[ i n d u stry vi ew ]                                                             By Ben Rothke            Infosecurity N...
Upcoming SlideShare
Loading in …5

Infosecurity Needs Its T.J. Hooper


Published on

Article from March 2011 issue of Information Security magazine - Infosecurity Needs Its T.J. Hooper by Ben Rothke

Published in: Education
  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Infosecurity Needs Its T.J. Hooper

  1. 1. [ i n d u stry vi ew ] By Ben Rothke Infosecurity Needs Its T.J. HooperI ’m not a lawyer, but a good friend of As an information security professional, occasionally tries to do something—pass- mine—blogger Ron Coleman—is. A I have tried, along with others in the field, ing a watered-down Gramm-Leach-Bliley bit of jurisprudence has rubbed off to get clients to be more serious about secu- Act, for example—but has not effected the on me, and I want to tell you about rity and privacy controls. To a large extent, change needed. the T.J. Hooper case. In 1932, Judge we have succeeded. But there are still far A more pragmatic step was the PCILearned Hand heard this precedent-setting too many weak links in the security chain. Security Standards Council’s creation of thetort case and, in his ruling, devised what is Many companies’ practice regarding infor- Payment Card Industry Data Security Stan-now called the “calculus of negligence.” mation security is to do the bare minimum dard (PCI DSS). But rather than embracing The case started with two tugboats, one required. Meanwhile, millions of consumer the standard as long overdue, regulatorsof which was the T.J. Hooper, towing barges. developed a bad case ofA storm came up, the barges sank and their Stockholm syndrome.cargoes were lost. The owners of the cargo Congress held hear-sued the barge owners, who in turn sued the ings to determine whytugboat owners. They claimed the tug oper- PCI DSS had not endedators were negligent because they failed to every merchant secu-equip their boats with radios that would rity issue, even thoughhave warned them of the bad weather. it had been around for The tugboat companies used the pre- less than four years.vailing practice theory in their defense. Congress seemed toThey claimed that because other tugboat feel that PCI should beoperators in the area weren’t using radios, the security equivalentthe standard of care for the industry didn’t of David Copperfield—require their use. Judge Hand found the that it could magicallytugboat companies liable because they did make every securitynot use readily available technology to lis- problem disappear.ten for weather reports, even though the Have informationuse of radios was not yet standard practice. records are breached every week. security professionals failed or have the Hand observed that “in most cases, rea- It’s early 2011 and, in spite of the stagger- people they have been speaking to failed tosonable prudence is in fact common pru- ing quantity of security solutions available, listen? Perhaps the lawyers need to step indence, but strictly it is never its measure. companies often fail to devote the requisite and file a Hooper-style case for the informa-A whole calling may have unduly lagged in staff and budget to information security and tion security and data-protection fields thatthe adoption of new and available devices. privacy needs. This is becoming even more would compel companies to take securityCourts must in the end say what is required. critical as websites focus on personalizing seriously.There are precautions so imperative that the user’s digital experiences by aggregat- For a long time now, corporate Americaeven their universal disregard will not ing personal data. As the value of this per- has had more than enough information-excuse their omission.” sonal information increases, so does the security and privacy tools available to He ruled a defendant was negligent if potential for its misuse and the severity of obviate many of the most common secu-the cost of preventing an incident was less the consequences of that misuse. rity problems. That alone suffices to tip thethan the likelihood of causing damage mul- Hundreds of millions of personal equation toward negligence. ntiplied by the severity of that damage. This records have been breached in the last fewidea is commonly expressed as B (burden of years, often due to negligence in establish- Ben Rothke is a senior security consultant withprevention) < PL (possibility times loss). ing security and privacy controls. Congress BT Professional Services.34 www.csoonline.com March 2011 Illustration by Carl Spackler