BreachExchange mailing list archives

The Crooked Path to Determining Liability in Data Breach Cases


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 16 Mar 2015 19:08:05 -0600

http://www.wired.com/2015/03/crooked-path-determining-liability-data-breach-cases/

FROM THE HIGH-STAKES international intrigue and political espionage of
Stuxnet, to the Sony hack of late 2014, which was first tentatively
credited to pranksters and later conceded to North Korean hackers, the
past few years have showcased pretty much every existing version, and
underlying motive, of cyber-attack — from outright warfare to hacktivist
vandalism — all over the news headlines.

The tech blogging community, always rife with takes, is speculating that
cyberterrorism will become the new norm, or projecting that over the next
century international conflict will be best defined by state-sponsored
cyber warfare, while at the same time — and this may just be a rhetorical
safety default that lends itself to more blog content down the road —
admitting that the advanced threat landscape is, and shall remain,
predictably unpredictable. That is, except for the surefire prediction that
more breaches will likely occur, and at increasing rates of frequency.

I’m right there in all three of those camps, not forgetting what I said
about default safety.

Meanwhile, consumers and citizens in hotbed-of-political-intrigue-type
nation states, like the U.S., linger in what sometimes feels more like a
refugee camp, wondering about the general stakes in all this. The
assumption of at least some minimum level of legal responsibility that
should be borne by commercial agencies with whom the public voluntarily
shares things like personal contact information, credit card numbers, and
email addresses, in the event those agencies fall victim to another
predictably unpredictable cyber attack, seems perfectly reasonable. But the
exact location of that threshold scarcely makes its way into mass media
coverage.

In most of the man-bites-doggish coverage, it’s typically political
intrigue, system downtimes, lost corporate revenues, and celebrity gossip
mixed into the whole archetypal hero–villain interplay at center stage of
the class action lawsuits that usually result from data breach cases.

Other, more ordinary, dog-bites-man-man-sues-dog-owner type news reports may
focus on the aftermath of contested class action lawsuits, civil
proceedings, and perhaps, in rare cases, questions of criminal negligence.
But those types tend to find far less media traction, and fall woefully
short of informing the public about prevailing legal recourse, and instead
— at least for some of us — rummage back into the annals of a bygone
undergrad survey of law and social change, or a special topics lit class, to
retrieve echoes of the Kafka parable, “Before the Law.”

Before the law sits a gatekeeper … so the parable goes.

And in this case maybe its name is education, or media, or the initiatives
of the powerful in a trickle-down political ecosystem. Since I’ve drawn an
admittedly cliché Kafka comparison, we can call it whatever we want. That
is the real beauty of invoking Kafka after all: indeterminacy, so that must
be the subject.

Stay with me now as we work our way toward a conversation about the law,
cybercrime, and cybercrime education, and why that should include education
about cybercrime law.

THE INDETERMINATE HISTORY OF CYBERCRIME LAW

Back in 2010, the Obama administration initiated a top-to-bottom assessment
of federal cyber security policies. The findings were published in a report
titled “Cyberspace Policy Review,” and those sparked the creation of a
federal cybersecurity office. Since then, federal cybersecurity policy
initiatives have been directed by a series of documents, also created as a
result of the Cyberspace Policy Review. Among those is the National
Initiative for Cybersecurity Education (NICE) which, apart from determining
how to support coordination and tactical operation plans, also reflects the
White House’s larger agenda for across-the-board cybersecurity education.
The document describes cybersecurity as “much more than technological
solutions to technical problems; it is also highly dependent on educated
users who are aware of and routinely employ sound practices when dealing
with cyberspace.”

Now, more than four years later, some questions remain. For one, have
federal cybersecurity education initiatives become widespread,
standardized, and effective enough to have negated, or at least dulled,
imminent threats of cybercrime? Not exactly.

