Sometimes the Enemy is in the House: Don't Let an Outside Vendor Control Vital Systems
Confronted with an IT vendor refusing to return passwords and data, our oil and gas producer-client had two untenable choices: shut down all operations, or continue a fragile balance of blind operations and hope that a catastrophic environmental disaster or serious injury to employees or residents would not result.
We succeeded in quickly shutting down the threat through swift maneuvering in a fast-paced litigation fight.
BACKGROUND ON THE BREACH
Our client, a company that provides oil and gas collection and installation services, hired a third-party vendor to handle specialized information technology needs and perform system-wide upgrades. Once fully immersed in the company’s operations, the vendor, without authorization, entered the computer system and created passwords that prevented internal staff from accessing platforms needed to control the operations. The vendor also disabled alarms on protected systems that served to regulate the pressure of oil and gas collection units. After refusing to comply with repeated requests to disclose the passwords, the vendor informed company representatives that they would need to pay him in order to gain access to the systems.
LITIGATION AND THE RESULTS
We filed a motion in federal court seeking a preliminary injunction to compel the vendor to provide all passwords and files connected with the company and to prevent him from accessing, altering or deleting information from the company’s computers, servers, and other IT equipment. The motion cited violations of various federal and California laws, including the Computer Fraud and Abuse Act, the California Computer Data Access and Fraud Act, and California Unfair Competition Law.
The vendor-defendant argued that he would suffer irreparable harm if forced to reveal passwords to the code. He contended the code was proprietary material protected by copyright laws. The federal judge agreed with Nossaman and ruled in our client’s favor, requiring the vendor to immediately comply with the preliminary injunction. Following failed last-minute efforts by the vendor to delay or amend the court order, our client received the demanded passwords and other access control information for its computers and systems.