, Equifax will survive. Organizations that do not have such a privileged position may not survive such a widespread security failure.
There are a number of lessons we can draw from Equifax’s experience. First, an unpatched security vulnerability creates almost strict liability. Second, organizations must have systems in place to patch vulnerabilities, including policies, patch testing, and vulnerability scanners. And finally, Organizations must audit these systems regularly to ensure that they are patching their software appropriately.
Outdated Software Should Be Removed
Software has a lifecycle, and at some point, that lifecycle ends. Software that has reached its End of Life (EOL) must be replaced or otherwise protected. All software has vulnerabilities, and people will continue to discover those vulnerabilities even after software has reached EOL. What changes at EOL is that the software vendor no longer patches those vulnerabilities.
Some legal regimes, such as HIPAA, explicitly address EOL software. But even if an organization isn’t subject to one of those regimes, EOL software is unpatched software and creates the same risks that we saw in the Equifax case study.
There are ways to protect EOL software, especially in circumstances where an organization relies on proprietary software with little in the way of commercial replacement. If an organization decides to use EOL software, it must take the appropriate steps to protect that software and understand the risks involved.
Microsoft’s recent software update release is an excellent opportunity to validate existing patch management and software update programs. A program failure in these areas can create significant legal liability for companies, and the opportunities for failure abound.
If you have any questions about software patching, legal liability, or any related questions, please contact our cybersecurity legal experts at the link below.