A decade ago, in 2005, the U.S. Bureau of Justice released its first ever
report on cybercrime attacks against businesses. Of the 7,818 businesses
that participated in the study, 67 percent detected at least one incident
of cybercrime that year. Greater than 80 percent of victimized businesses
detected multiple incidents. Half of victimized businesses detected 10 or
more incidents, while nearly 70 percent of cyber theft victims sustained
losses of $10,000 or more. And cyber theft was just one cybercrime
category. One-third of victims of other types of cybercrime also suffered
losses greater than $10,000. In total, cybercrimes cost the businesses
that participated in the study $867 million. And according to the U.S.
Department of Justice, the majority of businesses “did not report
cybercrime attacks to law enforcement.”

Then in 2013, Ponemon Institute conducted a cybersecurity study of 60
companies. That study concluded that those 60 companies experienced an
average of two successful attacks per week — in excess of 100 attacks
annually — with an average annualized cost for those 60 businesses of
$11.6 million. One distinct point made by that study was that smaller
businesses tend to experience far greater per capita losses.

Particular differences in the research models between those studies
notwithstanding, the two reports generally establish that, in spite of
widespread federal initiatives to allocate resources, implement tactical
planning, and educate business entities that operate in cyberspace to
“routinely employ sound practices when dealing with cyberspace,” cybercrime
has become more widespread, and more costly.

Statistics on cybercrime are far from being an indeterminate Kafka parable.
What is a little Kafkaesque is the fact that most of the reports focus on
losses to business, and on how educating the public in best practices will
help stem those losses, while legislation that protects the public from
negligent business practices, and education that informs the public about
legal recourse in the event they’re victimized, are scarcely mentioned. So
far, regulation of legal recourse for individuals damaged in cyberattacks
is left up to the powers and interests of states.

So yes, more needs to be done in the way of education, but not just the
type of education initiatives that protect business from public ignorance.
The NICE report describes the issue of cybersecurity as “much more than
technological solutions to technical problems; it is also highly dependent
on educated users who are aware of and routinely employ sound practices
when dealing with cyberspace.” Not that it isn’t a good thing; it’s just
focused on only one front. The language of NICE invokes the personal
responsibility of users by looking to make basic cybersecurity best
practices common knowledge, which will certainly help in the long term. But
what happens when people like Sony employees, who didn’t click malicious
links or set weak passwords, have their personal data fall into abusive
hands because of company negligence? Employees’ lack of security education
was not the dime the Sony data breach turned on. And yes, Sony, as an
entity, probably suffered more net damages from its failure to establish
better advanced threat defense than any single employee stands to lose even
if they have their identity stolen. Does that make the legal process that
is available to them less worthy of becoming common knowledge?

The people pushing for an equal measure of federal legislation and/or
execution to set across-the-board legal standards to protect individual
rights say best practices should go both ways.

THE LINE WHERE THE GATEKEEPER STANDS

The Personal Data Protection and Breach Accountability Act of 2014. Just
over a year ago, in the wake of the Target and Neiman Marcus attacks,
Senator Richard Blumenthal (D-Conn.) introduced the Personal Data Protection
and Breach Accountability Act of 2014. The bill was not enacted, and was
reintroduced several times throughout 2014. The data protection bill, which
will probably be enacted in some version eventually, would provide severe
civil and criminal penalties for concealing a security breach that puts an
individual’s personally identifiable information at risk. The act applies
to government agencies and interstate businesses, with the exemption of
financial institutions subject to the Gramm-Leach-Bliley Act and businesses
bound by the Health Insurance Portability and Accountability Act of 1996
(HIPAA). Service providers that act as intermediary agents in transmitting,
routing, and storing data are also exempted.

Congress responds to security breaches. The large-scale data breaches at
Target, Neiman Marcus, Home Depot and Chase prompted the federal government
to take action and impose severe penalties for companies that fail to
properly report breaches. Public pressure has added fuel to the fire and
numerous bills have been introduced in an attempt to answer the data
security issue. The change in tack now includes criminal penalties for
those who knowingly fail to report a security breach. The Personal Data
Protection and Breach Accountability Act of 2014 includes fines and
possibly jail time of up to five years for serious infractions.

