Who is responsible for the damage from a ransomware attack and who has to pay for it? That's a question that's been at the top of mind for MSPs and MSSPs, particularly following a recent lawsuit where a client sued its MSP after suffering a ransomware attack.That lawsuit may have been the first of its kind for MSPs, but it probably won't be the last. A new report from Bloomberg Law, "Ransomware Attacks: Litigating a Growing Threat," shows an increasing volume of ransomware-related lawsuits across all major industries seeking billions of dollars in damages for everything from lost business profits to personal privacy violations.The dramatic increase in ransomware-related lawsuits is related to the increase in ransomware attacks themselves and underscores the growing legal challenges businesses, MSSPs and MSPs included, face in the wake of cyberattacks. Negligence is a top claim."Negligence and negligence per se causes of action are included in nearly every ransomware-related complaint researched for this report," authors Travis Yuille and Bridget Roddy wrote in the report. "Generally, in these cases, the plaintiff claims the defendant should have been aware that it was likely to be the target of a cyberattack."What's more, the plaintiffs typically blame the entity that was entrusted to protect the data."In ransomware cases, plaintiffs typically allege that the businesses and vendors entrusted with their data owed them a duty to safeguard the data from foreseeable attacks," the authors wrote.Yet there are steps that MSPs and MSSPs can take to protect themselves against legal trouble following ransomware attacks. For instance, MSP attorney Eric Tilds recommends every MSP and MSSP have a signed written managed services statement of work with specific language about what the MSP will do, what they won't do, and what the customers responsibilities are. Read the rest of Tilds' recommendations here.
Trends and Implications of Ransomware Litigation
The report shows that the surge in ransomware attacks has led to a significant rise in lawsuits in the U.S. In fact, federal complaints mentioning ransomware increased sevenfold from 2021 to 2023, and the first half of 2024 has seen a record number of ransomware complaints, Bloomberg Law reports.Key findings from the report include:- Most-Litigated. The most-litigated ransomware attack of 2023–2024 is the breach of Progress Software's file-sharing platform MOVEit, which has resulted in 279 federal lawsuits so far.
- Four Lawsuit Types. Nearly every case analyzed falls into one of four categories: Consumer v. Business, Consumer v. Vendor, Business v. Vendor, and Business v. Hacker.
- Common Claims. Negligence is a prevalent cause of action in nearly all ransomware-related lawsuits, with plaintiffs often citing the failure of businesses to safeguard data against foreseeable attacks.
- Healthcare Targets. The healthcare sector has been particularly hard hit, with significant breaches affecting major companies in this space.
- Vendor Vulnerabilities. Many lawsuits have been filed against third-party vendors, highlighting the risks associated with outsourcing data management.




