Clorox Lawsuit Underscores the Legal Risks in Cybersecurity Outsourcing
Key Highlights
- Long-term outsourcing agreements must be reviewed with both technical and legal input to stay aligned with evolving risks.
- Clear communication between IT and legal teams is critical to ensure operational procedures match contractual obligations.
- Seemingly minor security failures can trigger massive legal and financial exposure, as shown in the Clorox litigation.
By now it is old news that many companies outsource large portions of their technology stack, including their cybersecurity responsibilities. This has led to a reality that many technology experts find uncomfortable: having to collaborate with lawyers in technology outsourcing agreements.
Whether you find yourself on the side of outsourcing functions or the side of offering products and services to organizations, being able to interface with legal teams has become a critical skill for cybersecurity experts.
Ahead, I will detail several key considerations that often fall through the cracks when technical and legal teams work together to reach information technology outsourcing agreements. A recent lawsuit filed by Clorox against Cognizant, alleging $380 million in damages, will be referenced to highlight the importance of these issues.
Summary of the complaint filed by Clorox
On July 22, Clorox filed a lawsuit against Cognizant, seeking $380 million in damages stemming from what the complaint describes as catastrophic security failures at the service desk level. According to the complaint, the August 11, 2023, cyberattack against Clorox was not the result of sophisticated hacking techniques or zero-day exploits. Instead, Clorox alleges that it resulted from a bad actor calling Cognizant's service desk and asking for network credentials. The service desk employee then allegedly provided the credentials without any authentication whatsoever.
The complaint continues that this interaction between the bad actor and the service desk occurred multiple times on the same day, giving the bad actor broad access across Clorox’s internal networks, after which they were able to cause large-scale damage and disruptions to Clorox’s business. In addition, Clorox alleges that Cognizant mismanaged its response after Clorox discovered that the bad actor had gained access to their systems, which allowed them to cause further damage.
In the complaint, which has redacted many of the salient details, Clorox states that it entered into an information technology services agreement (ITSA) with Cognizant in 2013. In addition, Clorox states that it provided updated policies and procedures to Cognizant regarding how Cognizant’s service desk employees should respond to credential reset requests from Clorox employees in February 2023. Cognizant acknowledged and indicated to Clorox that the policies and procedures had been implemented.
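The failure the complaint describes is a service desk acting on a credential reset request without verifying the requester, and doing so repeatedly on the same day. The following is an added illustration, not code from the complaint or from either company, of how a help desk's ticketing workflow can gate such requests: it refuses anything that has not passed an out-of-band identity check and escalates repeated resets for the same account within a 24-hour window to the security team. The class and function names, the "verified" flag, and the sample requests are all constructed for this example.

```python
"""Help-desk credential reset gate with same-day repeat detection.

Added illustration, not code from Clorox, Cognizant or the complaint.
It assumes a hypothetical ticketing system that records each reset
request; all names and sample data below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class ResetRequest:
    account: str           # account whose credentials the caller wants reset
    channel: str           # e.g. "phone", "chat" (constructed labels)
    requested_at: datetime
    verified: bool         # True only if an out-of-band check passed
                           # (callback to the number on file, manager
                           # approval or an MFA prompt), never the caller's
                           # own say-so


class ResetGate:
    """Decide whether a service-desk agent may act on a reset request."""

    def __init__(self, repeat_window: timedelta = timedelta(hours=24),
                 repeat_threshold: int = 2):
        self.repeat_window = repeat_window
        self.repeat_threshold = repeat_threshold
        # account -> timestamps of every request seen, allowed or not
        self._history: dict[str, list[datetime]] = defaultdict(list)

    def decide(self, req: ResetRequest) -> tuple[str, list[str]]:
        """Return ("deny" | "escalate" | "allow", reasons)."""
        reasons: list[str] = []
        since = req.requested_at - self.repeat_window
        recent = [t for t in self._history[req.account] if t >= since]
        # Record the attempt before deciding, so a denied call still counts
        # toward the repeat pattern on the next call about the same account.
        self._history[req.account].append(req.requested_at)
        attempts = len(recent) + 1

        # Rule 1: the requester's identity must have been verified out of band.
        if not req.verified:
            reasons.append("requester_not_verified")
            return "deny", reasons

        # Rule 2: repeated resets for one account inside the window are
        # handed to security rather than processed by the agent.
        if attempts >= self.repeat_threshold:
            reasons.append(f"repeat_reset_{attempts}_in_window")
            return "escalate", reasons

        return "allow", reasons


def review_day(requests: list[ResetRequest]) -> dict[str, list[tuple[str, str]]]:
    """Run a day's requests through a fresh gate; group decisions by account."""
    gate = ResetGate()
    out: dict[str, list[tuple[str, str]]] = defaultdict(list)
    for req in sorted(requests, key=lambda r: r.requested_at):
        decision, reasons = gate.decide(req)
        out[req.account].append((decision, ",".join(reasons)))
    return dict(out)


# Constructed sample: three calls about one account on a single day,
# the first of them unverified, plus one ordinary verified request.
SAMPLE_DAY = [
    ResetRequest("svc-admin", "phone", datetime(2024, 1, 15, 9, 2), verified=False),
    ResetRequest("svc-admin", "phone", datetime(2024, 1, 15, 9, 40), verified=True),
    ResetRequest("svc-admin", "phone", datetime(2024, 1, 15, 11, 15), verified=True),
    ResetRequest("jdoe", "chat", datetime(2024, 1, 15, 14, 0), verified=True),
]

if __name__ == "__main__":
    for account, decisions in review_day(SAMPLE_DAY).items():
        print(account, decisions)
```

The design choice worth noting is that a denied request is still written to the account's history: the second call about "svc-admin" is verified, but because an unverified attempt preceded it within the window it is escalated rather than allowed, which is the point at which a security team, not a help-desk agent, should be looking at the account.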
Lessons to learn
The Clorox case highlights at least the following significant considerations in technology outsourcing agreements: these agreements’ long duration, the level of operational details that are included and what happens when things go wrong.
Long-term relationship risks — In the Clorox case, the ITSA was originally entered into in 2013 — 10 years before the attack in 2023. In 10 years, a lot of change will occur: The technology requirements are likely to have completely changed, large portions of the personnel involved will have changed and even our understanding of certain terms will have evolved — especially technical terms.
This change necessitates that the technical and legal teams agree that the ITSA satisfies the current technical and security requirements but also leaves room for changes to be made over time. Regardless of which side of the agreement a party is on, the technical team needs to work with the legal team to identify what types of changes are likely to be made over time and to ensure that the words in the agreement match the operational procedures for implementing those changes.
In addition, while everyone involved in the original agreement process can have a clear understanding of the agreement and a good relationship with the personnel on the other side of the agreement, new personnel entering the picture will not have the benefit of the negotiation process and may not establish good relations with existing personnel. As such, the wording needs to be as clear as possible to both technical and nontechnical people and must clearly lay out each party’s responsibilities. Relying on one’s own technical knowledge or personal relationships to decide that the wording is good enough often proves insufficient when issues arise.
Further, the meaning of words, especially technical words, changes over time. A particularly topical example is “artificial intelligence.” Even now, experts struggle to clearly define what is and is not considered artificial intelligence, and there is a huge gray area between large language models (LLMs) and basic algorithms. Looking at the Clorox case, LLMs had not even been invented in 2013, and yet by 2023, ChatGPT had taken the world by storm.
Finally, the long duration of these agreements highlights the importance of getting it right at the start. Often, agreements are valued by the amount of money being exchanged in the initial term. However, these agreements are often renewed many times over, so their value should be viewed as a multiple of the initial term’s value.
Looking at this from a different perspective, companies often hesitate to devote legal and technical resources to reviewing agreements that appear to have low immediate value. A more effective framework for evaluating when such resources are warranted should consider: the total anticipated duration of the agreement; the overall cost across that period; and the potential legal, technical and reputational risks it may present over time. By applying this multifactor approach, organizations can more effectively allocate review resources in a way that reflects the true, risk-adjusted importance of each agreement.
What operational details to include — It is easy to agree to the words present in an agreement; however, it is much harder to actually do what the agreement says a party will do. This issue is where the language barrier between technical and legal teams is most exposed and where the need for clear communication between the two teams is greatest. Because the terms in agreements are in a legal language that incorporates technical terms, the legal team needs to be able to communicate to the technical team what is being required of them. Conversely, the technical team needs to be able to communicate back to legal what the technical team can do or what procedures are and are not currently in place.
This issue most commonly arises in portions of the agreement that blend technical and legal responsibilities, such as requirements relating to auditing, procedures for making changes to the agreement and data rights. While it is often uncomfortable for technical leaders both in terms of time commitment and performing nontechnical tasks like contract clause review, it is critical for technical leaders to familiarize themselves with these agreements to ensure that they are accurate and do not create an avenue for unexpected burdens down the road.
When analyzing the Clorox case, the allegations in the complaint seem to indicate that Clorox and Cognizant did have an operational framework to establish new procedures provided by Clorox to Cognizant. However, from an outsider’s perspective, questions remain about whether Cognizant had internal procedures in place to properly implement the procedures provided by Clorox, whether Clorox had internal procedures in place to ensure that its requested changes were actually implemented, and whether other personnel in each of the organizations who should have known about the requested changes actually knew of them.
Liability burden — Almost every agreement has a clause about the limitation of liability. In addition, this clause usually has different caps of liability for different issues. Traditionally, only the legal team performs a review of this clause. However, how the caps are applied can be based on the technical portions of the agreement. In the Clorox case, Clorox is alleging $380 million in damages based on allegations of security failings both before and after the breach occurred.
As can be seen, educating the legal team on where the failings can occur, how they occur and the potential damages that can be incurred can significantly alter the risk profile of the agreement. Properly educating the legal team on these issues equips them to make informed, risk-based decisions.
Insights for the road ahead
Security leaders must move beyond simply understanding these risks to effectively communicating their business impact to legal teams. The Clorox case provides a compelling example that legal teams can easily grasp: an allegation of a basic security failure at the service desk level resulting in $380 million in claimed damages.
Security leaders should use cases like this to demonstrate how seemingly minor technical oversights can create major legal exposure, ensuring they have a seat at the table during contract negotiations and ongoing vendor management discussions.
About the Author

Marcus Burnside
Senior Associate
Marcus Burnside, a Certified Information Privacy Professional (CIPP/US) and Artificial Intelligence Governance Professional (AIGP), is a senior associate at law firm Chamberlain Hrdlicka who assists both foreign and domestic clients with intellectual property matters. He can be reached at [email protected].