GROWING TREND OF FINDING
REGULATORY AND TORT LIABILITY
FOR CYBERSECURITY BREACHES
Mark W. Ishman, Esq.

Procedure: What Constitutes a Breach?
• Was unencrypted and unredacted personal information and/or protected health inform...

Procedure: Is Notice Required?
• Material Breach?
• Would access be likely to cause substantial loss, or injury, or resul...

Policy: What Must the Notice Include?
• Describe the security breach (date/time)
• Describe the type of personal informat...

So What? Why do this?
• State AG fines for failure to provide notice ($250/person), up to $750,000
• FTC fines - $1,500,00...

Policy and Procedure: Practical Tips
• If you have experienced a data security breach, it may have to comply with more than...

RESOURCES
www.IshmanLaw.com
(919) 468-3266
mishman@ishmanlaw.com
State Laws (except in AL, KY, NM, SD)
http://www.nc...
Published 2013-11 on SlideShare. Invited speaker: "Growing Trend of Finding Regulatory and Tort Liability for Cyber Security Breaches" with Mark W. Ishman, J.D., Masters in Law in Information Technology and Privacy Law.
Published in: Technology, Business
1. GROWING TREND OF FINDING REGULATORY AND TORT LIABILITY FOR CYBERSECURITY BREACHES
Mark W. Ishman, Esq., Masters in Law in Information Technology and Privacy Law
www.IshmanLaw.com | www.IshmanLegal.com
(919) 468-3266 | mishman@ishmanlaw.com

2. WHILE THERE IS A WIDE RANGE OF EXPERIENCE AND EXPERTISE EXHIBITED BY COMPUTER SOFTWARE DESIGNERS AND PROGRAMMERS, THOSE WHO DEVELOP OPERATING SYSTEMS AND SECURITY SOFTWARE ARE GENERALLY AT THE HIGHER END OF THE PROFESSION IN TERMS OF EDUCATION, TRAINING, AND EXPERIENCE.
Do I have your attention?
IT IS CERTAINLY POSSIBLE TO HOLD PROGRAMMERS WHO WRITE CRITICAL SOFTWARE, SUCH AS OPERATING SYSTEMS AND SECURITY SOFTWARE, TO A HIGHER STANDARD THAN THOSE WHO WRITE LESS CRITICAL CODE SUCH AS WORD PROCESSORS AND VIDEOGAMES.

3. Largest Known Data Breach – 160M Credit Cards – July 2013
• Five men from Russia and Ukraine have allegedly stolen over 160 Million credit cards from 2005 to 2012 and sold them to others in the underground market, where they were then used throughout the world for ATM cash withdrawals and purchases
• The defendants allegedly sought corporate victims engaged in financial transactions, retailers that received and transmitted financial data, and other institutions with information they could exploit for profit
• The defendants are charged with hacking and malware attacks upon NASDAQ, 7Eleven, Carrefour, JCP, Hannaford, Heartland, Wet Seal, Commidea, Dexia, JetBlue, Dow Jones, Euronet, Visa Jordan, Global Payment, Diners Singapore and Ingenicard
• It is not alleged that the NASDAQ hack affected its trading platform
• http://www.justice.gov/usao/nj/Press/files/Drinkman,%20Vladimir%20et%20al.%20Indictment%20News%20Release.html

4. HIPAA Breach Compromises over 4 Million People – August 2013
• Theft of Four UNENCRYPTED LAPTOPS compromises over 4 Million patients’ medical files that contain their personal identifiable information (Name, SSN, Address, Phone Numbers and Email Addresses), Medicare data, medical diagnoses, insurance and payment information
• 2nd largest HIPAA data breach to date (largest to date is just under 5 Million patient records compromised)
• Just last month, theft of Two UNENCRYPTED LAPTOPS compromises over 729,000 patients’ medical files – October 2013
• 11th largest HIPAA data breach to date
• To date, HIPAA Feds have collected over $16 Million from 16 organizations who have been found guilty of violating HIPAA
• Data from the Department of Health and Human Services

5. Publicly Traded Companies’ Data Breaches
• Sony paid $171 Million in cleanup from its April 2011 PlayStation Network breach
• Heartland Payment Systems paid an estimated $140 million in losses
• Email services firm Epsilon paid an estimated $225 Million in total costs as a result of its data breach
• PUBLICLY TRADED COMPANIES RETAIN OUTSIDE IT PROFESSIONAL CONSULTANTS FOR THEIR RECOMMENDATIONS AND FOR THEIR SPECIALIZED SECURITY SERVICES, BOTH FOR THE RETAINED SKILL SET AS WELL AS FOR LIABILITY REASONS

6. Federal Trade Commission Complaints
• FTC has implemented initiatives to police computer data breaches
• FTC Complaints are REactive and NOT PROactive – FTC complaints are all after the fact, rather than implementing rules and providing guidance
• Most companies settle with the FTC and pay a fine
• If you defend against an FTC complaint, expect LARGE litigation expenses, for example:
  • Large corporation Wyndham has just responded to an FTC complaint and has spent $5 Million already on discovery
  • Small corporation LabMD (25-person company) has just responded to the FTC complaint and has spent $500,000 on discovery

7. How is there liability to IT security professionals for insecure software?

8. Top Ten List of Security Certifications???
10. Vendor Certifications – CISCO and Microsoft specific certifications top the list
9. CCE – Certified Computer Examiner
8. CPP – Certified Protection Professional
7. CBCP – Certified Business Continuity Professional
6. CEH – Certified Ethical Hacker
5. CSFA – CyberSecurity Forensic Analyst
4. CISA – Certified Information Systems Auditor
3. GIAC – The Global Information Assurance Certification
2. CISM – Certified Information Security Manager
1. CISSP – Certified Information System Security Professional

9. What information security standards exist? Let’s look at the law…
• Global
• State Laws – Data security and breach notification laws
• ISO 17799, 27001
• Industry
• Basel II, EU Safe Harbors
• Payment Card Industry – VISA, CISP, Mastercard SDP
• Country Standards
• Healthcare – HIPAA
• National – NIST & OECD
• Finance – Gramm Leach Bliley, SEC, NASD, FFIEC, OTS
• Finance – CoBIT & BITS
• Energy and Utility – NERC 1300, FERC, (NEI 04-04)
• Federal Government
• E-Commerce – FTC Ecommerce Req’s
• DOD – Rainbow Series, NIST
• NSA
• Presidential Directives

10. What is the legal and business impact of breached information security?
• Contractual violations
• Violation of state, federal and international laws
• Business interruption – income loss, extra expense
• Data asset loss, corruption, value reduction
• Lost ROI on technology and marketing investments
• Reputation losses & loss of valuation
• Extortion and other crisis management costs

11. What Laws Govern Insecure Software?
• HIPAA, Sarbanes-Oxley Act, Gramm-Leach-Bliley Act and Other Acts and their Potential Impact on Liability to Software Developers
• Article 2 of the U.C.C.
  • Computer hardware and packaged software, as movable objects, are clearly goods and thus subject to the provisions of Article 2 – and for our conversation, Article 2 protection from tort-related causes of action
  • Transactions involving primarily personal services, such as those for customization, expertise, maintenance, training, and support, are often held not to be goods, and thus NOT to fall within the U.C.C.
  • What about specialized “secure” computer software? Does that fall under Article 2 or customized services?
• Negligence
• Product Liability
• Professional Malpractice Liability
• Federal Trade Commission Complaint for unfair and deceptive acts or practices for deceptive claims that companies were safeguarding customer data appropriately
12. Health Insurance Portability and Accountability Act (HIPAA)
• HIPAA makes security a necessary prerequisite to providing services to the health industry, including the provision of any financial services
• Breach Notification Rules
  • Notify affected individuals
  • Notify Business Associates
  • Notify HHS (Federal Agency)
  • Audits and Fines
• Penalty Amount: $100 to $50,000 or more per violation; repeat violations are $1,500,000, with a Calendar Year Cap of $1,500,000

13. Sarbanes-Oxley Act (SOX)
• SOX requires that the CEO sign filings with the SEC that certify that the company’s computer systems are secure and that the company maintains, in all material respects, effective internal controls over its financial reporting
• If he’s wrong, he faces potential prosecution for violations of SOX, with
  • personal fines up to one to five million dollars and/or
  • imprisonment for up to ten to twenty years
• If the company asks its software vendors, whose products the company relies upon to provide that security and effective control, to certify that their systems meet SOX’s requirements, the vendors politely decline, mumbling something about how all software has bugs and the company is not willing to assume the risk that the customer’s system may be compromised by hackers, cyberterrorists, or perhaps just a disgruntled ex-employee
• Thus far the SEC has not taken action against any corporate executives who have signed such an undertaking that later turned out to be untrue
• We have not yet had a major accounting scandal arising from software vulnerabilities

14. Gramm-Leach-Bliley Act (GLB)
• GLB is a comprehensive privacy and security law that financial companies must adhere to
• GLB covers both information handling practices and security practices for “nonpublic personal information” (NPI)
• GLB’s security requirements: You shall develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards that are appropriate to your size and complexity, the nature and scope of your activities, and the sensitivity of any customer information at issue (emphasis added)
• Also requires:
  1. Exercise appropriate due diligence in selecting your service providers;
  2. Require your service providers by contract to implement appropriate measures designed to meet the objectives of these Guidelines; and
  3. Where indicated by your risk assessment, monitor your service providers to confirm that they have satisfied their obligations as required by paragraph D.2. As part of this monitoring, you

15. Article 2 of the UCC
• Most bundled software (off-the-shelf or custom) falls within Article 2 of the UCC
• A good thing for IT professionals, because you can use the UCC to limit your liability, e.g., disclaimer of express and implied warranties, limitation of liabilities and remedies
• Standalone (unbundled), customized and expertise (security) software are determined on a case-by-case basis
• Plaintiff attorneys will allege that the software vendor is in the best position to take action to prevent security breaches with standalone customized software
• Plaintiff attorneys will allege that software vendors were negligent in the production or design of the computer security systems, e.g., coding of the security and encryption software

16. Negligence Claim – 5 Elements (1)
Software vendor owed a DUTY to the Plaintiff
• What type of Duties?
  • Duty to design and develop secure software
  • Duty to instruct the licensee on how to use its products safely
  • Duty to warn its licensees of the hidden dangers that the designed software may contain
• Whether a duty exists in the law is largely a policy-based determination:
  • Foreseeability of harm of security breach
  • Degree of certainty between the vulnerabilities and harm
  • Closeness of the connection between lax Internet security practices and the injury suffered
  • Policy of preventing future intrusions
  • Burden of the IT industry
  • Consequences to the public of imposing a duty to maintain adequate security
  • Availability, costs and prevalence of security solutions
  • Insurance

17. Negligence Claim – 5 Elements (2)
Standard of Care Imposed on Software Vendor by that Duty
• Generally this means what the reasonably prudent person would do under the circumstances
• In the IT industry, this standard of care is evolving rapidly, and methodologies, procedures, and practices have been accepted by the industry as risks are exposed
• The appropriate level of care to be followed in custom software will vary depending on the nature and intensity of the perceived risk resulting from an error
• Thus, a software developer’s duty under negligence law is not perfection, but only reasonableness, i.e., the standard of care of a reasonable developer of security-related software under like circumstances – employing the industry’s best-practice security standards

18. Negligence Claim – 5 Elements (3)
Breach of Duty
• With secure software, there are currently no accepted tests for determining when a software developer has breached its duty
19. Negligence Claim – 5 Elements (4)
Causation
• Two-prong test:
  • Software developer’s negligence must have been the cause-in-fact of the plaintiff’s injuries (but-for or substantial factor);
  • Software developer’s conduct must have been the proximate (legal) cause of the injury, i.e., a foreseeable result of the negligent act

20. Negligence Claim – 5 Elements (5)
Damages
• Plaintiffs are entitled to recover ALL damages, e.g., personal injuries, property damages, economic losses
• Some courts do not allow recovery of economic losses, e.g., defamation
• Some courts do not allow damages for data entered into the computer system by a customer because that data is not part of the software
• Until recently, for security breach cases, the plaintiffs have been unable to establish the “damages” requirement for negligence
• In essence, courts have ruled that a consumer taking pre-emptive actions to protect his or her credit has not suffered compensatory damages
• Even if a consumer can show that they suffered identity theft, they still have to establish that the security breach was the cause of such identity theft (in theory the consumer’s personal information could have been obtained from a multitude of sources)
• Companies face the prospect of expensive attorney fees to defend these actions, and if the plaintiffs’ bar breaks through they could face significant liability

21. Negligence Applied to Security Breach Liability
• Traditionally, security breaches are criminal acts of third parties, and a software vendor cannot be liable for third party criminal conduct unless it is determined that such criminal conduct was highly foreseeable
• With hundreds of thousands of new cybersecurity threats created every day, aren’t third-party criminal acts of hacking highly foreseeable?
• Duty, Standard of Reasonable Care, Breach of Duty, Causation (foreseeability) and Damages
• California real estate escrow company has filed a NEGLIGENCE lawsuit against its former bank for the loss of $465,000 in an online banking hack last year: http://krebsonsecurity.com/2011/07/

22. Negligence Cases
Invacare Corp. v. Sperry Corp. (N.D. Ohio 1984)
• Federal district court refused to dismiss a negligence claim alleging that a computer seller was negligent for recommending its program and services to the buyer when “it knew, or in the exercise of ordinary care, it should have known, that . . . the programs and related data processing products were inadequate,” and because it advertised to the buyer when it knew or should have known that “the programs furnished could not satisfy [the buyer’s] requirements.”
• The court held that personnel in the computer industry, like personnel in other trades (doctors, accountants, lawyers), should be held to the ordinary standard of care for their trade

23. Negligence Case
Claridge v. Rockyou, Inc. (N.D. Cal. 2011)
• Rockyou is a publisher and developer of online services and applications for use with social networking sites such as Facebook and MySpace
• Rockyou applications allow its users to share photographs and write special text on a friend’s page, or play games with other users
• Customers are required to sign up to use Rockyou applications by submitting personal identifiable information that Rockyou stores in a database
• Plaintiff alleges that Rockyou promised through its website to safeguard personal identifiable information through commercially reasonable measures … that did not include any form of encryption
• Plaintiff’s personal identifiable information was hacked and available online
• Federal district court held that plaintiff’s negligence claim could proceed against Rockyou despite not alleging specific damages other than unauthorized and public disclosure of its personal identifiable information

24. Negligence Case
Patco Constr. Co. Inc. v. People’s United Bank (1st Cir. July 2012)
• Hackers installed malware on Patco’s computers and stole its banking user name and password, then used Patco’s banking credentials to transfer money offshore from Patco’s account (common hacking facts)
• Since the hackers were attempting a large offshore transfer that was so far out of the normal conduct by Patco, it caused an alert to flag this transaction
• The bank manager decided that the password/user name combination and accompanying answers to certain challenge questions were sufficient to verify the transaction, ignored the alert, and all the money went offshore
• The Federal Appellate Court held that the Bank’s reliance on password authentication and its decision to ignore certain transaction-based flags that highlighted the unusually large offshore transfer was not necessarily a good commercial practice
• Court found that the Bank’s reliance on answers to challenge questions that the hackers provided was not a good security practice
• Court found that the Bank’s contract with Patco incorporated the UCC requirement that the bank act in a commercially reasonable way, and found that the protections the Bank implemented were unreasonable
• Afterwards, this case settled for $345,000 (the amount transferred) and $45,000 in interest
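The control failure the Patco court described is worth seeing as code: the bank's monitoring raised a flag on an out-of-pattern offshore transfer, but the authorization decision rested only on shared secrets (password and challenge answers) that the malware had already captured. The example below is added here and is not from the slides or from any bank's system; the account history, the amounts, the destination code "XX" and the rule thresholds are constructed for illustration. It places the credentials-only decision beside a risk-based one that treats correct credentials as necessary but not sufficient and holds any flagged transfer for out-of-band verification.

```python
# Added example, not from the slides: the authorization pattern criticised in
# Patco (a risk alert overridden because the password and challenge answers
# matched) beside a risk-based version that holds a flagged transfer for
# out-of-band verification.  All account data and thresholds are constructed.
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Transfer:
    account: str
    amount: float
    dest_country: str
    credentials_ok: bool  # password and challenge answers matched stored values


@dataclass
class Profile:
    history: list  # amounts of prior approved transfers on this account
    usual_countries: set  # destination countries seen before on this account


def risk_flags(t: Transfer, p: Profile) -> list:
    """Return the anomaly flags a transaction-monitoring rule set would raise."""
    flags = []
    if t.dest_country not in p.usual_countries:
        flags.append("new_destination")
    if p.history:
        mu, sd = mean(p.history), pstdev(p.history)
        # Outlier test: more than 3 standard deviations above the account's norm
        # (floor of 1.0 on sd so a flat history still yields a usable threshold).
        if t.amount > mu + 3 * max(sd, 1.0):
            flags.append("amount_outlier")
        if t.amount > 5 * max(p.history):
            flags.append("amount_exceeds_5x_max")
    return flags


def decide_credentials_only(t: Transfer, p: Profile) -> tuple:
    """The failure mode on the slide: flags are computed but the decision rests
    entirely on shared secrets, which a keylogger has already captured."""
    flags = risk_flags(t, p)
    return ("APPROVE" if t.credentials_ok else "DENY", flags)


def decide_risk_based(t: Transfer, p: Profile) -> tuple:
    """Hardened version: correct credentials are necessary but not sufficient;
    a flagged transfer is held until confirmed over a channel the attacker does
    not control (for example a call-back to a phone number on file)."""
    flags = risk_flags(t, p)
    if not t.credentials_ok:
        return ("DENY", flags)
    if flags:
        return ("HOLD_FOR_OOB_VERIFICATION", flags)
    return ("APPROVE", flags)


# Constructed sample data, loosely modelled on the facts described on the slide.
PATCO_PROFILE = Profile(
    history=[9500.0, 10200.0, 9800.0, 10500.0, 9900.0],  # weekly domestic payroll
    usual_countries={"US"},
)
NORMAL_PAYROLL = Transfer("patco-ops", 10000.0, "US", credentials_ok=True)
# Stolen but valid credentials; "XX" is a placeholder for an unfamiliar country.
ATTACKER_TRANSFER = Transfer("patco-ops", 345000.0, "XX", credentials_ok=True)


if __name__ == "__main__":
    for name, t in (("normal payroll", NORMAL_PAYROLL),
                    ("offshore transfer", ATTACKER_TRANSFER)):
        print(f"{name}: credentials-only -> {decide_credentials_only(t, PATCO_PROFILE)}")
        print(f"{name}: risk-based       -> {decide_risk_based(t, PATCO_PROFILE)}")
```

Run as a script, the normal payroll is approved under both policies with no flags, while the offshore transfer is approved by the credentials-only policy despite three flags and held for verification by the risk-based one. The design point is the ordering: the risk decision is computed independently of the credential check, so a correct password can never clear a flag on its own.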
25. Negligence Case
Lone Star Bank, et al. v. Heartland Payment Systems (5th Cir. September 2013)
• Heartland had a contract with acquiring banks (plaintiffs) to provide credit card processing services
• Heartland was hacked in 2009 and lost the data from more than 160 million credit card accounts
• Because of the interlocking web of financial relationships with credit card transactions, Heartland was not the only bank affected by the hacking incident
• Damages included losses from fraudulent use of the stolen data, cost of replacing credit cards and costs of providing their customers with credit monitoring services
• Federal Appellate Court held that the issuing banks had a valid negligence claim against Heartland for its cybersecurity failures and that, if proven, they could recover their consequential damages from Heartland

26. Today’s recent headlines
• Negligence for theft of data from UNENCRYPTED LAPTOPS
• Hackers break in at a US-based company that brokers reservations for limousine and Town Car services nationwide, resulting in the exposure of personal and financial information of more than 850,000 well-to-do customers, such as Fortune 500 CEOs, lawmakers and celebrities: http://krebsonsecurity.com/2013/11/hackers-take-limoservice-firm-for-a-ride/
• Negligence for storing data on servers that hackers are known to use to stash their stolen data

27. Professional Malpractice Law
• Professional liability has generally been applied to those who by virtue of specific training and licensing are deemed to have a level of skills higher than that of non-professionals
• To date, courts have been reluctant to hold computer designers or programmers to the higher standard of professionals due to the lack of established educational standards or regulations governing the performance of software programmers and developers, and because they are not licensed as professionals … that is changing
• Many software developers have received extensive training in the use of certain programming and testing techniques, passed rigorous tests to become “certified,” and reached levels of expertise not held by general programmers
• While this is not identical to the licensing requirements of state licensing boards such as state bar associations or medical boards, it may be sufficient to justify holding these certified developers to a higher, professional standard, particularly where their certifications relate to secure software development

28. Top Ten List of Security Certifications???
10. Vendor Certifications – CISCO and Microsoft specific certifications top the list
9. CCE – Certified Computer Examiner
8. CPP – Certified Protection Professional
7. CBCP – Certified Business Continuity Professional
6. CEH – Certified Ethical Hacker
5. CSFA – CyberSecurity Forensic Analyst
4. CISA – Certified Information Systems Auditor
3. GIAC – The Global Information Assurance Certification
2. CISM – Certified Information Security Manager
1. CISSP – Certified Information System Security Professional

29. Professional Malpractice Case
Diversified Graphics, Ltd. v. Groves (8th Cir. 1989)
• Plaintiff hired a large accounting firm to help it locate a turnkey computer system
• When the chosen system proved inadequate for the company’s needs, the company sued
• The court ruled that the accounting firm should be held to the American Institute of Certified Public Accountants’ Management Advisory Service Practice Standards, which the firm had incorporated into its guidelines for internal use
• While the court refused to acknowledge a cause of action for computer malpractice, by holding the accounting firm to the AICPA standards it achieved essentially the same result

30. Professional Malpractice Case
Data Processing Services, Inc. v. L.H. Smith Oil Corp. (Ind. Ct. App. 1986)
• Plaintiff claimed that the defendant was negligent in designing an accounting and data processing software system
• The state appellate court stated in dictum that “[t]hose who hold themselves out to the world as possessing skill and qualifications in their respective trades or professions impliedly represent they possess the skill and will exhibit the diligence ordinarily possessed by well informed members of the trade or profession.”
• The court concluded that “[t]he situation here is more analogous to a client seeking a lawyer’s advice or a patient seeking medical treatment for a particular ailment than it is to a customer buying seed corn, soap, or cam shafts.”

31. Product Liability for Insecure Software
• Product liability law is imposed on the theory that the costs of damaging events due to defectively dangerous products can best be borne by the enterprisers who make and sell these products
• With insecure software, the question is whether the software insecurity is due to a design defect or a manufacturing defect
• Software development generally goes through a number of phases before reaching the user, such as (i) the design phase, (ii) the coding phase, (iii) the testing phase, and (iv) the replication and distribution phase
  • A defect introduced into the product during the design phase would be deemed a design defect
  • A defect introduced into the product at the replication and distribution phase would be deemed a manufacturing defect
  • Coding phase??? Grey area
• Vendors would generally argue that everything before the replication and distribution phase is part of the product design process, hence a negligence standard should apply to insecure software, except in the rare case where the defect occurred in the replication process
• Licensees would argue that the design defect standard should apply only to defects introduced in the design phase, and that everything thereafter should be deemed part of the manufacturing phase – and subject to a strict liability standard
• No cases on point, but that is not to say that they are not on their way …
  32. 32. Federal Trade Commission Complaints  FTC has implemented initiatives to police computer data breaches  FTC Complaints are REactive and NOT PROactive – FTC complaints are all after the fact, rather than implementing rules and providing guidance  Most companies settle with the FTC and pay a fine  If you defend against a FTC complaint, expect LARGE litigation expenses, for example:  Large corporation Wyndham has just responded to a FTC complaint and has spent $5 Million already on discovery  Small corporation LabMD (25-peson company) has just responded to the FTC complaint and has spent $500,000 on discovery
  33. 33. Federal Trade Commission TRENDNET, Inc. Case (September 2013)  TRENDNET alleged failed to provide reasonable security ―to prevent unauthorized access to sensitive information‖  FTC Consent Order required TRENDNET to engage in  "secure software, development, and testing" risk assessments as well as "reasonable and appropriate software security testing techniques‖  Conduct an initial, and thereafter biennial, assessments and reports – for Twenty years – performed by a third-party CSSLP or CISSP or ―a similarly qualified person or organization; or a similarly qualified person or organization approved by the Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission….‖
  34. 34. Federal Trade Commission In re HTC America, Inc. Case (February 2013)  FTC complaint alleged that HTC:  failed to ―employ reasonable and appropriate security in the design and customization of the software on its mobile devices.‖  failed to (1) implement an ―adequate program to assess the security of products it shipped to consumers,‖ (2) provide ―adequate privacy and security guidance or training for its engineering staff,‖ (3) ―conduct . . . reviews, or tests to identify potential security vulnerabilities in its mobile devices,‖ and (4) ―implement a process for receiving and addressing security vulnerability reports from third-party researchers.‖
  35. 35. Federal Trade Commission  The FTC has begun taking action against software users whose systems were breached by hackers and third party confidential information was disclosed.  These recent FTC decisions suggest a new willingness by the FTC to hold software makers liable for  failing to design security into their products from the start and  to test and discover security vulnerabilities before releasing the product into the market for advanced beta testing by paying customers who not only thereby pay for the "privilege" of testing the vendor‘s product (saving the vendor enormous R&D costs) but who previously had little or no remedy beyond a replacement of the product (if that).  Most victims still do not receive real recourses from FTC actions because the FTC doesn't even investigate much less act in all in most cases and limits on private recourse and practical barriers to enforcement obstruct private remedies.  Plaintiffs attorneys will take over and advance negligence, strict product liability and professional malpractice causes of action against software developers
Counterhacking Legal???

• Computer Fraud and Abuse Act: "'exceeds authorized access' means to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter."
• Put another way, you exceed authorized access if you obtain or alter information you're not entitled to obtain or alter.
• Who controls the computer? The data owner or the computer owner?
• Are you entitled to take back your stolen data from a computer, but not sell the computer at a pawn shop?
• So can Disney hack into everyone's computers in pursuit of pirated videos?
• Can future amendments recognize a counterhacking right to gather evidence but not to harm innocent third parties? Will there be a distinction between 99-cent music files and competitive business data?
What Can You Do To Minimize Your Risks to Liability?

• Always enter into written agreements that specifically address express and implied warranties and limitation of liabilities
• Always have your written agreements state what law controls the agreement. Be sure to make it a state that does not have any cases where it has found software to be a service and the UCC not applicable, or cases finding tort liability for insecure software
• Always use Beta Agreements or Beta Language when launching new or customized software, as software is always launched with glitches requiring patches/maintenance
• Always have your written agreements state who is responsible for maintenance services and whether such service requires additional fees
What Can You Do To Minimize Your Risks to Liability? (continued)

• Continuing education is always ongoing
• Audits – work with a security team to identify security issues and determine what else can be done (e.g., encryption, passwords, additional firewalls, etc.)
  – "shall act with the care of an ordinary prudent person or agency in like position would exercise under similar circumstances"
• Policies & Procedures: create a security incident response and notification plan
  – Response team, contact police/local FBI, and document response
• Consider strong malpractice and cyber-insurance coverage (typically covers notification costs) and utilize it when in question
Procedure: What Constitutes a Breach?

• Was unencrypted and unredacted personal information and/or protected health information accessed?
• "Personal Information" means the first name or first initial and last name linked to one or more of the following data elements of a resident of this state:
  – SSN
  – Driver's license number
  – Account number, credit card/debit card number, in combination with security code/access code/password
Procedure: Is Notice Required?

• Material breach?
• Would access be likely to cause substantial loss or injury, or result in identity theft?
• How many to notify?
• Cost?
• Duty to notify as expeditiously as practical, without undue delay
Policy: What Must the Notice Include?

• Describe the security breach (date/time)
• Describe the type of personal information that is the subject of unauthorized access/use
• Describe what you have done to protect data from further security breaches
• Include a telephone number where a notice recipient may obtain assistance or additional information
• Remind recipients in the notice of the need to remain vigilant for incidents of fraud and identity theft
• MAY have to notify consumer reporting agencies
• By mail, telephone, electronic means?
So What? Why Do This?

• State AG fines for failure to provide notice ($250/person), up to $750,000
• FTC fines – $1,500,000
• Civil remedy under state/federal law:
  – State trade practices statutes
  – Breach of contract (terms/privacy policy)
  – Breach of implied covenant of good faith and fair dealing
  – Breach of implied contract
  – Negligence/negligence per se
• Ruined reputation
Policy and Procedure Practical Tips

• If your company has experienced a data security breach, it may have to comply with more than one state's laws if it has customers that reside there
• Where health information is stored, requirements for notification are far greater
• Know that class actions are out there, and increasing
• http://www.informationweek.com/security/client/linkedin-security-breach-triggers-mill/240002407
RESOURCES

www.IshmanLaw.com – (919) 468-3266 – mishman@ishmanlaw.com

• State laws (except in AL, KY, NM, SD): http://www.ncsl.org/issues-research/telecom/security-notification-laws.aspx
• Many states have identity theft statutes that may be applicable when there is a security breach issue
• Federal law proposals on data breach notification requirements, but nothing enacted YET
• International: Canada's Personal Information Protection and Electronic Documents Act (PIPEDA)
• Federal Trade Commission: http://www.ftc.gov/bcp/edu/microsites/idtheft/business/data-breach.html
• Biggest Data Breaches in 2013: http://www.crn.com/slide-shows/security/240159149/the-10-biggest-data-breaches-of2013-so-far.htm
• 10 Biggest HIPAA Data Breaches in the U.S.: http://www.healthcareitnews.com/slideshow/slideshow-top-10-biggest-hipaa-breachesunited-states