A Bad Year for Information Security
2005 has been a bad year for corporate IT security. The list of companies announcing security failures goes on and on: ChoicePoint, of course, Bank of America, Wachovia Bank, PNC Bank, Commerce Bancorp, Lexis-Nexis, and T-Mobile. Some are more obscure: Canadian Imperial Bank of Commerce, SAIC, Polo Ralph Lauren, DSW Shoes and innumberable of universities. 2005 may also be the year for litigation over security failures. ChoicePoint faces multiple class action lawsuits in California, which seek damages for ChoicePoint’s allegedly negligent sale of personal data to identity thieves posing as legitimate businessmen and for violating credit reporting laws. Just days ago, Bank of America was hit with a class action lawsuit when individuals arrested in connection with the illegal sale of bank data to debt collectors by bank employees were found in possession of a New Jersey customer’s personal information. Up north, the Canadian Imperial Bank of Commerce faces a class action lawsuit in Ontario for violating Canada’s privacy law by repeatedly faxing customers’ personal information to business in West Virginia.
For a long time, information security professionals have looked for security breach-related lawsuits to scare businesses into investing in improving information security: the information security market has been waiting to grow up to its potential. As Neohapsis’s CEO, Kelly Hansen, puts it, information security’s time has been “just around the corner” for six years now. Now, as these lawsuits hit the courts, information security pros wonder if 2005 finally be the year that information security gets its due?
Looking for Change in All the Wrong Places
If 2005 turns the information security market around, it will be becaue of commercial litigation between businesses, not consumer litigation. Consumer lawsuits face a number of handicaps in American courts. In the absence of a legislative solution, most consumer claims will have to prove a duty (that the defendant had a legal obligation to secure the consumer’s information), damage (that the consumer suffered some kind of harm), and causation (the relationship between the security breach and the consumers’ damage). Many courts do not yet impose general duty to keep personal information safe, even though the harm from disclosing such information is clear. Courts may also refuse to recognize purely economic damage from identity theft (which includes the time and cost in repairing a credit record, and the costs for credit monitoring and identity theft insurance) because of the economic loss doctrine. Finally, proving causation will be remarkably difficult: a plaintiff would have to trace a particular identity theft back to a firm’s security breach, and prove that the fraudulent use of the plaintiff’s information was caused by that security breach. It may be impossible to locate the identity thieves, or to reconstructing the trail of the consumer’s personal information, like a credit card number, through the black market for identity thieves.
Of course, these pitfalls will not stop consumer lawsuits forever. Clever plaintiffs’ lawyers will find ways around these difficulties. If they do not, legislatures could respond to public pressure and provide consumers with legal remedies. But this could take years still. Consumer lawsuits will not be the seachange the information security market is looking for.
Peer Pressure
Information security is going to improve when regulators and other businesses crack down on information security failures, rather than consumer lawsuits. Regulators have already made their mark. Federal financial regulators’ recently issued final Guidance on the security standards in the Gramm Leach Bliley Act are thoughtful, flexible, and tough where they need to be. And the FTC has repeatedly held firms responsible for failed information security promises (as has the New York Attorney General, on occasion).
But the most effective force improving information security today is peer pressure from other businesses. Even if consumer litigation ends up costing firms money, corporate decision-makers will be slow to change if they discount it as as a gambit by greedy plaintiffs’ lawyers. Likewise, legislators and regulators will not win over the hearts and minds of executives if they are perceived as meddling. But firms can’t ignore demands for improved security from their peers like predatory litigation or overregulation; at that point, security is a legitimate cost of doing business. The most prominent example of corporate peer pressure is the information security standards imposed by Visa, MasterCard, American Express, and Discover on merchants and third-party card processors. (These rules have evolved over time; the most recent standard is the uniform Payment Card Industry Data Security Standard.)
In fact, litigation over these standards is already here. The credit card processing system in BJ’s Wholesale stores inadvertantly stored information encoded on the magnetic strip on the back of customers’ credit cards. Criminals somehow gained access to this accidental database (which contained an large number of credit card numbers) and began to use the card numbers and to trade them with other criminals. After discovering the breach, a number of banks cancelled the compromised cards, reissued them. Of course, the cardholder’s banks were left holding the bag for any fraudulent charges. Several banks have since sued BJ’s, which estimated in a recent SEC filing that there were approximately $10 million in outstanding claims against it.
Where the ChoicePoint plaintiffs must rely on common law torts and fair credit statutes that are ill-suited to remedying the risk of identity theft, the BJ’s plaintiffs have a contract that explicitly spelled out security requirements that BJ’s allegedly breached. This largely eliminates the duty and economic loss issues that bedevil consumers’ lawsuits. (On the other hand, proving causation will still present difficulties and the BJ’s plaintiffs may face problems because their contract was with Visa, not BJ’s.) Still, the BJ’s case is a better model for future information security breach lawsuits than the ChoicePoint litigation. Businesses have more money and a better legal standing to sue their partners over information security failures than consumers.
The Real Legacy of ChoicePoint
Instead, the lesson most companies are likely to take home from ChoicePoint case is how not to disclose a security breach. ChoicePoint discovered that a ring of identity thieves purchased personal information on nearly 150,000 people through a series of front businesses; law enforcement agents supposedly cleared ChoicePoint to disclose the incident a few months later. Although individuals from every state were effected, ChoicePoint limited its initial notification to California residents: California law (specifically, SB 1386) requires businesses to disclose unauthorized access to personal data. (Some speculate that 2005’s torrent of security breach annoucements reflects SB 1386’s notification requirements, not an increased rate of security incidents.) Only after some prodding by state attorneys general did ChoicePoint notify affected consumers in the other 49 states. All this adds up to the general perception that ChoicePoint handled the disclosure poorly: certainly, no company has attempted a California-only notification since. On the other hand, ChoicePoint’s dilemma is obvious: companies that disclose security breaches not only expose themselves to lawsuits, but risk market discipline. Customers who are security-sensitive will avoid companies that fail to make security a priority. Information security professionals might come to the conclusion that the risks of notification are a more powerful incentive for information security improvements to companies than even the threat of litigation.
Legislatures are also learning from the ChoicePoint debacle: companies cannot always be trusted to protect consumers without laws prompting them to do the right thing. SB 1386 replicas have sprouted up in state legislatures across America. Arkansas, Georgia, Indiana, Montana, North Dakota, and Washington have actually passed laws that closely resemble SB 1386. Illinois’s law is waiting for the governor’s signature. (Unfortunately, pending bills in Congress threaten to preempt these laws. Companies want a single, national standard, instead of a set of standards that vary from state to state. The problem is that the current versions of the federal bills do not have strong notification provisions.)
Ethan Preston is an attorney practicing ecommerce and privacy law. He previously wrote The Global Rise of a Duty to Disclose Information Security Breaches and maintains a blog. He lives in in Chicago, Illinois.