In 2013 alone, there were nearly 600 data breaches that affected consumers.

Increased accountability for businesses. Under the new legislation,
companies that want to avoid charges must now notify individuals in the
event of a security breach. The new law applies to any company that
maintains personally identifiable information on 10,000 or more United
States citizens. The act grants the Attorney General powers to bring civil
actions or request injunctive relief against any businesses that violate
any of the legislated statutes. Additionally, individuals affected by a
breach can bring a civil action against a company to recover personal
injuries, including emotional distress, brought on by the breach.

Requirements for businesses. The act requires any agency or interstate
business that uses personally identifiable information about U.S. citizens
to maintain procedures designed to alert individuals without delay. Law
enforcement agencies may block notifications if alerting the affected
individual would get in the way of an ongoing criminal investigation or
intelligence activity. There are two ways to avoid the need for a
notification.

First, if the business is contacted by the U.S. Secret Service or FBI and
is asked to withhold notifications; second, if the company works with the
FTC to conduct a risk assessment. In the latter case, the FTC may provide an
exemption and not require the business to go forward with notifications. If
notifications are mandated, businesses can do so by sending written notice
to the last known mailing address or email address. However, electronic
notification is only allowed if more than 5,000 individuals are involved.

Remedies required of businesses. In the event of a breach, companies are
required to provide two years of a credit monitoring service, compensation
for any damages, and a security freeze on the consumer’s credit report.
Because of the potential cost of compensating customers, it has become more
important than ever to have a qualified and alert IT administrative staff.
Since the act only requires one person to be affected by the security
breach, this should be a wake-up call to companies that no security breach
is acceptable.

Limits on information. The bill is clearly designed to prevent businesses
from mining information from consumers. It’s clear that if a company
doesn’t take the proper precautions to encrypt or obscure customer
information, the federal government is going to be intent on pursuing
restitution from the company. The measure puts limits on the type of
information that a company can collect in the first place. Additionally,
strict timelines require that companies purge information after a certain
amount of time. This could put companies that engage in quasi-financial
operations, such as companies that act solely as merchant processors, at
risk of losing valuable information on specific individuals. For example,
a merchant processor like PayPal is not a financial institution, so it may
be required to purge information from inactive users after a certain period
of time.

Sensitive personally identifiable information. The act clearly lays out
what is considered sensitive personally identifiable information. It makes
sense for companies to only collect the bare information needed to provide
services to customers. The first and last name, or first initial and last
name, along with a home address, telephone number, mother’s maiden name, or
the month, day, and year of birth are considered identifiable information.
So are full social security numbers, driver’s license numbers, passport
numbers, alien registration numbers, and other government-assigned
identification numbers, along with information about an individual’s
geographic location, biometric data, and a long list of other factors that
could potentially identify an individual.

Internet technology, as a public utility — God willing — is the primary
driving vehicle of commerce, but that shouldn’t make it a free ride for
businesses. Because the primacy of IT continues to grow, IT security has
never been a more pressing issue. Moving forward, companies will come to
understand that they must establish advanced threat defenses for their
networks, and establish strict protocols for collecting and storing
customer information. Either that, or suffer consequences. Ultimately, it
would be up to the business to safeguard and protect consumer information.

In civil lawsuits filed by former employees against Sony, the media giant
is arguing that data theft isn’t a harm in and of itself, and so the
persistent threat now facing employees whose personal information was
compromised warrants no penalty. Public eyes are more focused on ISIS and
Ebola because that’s what they’ve been educated to focus on. Senator
Blumenthal’s bill hasn’t yet found enough support to even make it to a
vote. And in the Kafka parable, the protagonist dies of old age at the
gatekeeper’s feet before figuring out what to do. What will we do?
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 