Legal liabilities: A new dimension to information security

How the Trade Practices Act could bring down a TJX

Tort of negligence

In a nutshell, the tort of negligence provides the legal mechanism for X to receive compensation from Y, if the latter’s careless behaviour has caused the former to suffer loss or damage. The concept is sufficiently pliable that it can be used in just about any scenario where one party has failed to exercise ‘reasonable care’ to the detriment of another.

The surgeon who accidentally removes the wrong leg, the accountant who gives bad advice, the builder who erects an unsafe structure, and the food manufacturer who sends a batch of contaminated food to market are all examples of conduct that can give rise to liability under the tort of negligence, obliging the careless party to compensate the victims for all resulting losses.

In the case of TJX, the banks claimed negligence on the basis that the retailer had ‘allowed’ itself to be hacked by running a lax information security regime. An investigation by the US Federal Trade Commission found that TJX had used insecure wireless protocols and weak firewall rules, was missing security patches, and had failed to apply strong encryption to sensitive information.

Whether or not a party’s conduct in the lead-up to a security breach was legally negligent will depend on the particular facts of each case. The judge will assess whether the organisation took ‘reasonable care’, taking into account factors such as the sensitivity of the information being held (more sensitive data requires tighter security), the likelihood of a security breach occurring, and the cost and difficulty that would have been involved in addressing the risk beforehand.

What ‘reasonable’ measures can be expected of an organisation to mitigate risk? To determine this, the CIO and the lawyer need to get their heads together, analyse the risks from a multidisciplinary perspective, and exercise their best judgment to define an information security strategy that meets the legal obligation of their organisation to exercise ‘reasonable care’.

Breach of Contract

The breach of contract claim against TJX was based on its failure to comply with the Visa and Mastercard operating rules relating to protection of customer credit card information (the Payment Card Industry Data Security Standard, PCI DSS). These rules were in turn reflected in the contract that TJX had entered into with its own bank (the acquiring bank) in order to become an authorised merchant.

It was argued that a breach of these rules amounted to breach of the contract, and the issuing banks — though not themselves party to the contract between TJX and its own bank — were intended to be ‘beneficiaries’ of that contract. The legal arguments regarding breach of contract were particularly complex and turned on detailed analysis of the precise wording of the operating rules.

However, the important thing for CIOs to take on board is that security incidents can trigger lawsuits for breach of contract. For example, the collaborative contracts that underpin ‘extended enterprise’ business models usually involve organisations sharing confidential information and granting partner organisations access rights to their trusted networks. So, not surprisingly, cluey organisations are increasingly including specific security requirements in these contracts. If a partner organisation’s confidential information is lost as a result of a failure to comply with these contractual requirements, the result is likely to be a claim for breach of contract. And if the lost information is a core piece of intellectual property, that claim could be very large indeed.

A second type of contract that commonly carries security obligations is the Non-Disclosure Agreement (NDA). Most NDAs include an obligation to exercise a particular duty of care with regard to the information being disclosed, which may be quite specific or expressed in general terms (such as a duty to exercise ‘reasonable care’ or to “use reasonable endeavours to keep the information confidential”). Either way, if information disclosed under an NDA is lost or stolen, a breach of contract action could ensue, and if the information is particularly valuable, as with a breach of an extended enterprise contract, the lawsuit flowing from breach of the NDA could be huge.

And there is nothing peculiarly ‘American’ about these cases.
