Are managed service providers (MSPs) liable for cybersecurity breaches experienced by their clients? A lawsuit in California is exploring this legal question.
Sacramento, California law firm Mastagni Holstedt alleges that its MSP, privately owned, Sacramento-based LanTech LLC, failed to protect it from a ransomware attack that took down its systems.
ChannelE2E and affiliate site MSSP Alert have reviewed the complaint, in which Mastagni is seeking more than $1 million in damages. The firm, which employs 42 attorneys, is also suing backup vendor Acronis.
The law firm alleges that it was forced to pay the attacker, Black Basta, an undisclosed sum to regain access to its network. The incident occurred in February 2023, and the lawsuit was filed in February 2024.
A LanTech employee reached by telephone by ChannelE2E and MSSP Alert declined to comment, saying he knew nothing about the suit. Acronis denied any responsibility for the ransomware attack.
“Our investigation revealed that access credentials may have been compromised outside of our systems and used to delete the firm’s backups and execute a ransomware attack,” the company said in a statement to the Sacramento Bee. “Acronis has not been served with the lawsuit and will not be commenting further on this litigation.”
Black Basta, a Russian-speaking ransomware-as-a-service crew first detected in 2022, is said to have orchestrated some 300 ransomware attacks that have earned it more than $100 million in bitcoin ransom payments.
Oral Agreement Between LanTech, Law Firm
The lawsuit claims that the plaintiff and LanTech entered into an oral agreement in which the MSP was to “provide monitoring service, advice, installation, selling cloud backup and picking and selling software and hardware” for Mastagni.
On February 24, 2023, the law firm began to experience “connectivity issues,” according to the complaint. The plaintiff notified LanTech, which said the problem had been “resolved” but provided no further information about the firm’s cybersecurity risks, the lawsuit reads.
However, three days later, Mastagni was hit with a “major outage” of its systems that caused it to lose “access to its servers and data,” the lawsuit reads. Mastagni subsequently blamed a failure of LanTech’s cybersecurity protections for the ransomware infection.
“Thereafter, a ransom demand was made by a group known as Black Basta for plaintiff to recover access to its data,” the filing reads. The law firm attempted to recover its data through the Acronis backup system “but discovered that its data backup had been deleted.”
It is not yet clear whether Black Basta exfiltrated data from Mastagni. If it did, Mastagni itself could face liability: its clients could name it in lawsuits should they be exposed to cyberattacks as a result of this event.
Cyber Liability: More Cases to Come
That the parties did not enter into a written contract specifically spelling out the terms of the agreement and associated responsibilities and liabilities makes it “difficult to determine” how the lawsuit will be resolved, said Donald Geiter, an attorney specializing in cybersecurity law and policy who works with MSPs.
“What this [lawsuit] brings to light is a common thing that I see in the industry is you’ve got MSPs that know technology very well and businesses that know their business well but don’t know technology,” he said. “There’s a big difference between the delivery of technology and the delivery of cybersecurity.”
While this case might be the first of its kind, it won’t be the last, Geiter said.
“The reason that there aren’t any lawsuits of this kind is that often these things are resolved by cyber insurance,” he said. “And, if a large company was the client, the MSP would likely get fired, not sued.”
What Should MSPs Do?
Geiter advises his MSP clients to “make sure you’re all on the same page.” For example, MSPs should address the following questions:
- Do you have a solid contract? What sorts of limitation of liability are enforceable under your service contracts?
- Are roles and responsibilities relative to information security clearly identified in the contract?
- Does your target customer base bring extra liability potential to the table?
- Are your customers educated on cyber liability and doing enough to protect themselves?
- What do you know (or don't know) about your subcontractors?
Joseph Brunsman, founder and managing member of the Brunsman Advisory Group, a cyber insurance consultancy, said in a video on the lawsuit that the complaint is the plaintiff putting its best foot forward, trying to say, “Oh, we are angels, we have done nothing wrong, it’s all this other guy’s fault.”
Brunsman advises MSPs to pay attention to the lawsuit and to some “lessons learned” from the circumstances, specifically as they pertain to contracts.
- Have an appropriate tech E&O (errors and omissions) policy and make sure you understand it.
- Contractually require your clients to carry cybersecurity insurance.
- Be proactive and push liability back to the client.
Brunsman offered the following advice to MSPs:
- Talk to your clients about the cybersecurity risk.
- Talk to your clients about what additional, new controls are coming down the pike.
- Talk to your clients about what you’re offering; it’s not just a sales pitch, it’s also assisting you in trying to fight back against some of this liability.
- Talk to an attorney and get a limited liability clause on the books.
“If you have clients that refuse to take basic recommendations from you, then jettison those folks,” Brunsman said.