LastPass, a cloud-based password manager, has been hacked – because of course it has.
As The Independent reports, hackers were able to make off with a treasure trove of passwords. Luckily, the data was encrypted so they shouldn't be able to read the files.
Nonetheless, this breach offers a lesson in errors and omissions liability for tech professionals. Let's take a look at what happened and how the company handled the incident.
LastPass, You Had One Job (and Now You May Have E&O Liability)
LastPass just gave its trolls all the ammunition they could possibly want. Its only task: to protect user passwords. But it just coughed up the goods to hackers who breached the company. This is pretty much the definition of errors and omissions liability.
When an IT company fails to provide the service it promises to its customers, it could be liable for errors and omissions, which can lead to lawsuits.
E&O liability is defined even more broadly than that. Clients can slap you with a lawsuit, alleging you should have…
- Installed better IT software.
- Implemented better preventative measures.
- Informed them about potential problems.
As we wrote in "Report: 70% of Data Breaches Should Have Been Prevented," after a breach, it's easy to find a flaw and point to mistakes the company made with its security. This ever-present risk of security incidents and miscues is the reason that so many IT companies carry Errors and Omission Insurance.
Okay, so LastPass messed up and its passwords were hacked (though still encrypted) – but there's a second layer of risk that follows a data breach. LastPass's reputation has taken a serious hit.
Imagine you're a consumer looking to sign up for a password management service. Which one are you going to choose: the one that got hacked or the one that didn't?
What LastPass Did Right in its Data Breach Response
Give credit to LastPass – it handled the data breach response well.
Its blog post alerting customers about the breach clearly explains what happened and reassures consumers by pointing out that user passwords are run through 5,000 rounds of a hashing algorithm, which makes them extremely hard to crack. The company provides concrete details to reassure its users and tells them what they can do next (change their master password and enable two-factor authentication).
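To make the "5,000 rounds" point concrete, here is an added illustration (not LastPass's code; the post doesn't give the actual hash function or salt handling, so PBKDF2-HMAC-SHA256 with a per-user random salt is assumed as a stand-in) of how key stretching turns a master password into a stored verifier and why the round count matters for how fast stolen verifiers can be checked offline:

```python
import hashlib
import hmac
import os
import time

# Assumed parameters for illustration: the page only states "5,000 rounds".
ROUNDS = 5_000
KEY_LEN = 32


def derive_verifier(master_password: str, salt: bytes, rounds: int = ROUNDS) -> bytes:
    """Stretch a master password through `rounds` iterations of PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, rounds, dklen=KEY_LEN
    )


def enroll(master_password: str, rounds: int = ROUNDS) -> dict:
    """Build the record a server would store: random per-user salt, round count, verifier."""
    salt = os.urandom(16)
    return {"salt": salt, "rounds": rounds,
            "verifier": derive_verifier(master_password, salt, rounds)}


def verify(master_password: str, record: dict) -> bool:
    """Re-derive with the stored salt/rounds and compare in constant time."""
    candidate = derive_verifier(master_password, record["salt"], record["rounds"])
    return hmac.compare_digest(candidate, record["verifier"])


def derivations_per_second(rounds: int, samples: int = 20) -> float:
    """Measure how many derivations per second this machine manages at a given round
    count. The ratio between 1 round and ROUNDS is the work factor a defender buys
    with stretching (and the cost the server pays per login check)."""
    salt = b"\x00" * 16  # fixed salt: only the timing matters here
    start = time.perf_counter()
    for i in range(samples):
        derive_verifier(f"sample{i}", salt, rounds)
    return samples / (time.perf_counter() - start)


if __name__ == "__main__":
    record = enroll("correct horse battery staple")  # constructed sample password
    print("correct:", verify("correct horse battery staple", record))
    print("wrong:  ", verify("incorrect horse", record))
    fast, slow = derivations_per_second(1), derivations_per_second(ROUNDS)
    print(f"1 round: {fast:,.0f}/s; {ROUNDS} rounds: {slow:,.0f}/s "
          f"(~{fast / slow:,.0f}x more work per check)")
```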
Though the breach was a blow to the security-focused company, its response helped limit damage and restore customer trust.
Life after Breach: 3 Takeaways for IT Consultants
So what can IT consultants learn from the security incident at LastPass?
- Prepare for potential litigation. If your client's reputation takes a hit, you could be sued. Whether it's a security incident or an IT problem that causes outages, clients can sue you for the subsequent damages and lost sales.
- Take a transparent approach. LastPass has done a nice job of owning up to the breach, clarifying what has and hasn't occurred, and reassuring its customers. See our "Checklist: How to Respond to a Data Breach" for more tips on breach response.
- Address professional liabilities. If your IT fails, your clients are hacked, or a client alleges you made other mistakes, Errors and Omissions Insurance may cover your legal expenses.
For more on cloud liability issues, see our blog posts on cloud security.