A court has ruled that Accenture, as a service provider to Starwood, owed a duty to prevent data breaches to Starwood’s customers
In September 2018, Bethesda, Maryland-based Marriott International’s subsidiary chain Starwood learned it had been the victim of a massive data breach involving millions of customer records. The data breach followed the usual pattern of investigation, notification, regulation and class action litigation with recrimination and blame. However, in addition to suing the hotelier, the lawyers representing the class also sued Starwood’s security consultant, Accenture, asserting that the consultant not only was negligent in the way it provided security services to Starwood, but also that it owed a “duty of due care” not just to Starwood but also to Starwood’s customers.
On Oct. 26, U.S. District Judge Paul Grimm in Baltimore, in a 50-page ruling, found that, based on the allegations in the complaint, Accenture did, in fact, have a duty of care to the people on whom the hotel chain collected data and that, if the allegations were accurate, there were grounds to find that they breached that duty and that the breach caused harm to the data subjects.
This is not the first time that a company suffering a data breach has attempted to blame its infosec provider. In the famous Heartland data breach, the company sought to blame its forensic and information security consulting companies for falsely telling it that it was “compliant” with the relevant Payment Card Industry Data Security Standard (PCI DSS). In the more recent Capital One data breach, the bank is blaming Amazon for the breach, not as a “consultant” so much as a provider. However, in the past, it was the company in “privity” of contract—that is, the company for whom the consultant performs services—that would sue the security consultant for breach of contract or negligent performance of the contract. In the Marriott/Accenture case, it was the data subjects who sued the consultant directly.
Duty of Care
As an information security provider, whether you provide hardware, software, products, solutions, testing, evaluation or merely advice, you can expect that your client/customer will rely on what you say you provide. If you are hired to perform a penetration test, it’s reasonable to expect that you will perform, well, a penetration test. If you say your product provides authentication services, or access control, or log monitoring, or DDoS protection, then it’s reasonable to assume that it does what it says. The contract between the parties will typically describe what the consultant is—and, more importantly, is not—providing.
Wise consultants will also put various disclaimers, liability caps and “hold harmless” agreements in their consulting contracts. They may include language that establishes what their duty of care might be (“reasonably professional services” or services performed in “a workmanlike fashion”). They may limit their liability for incidental, consequential or “special” damages. They may cap damages as a percentage or multiple of fees paid. They may disclaim liability to third parties. They may insist that the customer indemnify them if they are sued by third parties. Most importantly, the contract needs to specify what they do not promise—words such as, “While we will perform the services in a workmanlike manner, we do not guarantee that we will find every vulnerability, or that, even if you implement every recommendation, that you will be immune from attack or compliant with any particular regulation …” You know—weasel words. Consultants should avoid language (both in sales and marketing and especially in contracts) such as “state of the art” or “best practices.” If you promise your customer that you will use the “best” practices (rather than simply reasonable practices), they might hold you to that promise. Finally, infosec consultants should, where appropriate, seek and obtain appropriate cyber insurance to cover them in case the customer suffers some damage or loss.
But most of the above discusses the consultant’s liability to their customer—the bank, the hospital, the hotel chain—for losses resulting from the consultant’s poor work or breach of contract. The consultant can also have liability for harms resulting to third parties—the bank’s customers, the hotel’s guests, the hospital’s patients or others such as the bank’s marketing company, the hotel’s data storage company and the hospital’s employees. This liability can be direct or indirect. If there’s a data breach or other loss resulting from the consultant’s failure, the foreseeable harm to the consultant’s “client” may include the costs of investigating, responding to and remediating the breach. These would likely be “first-party” claims. But the harms to the customers’ customers may be “third-party” claims. After a data breach, the hospital patient has difficulty sorting out their medical records, and suffers some injury as a result. They make a claim of damage against the hospital, which pays it. Has the hospital suffered damage or has the patient, or have they both? That’s the difference between first- and third-party claims.
