CIO

Legal liabilities: A new dimension to information security

How the Trade Practices Act could bring down a TJX

Readers will be familiar with the explosive global growth in data theft and data leakage incidents. But they may be less familiar with the corresponding increase in multi-million-dollar lawsuits flowing from such incidents, as those who are burned in the fall-out from security breaches turn to the courts for compensation to cover their losses.

This brings a significant additional dimension to the risks associated with information security breaches and provides a new imperative for the effective management of risk.

Addressing these legal risks will require an increased level of engagement between the CIO and corporate legal advisers. Bridges between the disciplines of law and IT will need to be built, and lawyers and CIOs will need to break out of their respective silos of expertise to develop a coordinated response.

This will not be easy. Close collaboration between the CIO and the lawyer tends to be the exception rather than the norm because they often have little or no understanding of the core concepts that underpin each other’s respective disciplines. However, if increased levels of shared understanding are not achieved, then the response of corporate Australia to a whole new landscape of legal risk will be substantially underdone or misdirected.

The TJX case should be regarded as an indicator of things to come.

The TJX case

The TJX case is a good place to start to develop an understanding of the types of legal actions that are now flowing from information security breaches. This litigation resulted in American retailer TJX paying around $US80 million in compensation following a hack in which some 45 million credit and debit card records were stolen.

Before looking at the TJX case in more detail, let’s briefly deal with one furphy that might otherwise confuse the newcomer to this field. The TJX case occurred in the USA, and Massachusetts state law applied – isn’t Australian law different? The short answer is: not much, particularly in the areas of law that fell to be considered in TJX. If the facts of TJX were transposed to an Australian court, the applicable laws would be very similar. Both the Australian and the US legal systems developed originally from British common law: while there are some local differences, there is a high level of commonality across the laws of all nations with an ‘anglo’ legal heritage.

The proceedings against TJX were brought by a group of ‘issuing’ banks — ones that issue credit cards to their customers. In essence, the banks’ case ran as follows:

  1. TJX had failed to maintain an appropriate level of information security;
  2. As a result, hackers were able to break into TJX’s systems and steal millions of credit and debit card records belonging to TJX’s customers;
  3. The hackers then sold those records on the internet, where they were purchased by fraudsters around the world;
  4. The fraudsters used the stolen records to commit numerous online transactions;
  5. The issuing banks were obliged to cover those fraudulent transactions on behalf of the innocent cardholders and were massively out of pocket as a result;
  6. The issuing banks were entitled to reimbursement of their losses from TJX, since those losses flowed from TJX’s inadequate security regime.

In legal terms, this translated into the following claims against TJX:

  1. Negligence
  2. Breach of contract
  3. Breach of the Massachusetts equivalent of section 52 of the Australian Trade Practices Act (the two pieces of legislation are very similar for practical purposes)
  4. Negligent misrepresentation — for all intents and purposes the same as breach of section 52.

Other subsequent cases where organisations are being sued for operating inadequate information security regimes, discussed below, were built on the same legal foundations.


Tort of negligence

In a nutshell, the tort of negligence provides the legal mechanism for X to receive compensation from Y, if the latter’s careless behaviour has caused the former to suffer loss or damage. The concept is sufficiently pliable that it can be used in just about any scenario where one party has failed to exercise ‘reasonable care’ to the detriment of another.

The surgeon who accidentally cuts off the wrong leg, the accountant who gives bad advice, the builder who erects an unsafe structure, or the food manufacturer who sends a batch of contaminated food to market are all potential examples of parties liable under the tort of negligence to compensate the victims for all resulting losses.

In the case of TJX, the banks claimed negligence on the basis that the retailer had ‘allowed’ itself to be hacked by running a lax information security regime. An investigation by the US Federal Trade Commission found that TJX used insecure wireless protocols, ran weak firewall rules, was missing security patches, and failed to apply strong encryption to sensitive information. None of these is an exotic failing: each is a basic, well-documented control, which is precisely what made it hard to argue that ‘reasonable care’ had been taken.

Whether a party’s conduct in the lead-up to a security breach is legally negligent will depend on the particular facts of each case. The judge will make an assessment of whether the organisation took ‘reasonable care’, taking into account factors such as the sensitivity of the information being held (more sensitive data requires tighter security), the likelihood of a security breach occurring, and the cost and difficulty that would have been involved in addressing the risk.

What ‘reasonable’ measures can be expected of an organisation to mitigate risk? To determine this, the CIO and the lawyer need to get their heads together, analyse the risks from a multidisciplinary perspective, and exercise their best judgment to define an information security strategy that meets the legal obligation of their organisation to exercise ‘reasonable care’.

