In the realm of cyber security there are many types of attacks and exploits that hackers use to gain unauthorized access to computer systems: viruses, Trojans, malware, ransomware, phishing, and a range of software vulnerabilities. So, what exactly is a zero-day vulnerability, and what makes this type of vulnerability so attractive to hackers? A zero-day vulnerability in software code or a browser is a flaw in a piece of programming that the software vendor has shipped without knowing the flaw is there. To say this another way, the software contains a vulnerability and is flawed from the start.
Hackers identify and exploit these vulnerabilities before the software developer can find them and correct them with a software patch. For that reason, these vulnerabilities are known in the cyber security world as zero-day vulnerabilities. Because the hacker makes the first move by writing code that exploits the flaw in the software, the attack is called a zero-day attack.
Hackers love to exploit zero-day vulnerabilities because they get the first-mover advantage. The hacker can exploit the vulnerability for as long as it takes the software developer to identify the flaw, create a patch for it, and deploy the patch to vulnerable systems. It can take a long time for zero-day vulnerabilities to be identified, which leaves the hacker free to profit from the holes in the software code until they are fixed.
According to Symantec, in 2015 there were 54 zero-day vulnerabilities that were identified, which is an increase of 125% over the previous year. Effectively, there was one new zero-day vulnerability identified every week in 2015. Nearly 20% of zero-day vulnerabilities were identified as being Flash Player related. It usually takes about a week from when the software developer or the public identifies a zero-day vulnerability for a patch to be developed, distributed, and deployed.
Since zero-day vulnerabilities are flaws in software, there is little that businesses can do to prevent them from existing in the first place. However, businesses can help reduce their risk and exposure by monitoring for system updates. Taking immediate action to install these patches when they are distributed can help close vulnerabilities in software systems. Installing patches should be a regular component of cyber security best practices.
When a zero-day vulnerability is exploited and customer data is exposed, the victimized business faces legal obligations and potential liability that arise independently of whether the business knew about the vulnerability. The legal standard is not whether a business knew about the specific flaw — it is whether the business maintained reasonable security practices that, in the aggregate, reflect an appropriate level of care for the data it holds.
The Federal Trade Commission has long taken the position that a failure to implement reasonable data security practices constitutes an unfair trade practice under Section 5 of the FTC Act, 15 U.S.C. § 45. The FTC does not require perfection — it does not hold businesses liable merely because a sophisticated attacker found a previously unknown vulnerability. But it does require that businesses maintain security measures commensurate with the sensitivity of the data they hold, promptly apply available patches for known vulnerabilities, and maintain visibility into their systems sufficient to detect anomalous behavior that might indicate an active attack.
A business that fails to patch a known vulnerability within a reasonable time after a patch is released — even if the breach occurs through a different, unknown vulnerability — may find that its overall security posture is judged insufficient. The FTC’s enforcement actions, including against companies like Wyndham Worldwide and LabMD, demonstrate that the agency focuses on the totality of a company’s security practices rather than any single failure.
A critical and often overlooked legal question in zero-day attacks is whether the software vendor whose product contained the vulnerability bears liability to businesses and individuals harmed by its exploitation. The answer depends heavily on the vendor’s licensing agreements and on the state where the claims arise.
Most commercial software licenses contain broad disclaimers of warranty and limitations on consequential damages that significantly constrain a customer’s ability to sue the vendor for losses caused by a security vulnerability in the software. Courts have generally enforced these contractual limitations. However, some courts have recognized that a vendor’s disclaimer of the implied warranty of merchantability may be unconscionable in cases where the software is marketed for security-sensitive applications and the defect is fundamental.
The emerging area of software liability is receiving increasing legislative and regulatory attention. The Biden administration’s 2023 National Cybersecurity Strategy explicitly called for shifting liability to software vendors for knowingly releasing products with security defects, and the concept has been debated in Congress. While comprehensive federal software liability legislation has not yet been enacted, the trajectory of the policy debate suggests that vendor liability for zero-day vulnerabilities will become a more prominent legal issue in the years ahead.
When a zero-day attack results in unauthorized access to personal information, state data breach notification laws are triggered. All 50 states have enacted notification statutes, and the obligations arise from the fact of the breach, not from the business’s fault in causing it. A business that suffers a zero-day attack must still notify affected individuals, and in many states must notify the state attorney general, within the timeframes specified by each applicable state law.
Several states have enacted particularly rigorous requirements. Florida requires notification within 30 days of determining a breach occurred. Colorado requires notification within 30 days of discovery. New York’s SHIELD Act requires notification in the “most expedient time possible and without unreasonable delay,” and also requires notification to state agencies when 500 or more New York residents are affected. The fact that the breach was caused by an unknown vulnerability is not a defense to failure to notify — it may be relevant to penalty determinations, but it does not eliminate the notification obligation.
Regulated industries face sector-specific obligations when zero-day attacks cause breaches. Financial institutions subject to the GLBA Safeguards Rule, 16 C.F.R. Part 314, must notify the FTC within 30 days when a breach affects 500 or more customers, regardless of how the breach occurred. Healthcare covered entities must comply with the HIPAA Breach Notification Rule, 45 C.F.R. §§ 164.400–414, which requires individual and HHS notification within 60 days of discovery. Financial institutions regulated by the OCC, FDIC, or Federal Reserve must comply with the interagency guidance on response programs for unauthorized access to customer information, which requires notification to regulators within 36 hours of determining that a notification incident has occurred.
Several high-profile breaches caused by zero-day vulnerabilities illustrate the legal exposure these attacks create. The 2011 RSA Security breach, which compromised SecurID authentication tokens used by thousands of government contractors and financial institutions, was carried out using a zero-day exploit in Adobe Flash. The breach ultimately cost RSA’s parent company, EMC, approximately $66 million in remediation and resulted in widespread litigation by affected companies.
The 2014 Sony Pictures breach, while involving multiple attack vectors, exploited several vulnerabilities in Sony’s network infrastructure that were unknown at the time of the attack. The breach exposed the personal and financial information of approximately 47,000 current and former employees. Sony faced class action litigation by affected employees asserting negligence claims based on Sony’s alleged failure to maintain adequate security practices even before the specific zero-day vulnerabilities were exploited.
If you have been hacked due to a zero-day vulnerability, you should speak with an experienced data breach lawyer to determine your legal options and obligations under the law after a system hack. Contact the attorneys at Revision Legal using the form on this page or call us at 855-473-8474.