One of the more prominent pieces of news from the holidays was how two prominent retailers, Target and Neiman Marcus, had their credit card databases hacked (http://www.dallasnews.com/business/retail/20140117-neiman-marcus-target-credit-breaches-likely-part-of-broader-hacking-attack.ece). Experts don’t even know the entire extent of the breach. Now, both companies face law suits regarding their role in the breach (http://www.latimes.com/business/money/la-fi-mo-neiman-marcus-target-breach-20140114,0,6374207.story).
The announcement of these lawsuits, as well as the high degree of legal uncertainty, led to some interesting questions. What would be the reasoning behind the tort liability? How would an attorney establish liability under current torts law? The lawsuit mentioned by the Los Angeles Times, filed by a Seattle law firm, claims that security experts warned Target of the security flaw that the hackers exploited.
Establishing liability for negligence generally has three requirements: duty of care, breach, causation, and harm. Duty of care, in the broadest sense of the word, is a society-imposed requirement to avoid harming others by employing reasonable care. The legal system has duties that arise through common law (from previous court cases) or through statute (laws passed by a legislature). A breach occurs when the defendant didn’t avoid that harm, or caused the harm. Causation requires the defendant to somehow be the cause of the injury (though this can get very complicated). Harm means that the plaintiff must suffer some injury or damage. There is a lot more involved, but these definitions should suffice for purposes of this blog. For the time being, let’s focus on duty.
First, would the duty to protect others’ data represent a society imposed requirement? Businesses would need a duty to take reasonable care of sensitive information provided to them by their customers. At the moment, the answer to this question depends heavily on jurisdiction. A number of jurisdictions require that the injury be reasonably foreseeable before there is a duty of care. In other words, the companies can’t be held liable for breaches for newer or unknown attacks (see Secure My Data or Pay the Price: Consumer Remedy for Negligent Enablement of Data Breach, William & Mary Business Law Review, at 230., found here: http://scholarship.law.wm.edu/cgi/viewcontent.cgi?article=1051&context=wmblr). That places a fairly firm limit on the kinds of breaches that create a duty of care, essentially eliminating Zero Day exploits (called so because the first day they are used is the first day they become known) or innovative hacking techniques. As the lawsuit against Target indicates, it does open up a possible duty of care for attacks and breaches based on publicly known exploits or security holes. Foreseeability does not serve as a perfect rule of thumb. Not every jurisdiction uses whether a duty was foreseeable as a test. California, for example, has a different test laid out in Ballard v. Uribe, (L.A. 31799, Cal Sup Ct, (Apr., 3, 1986)), which is found here (http://online.ceb.com/calcases/C3/41C3d564.htm#MA000696). Barring some kind of federal law setting a nationwide standard, the jurisdictional nature of this question will likely remain true.
Another major issue is what would constitute “reasonable care” in regard to data privacy. Reasonable care is normally defined as how a prudent person would act under the same circumstances. Court cases usually help define this concept further but, unfortunately, there are not many related to data breaches. Security standards from non-regulatory government agencies (such as the National Institute of Standards and Technology, or NIST) or relevant professional organizations (such as the Institute of Electrical and Electronics Engineers, or IEEE) represent a useful starting point for determining reasonable care (Secure My Data, at 225-6). In the case of credit card and Point of Service (PoS) security, a judge could theoretically look at the Payment Card Industry (PCI) Data Security Standard Requirements and Security Assessment Procedures (a group dedicated to setting security best practices for credit cards) or NIST to determine whether the defendant’s security standards constitute reasonable care. The court could also evaluate the specific implementation of various security practices. In some cases, following or ignoring the advice of experts regarding failure to fix vulnerabilities or improve security services could serve as evidence that the company was engaged in reasonable care. Reasonable care does not require that the company have perfect security, and defendants could potentially turn to experts to determine when certain actions that would have prevented a breach are unreasonable. For example, failing to maintain strong passwords or failing to encrypt customer information might qualify render a company liable because they did not exercise reasonable care in protecting consumer data. Failing to require all employees to maintain 30 plus character passwords that they have to change every two weeks would not constitute reasonable care.
There is a lot more to this, so let’s resume with part two on Friday.