Delta Boeing 737 departing Hartsfield-Jackson Atlanta International Airport. (Courtesy photo)

Delta Air Lines Inc. is taking chatbot developer [24]7.ai Inc. to court over allegations that the vendor’s “substandard” cybersecurity protocols allowed hackers to infiltrate the airliner’s chatbot and access 800,000-plus customers’ information, including payment card information.

Lawyers not connected with the suit said the case highlights the need for companies to pay close attention to liability and cyber insurance language when negotiating vendor contracts.

“What we always tell our clients is that they shouldn’t just gloss over those indemnification provisions, especially the ones that deal with cybersecurity incidents because cybersecurity incidents have become common,” said John Lande, chairman of Iowa-based Dickinson Mackaman Tyler & Hagen’s cybersecurity, data breach and privacy practice group.

However, companies overlook those requirements “because they don’t know with certainty what will happen,” Lande added.

While cyber insurance can’t block a dispute, a vendor can look to its insurance carrier when it’s faced with a damages claim.

“It’s not a means of preventing themselves from being sued,” noted Atlanta-based Nelson Mullins Riley & Scarborough partner Tori Silas. “A customer can move forward if there is a breach, [but] the vendor has insurance in place to make that customer whole.” 

A vendor’s clients should also request to see what will be covered after a cyber incident occurs and request to be added to the vendor’s cyber insurance policy as an insured entity, Silas added.

According to the 26-page complaint filed by Delta in the U.S. District Court for the Southern District of New York, it isn’t clear what cyber insurance or other requirements Delta and [24]7 had.

Although Delta did include excerpts of [24]7’s security overview document, subscription services agreement and General Data Protection Regulation (GDPR) agreement in the complaint, the airliner asserts [24]7 was required to remain compliant with various certifications, including PCI-DSS, and provide immediate breach notification.

Instead, Delta claimed [24]7 was overly lax and didn’t follow its cybersecurity promises. Delta wrote that [24]7 didn’t require employees to use multifactor authentication or limit access to source codes operating Delta’s chatbot feature. Additionally, Delta claimed the chatbot developer learned of the breach in Oct. 12, 2017, but didn’t notify the airliner until March 28, 2018. A request for comment from [24]7 regarding Delta’s allegations was not answered by  press time.

Nelson Mullins partner Silas said the case is unusual because vendors usually insistent on alternative dispute resolution “in lieu of litigation because litigation is so time-consuming and expensive.”

Silas said that Delta’s claim that [24]7 refused to pay for the airliner’s expenses, which included hiring outside consultants to investigate the breach, providing credit monitoring and state data breach notifications, and fending off class action suits in California and Georgia, may be part of the reasons why Delta filed a lawsuit.

Likewise, the airliner’s unusual move to litigate this matter in a courtroom may point to [24]7’s contract not including an ADR requirement or cybersecurity liabilities, Silas said.

“I would think the vendor’s unresponsiveness and delayed communication even in advising Delta of the occurrence of the breach and other factors are likely the reason Delta is pursuing litigation,” she explained.