Information Security & Anti-Piracy Group: Liability for Unsecured Systems
Marc J. Zwillinger
Sonnenschein Nath & Rosenthal
mzwillinger@sonnenschein.com
Background - Computer Crime & Intellectual Property Section (“CCIPS”), 1997-2000
• CCIPS - part of the Criminal Division of DOJ
• Investigate and prosecute Computer Intrusions & Theft of
Trade Secrets
• Investigate and prosecute Intellectual Property Violations
• Train and advise Law Enforcement Agents & Prosecutors
on obtaining electronic evidence under ECPA
• Approve Economic Espionage Act cases
• Solar Sunrise, Moonlight Maze & Mafiaboy
Information Security Practice, 2000-2003
• Immediate legal response to cyber attacks, including external
penetrations and internal investigations.
• Draft and review information security policies and procedures.
• Respond to criminal and administrative investigations involving
customers and subscribers of client companies.
• Advise clients on laws and regulations governing the storage
and exchange of electronic data over computer networks and
disclosure of electronic data.
• Represent vendors of Network Security Products and
Services.
Agenda
• Information Security Regulations
• Information Security Enforcement Actions
• Potential for Negligence Liability Based on
Security Breaches or Incident Response
Information Security Regulation is Here to Stay
• Sources of U.S. Information Security Regulation
– Health Insurance Portability and Accountability Act of 1996
(Pub. L. No. 104-191, 110 Stat. 1936, “HIPAA”)
– Gramm-Leach-Bliley Financial Services Modernization Act of
1999 (Pub. L. 106-102, “GLBA”)
• Federal agencies must establish standards relating to
administrative, technical and physical information safeguards
• The banking agencies issued their safeguard rules in conjunction
with the privacy rule; those rules took effect July 1, 2001
• The FTC “Safeguards Rule” (covering financial institutions not
supervised by a banking agency) took effect May 23, 2003
FTC Regulations
• Designate an employee or employees to coordinate the
information security program;
• Assess risks in each relevant area of operations, which at a
minimum includes:
– Employee training and management
– Information systems, including information processing,
storage, transmission and disposal
– Detecting, preventing and responding to attacks, intrusions, or
other systems failures;
• Design and implement a written information security program
(safeguards) to control these risks, and regularly test or monitor
the effectiveness of those safeguards;
• Require service providers (by contract) to implement
appropriate safeguards for customer information;
• Adapt the security program in light of the results of testing,
material changes to the business, or other circumstances that
may affect the program.
FTC Safeguards Rule
• The Safeguards Rule requires each financial
institution to “develop, implement, and maintain a
comprehensive information security program that is
written in one or more readily accessible parts and
contains administrative, technical, and physical
safeguards that are appropriate to your size and
complexity, the nature and scope of your activities,
and the sensitivity of any customer information at
issue.” See 16 CFR part 314.
California’s Bright Idea
• Require every person or business that conducts business in
California to disclose a security breach to every California
resident whose unencrypted personal information was acquired,
or is reasonably believed to have been acquired, by an
unauthorized person
• Provide exceptions when:
– Law enforcement determines that immediate notice would
impede a criminal investigation (notice is delayed, not excused)
– The company maintains its own notification procedures as part
of an information security policy and notifies in accordance
with them
Cal. Civ. Code §1798.82(a).
Covered Entities
• All California state agencies, and any person or business that
conducts business in California and that owns or licenses
computerized data.
Covered Conduct
• When unencrypted personal information of a California resident is
believed to have been acquired by an unauthorized person.
Covered Data
• First name or first initial and last name in combination with: (1) social
security number, (2) driver’s license number or California ID card
number, or (3) account number, credit or debit card number, in
combination with any required security code, access code, or
password that would permit access to an individual’s financial account,
when either the name or the data elements are not encrypted.
Cal. Civ. Code §1798.82(a)
Notice Requirements
• Notice shall be made “in the most expedient time possible and
without unreasonable delay, consistent with legitimate needs of
law enforcement . . . or any measure necessary to determine
the scope of the breach and restore the reasonable integrity of
the data system.”
• The law also permits the notification to be delayed if a law
enforcement agency determines that immediate disclosure
would impede an ongoing criminal investigation.
• Customers injured by violations of the statute are authorized to
bring private lawsuits for damages.
Cal. Civ. Code §1798.82
Notice Requirements
• (h) Notwithstanding subdivision (g), a person or
business that maintains its own notification
procedures as part of an information security
policy for the treatment of personal information
and is otherwise consistent with the timing
requirements of this part, shall be deemed to be in
compliance with the notification requirements of
this section if the person or business notifies subject
persons in accordance with its policies in the event of a
breach of security of the system.
