The Evolution of Legal Risks Pertaining to Patch Management and Vulnerability Management (Duquesne Law Review)

It has been reported that up to 60% of cyber data breaches are caused by unpatched vulnerabilities. Each year, software and hardware vendors release thousands of updates to patch vulnerabilities in their products. Over the past 20 years, the number of disclosed vulnerabilities has generally increased each year. Companies that rely on this software and hardware to run their businesses must sift through the deluge of notifications and determine which patches should be prioritized and quickly implemented in order to prevent a hacker from exploiting an unpatched vulnerability and using it to get inside the company network.

Writing for the Duquesne Law Review, Jones Day partner and former federal prosecutor Jimmy Kitchen notes that while the process of prioritizing and implementing patches is technical and typically not the responsibility of an organization's legal department, unpatched software presents a legal risk for organizations. With the evolution of cybersecurity regulation and litigation, legal liability relating to vulnerability and patch management is no longer theoretical. Because software vendors typically notify their customers about vulnerabilities in their software and the availability of updates, regulators may take the position that companies that use the software are generally on notice of the vulnerabilities. However, as company lawyers may not be sufficiently technically knowledgeable to understand the IT department's approach to vulnerability and patch management, it can be a blind spot for the legal department. Conversely, the IT department may not understand the legal implications of the work they do in this arena.

This article attempts to bridge that gap by describing, in nontechnical terms, the tools generally available and processes implemented for vulnerability management and patch management; identifying some of the evolving security standards that regulators and plaintiffs may rely on to show that companies are legally required to have vulnerability management and patch management; and identifying U.S. legal implications of vulnerability management and patch management.

Insights by Jones Day should not be construed as legal advice on any specific facts or circumstances. The contents are intended for general information purposes only and may not be quoted or referred to in any other publication or proceeding without the prior written consent of the Firm, to be given or withheld at our discretion. To request permission to reprint or reuse any of our Insights, please use our “Contact Us” form, which can be found on our website at This Insight is not intended to create, and neither publication nor receipt of it constitutes, an attorney-client relationship. The views set forth herein are the personal views of the authors and do not necessarily reflect those of the Firm.