Customers of Kesaya, an IT security software provider, are responding to a massive ransomware attack launched at Kesaya users over the July 4 holiday weekend.
Kesaya announced that it was investigating reports of a ransomware attack on its customers on July 2, as the holiday weekend was getting started. In a series of updates over the next few days, Kesaya kept its customers apprised of its investigation and its work to prepare a security patch. Kesaya had planned to distribute its security patch on July 6, but later that day announced that the release was being delayed indefinitely.
Kesaya’s customers, not surprisingly, are reviewing their agreements. Depending on their circumstances, some customers may be looking for refunds and others may be looking to terminate long-term agreements that require ongoing payments. According to the New York Times, the Kesaya exploit has affected “hundreds” of businesses. As a result, the software company is likely to face a great number of customer demands for relief.
Kesaya’s published End User License Agreement purports to bind the customer to a minimum license term of three years. The EULA does not permit the customer to terminate the deal early if the Kesaya software fails or even if Kesaya breaches the contract. Terms like these are likely to produce controversy in the coming weeks.
Attorneys at Taylor English Duma are working with clients who use the Kesaya software with strategies to respond to the ransomware attack.