When I was in the world of EMS, you rarely started a course for the next level of license without a chapter or two on the legal side. They hammered negligence into us — what it takes to lose in court on a negligence lawsuit.
It’s the same thing in IT.
And here’s what you don’t seem to get: when you refuse over and over to patch for a security update or upgrade your SQL Server to a version that’s in support and getting security patches, you are committing negligence.
Not metaphorically. Literally.
You will lose in court.
You could also lose your cyber liability coverage when the carrier flips to page 3 of the fine print and says: “See this clause? This is your responsibility. You failed here, here, here, and here. We’re not covering this claim. Good luck and don’t call us back ever.”
I’ve spoken at conferences, I’ve written blog posts, I’ve done onboarding health checks, heck I even have my team beg clients to upgrade – yet so many folks still plod along on SQL Server 2014 and below (SQL Server 2016 joins the list of “negligent to run versions of SQL Server” next July, by the way….)
So clearly, downtime, bugs, and best practices aren’t what’s going to move you. Fine. Let’s talk about the other thing: liability. When (cliche but NOT IF) you’re breached, if you’re not keeping up with the absolute minimum standard of care, you’re on the hook.
And yes, maybe not you personally (although IT folks and consultants can get named in lawsuits). But your company will be liable. And you will lose when the opposing counsel asks why you were running software that stopped getting security updates before your new hires even graduated high school. And your insurance carrier? They literally won’t even be in court with you — because you gave them an out. And they took it – because they love keeping their profits as much as your shareholders do…
That’s the game insurers play – fancy names like subrogation exist for it. They’ve got teams of people making way more than your upgrade would ever cost you, and their only job is to find reasons not to pay. Negligence is a gift-wrapped reason.
And you know what – YOU ARE BEING NEGLIGENT. You have no excuse. You can’t say in court “well the AI said I would be fine.” You can’t say “well I didn’t realize that this wasn’t getting security updates.” You can’t say “well I didn’t want to upset the apple cart or spend a little bit of money to upgrade this system that holds all of our client, or employee, or partner data…” None of that matters.
All that matters is what we had drilled into us in EMS training – the ingredients of negligence.
You need a handful of ingredients:
- Duty to Act – You have a legal/professional obligation to do something.
- Breach of Duty – You didn’t do it, or you did the wrong thing.
- Harm – Someone got hurt.
- Proximate Cause – Your breach directly caused the harm.
- Damages – The harm was measurable, meaningful, and costly.
That’s it. And it doesn’t take much thinking to imagine all the ways you can lose in a negligence suit in the back of an ambulance as a paramedic with a lot of drugs to choose from making decisions under fire. But this isn’t about the ambulance. It’s about you sitting there in your home office with cotton in your ears, ignoring the waiting crisis in your damn server room….
In IT – you have a Duty to Act – it’s a reasonable set of standards that courts and juries and insurers and contracts and SLAs have all agreed to, implicitly and explicitly. Your “standard of care” – it includes such stupidly basic and simple things as “You will keep your servers patched against known threats and running on the latest supported versions, inside of support contracts and maintenance agreements, and you will do your best to avoid deploying things in an unsafe manner, etc.” You’ll patch your damn servers. I mean, how much simpler does it get? I’ve trained my in-laws to deploy their updates. Everyone on your jury will understand this. PATCH IT. And be on a version where you can.
Just this week, Microsoft released yet another patch for a series of privilege escalation exploits – CVE-2025-49758 – these are scored 8.8 – HIGH – like really high. And they don’t require webform access, etc. – they just require anyone to have any access to a SQL Server and the exploit can work. Microsoft has a duty to act here also – and that duty is that once they learn about an exploit, they have to fix it, test the fix, and balance prudence against the rush to get that fix out. They did their part. We just sent another note to all of our clients saying “hey, it’s time to patch again,” and most are already underway on the patch.
But Microsoft doesn’t have a duty to patch every version of every one of their products they ever made. That’s why they end-of-life and end-of-support their products. SQL Server 2016 and up are all inside of support to some degree – either past mainstream support but still in extended support, or still in mainstream support – so those versions get the patch.
You on SQL Server 2014, 2012, or older? You get nothing. No patch. No fix. No help. And the vulnerabilities are still there. Many of them hit those old versions just as easily.
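If you are not sure which side of that line an instance sits on, this T-SQL check is an added example (not from the original post) that you can run on any instance: it reads the build from SERVERPROPERTY, maps the major version to the product name, and flags whether the instance still receives security fixes. The support column follows the post's own cut-off (2014 and older out of support, 2016 leaving next July); the major-version-to-product mapping is standard SQL Server build numbering.

```sql
-- Added example, not code from the original post.
-- ProductVersion is a four-part build string such as 16.0.4105.2 on every
-- supported and unsupported version, so PARSENAME(..., 4) reliably returns
-- the major version (16 = 2022, 15 = 2019, 14 = 2017, 13 = 2016, 12 = 2014 ...).
DECLARE @version nvarchar(128) = CAST(SERVERPROPERTY('ProductVersion') AS nvarchar(128));
DECLARE @major   int           = CAST(PARSENAME(@version, 4) AS int);

SELECT
    @@SERVERNAME                          AS instance_name,
    @version                              AS product_version,
    SERVERPROPERTY('ProductLevel')        AS service_pack_level,   -- RTM / SPn on pre-2017 builds
    SERVERPROPERTY('ProductUpdateLevel')  AS cumulative_update,    -- e.g. CU20; NULL on builds that lack this property
    CASE @major
        WHEN 16 THEN 'SQL Server 2022'
        WHEN 15 THEN 'SQL Server 2019'
        WHEN 14 THEN 'SQL Server 2017'
        WHEN 13 THEN 'SQL Server 2016'
        WHEN 12 THEN 'SQL Server 2014'
        WHEN 11 THEN 'SQL Server 2012'
        WHEN 10 THEN 'SQL Server 2008 / 2008 R2'
        ELSE        'older or unknown'
    END                                   AS product_name,
    CASE
        WHEN @major >= 14 THEN 'IN SUPPORT: apply the current cumulative update'
        WHEN @major =  13 THEN 'IN SUPPORT until July 2026: plan the upgrade now'
        ELSE                   'OUT OF SUPPORT: no security fixes are coming, upgrade'
    END                                   AS support_status;
```

Run it from a central job against every instance you own and keep the output; a dated inventory showing you knew where each instance stood is exactly the kind of record that matters when someone asks what your standard of care was.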
When your breach happens, it will be public. Your “peers” and “friends” will discuss it at conferences, and laugh about you in reddit threads. And you’ll be sitting there liable, uninsured, and out of excuses. Not to mention out of a job, and your company out of customers and cash…
Duty to act? You had it.
Breach? The moment your SQL Server went out of support.
Harm? Your customers lost data and trust.
Proximate cause? You didn’t patch or upgrade.
Damages? Millions… and you lost the lawsuit, hopefully if you were smart you lost it in a settlement before it even went to court since you don’t have your insurance company lawyers by your side.
And I’m almost at the point, every time I do a health check or have a chat with a client who is hesitant (STILL!) to upgrade, where I want to sell the company, stop consulting, and become a professional expert witness. I’d just make a lot of money by working with well-funded insurance company legal teams, sitting in an air-conditioned court with a generous travel allowance and some nice clothes, explaining how the defendants should have realized they were uncovered. I mean, I probably don’t want to sell the company and do that – I love what I do – but I’m mad as heck here… I’m disappointed in you. And nothing else has gotten through to you. I get it – the PE firm that bought your company only cares about one thing – but you need to get them to think of their bacon, their reputation, and the $$$ they’ll lose in the lawsuit.
So screw it. Don’t upgrade for features, stability, or performance. Clearly, you don’t care about any of that. Do it because otherwise you will lose your job, cost your company a fortune, lose your insurance coverage, and get shredded in court for screwing over your customers….
And it will be public.
And it will be ugly.
And I’ll be there in the corner with popcorn, shaking my head, saying: “I told them so….”