Information Security & Anti-Piracy Group
Liability for Unsecured Systems
Marc J. Zwillinger
Sonnenschein Nath & Rosenthal
mzwillinger@sonnenschein.com

Background - Computer Crime & Intellectual Property Section (“CCIPS”) 1997-2000
• CCIPS - part of the Criminal Division of DOJ
• Investigate and prosecute Computer Intrusions & Theft of Trade Secrets
• Investigate and prosecute Intellectual Property Violations
• Train and advise Law Enforcement Agents & Prosecutors on obtaining electronic evidence under ECPA
• Approve Economic Espionage Act cases
• Solar Sunrise, Moonlight Maze & Mafiaboy

Information Security Practice 2000-2003
• Immediate legal response to cyber attacks, including external penetrations and internal investigations.
• Draft and review information security policies and procedures.
• Respond to criminal and administrative investigations involving customers and subscribers of client companies.
• Advise clients on laws and regulations governing the storage and exchange of electronic data over computer networks and the disclosure of electronic data.
• Represent vendors of Network Security Products and Services.

Agenda
• Information Security Regulations
• Information Security Enforcement Actions
• Potential for Negligence Liability Based on Security Breaches or Incident Response

Information Security Regulation is Here to Stay
• Sources of U.S. Information Security Regulation
 – Health Insurance Portability and Accountability Act of 1996 (Pub. L. No. 104-191, 110 Stat. 1936, “HIPAA”)
 – Gramm-Leach-Bliley Financial Services Modernization Act of 1999 (Pub. L. 106-102, “GLBA”)
 – Federal agencies must establish standards relating to administrative, technical and physical information safeguards
 – Banking agencies established safeguard rules in conjunction with the privacy rule, effective July 1, 2001
 – On May 23, 2003, the FTC “Safeguards Rule” took effect

FTC Regulations
• Designate an employee or employees to coordinate an information security program;
• Assess risks in each area of operations;
• Design and implement a written information security program to control these risks;
• Require service providers (by contract) to implement appropriate safeguards for customer information;
• Adapt the security program in light of material changes to the business.
 – Employee training and management
 – Information systems, including information processing, storage, transmission and disposal
 – Prevention and response measures for attacks, intrusions, or other systems failures

FTC Safeguards Rule
• The Safeguards Rule requires each financial institution to “develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards that are appropriate to your size and complexity, the nature and scope of your activities, and the sensitivity of any customer information at issue.” See 16 CFR part 314.

California’s Bright Idea
• Require all entities that do business in California to disclose information security breaches to every California resident whose data was acquired by an unauthorized person
• Provide exceptions when:
 – Law enforcement requests no disclosure
 – The company has an Information Security Policy and disclosure is made under that policy
Cal. Civ. Code §1798.82(a).

Covered Entities
• All California state agencies, and any person or business that conducts business in California and that owns or licenses computerized data.

Covered Conduct
• When unencrypted personal information of a California resident is believed to have been acquired by an unauthorized person.

Covered Data
• First name or first initial and last name in combination with: (1) social security number, (2) driver’s license number or California ID card number, or (3) account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account, when either the name or the data elements are not encrypted. Cal. Civ. Code §1798.82(a)

Notice Requirements
• Notice shall be made “in the most expedient time possible and without unreasonable delay, consistent with legitimate needs of law enforcement . . . or any measure necessary to determine the scope of the breach and restore the reasonable integrity of the data system.”
• The law also permits the notification to be delayed if a law enforcement agency determines that immediate disclosure would impede an ongoing criminal investigation.
• Customers injured by violations of the statute are authorized to bring private lawsuits for damages. Cal. Civ. Code §1798.82

Notice Requirements
• (h) Notwithstanding subdivision (g), a person or business that maintains its own notification procedures as part of an information security policy for the treatment of personal information and is otherwise consistent with the timing requirements of this part, shall be deemed to be in compliance with the notification requirements of this section if the person or business notifies subject persons in accordance with its policies in the event of a breach of security of the system.