The Accenture Claim
In the Marriott/Accenture case, however, the customer—the hotel chain’s customer—sued both Marriott and Accenture, asserting that, as a consultant and provider for Marriott, Accenture had a duty of due care not just to Marriott but also to them, and that it was foreseeable that a breach of that duty might cause harm to the hotel guest. Note that, because this claim is styled in tort law (negligence) and asserts a direct duty by the consultant to the client’s customers, all that lovely language you put into the contract about limiting liability for indirect damages and capping liability is for naught, since the client’s customer is not a party to that contract. What might be important in the contract is the duty of the client to “indemnify and hold harmless” the consultant. But it’s unlikely that a client will agree to indemnify and hold harmless a consultant for the consultant’s own negligent acts that cause harm to the client’s customers. Generally, clients use indemnification language to get the consultant to agree to indemnify and hold the client harmless if the consultant’s negligence causes harm and the client is sued. That’s why it’s important for consultants to have both first-party and third-party cyber insurance that covers both kinds of claims, includes a duty to defend, and covers not just damages but also attorney’s fees.
The Baltimore federal judge noted: “Plaintiffs argue that Accenture is liable to them for negligence because it owed them a duty to perform its contract with Starwood reasonably, so as to protect Plaintiffs’ personal information. And, they assert, Accenture breached that duty by failing to detect the four-year long data breach and by failing to implement reasonable data security systems.” As a general rule, courts require privity of contract or, in the alternative, some kind of “intimate relationship” between the allegedly negligent party (Accenture) and the person harmed (the data subject). The Baltimore court found that Accenture was on notice that Marriott’s customers were relying on Accenture’s services and expertise in protecting their data and that Accenture “knew or should have known” that the customers were relying on it. The lawsuit asserted: “Accenture explicitly acknowledged in its contract with Starwood that ‘it [Starwood] had a duty to protect the Personal Information of end-users, defined to include “guests” and “customers” of Starwood’ and that to fulfill this duty it had an obligation to use nothing less than a ‘reasonable standard of care.’” Accenture’s promise to Starwood that it would implement measures to prevent unauthorized disclosure of personal information of end users was, in the opinion of the court, sufficient to establish a legally enforceable duty by Accenture to Marriott/Starwood’s customers. As the court noted: “If a defendant—like Accenture—is aware of a determinant class of potential claimants, whose interests as a group it contractually undertook to protect through the exercise of reasonable care, it can hardly complain when, as a result of its alleged failure to live up to its promise, a member of that class sues them.”
The court also noted that the Starwood customers were not asserting that Accenture had a general duty to the public to prevent harms created by computer hackers, but that Accenture had a specific duty to protect Starwood customers from the risk of harm created by its own negligent failure to secure the Starwood network. By analogy (mine, not the court’s), if a hotel hired an elevator mechanic to fix a hotel elevator and that mechanic was negligent, the “duty” would not just be to the hotel but also to the injured guest who could, in theory, sue the mechanic directly and not just the hotel.
Moreover, Accenture was not an ordinary “consultant.” The firm did not just give Starwood advice on what Starwood should do—essentially, Accenture ran Starwood’s data security. As a result, the court concluded, Accenture may have had a higher duty to Starwood’s customers than a mere consultant. The breach victims also argued that Accenture had a duty to them to prevent any “unfair” trade practices (by providing reasonable security to Starwood) and that the FTC Act was intended to protect consumers and establish such a duty. At the end of the day, after analyzing Maryland, Connecticut and Florida laws (based on the location of the class members), the court concluded that Accenture, as a service provider to Starwood, owed a duty to prevent data breaches to Starwood’s customers.
What this means for security consultants is that they are taking on duties of due care not only to their customers but also to their customers’ customers. This clearly means that their potential legal exposure for consulting services is much greater and they cannot minimize this for the most part through caps on liability or clever lawyering—unless their customer is willing to take on and indemnify the consultant, which is unlikely. So any consultants in the infosec area, cloud providers and third-party service providers may be taking on much more liability than they think. It may be time to look into comprehensive cybersecurity policies that cover first- and third-party claims. And maybe raise the price of the service to cover the additional liability.
Oh, and try not to allow a breach to occur. That would be bad.