BreachExchange mailing list archives
The Crooked Path to Determining Liability in Data Breach Cases
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 16 Mar 2015 19:08:05 -0600
http://www.wired.com/2015/03/crooked-path-determining-liability-data-breach-cases/

From the high-stakes international intrigue and political espionage of Stuxnet to the Sony hack of late 2014, which was first tentatively credited to pranksters and later conceded to North Korean hackers, the past few years have showcased pretty much every existing version and underlying motive of cyber-attack, from outright warfare to hacktivist vandalism, all over the news headlines. The tech blogging community, always rife with takes, is speculating that cyberterrorism will become the new norm, or projecting that over the next century international conflict will be best defined by state-sponsored cyber warfare, while at the same time (and this may just be a rhetorical safety default that lends itself to more blog content down the road) admitting that the advanced threat landscape is, and shall remain, predictably unpredictable. That is, except for the surefire prediction that more breaches will occur, and at increasing frequency. I'm right there in all three of those camps, not forgetting what I said about default safety. Meanwhile, consumers and citizens in hotbed-of-political-intrigue-type nation states like the U.S. linger in what sometimes feels more like a refugee camp, wondering about the general stakes in all this. The assumption that at least some minimum level of legal responsibility should be borne by the commercial entities with whom the public voluntarily shares things like personal contact information, credit card numbers, and email addresses, in the event those entities fall victim to another predictably unpredictable cyber attack, seems perfectly reasonable. But the exact location of that threshold scarcely makes its way into mass media coverage.
In most of the man-bites-doggish coverage, it's typically political intrigue, system downtime, lost corporate revenue, and celebrity gossip mixed into the whole archetypal hero-villain interplay at center stage of the class action lawsuits that usually result from data breach cases. Other, more ordinary, dog-bites-man-man-sues-dog-owner type news reports may focus on the aftermath of contested class action lawsuits, civil proceedings, and, perhaps in rare cases, questions of criminal negligence. But those tend to find far less media traction and fall woefully short of informing the public about prevailing legal recourse; instead, at least for some of us, they rummage back into the annals of a bygone undergrad survey of law and social change, or special topics lit class, to retrieve echoes of the Kafka parable "Before the Law." Before the law sits a gatekeeper, so the parable goes. And in this case maybe its name is education, or media, or the initiatives of the powerful in a trickle-down political ecosystem. Since I've drawn an admittedly cliché Kafka comparison, we can call it whatever we want. That is the real beauty of invoking Kafka, after all: indeterminacy, so that must be the subject. Stay with me now as we work our way toward a conversation about the law, cybercrime, and cybercrime education, and why that should include education about cybercrime law.

THE INDETERMINATE HISTORY OF CYBERCRIME LAW

Back in 2010, the Obama administration initiated a top-to-bottom assessment of federal cyber security policies. The findings were published in a report titled "Cyberspace Policy Review," and those sparked the creation of a federal cybersecurity office. Since then, federal cybersecurity policy initiatives have been directed by a series of documents, also created as a result of the Cyberspace Policy Review.
Among those is the National Initiative for Cybersecurity Education (NICE) which, apart from determining how to support coordination and tactical operation plans, also reflects the White House's larger agenda for across-the-board cybersecurity education. The document describes cybersecurity as "much more than technological solutions to technical problems; it is also highly dependent on educated users who are aware of and routinely employ sound practices when dealing with cyberspace." Now, more than four years later, some questions remain. For one, have federal cybersecurity education initiatives become widespread, standardized, and effective enough to have negated, or at least dulled, imminent threats of cybercrime? Not exactly. A decade ago, in 2005, the U.S. Bureau of Justice Statistics released its first ever report on cybercrime attacks against businesses. Of the 7,818 businesses that participated in the study, 67 percent detected at least one incident of cybercrime that year. More than 80 percent of victimized businesses detected multiple incidents. Half of victimized businesses detected 10 or more incidents, while nearly 70 percent of cyber theft victims sustained losses of $10,000 or more. And cyber theft was just one cybercrime category; one third of the victims of other types of cybercrime also suffered losses greater than $10,000. In total, cybercrime cost the businesses that participated in the study $867 million. And according to the U.S. Department of Justice, the majority of businesses "did not report cybercrime attacks to law enforcement." Then in 2013, the Ponemon Institute conducted a cybersecurity study of 60 companies. That study concluded that those 60 companies experienced an average of two successful attacks per week, in excess of 100 attacks annually, with an average annualized cost of $11.6 million per company. One distinct point made by that study was that smaller businesses tend to experience far greater per capita losses.
Particular differences in the research models between those studies notwithstanding, the two reports generally establish that, in spite of widespread federal initiatives to allocate resources, implement tactical planning, and educate business entities that operate in cyberspace to "routinely employ sound practices when dealing with cyberspace," cybercrime has become more widespread and more costly. Statistics on cybercrime are far from an indeterminate Kafka parable. What is a little Kafkaesque is that most of the reports focus on losses to business, and on how educating the public in best practices will help stem those losses, while legislation that protects the public from negligent business practices, and education that informs the public about legal recourse in the event they're victimized, is scarcely mentioned. So far, regulation of legal recourse for individuals damaged in cyberattacks is left up to the powers and interests of the states. So yes, more needs to be done in the way of education, but not just the type of education initiative that protects business from public ignorance. The NICE language about "educated users who are aware of and routinely employ sound practices" is not a bad thing; it is just focused on only one front. It invokes the personal responsibility of users by looking to make basic cybersecurity best practices common knowledge, which will certainly help in the long term. But what happens when people like Sony employees, who didn't click malicious links or set weak passwords, have their personal data fall into abusive hands because of company negligence? Employees' lack of security education was not the dime the Sony data breach turned on.
And yes, Sony, as an entity, probably suffered more net damage from its failure to establish better advanced threat defense than any single employee stands to lose even if their identity is stolen. Does that make the legal process available to those employees less worthy of becoming common knowledge? The people pushing for an equal measure of federal legislation and/or enforcement to set an across-the-board legal standard protecting individual rights say best practices should go both ways.

