Compliance and Security: The Four Courts and Downstream Liability
by Stephen Cobb, originally appeared in Compliance Solutions Advisor
What is the primary objective of a compliance officer when it comes to issues of data privacy and security? Is it striving for 100 percent compliance with all applicable government and non-government rules and regulations, thereby protecting the organization against fines and sanctions? If so, you might want to ask this question: Does that 100 percent compliance protect against nightmare data security scenarios, such as those recently experienced by companies ranging from Bank of America to Choicepoint, LexisNexis and SAIC?
Sloppy handling of personally identifiable information, or PII, has also turned an embarrassing spotlight on numerous public sector organizations recently, from Boston College and George Mason University on the East Coast, to the San Jose Medical Group and U.C. Berkeley on the West Coast.
In all of these incidents, sensitive PII was exposed, meaning one or more person not authorized to view the PII did in fact do so, thereby increasing the risk of identity theft for the data subjects, the persons identified by the data. For example, you might be a data subject if you used your General Motors-branded MasterCard to buy something from a Polo Ralph Lauren store in recent months (the company confirmed in April that there was a problem with its electronic sales systems exposing sensitive PII).
The Four Courts
Events of this nature are bad news for the data subject and the organization whose security was breached. Failing to protect data about people is turning out to be as damaging as failing to protect company secrets, maybe even more so. When PII has been entrusted to a company that subsequently allows it to be stolen, the fall-out is bad for the company's brand and its stock price. For example, shares in Ralph Lauren were worth over $40 in the middle of March but by the end of April they were selling for around $36. This should come as a surprise to the company. When Western Union's web site was hacked five years ago--compromising customer credit card data--the stock price of Western Union's parent company took a ten percent hit (and speaking as someone whose card was among those compromised, I have never used their services since).
What is not clear is the compliance status of the above-named organizations and others that have suffered similar security breaches involving PII. So, your organization needs to ask: Is it possible to be in compliance with all applicable government and non-government rules and regulations and yet still suffer an embarrassing, not to mention damaging, security breach? This article attempts to shed light on the answer, beginning with the assertion that it is simplistic to think of compliance today as "abiding by the law." Organizations are held to account in different ways which can be thought of as "the four courts." After examining each one, some practical remedies will be discussed.
Courts of Law
Traditional courts, upholding laws and settling lawsuits, have been a frequent backdrop in recent years to the highly publicized arraignments of corporate executives accused of fraud at companies like Adelphia, Enron, HealthSouth, Tyco and WorldCom. So far we haven't seen any company executives on trial for computer security failures, but that day may yet arrive. In the meantime, serious security compliance obligations--sparked by these high profile cases of corporate malfeasance--have become a fact of life for many companies in the form of Sarbanes-Oxley.
However, laws tend to lag behind technology. The first convictions for computer hacking and computer virus-writing came many years after the first outbreak of these activities. The first class action lawsuits on behalf of victims of data privacy breaches are only now working their way through the courts (for example, the case involving the medical records of 300,000 military service members and retirees that were stolen from TriWest Healthcare Alliance in 2002 is still in progress).
Consider the California Database Protection Act (CDPA). This requires organizations that conduct business in California and have computerized personal information about California consumers to notify these consumers of any security breach that threatens exposure of the information. When the CDPA went into effect in 2003, security professionals, myself included, predicted that it would eventually impact companies outside of the Golden State. However, it was not until February of 2005, when the law forced Choicepoint to inform Californians affected by a security failure at the company, that the CDPA really showed its teeth.
The slow pace at which laws and legal precedents take shape poses a hidden danger for companies that seek to abide by the law: In effect you must strive to abide by what the law will become. How do you do this? In the absence of a crystal ball, the best strategy is a combination of vigilance and due care. Make sure someone in your organization is paying attention to data security related laws that are making their way through congress and cases that are working their way through the courts. Also stay apprised of the measures that your competitors are taking in this area.
Consider the issue of "downstream liability," ably documented in a paper titled "The Legal Mandate for Information Protection" by William Cook, a partner in Wildman, Harrold, Allen & Dixon, and a founding member of the U.S. Secret Service Chicago Electronic Crimes Task Force. In a seminar at the 20th Anniversary Meeting of the Information System Security Association (ISSA) last year, Cook described a shifting legal landscape in which judges and plaintiffs are more open to pursuing cases against "the allegedly negligent." These are organizations that fail to follow security best practices. According to Cook, in this context "downstream liability" means "the negligent handling of one computer system that causes damage to others." The idea is that everyone who uses the Internet has an obligation to maintain a certain amount of security and thus can be found negligent if A. they don't maintain that security, and B. something bad unknowingly happens to someone else out there as a result of A.
This idea is based in the legal concepts of liability and foreseeability. If you operate a hotel in a rough part of town it is foreseeable that your guests could become victims of crime, thus requiring you to take appropriate measures to prevent this (well-lit parking areas, surveillance cameras, security patrols, and so on). Now think of your organization's web site. If it is on the public Internet there is no way you can deny that it is in a rough part of cyber-space. Attacks against it are thus foreseeable. Inadequate efforts to protect the site will not be excused, even if the site complies with all applicable regulations.
This has been underlined by both regulators (to whom we will return later in the article) and the courts. Cook likes to cite Maine Public Utilities Commission v. Verizon Maine. When the Slammer worm took Verizon's network down for several days, the company requested a prorated refund of fees from MPUC, but the request was refused. The grounds? Verizon had not applied a patch to its systems that would have protected against Slammer. A judge agreed with MPUC, stating that the outage was foreseeable. Furthermore, Verizon's competitors argued that they had foreseen the problem, applied the patch, and not gone down. So why should Verizon get a break?
