A prominent fintech company is holding its firewall vendor responsible for a recent data breach and has filed a lawsuit seeking damages. Suing vendors over cybersecurity incidents is a tactic that has emerged only in recent years, and it is raising significant concerns within the cybersecurity sector.
The plaintiff, Marquis, offers marketing and compliance solutions to over 700 banks and credit unions. On August 14, a ransomware group infiltrated Marquis's IT network, compromising client data, including personally identifiable information (PII) of customers from several of its clients. Recent reports indicate that more than 780,000 individuals may have been affected, although this figure has not been independently verified.
Initially, Marquis did not know how the attackers had gained access to its systems. However, on September 17, its firewall vendor, SonicWall, disclosed that it had suffered a breach of its own: attackers had accessed SonicWall's cloud backup service and stolen customer firewall configuration files. Because such backups typically capture a device's rule set, network layout, and stored credentials, their theft could facilitate further attacks on the affected customers. SonicWall initially stated that only 5% of its customers were impacted, but on October 8 it acknowledged that all customers using the backup service were affected.
Marquis subsequently filed a complaint on February 23 in the US District Court for the Eastern District of Texas, attributing the attack to SonicWall's breach and seeking damages.
In response to inquiries, Marquis stated that "Not only did SonicWall fail to disclose its compromise promptly, but the company assured Marquis that its firewall protection was not affected for several weeks." The company further claimed that this lack of timely disclosure prevented it from mitigating the damage caused by SonicWall's breach.
On the other hand, a SonicWall spokesperson indicated that they have not yet found any technical evidence linking the two incidents. The spokesperson also noted that Marquis filed the lawsuit without providing documentation to support its allegations. SonicWall is currently reviewing the claims and is prepared to defend against any unproven assertions.
This lawsuit prompts an essential question: who is ultimately responsible when a data breach traces back to a third-party vendor?
According to Erin Jane Illman, a partner at Bradley, "Historically, most breach-related lawsuits have flowed from consumers or regulators toward the breached company. However, this case signifies a shift, with enterprises now suing their cybersecurity vendors or service providers for contributions, indemnification, or outright negligence." This change fundamentally alters the risk landscape for the industry, as vendors are now seen as potential co-defendants rather than just technical partners.
The Precedent for Suing Your Vendor
While it is quite rare for companies to sue their vendors for data breaches, Marquis is not the first to attempt this route. In 2018, a breach at email security vendor Barracuda Networks resulted in a data leak for its client, Zoll Services. Zoll subsequently sued Barracuda, but the US District Court for the District of Massachusetts ruled in favor of Barracuda. Just a few months ago, Zoll's appeal was also rejected.
There have been variations on this theme as well. In 2014, several banks sued Target following its infamous point-of-sale breach, and they also targeted Trustwave, which had signed off on Target's IT security shortly before the incident. Those cases ultimately fizzled out.
Jackson Stephens, senior cybersecurity counsel for Galactic Advisors, pointed out that the 2023 MOVEit breach led to numerous lawsuits, many of which are still pending. He noted that lawsuits against managed service providers and cybersecurity vendors are becoming increasingly common.
Regarding the case of Marquis and SonicWall, he commented that such cases rarely go to trial, as they often require arbitration or mediation, with most ending in undisclosed settlements. However, he warned that a company like SonicWall may face various legal challenges in the future, especially if its business customers experience data leaks and are subsequently sued by affected individuals.
Legal Risk to Cybersecurity Providers
Illman expressed concern that Marquis could become a notable example for other breach victims to follow. She explained that this environment creates strategic incentives for executives, who may be inclined to shift blame onto vendors in the face of shareholder lawsuits or regulatory scrutiny following a breach.
She added that this does not absolve executives of responsibility, but it does introduce a new dimension of cross-claims and indemnity disputes behind the scenes.
The criteria for negligence are shifting. Illman noted that plaintiffs are exploring theories such as misrepresentation, failure to warn, negligent design, or overstated security claims to challenge vendor protections. Courts may also begin to scrutinize how "reasonable cybersecurity" is defined for professional security providers, potentially holding them to a higher standard than an ordinary enterprise IT department.
It is also important to remember that organizations choose their vendors and can shape the terms of those relationships through contracts. Joseph Lazzarotti, an attorney with Jackson Lewis, remarked that it is not uncommon for companies to engage vendors without conducting the due diligence needed to assess their cybersecurity measures. He also noted that service level agreements often fail to account adequately for worst-case scenarios, particularly the case in which the vendor itself is the source of an attack.
Lazzarotti warned that if organizations are as careless in selecting their vendors as they claim those vendors were in protecting them, they may themselves face claims of negligent vendor selection or monitoring when a breach affects the organization or its customers.
This article was updated with statements from both Marquis and SonicWall.