A welter of legal action could tumble out of Adobe’s admission yesterday that it had suffered a far greater breach of data security in a cyber attack earlier this month, leading technology lawyers warn.
The California-based software multinational acknowledged that data from some 38 million users had been compromised, far more than the 2.9 million originally estimated earlier.
The company has launched an internal investigation, and expert lawyers forecast that third-party suppliers to Adobe will fall under the spotlight. “There are likely to be significant supply chain implications with this breach,” commented Philip James, partner and joint head of technology at London and Reading law firm Pitmans. “It is by no means definite, but I would not be surprised if the breach were the fault of a third party.”
James warned that Adobe would be particularly concerned about the breach potentially coming through cloud computing, the process by which data is held on third-party servers in various jurisdictions.
“Adobe will be reviewing its contracts with suppliers,” forecast James. “And while they are a sophisticated company with a sophisticated legal department, it doesn’t necessarily follow that all their contracts are up to date – especially in relation to such a fast evolving area.”
Lawyers suggest there could be issues around notification clauses in cases of a breach, and the type of meaningful information third-party suppliers should provide in case of cyber attack.
Ashley Hurst, a technology partner at London media law firm Olswang, described the Adobe attack as “a classic case study of a serious cyber security breach, with several significant legal and PR issues”.
He pointed out that the implications will reach the UK, with the Information Commissioner’s Office keen to discover whether the hack was caused by a failure on the part of the company, or that the company failed to act quickly enough once it knew it had been hacked. Commented Hurst: “Adobe will be trying hard to convince the commissioner that that isn’t the case because if it can’t it could face substantial fines.”
Adobe is also likely to face a large bill for notify users about the breach. That is especially crucial in the US, where the company will be obliged to pay for credit monitoring for up to a year for those users whose card details were compromised.
Lawyers suggested the most significant commercial implication for Adobe is the theft of its source code. “Exploiting vulnerabilities in the application will now be much easier,” said Pitmans’ Philip James. “I suspect this is only the beginning of this story and more will emerge over time.”
Earlier this weekThe Lawyer reported how a leading City law firm had fought off sophisticated cyber attacks within the last fortnight, reinforcing fears that hackers view legal practices as a soft underbelly route to stealing sensitive client information (28 October 2013).
For more on this read our feature: Cyber Security: Lawyers are the weakest link