The sluggishness of the legal system poses another threat. There can be a sizable gap between news of a security breach and the conviction of the breacher. This creates an adverse one-two PR punch. For example, the man who hacked into Arkansas-based Acxiom Corp. was sentenced in March of 2005 for crimes committed more than two years earlier (even though he pled guilty without a trial). Acxiom makes its money from warehousing consumer data and is trying to get government security work, so news of this conviction meant an unwelcome renewal of the adverse media attention that accompanied disclosure of the breach in the first place.
The Court of the Press
The press may refer to itself as the fourth estate, but it is really the second court you have to worry about when your organization suffers a data security breach. How you handle the press in the early stages of an incident can make all the difference, for victims, employees, stockholders, and future earnings. If you don't already have a clear and tested plan for responding to an incident, get one. A good place to start is a product called IMCD, from Contingenz. This helps you prepare your incident management plan and advises strict policies controlling who is allowed to talk to the press and under what circumstances.
As a compliance officer you may be called upon early in the response process to comment, either internally or to the press, on the compliance status of the organization. Be careful how you respond. Saying the company is in 100 percent compliance with government regulations may sound good to you and your bosses. But think of how that might sound to someone whose identity has been stolen as a result of a security breach at your company.
Consider what happened when Choicepoint--a company that touts the fraud-prevention benefits of its data aggregation and analysis products--lost a whole bunch of consumer data to some people who deceived it. Within days the Chief Information Security Officer was complaining to the press that the data theft was erroneously referred to as a hack: "This is not an information security issue...people are saying ChoicePoint was hacked. No we weren't. This type of fraud happens every day. Our systems were not hacked."
Technically, he might have been correct about the use of the term hacking, but he was definitely wrong to claim that handing over PII to bad people is not an information security issue. It was also insensitive to the victims of the theft. Besides, if your company sells anti-fraud solutions, you don't want one of your executives publicly stating that: "This type of fraud happens every day."
The People's Court
Which brings us to the third court of concern to compliance officers and information security officers alike: the court of public opinion. At times it may appear that public opinion is shaped by the press, but in reality the press largely reflects public opinion. Consider the growing number of newspaper articles about consumers who are so unhappy with the Internet that they are disconnecting. The press is not telling these consumers--who often cite security as part of their disillusionment with email and e-commerce--to pull the plug on the Internet. The press is simply reporting a trend that reporters have observed.
Public opinion affects companies directly, in terms of product sales, brand image, and even stock price. Yet public opinion also drives regulatory action and oversight, the fourth of the four courts. For example, state attorneys general such as New York's Eliot Spitzer have found there's really no political downside to coming down hard on companies that don't do enough to protect PII.
The Court of Standards and Regulations
Politicians have been getting an earful lately from constituents who are concerned about data privacy, leading to talk of new laws. In turn these could lead to new regulations with which companies will have to comply. However, that process takes time so the pressure for immediate action may well mean tougher enforcement of existing regulatory regimes such as Gramm-Leach-Bliley, HIPAA, and the FTC.
If you don't think of the Federal Trade Commission as a privacy and security regulatory body, think again. It has a variety of remits in this area, including the very broad responsibility to prevent deceptive and unfair business practices. And the FTC has shown ample willingness to act in the area of privacy and security. Remember the issue of foreseeability? In June of 2003, the FTC forced a settlement on Guess, Inc. after alleging that the company exposed consumers' personal information to "commonly known attacks by hackers." The agency alleged that Guess "didn't use reasonable or appropriate measures to prevent consumer information from being accessed at its Web site, Guess.com."
This type of regulatory action has a lot of companies asking: What constitutes an acceptable level of data security? This question is not only being asked by IT staff, but also by compliance staff. After all, when you look to Gramm-Leach-Bliley and HIPAA and Sarbanes-Oxley, you don't see many specifics. There are no checklists telling you exactly what you have to do to "be in compliance." This may seem like regulators ducking the issue. A classic example is the change between the draft version of the HIPAA Security Rule and the final. While the draft required all personally identifiable medical data sent over the Internet to be encrypted, the final rule merely stated that encryption was "addressable."
As frustrating as such lack of specifics might be, it does point to the core challenge of information security: implementing appropriate responses to well-understood risks. No reputable security professional is going to tell you what you should or shouldn't do to protect sensitive data without fully understanding your business model. Fortunately this points the way to some practical remedies.
Remedies
In his ISSA seminar, William Cook made it clear that a company’s best defense against claims of negligent handling of PII was a solid business case for what the company actually had done to protect it. If you can document that your organization has made a concerted effort to implement and adhere to a respectable security standard, based on an informed risk assessment, limited only by the practical bounds of profitability and human nature, then you will likely get a sympathetic ruling in a court of law. A good press campaign is going to succeed in its spin and you stand at least a 50/50 chance that the public will be understanding.
So what constitutes a "respectable" security standard? The answer for a lot of companies today is ISO 17799, which has the advantage of being internationally recognized and directed at information security management as a whole instead of just a sub-set such as information system security. There are other standards. One that is necessarily limited in scope but does go into specifics is the Payment Card Industry Data Security Standard. If your company handles credit card transactions (on or off the Internet) you should be working on compliance with this standard. However, when it comes to protecting information about people, try to avoid the pitfalls of focusing too narrowly on compliance at the expense of the big picture. Stay on guard against new threats that are not yet codified in regulations but nevertheless may pose a threat to your company, its reputation, and its profits.
Stephen Cobb