Vendor accountability under scrutiny due to Kronos ransomware incident
The December ransomware attack on workforce management company Ultimate Kronos Group (UKG) has left many organizations scrambling to process payrolls, and the legal fallout is just beginning.
John Bambenek, principal threat hunter at security firm Netenrich, stated that employers are responsible for making payroll, but UKG may be liable to its customers if it couldn't provide its service. The Fair Labor Standards Act and any applicable state and local laws may be violated if employers fail to make payroll. Discovery will determine who is truly responsible from a legal perspective, according to Bambenek.
Employees at Tesla, PepsiCo, Whole Foods, and the New York Metropolitan Transit Authority (MTA) are among those affected by the outage. Tesla and PepsiCo employees have filed a class action lawsuit against UKG seeking damages due to alleged negligence in data security procedures and practices. New York MTA employees filed a separate suit in the U.S. District Court for the Southern District of New York against the MTA, alleging it failed to pay overtime wages due to the Kronos outage.
The MTA and Kronos's public relations firm declined to comment on the lawsuits. Kronos took around six weeks to restore access to core time, scheduling, and HR/payroll services for Kronos Private Cloud (KPC) customers. As of March 4, Kronos was still in the process of restoring additional applications used by some KPC customers, including Citrix and Workforce Analytics.
The licensing agreements between Kronos and its public entity customers require "gross negligence or willful misconduct" to hold the company liable. Some Kronos contracts may indemnify the company for its outage. Matthew Warner, CTO and co-founder at detection and response provider Blumira, mentioned that vendors like Kronos often seek indemnification clauses in their contracts to protect themselves from legal action or damage.
Even after taking the necessary security steps, Kronos could still have been successfully breached, according to Bambenek. He also noted that Kronos didn't have a good business continuity plan. Bambenek expects small settlements if people succeed in suing Kronos.
Legal culpability for the ransomware attack on Kronos is expected to remain murky until the pre-trial phases of the lawsuits. The contract clauses that Kronos has with its customers are limitation of liability clauses, which state that Kronos is not responsible for damages caused by events like the ransomware attack. However, the outcome of the lawsuits may challenge these clauses and set a precedent for similar cases in the future.