Breach of Contract

The breach of contract claim against TJX was based on its failure to comply with Visa and MasterCard operating rules relating to the protection of customer credit card information (the Payment Card Industry Data Security Standard, PCI DSS). These rules were in turn reflected in the contract that TJX had entered into with its acquiring bank in order to become an authorised merchant.

It was argued that a breach of these rules amounted to a breach of the contract, and that the issuing banks — though not themselves party to the contract between TJX and its acquiring bank — were intended to be third-party ‘beneficiaries’ of that contract. The legal arguments regarding breach of contract were particularly complex and turned on detailed analysis of the precise wording of the operating rules.

However, the important thing for CIOs to take on board is that security incidents can trigger lawsuits for breach of contract. One example is the collaborative contract that underpins ‘extended enterprise’ business models. These usually involve organisations sharing confidential information and granting partner organisations access rights to their trusted networks, so, not surprisingly, cluey organisations are increasingly including specific security requirements in these contracts. If a partner organisation’s confidential information is lost as a result of a failure to comply with these contractual requirements, the result is likely to be a claim for breach of contract. And if the lost information is a core piece of intellectual property, that claim could be very large indeed.


A second example is the non-disclosure agreement (NDA). Most NDAs include an obligation to exercise a particular duty of care with regard to the information being disclosed, which may be either quite specific or expressed in general terms (such as a duty to exercise ‘reasonable care’ or to “use reasonable endeavours to keep the information confidential”). Either way, if information disclosed pursuant to an NDA is lost or stolen, a breach of contract action could ensue, and if the information is particularly valuable — as with a breach of an extended enterprise contract – then the lawsuit flowing from breach of the NDA could be huge.


The Trade Practices Act

Section 52 of the Trade Practices Act (TPA) imposes a general and far-reaching obligation on Australian companies not to engage in conduct which is ‘misleading or deceptive’. This provision, and equivalents such as the Massachusetts statute invoked in the TJX case, are often interpreted ‘creatively’ by the courts.

In particular, courts frequently find ‘implied representations’, breach of which amounts to misleading conduct within the meaning of section 52. The TJX case itself provides a good illustration of this.

The presiding judge in the TJX case ruled that, by taking credit and debit card payments, the company implicitly represented to other players in the financial services ecosystem that it would take reasonable care of customer credit and debit card records — which it failed to do. As a result, losses flowing from that failure were recoverable as damages.

In addition to this type of implied representation, many organisations now make explicit representations on their websites about their commitment to security and their privacy policies.

While these kinds of statements may create a warm feeling amongst prospective customers, they also create legal obligations. If you state on your website that your company “takes reasonable steps to protect all information from misuse, loss, unauthorised access, modification or disclosure” then you had better do just that: if you fail to live up to your claim and customers suffer loss or damage following a security breach, you will likely be in the gun for damages under the TPA. The practical corollary is that every such public statement should be checked against the controls actually in place before it is published, and re-checked whenever those controls change.

What it all means

The TJX case should be regarded as an indicator of things to come. In the USA, numerous organisations are bringing lawsuits seeking compensation for losses suffered as a result of security breaches.

And there is nothing peculiarly ‘American’ about these cases. The legal platforms for the claims are virtually identical to those which would apply under Australian law. Given the global proliferation of data theft and data leakage, it can only be a matter of time — and a short time at that — before Australia starts to see these kinds of cases coming through the local courts.

Those interested in these developments should keep a particular eye out for the Countrywide case (an insider breach in which 17 million customer records were allegedly stolen and sold on the black market), the Heartland case (similar facts to TJX, with settlement discussions currently around US$60 million), and the Register.com, Inc. case (where a domain registrar allegedly fell victim to a classic social engineering attack, with the result that a major commercial customer’s online store was unavailable for an extended period).

CIOs are not expected to be experts in law and lawyers are not expected to be experts on information security, but these developments make it increasingly important that between them, they understand the legal obligations arising from these new types of risks, and that appropriate responses are implemented to satisfy those obligations.

This is a whole new ballgame for both disciplines. It will require the inhabitants of each camp to move out of their comfort zones, never an easy thing to do. It’s game on. How will you go?

Nick Gifford is principal at IT law consultancy Gifford & Co. He is author of Information Security – Managing the Legal Risks, and has worked as a London-based barrister, corporate lawyer, risk and compliance manager. He can be contacted at nick.gifford@giffordco.com.au.