THE LINE WHERE THE GATEKEEPER STANDS

The Personal Data Protection and Breach Accountability Act of 2014. Just over a year ago, in the wake of the Target and Neiman Marcus attacks, Senator Richard Blumenthal (D-Conn.) introduced the Personal Data Protection and Breach Accountability Act of 2014. The bill was not enacted, and was reintroduced several times throughout 2014. The data protection bill, which will probably be enacted in some version eventually, would provide severe civil and criminal penalties for concealing a security breach that puts an individual's personally identifiable information at risk. The act would apply to government agencies and interstate businesses, with exemptions for financial institutions subject to the Gramm-Leach-Bliley Act and businesses bound by the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Service providers that act as intermediary agents in transmitting, routing, and storing data would also be exempted.

Congress responds to security breaches. The large-scale data breaches at Target, Neiman Marcus, Home Depot, and Chase prompted the federal government to take action and propose severe penalties for companies that fail to properly report breaches. Public pressure has added fuel to the fire, and numerous bills have been introduced in an attempt to answer the data security issue. The change in tack now includes criminal penalties for those who knowingly fail to report a security breach.
The Personal Data Protection and Breach Accountability Act of 2014 includes fines and possible jail time of up to five years for serious infractions. In 2013 alone, there were nearly 600 data breaches that affected consumers.

Increased accountability for businesses. Under the proposed legislation, companies that want to avoid charges would have to notify individuals in the event of a security breach. The bill applies to any company that maintains personally identifiable information on 10,000 or more United States citizens. It grants the Attorney General the power to bring civil actions or request injunctive relief against any business that violates the statute. Additionally, individuals affected by a breach could bring a civil action against a company to recover for personal injuries, including emotional distress, brought on by the breach.

Requirements for businesses. The act requires any agency or interstate business that uses personally identifiable information about U.S. citizens to maintain procedures designed to alert affected individuals without delay. Law enforcement agencies may block notifications if alerting the affected individuals would interfere with an ongoing criminal investigation or intelligence activity. There are two ways to avoid the need for a notification: if the business is contacted by the U.S. Secret Service or the FBI and asked to withhold notifications, or if the company works with the FTC to conduct a risk assessment. In the latter case, the FTC may grant an exemption and not require the business to go forward with notifications. If notifications are mandated, businesses can send written notice to the last known mailing address or email address. However, electronic notification is only allowed if more than 5,000 individuals are involved.

Remedies required of businesses.
In the event of a breach, companies would be required to provide two years of a credit monitoring service, compensation for any damages, and a security freeze on the consumer's credit report. Because of the potential cost of compensating customers, it has become more important than ever to have a qualified and alert IT administrative staff. Since the act only requires one person to be affected by the security breach, this should be a wake-up call to companies that no security breach is acceptable.

Limits on information. The bill is clearly designed to prevent businesses from mining information from consumers. If a company doesn't take the proper precautions to encrypt or obscure customer information, the federal government is going to be intent on pursuing restitution from the company. The measure puts limits on the type of information that a company can collect in the first place. Additionally, strict timelines require that companies purge information after a certain amount of time. This could put companies that engage in quasi-financial operations, such as companies that act solely as merchant processors, at risk of losing valuable information on specific individuals. For example, a merchant processor like PayPal is not a financial institution, so it may be required to purge information from inactive users after a certain period of time.

Sensitive personally identifiable information. The act clearly lays out what is considered sensitive personally identifiable information, so it makes sense for companies to collect only the bare information needed to provide services to customers. The first and last name, or first initial and last name, along with a home address, telephone number, mother's maiden name, or the month, day, and year of birth are considered identifiable information.
So are full Social Security numbers, driver's license numbers, passport numbers, alien registration numbers, or other government-assigned identification numbers, as well as information about an individual's geographic location, biometric data, and a long list of other factors that could potentially identify an individual. Internet technology, as a public utility (God willing), is the primary driving vehicle of commerce, but that shouldn't make it a free ride for businesses. Because the primacy of IT continues to grow, IT security has never been a more pressing issue. Moving forward, companies will come to understand that they must establish advanced threat defenses for their networks and strict protocols for collecting and storing customer information. Either that, or suffer the consequences. Ultimately, it would be up to the business to safeguard and protect consumer information. In civil lawsuits filed by former employees against Sony, the media giant is arguing that data theft isn't a harm in and of itself, and so the persistent threat now facing employees whose personal information was compromised warrants no penalty. Public eyes are more focused on ISIS and Ebola because that's what they've been educated to focus on. Senator Blumenthal's bill hasn't yet found enough support to even make it to a vote. And in the Kafka parable, the protagonist dies of old age at the gatekeeper's feet before figuring out what to do. What will we do?
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/