Recent coverage of data breach and cybersecurity litigation has focused on developments concerning Article III standing and inventive Plaintiff’s counsel seeking to rely on a cyberattack to bring quintessential consumer pricing class actions. However, there is a new development looming on the horizon that has received little attention so far: the threat posed by so-called “killware” and what it may mean for data privacy and cybersecurity.
Killware is the newest form of cyber threat, as Secretary Alejandro Mayorkas of the U.S. Department of Homeland Security recently advised. It involves hackers maliciously targeting and exploiting the interconnectedness of critical aspects everyday life (think electronic medical devices, infrastructure, transportation networks and the like) for the express purpose of causing individuals serious physical harm. It can occur through cybercriminals hijacking, for instance, a car and deliberately forcing a malfunction.
The threat of cyberattacks to patient safety has been of concern to the healthcare community for some time. At a 2018 CyberMed summit, physicians had mere minutes to respond to a training scenario where a patient’s pacemaker had been hacked to misfire. Saving the patient required resorting to measures that are rarely used to manage faulty pacemakers in the decades since the devices became widespread.
This year there have already been serious threats to public safety caused by killware-like attacks, although at the time these incidents were overshadowed by other developments. For instance, this February, hackers attacked a water treatment facility in Florida, attempting to change the chemical composition in the water to levels that would have been deadly had the attack not been stopped in time. And earlier this year, the Wall Street Journal reported on a cyberattack attack directed at an Alabama hospital that resulted in the death of an infant. In that report, the Journal indicated that cyberattacks are increasingly focused on hospitals for ransomware attacks, as cybercriminals anticipate that hospital executives would prioritize the lives of patients over any reluctance over providing cybercriminals a cash payout.
While the traffic light hacking sequence in the 2003 movie The Italian Job at the time was entertaining, the scene viewed today in light of killware takes on a sobering new dimension. To put it simply, if the killware threat materializes, it will be a game changer going forward. Protecting the public’s health is the utmost priority and preempting killware requires strengthening the public and private sectors’ cyber-defenses, among other measures. However, a fulsome understanding of potential impact of killware also requires consideration of its legal implications. Killware has the potential to transform the landscape of data breach and consumer privacy litigation by essentially turning cyberattacks into another form of mass torts.
For instance, the days of courts in cybersecurity litigations engaging in protracted disagreements regarding Article III standing based upon future speculative harm would become altogether irrelevant. Similarly, defendants’ reliance on the economic loss doctrine to defeat cybersecurity class actions would also be eliminated. The reason for this is that negligence claims based on physical harm caused by killware attacks would bypass the economic loss doctrine, under which there is no cause of action for allegations of negligence that only result in economic loss, without any physical damage or damage to property. Similar shifts would also be anticipated in relation to certain arguments regarding causation and damages in cybersecurity litigation, as well as class certification.
As new threats are posed by increasingly sophisticated technology and technical capacities, consumer privacy litigation has continued to evolve. It remains to be seen whether the killware threat will materialize. However, killware has already proven to be a tangible threat to public health and infrastructure that could once again reshape entirely this legal landscape.