
Margaret Dale is a seasoned trial lawyer and first-chair litigator handling complex business disputes across a wide variety of industries and sectors, including consumer products, media and entertainment, financial services, telecommunications and technology, and higher education. A former vice-chair of the Litigation Department, she has been recognized since 2017 in Benchmark Litigation's Top 250 Women in Litigation.

Margaret’s practice covers the spectrum of complex commercial disputes, including matters involving contracts, bankruptcy and insolvency, securities, corporate governance, asset management, M&A, intellectual property, and privacy and data security.

Margaret regularly counsels clients before litigation commences to assess risk, develop strategies to minimize or avoid disputes, and resolve matters outside of the courtroom.

Margaret is a frequent writer, including authoring the chapter titled “Privileges” in the treatise Commercial Litigation in New York State Courts (Haig, 5th ed.), the chapter titled “Data Breach Litigation” in PLI’s Proskauer on Privacy, and the chapter titled “Perfecting the Appeal” in PLI’s Principles of Appellate Litigation. She also serves as the lead editor of Proskauer’s blog on commercial litigation, Minding Your Business Litigation. For over 10 years, Margaret co-authored a regular column on corporate and securities law in the New York Law Journal.

Margaret maintains an active pro bono practice advocating on issues relating to reproductive rights, women, children, and veterans. She serves on the Board of Directors of CFR (Center for Family Representation), VLA (Volunteer Lawyers for the Arts), and the City Bar Fund.

As reported last week, it appears that a state-sponsored security hack has resulted in a major security compromise in widely used software offered by a company called SolarWinds. The compromised software, known as Orion, is enterprise network management software that helps organizations manage their networks, servers and networked devices. The software is widely used by both public and private sector organizations.

The exposure, in the form of “spyware” inserted into one or more updates to Orion, is significant. According to an alert issued by the Cybersecurity and Infrastructure Security Agency (“CISA”), it is common for network administrators to configure Orion with pervasive privileges, which would allow it to bypass firewalls and other security measures, thus making it an attractive target for hackers. CISA categorized the SolarWinds attack as presenting a “grave risk” to government agencies and private entities.

The attack had been ongoing and undetected since perhaps March 2020 (or earlier, and it was certainly planned out for years). SolarWinds’s SEC filings last week estimated that about 18,000 of its customers may have downloaded the malware-laden software update for Orion. However, the number of organizations impacted may be even higher. Orion may be part of a larger infrastructure implementation or managed service provided by third-party service providers. As a result, even entities that do not have a direct relationship with SolarWinds may need to investigate potential impacts.

It is important to note, however, that even though a business may have the malicious code integrated into its network, it may not yet have suffered an actual breach or intrusion. “Luckily,” this actor seems to have taken great pains to remain concealed, and as a result, it appears that the perpetrators had not yet had an opportunity to use their access to invade every potentially impacted network.

While we are far from learning all of the various ways in which this backdoor was exploited, early anecdotal evidence suggests that these attackers were very interested in pivoting into other systems, including cloud-based systems, such as Office 365, that may not have any direct connection to a SolarWinds installation. While the disabling of the so-called Orion “Sunburst backdoor” and the confiscation of the original domain name that was receiving communications from the attacker should stop further data loss from the initial entry point, it will not stop further incidents if the attacker has already established persistent access within the network. Thus, it is important to note that merely because an affected organization has closed the initial vulnerability, it should not declare the incident contained too quickly, as the hackers may have surreptitiously achieved persistent access beyond the Orion entry point.

Two sobering consequences follow from this recognition. First, if an organization determines that it installed the corrupted version of Orion, its investigation may need to be very broad in nature. Second, organizations may need to consider whether previous breaches that were resolved this year might, in fact, have had something to do with this issue, which was undiscovered at the time of detection. Accordingly, it may be necessary to revisit prior incidents thought long resolved.