This is not the first lawsuit filed against SolarWinds related to the 2020 security breach; however, past derivative suits related to cybersecurity have resulted in a mixed bag of dismissals and settlements.
In October, the Delaware Chancery Court dismissed, on procedural grounds, a cybersecurity derivative suit against Marriott over its alleged lack of oversight leading to a data breach. In 2019, Yahoo! agreed to pay $29 million to settle multiple derivative suits levied against the company related to massive data breaches between 2013 and 2016. In 2017, Home Depot settled a derivative suit, after it was originally dismissed and then appealed, by agreeing to implement various cybersecurity measures such as regular testing, oversight procedures, incident response plans, and monitoring procedures.
Recently, the federal government—which was also a victim of the SolarWinds breach—moved to enforce cybersecurity standards on government contractors, such as SolarWinds, through the False Claims Act. However, even in the wake of new privacy laws, private individuals or entities that are directly or indirectly affected by lapses in cybersecurity are limited in the recourse they can seek.
Earlier lawsuits focused on allegations that SolarWinds made material misrepresentations with regard to its cybersecurity. Those lawsuits, however, failed to advance.
The complaint against current and former SolarWinds directors alleges the board of directors failed to properly mitigate obvious cybersecurity risks leading up to, and likely resulting in, the security breach. Therefore, the plaintiffs allege the directors breached their fiduciary duties of loyalty, care, and good faith.
In spring 2020, SolarWinds sent out an update for its popular and widely used software, Orion. The update, a routine release meant to fix bugs and patch errors and gaps, unwittingly allowed hackers to put malicious code into the Orion software and then onto thousands of businesses’ systems through the update download.
Malicious code can refer to trojan horses, viruses, malware, or any code used to allow unauthorized access, use, or modification to computer systems and information. In this case, the hackers used a malicious code called “Sunburst,” which is a sophisticated trojan horse that granted them backdoor access to SolarWinds customers’ systems.
When customers went to download the update file, the hackers swapped the actual update with the Sunburst trojan horse. If a customer downloaded and deployed the update, the hackers were then able to access any of that customer’s systems that were running the Orion software.
Additionally, the Sunburst trojan horse was able to shield the hackers from being detected as their unauthorized access continued.
Ironically, Orion is software designed to help businesses in their cybersecurity efforts, specifically by providing a network monitoring solution. Network monitoring software inevitably touches every part of a business’s information technology systems. Therefore, through Orion, the hackers were able to gain access to the entirety of a customer’s computer and information technology systems.
This style of attack is commonly referred to as a supply chain attack because it targets a large third-party service provider and then uses that provider to gain access to its customers’ systems.
It is estimated that 18,000 businesses were affected. Beyond private businesses, government agencies were also targeted, including the Treasury Department and the Department of Homeland Security.
The hackers went undetected on SolarWinds systems and customers’ systems for over a year.
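The attack described above turned on customers deploying an update that was not what the vendor intended to ship. One defensive control against update substitution is to verify each downloaded artifact against a digest obtained separately from the download channel before it is deployed. The following is an added example written for this article, not code from SolarWinds or from the complaint; the artifact bytes, the file name and the pinned manifest are all constructed placeholders.

```python
import hashlib
import hmac

# Constructed sample "update" payload; a real artifact would be the downloaded installer bytes.
GENUINE_UPDATE = b"Orion-Update-2020.2 (constructed sample payload)"


def sha256_hex(data: bytes) -> str:
    """Return the hex SHA-256 digest of an artifact."""
    return hashlib.sha256(data).hexdigest()


# Hypothetical pinned manifest: artifact name -> digest published out of band
# (e.g. on a vendor page fetched over a separate channel). Constructed for this example.
PINNED_MANIFEST = {
    "Orion-Update-2020.2.msp": sha256_hex(GENUINE_UPDATE),
}


def verify_update(name: str, data: bytes, manifest: dict) -> tuple:
    """Check a downloaded artifact against the pinned manifest.

    Returns (ok, reason). Deployment should proceed only when ok is True.
    """
    expected = manifest.get(name)
    if expected is None:
        # Unknown artifact: refuse rather than fall back to "trust the download".
        return (False, "no pinned digest for artifact %r" % name)
    actual = sha256_hex(data)
    # Constant-time comparison avoids leaking how many leading characters matched.
    if not hmac.compare_digest(actual, expected):
        return (False, "digest mismatch: artifact does not match pinned manifest")
    return (True, "digest matches pinned manifest")


if __name__ == "__main__":
    tampered = GENUINE_UPDATE + b"<constructed extra bytes standing in for injected code>"
    print(verify_update("Orion-Update-2020.2.msp", GENUINE_UPDATE, PINNED_MANIFEST))
    print(verify_update("Orion-Update-2020.2.msp", tampered, PINNED_MANIFEST))
    print(verify_update("Unknown-Package.msp", GENUINE_UPDATE, PINNED_MANIFEST))
```

A check like this only catches substitution that happens after the publisher computed the pinned digest; if the malicious code is inserted before the vendor publishes and signs the release, the digest and signature will match and the control is silent. That is why the complaint's focus on the vendor's own controls matters to downstream customers as well.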
The first lawsuits against SolarWinds related to this security breach relied on class action securities claims. This lawsuit relies on fiduciary claims and a type of lawsuit called a derivative suit.
A derivative suit is a type of legal action by which the shareholders can assert the corporation’s rights on the corporation’s behalf, rather than asserting their own rights as shareholders. In essence, the corporation is suing its board of directors for neglect.
Generally, plaintiffs in a derivative suit must make a demand on the board of directors to give the board an opportunity to determine whether the suit is in the corporation’s best interest. This procedural requirement is why the Marriott case was dismissed by the same Delaware court. However, the demand requirement is excused if such a demand would be considered futile because the members of the board of directors have conflicting interests with regard to the suit. If excused, the plaintiffs can skip the demand requirement and go straight to filing a complaint.
In Delaware, the courts apply a three-part test to determine whether demand is futile, asking whether (1) the directors received a material personal benefit from the alleged misconduct; (2) the directors themselves likely face liability on any of the claims; and (3) the directors lack independence from a third party who received a material personal benefit from the alleged misconduct, or who is likely to face liability on any of the claims.
If at least half of the directors fall into one of the three above buckets, the plaintiffs do not need to make a demand to the board and can skip straight to filing a complaint. In this case, the main plaintiffs cited the fact that most of the current board of directors are named as defendants in the suit, therefore making demand futile.
Specifically, the plaintiffs claim the board of directors breached their fiduciary duty of loyalty and care through their bad faith failure to enact proper oversight of SolarWinds’ cybersecurity.
Generally, directors of a corporation owe a fiduciary duty of care and loyalty, among other things. Under a duty of care claim, the question becomes whether the directors were informed of all material information reasonably available on the specific, relevant topic, and whether they acted on that information as a reasonably prudent person would. Under a duty of loyalty claim, the question becomes whether the directors acted in the best interest of the corporation.
The lack of oversight, which the plaintiffs cite in this case, is a subset of the duty of loyalty. Success on such a claim will often boil down to whether the plaintiff(s) can prove that (1) the directors knew or reasonably should have known of a risk; (2) the directors took no, or inadequate, remedial steps; and (3) such inaction was a proximate cause of the claimed injury.
To bolster their claim, the plaintiffs cited the fact that supply chain hacks are on the rise and that “trusted, widely used software tools” such as the SolarWinds software solutions are likely to be targets of such attacks. According to the plaintiffs, any board of directors “reasonably familiar with SolarWinds’ … business must have known that leading cybersecurity organizations in the public and private sectors were widely publicizing the catastrophic and surging risks that supply chain cyberattacks posed.”
Those public and private reports included FBI Cyber Division alerts, NIST reports, and various news articles.
The plaintiffs claim that despite this knowledge, or knowledge that should have been reasonably known if not obvious, the board of directors failed to implement even “elementary cybersecurity standards” for any business, let alone one in SolarWinds’ position.
The alleged poor security practices and failure to oversee the cybersecurity of SolarWinds include substandard password controls and management. Specifically, the plaintiffs allege SolarWinds used “solarwinds123” as a password for its software download website over the course of multiple years. That password was publicly available online along with credentials. The complaint also outlines that the board of directors was warned a hacker could use this to upload malicious code.
According to the U.S. Cybersecurity and Infrastructure Security Agency, the SolarWinds hackers likely used password guessing, spraying, or unsecured administrative credentials to gain access for the hack.
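Password spraying, one of the access methods CISA is cited as naming above, has a recognizable footprint in authentication logs: a single source tries a small number of passwords against many different accounts, so failures pile up across distinct usernames rather than against one account. The detection logic below is an added example written for this article, not code from the complaint, CISA or SolarWinds. The log lines are constructed in a syslog-like format, and the source addresses are documentation ranges; the window and threshold are illustrative assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not real data). The first source fails against
# five different accounts within seconds and then succeeds on one of them; the second
# source hammers a single account, which is brute force, not spraying.
SAMPLE_LOG = """\
2020-03-01T10:00:01Z auth sshd: Failed password for alice from 203.0.113.7
2020-03-01T10:00:03Z auth sshd: Failed password for bob from 203.0.113.7
2020-03-01T10:00:05Z auth sshd: Failed password for carol from 203.0.113.7
2020-03-01T10:00:07Z auth sshd: Failed password for dave from 203.0.113.7
2020-03-01T10:00:09Z auth sshd: Failed password for erin from 203.0.113.7
2020-03-01T10:00:11Z auth sshd: Accepted password for erin from 203.0.113.7
2020-03-01T10:05:00Z auth sshd: Failed password for alice from 198.51.100.9
2020-03-01T10:05:02Z auth sshd: Failed password for alice from 198.51.100.9
2020-03-01T10:05:04Z auth sshd: Failed password for alice from 198.51.100.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth sshd: (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<ip>\S+)$"
)


def parse_events(log_text: str) -> list:
    """Turn log lines into event dicts; lines that do not match the format are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "ok": m["result"] == "Accepted",
            "user": m["user"],
            "ip": m["ip"],
        })
    return events


def detect_spraying(events: list, window=timedelta(minutes=5), min_users: int = 4) -> dict:
    """Flag source IPs whose failures span >= min_users distinct accounts within `window`.

    Returns {ip: {"distinct_users": n, "success_after_failures": bool}}. The success flag
    marks the highest-priority case: the spray appears to have found a working credential.
    """
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    findings = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        failures = [e for e in evs if not e["ok"]]
        best = 0
        # Sliding window anchored at each failure: count distinct accounts tried.
        for i, start in enumerate(failures):
            users = {f["user"] for f in failures[i:] if f["ts"] - start["ts"] <= window}
            best = max(best, len(users))
        if best >= min_users:
            first_fail = failures[0]["ts"]
            success_after = any(e["ok"] and e["ts"] >= first_fail for e in evs)
            findings[ip] = {"distinct_users": best, "success_after_failures": success_after}
    return findings


if __name__ == "__main__":
    for ip, info in detect_spraying(parse_events(SAMPLE_LOG)).items():
        print(ip, info)
```

Keying on distinct usernames per source rather than on failures per account is what separates spraying from ordinary brute force, and it is also why per-account lockout thresholds alone tend to miss it; the single-account source in the sample is deliberately left unflagged so the distinction is visible in the output.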
The board of directors also ignored relevant guidance specific to their alleged duty to oversee SolarWinds’ cybersecurity, according to the complaint. Plaintiffs point to 2018 SEC guidance stating that companies are required to maintain “appropriate” cybersecurity controls and that such controls are “best achieved when a company’s directors … are informed about the cybersecurity risks and incidents that the company” faces.
Where cybersecurity is central to a company, the SEC guidance goes on to place affirmative obligations on a company’s board of directors by requiring that they disclose (1) the nature of the board of directors’ oversight role; (2) how the board of directors engages managers and employees to address cybersecurity risks; and (3) the company’s cybersecurity risk management program.
The plaintiffs are seeking damages on behalf of the company and are also seeking to enforce an overhaul of the company’s cybersecurity policies and oversight.