• On June 18, 2003, Guess, Incorporated agreed to settle charges that it exposed consumers' personal information, including credit card numbers, to commonly known attacks by hackers.
• According to the FTC press release, the settlement requires Guess to establish and maintain a comprehensive information security program that must be certified by an independent professional within a year, and every other year thereafter.

• On January 18, 2002, the Federal Trade Commission (FTC) settled with Eli Lilly regarding the unauthorized disclosure of sensitive personal information through Eli Lilly's Prozac.com website.
• Eli Lilly agreed to establish and maintain a four-stage information security program designed to establish and maintain reasonable and appropriate administrative, technical, and physical safeguards to protect consumers' personal information against any reasonably anticipated threats or hazards to its security, confidentiality, or integrity, and to protect such information against unauthorized access, use, or disclosure.

New York AG/ACLU Settlement
• On January 14, 2003, the New York AG reached a settlement agreement with the ACLU resulting from an incident in which ACLU customers' personal information, including name, address, phone number, e-mail address and a record of purchases, was accessible through the search mechanism on the organization's website.
• ACLU’s conduct breached specific representations in the organization's privacy policy.
• ACLU was required to “establish and maintain an information security program that includes appropriate administrative, technical and physical safeguards” and to undergo annual, independent compliance reviews over the next five years.

• January 28, 2003, class action filed against TriWest for negligence.
• TriWest's customers seek damages for alleged negligence, breach of contract and violations of the federal Privacy Act.
• The lawsuit stems from a Dec. 14, 2002 theft of several server hard drives containing files on 562,000 military personnel, retirees and family members who have health care through TriWest.
• The data included Social Security numbers, birth dates, and other information that could be used by identity thieves.

Most Cases = Contract Theory
• Most computer-security related cases are based on breach of contract
 – Specific standard of conduct against which to measure
 – Damages are usually monetary (tort theories do not compensate for economic losses)
 – In the absence of a contract, it is hard to articulate a duty
 – An intervening criminal act usually breaks the chain of causation
  • Not in cases where there is a clear duty - see landlord cases
• Problem: Contract claims are generally limited to those with privity of contract (must be a party to the contract).

Principles of Tort Law
• Intentional Computer Misconduct is a tort by the perpetrator
• Negligent failure to secure computer systems would require:
 – A duty to secure the system
 – Breach of duty (failure to live up to the standard of care)
 – Breach is the proximate (foreseeable) cause of the harm
 – Victim suffers harm/damages
• Economic Analysis - Who is the lowest cost avoider?
 – Is the cost of precautions greater or less than probability of harm * likely loss?
• The Economic Loss doctrine traditionally bars recovery of economic loss unless there has been damage to people or property

Alternatives
Does holding only the perpetrator liable deter wrongful acts, compensate injured parties, and promote better Internet security?

Alternatives
• Owners of systems used for attacks are also liable if the owners did not take adequate precautions to secure their systems.
• ISPs carrying traffic on systems used to launch attacks could be liable if the ISPs did not help owners secure their systems.
• Vendor’s failure to ship a system in a state known to be secure.

Legal Analysis
 – A duty to secure the system (NOW THERE MAY BE A DUTY)
 – Breach of duty (failure to meet the standard of care)
 – Breach is the proximate (foreseeable) cause of the harm
 – Victim suffers harm/damages as a result of the breach

NRC Recommendations
• January 16, 2002 - Computer Science and Telecommunications Board of the National Research Council - "Cybersecurity Today and Tomorrow: Pay Now or Pay Later."
• The report recommends that legislators "[c]onsider legislative responses to the failure of existing incentives to cause the market to respond adequately to the security challenge. Possible options include steps that would increase the exposure of software and system vendors and system operators to liability for system breaches and mandated reporting of security breaches that could threaten critical societal functions."

What Does the Future Hold?
• Increased litigation based on security breaches
• Erosion of the “reciprocity is hell” limiting factor
• Application of security standards to non-regulated entities
• Application of security standards as a prerequisite to obtaining cyber-insurance
• Application of security standards in contractual relationships / outsourcing
• More scrutiny on incident handling and incident response

Thank you
Thank you for participating in this SearchSecurity.com on-demand webcast.