FTC Enforcement Actions
• On June 18, 2003, Guess?, Inc. agreed to settle FTC charges that it
exposed consumers' personal information, including credit card
numbers, to commonly known attacks by hackers (the FTC
complaint cited SQL injection against the Guess website, despite
the company's claims that the data was stored in encrypted form).
• According to the FTC press release, the settlement
requires Guess to establish and maintain a
comprehensive information security program that must be
certified by an independent professional within a year, and
every other year thereafter.
• On January 18, 2002, the Federal Trade Commission (FTC)
settled with Eli Lilly regarding the unauthorized disclosure of
sensitive personal information: the e-mail addresses of subscribers
to a reminder service on Eli Lilly's Prozac.com website were
revealed to all subscribers in a single e-mail.
• Eli Lilly agreed to establish and maintain a four-stage
information security program designed to establish and
maintain reasonable and appropriate administrative,
technical, and physical safeguards to protect consumers'
personal information against any reasonably anticipated
threats or hazards to its security, confidentiality, or integrity,
and to protect such information against unauthorized
access, use, or disclosure.
New York AG/ACLU Settlement
• On January 14, 2003, the New York Attorney General announced a
settlement agreement with the ACLU resulting from an incident in
which ACLU customers' personal information (name, address,
phone number, e-mail address and a record of purchases) was
accessible through the search mechanism on the organization's
website.
• The ACLU’s conduct breached specific representations in the
organization's privacy policy.
• The ACLU is required to “establish and maintain an information
security program that includes appropriate administrative,
technical and physical safeguards” and to undergo annual,
independent compliance reviews over the next five years.
TriWest Class Action
• On January 28, 2003, a class action was filed against TriWest for
negligence.
• TriWest's customers seek damages for alleged negligence,
breach of contract and violations of the federal Privacy Act.
• The lawsuit stems from a Dec. 14, 2002 theft of several server
hard-drives containing files on 562,000 military personnel,
retirees and family members who have health care through
TriWest.
• The data included Social Security numbers, birth dates, and
other information that could be used by identity thieves.
Most Cases = Contract Theory
• Most computer-security related cases are based on breach of
contract
– A contract supplies a specific standard of conduct against which
to measure
– Damages are usually monetary (tort theories generally do not
compensate for purely economic losses)
– In the absence of a contract, it is hard to articulate a duty
– The attacker's intervening criminal act usually breaks the chain
of causation
• Except where there is a clear duty; see the landlord
premises-liability cases
• Problem: contract claims are generally limited to those in privity
of contract (must be a party to the contract).
Principles of Tort Law
• Intentional computer misconduct is a tort by the perpetrator
• Negligent failure to secure computer systems would require:
– A duty to secure the system
– Breach of duty (failure to live up to the standard of care)
– Breach is the proximate (foreseeable) cause of the harm
– Victim suffers harm/damages
• Economic analysis: who is the lowest-cost avoider?
– Is the cost of precautions greater or less than the probability of
harm × the likely loss? (the Learned Hand formula: negligence
where the burden B < P × L)
• The economic loss doctrine traditionally bars recovery of purely
economic loss unless there has been injury to people or damage
to property
Alternatives
• Does holding only the perpetrator liable deter wrongful acts,
compensate injured parties, or promote better Internet security?
• Owners of systems used for attacks could also be liable if they did
not take adequate precautions to secure those systems.
• ISPs carrying traffic from systems used to launch attacks could be
liable if they did not help owners secure those systems.
• Vendors could be liable for failing to ship a system in a state
known to be secure.
Legal Analysis
– A duty to secure the system (NOW THERE MAY BE A DUTY)
– Breach of duty (failure to meet the standard of care)
– Breach is the proximate (foreseeable) cause of the harm
– Victim suffers harm/damages as a result of the breach
NRC Recommendations
• January 16, 2002: the Computer Science and Telecommunications
Board of the National Research Council released "Cybersecurity
Today and Tomorrow: Pay Now or Pay Later."
• Report recommends that legislators "[c]onsider legislative
responses to the failure of existing incentives to cause the
market to respond adequately to the security challenge.
Possible options include steps that would increase the exposure
of software and system vendors and system operators to liability
for system breaches and mandated reporting of security
breaches that could threaten critical societal functions."
What Does the Future Hold?
• Increased litigation based on security breaches
• Erosion of the “reciprocity is hell” limiting factor
• Application of security standards to non-regulated entities
• Application of security standards as a prerequisite to obtaining
cyber-insurance
• Application of security standards in contractual relationships /
outsourcing
• More scrutiny of incident handling and incident response
Questions
Thank you
Thank you for participating
in this SearchSecurity.com on-demand webcast.
If you have comments or suggestions for future webcasts,
e-mail the moderator at webcast@searchSecurity.com.