4/13/20 - Insights
COVID19-Related Supply Chain Breakdowns Lead to Increased Risk of Cyberattacks
By Varant Yegparian and Benjamin Cohen
The coronavirus pandemic’s impact on the healthcare, travel, and hospitality industries has been severe. From ventilator shortages to empty airports to restaurant chain layoffs, the impacts of the pandemic on certain industries has been open and obvious. However, the coronavirus pandemic has placed less obvious stresses on other sectors of the economy—most notably, supply chain logistics. Reflecting this, Coca-Cola’s CEO recently stated that “the supply chain is creaking around the world.”[1] Axios has reported that the coronavirus pandemic has disrupted the supply chains of nearly 75% of companies in the US.[2] Given the global economy’s dependence on Chinese manufacturing, along with the challenges faced by domestic logistics companies, the impact of COVID-19 on supply chains cannot be overstated.
The novel challenges and demands which coronavirus has placed on logistics companies create fertile ground for cyberattacks. Now more than ever, supply chains are requiring more resources for manufacture, transportation, and fulfillment. In turn, supply chain infrastructures must change rapidly and form new connections to respond to new market conditions. And in the face of an emergency, that interconnectivity may not be accomplished in as safe and thorough a manner as would be the case in normal times. Rapidly building new connections to satisfy new demands necessarily creates vulnerabilities in the supply chain itself—creating opportunities for a variety of cyberattacks.
Highlighting these vulnerabilities, the nation’s second-largest freight-brokerage firm, Total Quality Logistics, suffered a data breach on February 23, 2020. According to the company, the breach compromised the security of its online portals for carriers, enabling hackers to gain access to information in some carrier accounts, which included tax ID and bank account numbers.[3] It is believed that approximately 20 carriers had their data compromised in the attack, prompting TQL to engage a cybersecurity firm and actively coordinate with law enforcement and the FBI in investigating the breach.[4]
Approximately one month later, a number of carriers whose data had been compromised filed a class action lawsuit against TQL in the federal court for the Southern District of Ohio.[5] The Finesse Express lawsuit is notable for a number of reasons, but at the forefront is the allegation that “the increased risk of fraud and identity theft” resulting from the data breach is
[A] significant injury … as it places each of these small business and sole proprietors in the position of having to divert company resources away from transporting freight during a [sic] urgent time of nationwide supply-chain crisis, and instead expend company resources monitoring accounts and interfacing with the understaffed IRS to prevent business identity theft and the potentially bankruptcy-inducing problems that could result.
The allegation that the increased risk of fraud and identity theft is a “significant injury” relates to the larger split amongst the courts as to whether a data breach alone, without further injury, is a compensable injury that confers standing to sue.[6]
Yet, the most notable thing about the Finesse Express complaint is not this jurisprudential split, but rather its relation to the current coronavirus crisis. The lawsuit alleges that the risks posed by the data breach have occurred at an “urgent time of nationwide supply-chain crisis” and references a March 20, 2020 article in Wired titled “As Covid-19 Spreads, Truckers Need to Keep on Trucking.”[7] In doing so, the lawsuit has framed its complaint in reference to the need to transport “[e]mergency medical supplies like masks, ventilators, and soap” to medical centers and to move “raw materials that help manufacturers build those things—paper, plastic, alcohol” to factories to produce critical supplies.[8] The Finesse Express plaintiffs make the common-sense, yet surprisingly novel, legal argument that in times of emergency a freight carrier having to deal with a data breach at all is a serious injury. Indeed, while the full effects of the TQL data breach may not have materialized yet, the class plaintiffs argue that the precious time and resources being expended to deal with the fallout from the breach should be spent moving vital supplies to address the present crisis.
The TQL data breach and resulting litigation are significant for two reasons. First, the compromise of TQL’s IT systems may be a harbinger of things to come. As American life is increasingly spent at home under “shelter-in-place orders,” the need for robust and efficient supply chains becomes ever more pressing. Americans will increasingly rely on those supply chains for items which in the past they might have bought in person—such as groceries, home supplies, medications, and numerous other products. This growing economic importance of logistics companies and carriers is likely to make these companies an increasingly attractive target for cybercriminals. It is not hard to imagine a significant increase in both ransomware attacks against supply chain infrastructure and the monetary demands of hackers. This unfortunately means that the TQL breach may be the first of many others to come.
Second, lawsuits stemming from the TQL data breach could also be a harbinger of legal change. There is a notable split amongst federal courts as to whether a data breach without additional harm (i.e., identity theft) is sufficient injury to confer the standing that a plaintiff requires to seek redress. In more normal times, many of those courts adhere to the view that a data breach on its own is not sufficient to allow a victim to have their day in court. But we are not living in normal times. As the Finesse Express complaint notes, freight or logistics companies that must deal with the aftermath of a data breach are forced to divert precious time and resources away from moving vital supplies at a time of national crisis. It remains to be seen how the courts will treat these types of claims from data breach victims. However, as the coronavirus pandemic has made American society more reliant than ever on the dependability and efficiency of supply chains, any diversion of time or resources could easily be seen as a grave injury to both logistics/freight companies and the citizens who rely upon them.
Despite the increasing risks which logistics and supply chain companies face today, cyberattacks are preventable. Businesses can take a number of steps to reduce their vulnerability to cybercrime, including:
• Developing a comprehensive cybersecurity plan in conjunction with a cybersecurity professional.
• Educating staff about the risk of phishing attacks and ensuring proper email filtering software is in place.
• Requiring that employees working from home do so through a Virtual Private Network (VPN).
• Inquiring about the data security practices of current and potential partner businesses.
• Ensuring data security policies that meet industry standards are followed, including storing confidential information in encrypted form and properly disposing of confidential information that is no longer needed.
As always, preventive measures remain the best way to avoid the losses, reputational harm, and legal liability that can result from cybercrime. Given the current crisis’s potential to spur an expansion in data breach liability, it is more important than ever for businesses to invest in common-sense measures to protect sensitive information.
1 Coca-Cola CEO says supply chain is ‘creaking around the world’ due to coronavirus, https://www.cnbc.com/2020/03/24/coronavirus-coca-cola-ceo-says-supply-chain-is-creaking.html
2 Coronavirus has disrupted supply chains for nearly 75% of U.S. companies, https://www.axios.com/coronavirus-supply-chains-china-46d82a0f-9f52-4229-840a-936822ddef41.html
3 Notice of Carrier Data Breach, https://www.tql.com/carrierhotline
4 TQL cyber breach is latest example of the industry’s vulnerability to hacking, https://www.supplychaindive.com/news/tql-cyber-breach-industry-vulnerability-hacking/573174/
5 Finesse Express, LLC v. Total Quality Logistics, LLC, Case No. 20-cv-235, Mar. 23, 2020 (S.D. Ohio).
6 Whether Data Breach is Inherent Injury Could Affect Millions, https://www.law360.com/appellate/articles/1252157
7 https://www.wired.com/story/covid-19-spreads-truckers-keep-trucking/
8 Id.