GROWING TREND OF FINDING REGULATORY AND TORT LIABILITY FOR CYBERSECURITY BREACHES

Mark W. Ishman, Esq.

Masters in Law in Information Technology and Privacy Law

www.IshmanLaw.com | www.IshmanLegal.com

(919) 468-3266 | [email protected]

2013-11 Growing Trend of Finding Regulatory and Tort Liability for Cyber Security Breaches - Mark Ishman



Invited speaker: "Growing Trend of Finding Regulatory and Tort Liability for Cyber Security Breaches ” with Mark W. Ishman, J.D., Masters in Law in Information Technology and Privacy Law



Page 2

Do I have your attention?

WHILE THERE IS A WIDE RANGE OF EXPERIENCE AND EXPERTISE EXHIBITED BY COMPUTER SOFTWARE DESIGNERS AND PROGRAMMERS, THOSE WHO DEVELOP OPERATING SYSTEMS AND SECURITY SOFTWARE ARE GENERALLY AT THE HIGHER END OF THE PROFESSION IN TERMS OF EDUCATION, TRAINING, AND EXPERIENCE.

IT IS CERTAINLY POSSIBLE TO HOLD PROGRAMMERS WHO WRITE CRITICAL SOFTWARE, SUCH AS OPERATING SYSTEMS AND SECURITY SOFTWARE, TO A HIGHER STANDARD THAN THOSE WHO WRITE LESS CRITICAL CODE SUCH AS WORD PROCESSORS AND VIDEOGAMES.

Page 3

Largest Known Data Breach – 160M Credit Cards – July 2013

Five men from Russia and Ukraine have allegedly stolen over 160 Million Credit Cards from 2005 to 2012, and sold them to others in the underground market, where they were then used throughout the world for ATM cash withdrawals and purchases

The defendants allegedly sought corporate victims engaged in financial transactions, retailers that received and transmitted financial data and other institutions with information they could exploit for profit.

The defendants are charged with hacking and malware attacks upon NASDAQ, 7-Eleven, Carrefour, JCP, Hannaford, Heartland, Wet Seal, Commidea, Dexia, JetBlue, Dow Jones, Euronet, Visa Jordan, Global Payment, Diners Singapore and Ingenicard

It is not alleged that the NASDAQ hack affected its trading platform.

http://www.justice.gov/usao/nj/Press/files/Drinkman,%20Vladimir%20et%20al.%20Indictment%20News%20Release.html

Page 4

HIPAA Breach Compromises over 4 Million People – August 2013

Theft of Four UNENCRYPTED LAPTOPS compromises over 4 Million patients’ medical files that contain their personal identifiable information (Name, SSN, Address, Phone Numbers and Email Addresses), Medicare data, medical diagnoses, insurance and payment information.

2nd Largest HIPAA data breach to date (largest to date is just under 5 Million patient records compromised)

Just last month, Theft of Two UNENCRYPTED LAPTOPS compromises over 729,000 patients’ medical files – October 2013

11th Largest HIPAA data breach to date

To date, HIPAA Feds have collected over $16 Million from 16 organizations who have been found guilty of violating HIPAA

Data from the Department of Health and Human Services. 

Page 5

Publicly Traded Companies’ Data Breaches

Sony paid $171 Million in cleanup from its April 2011 PlayStation Network breach;

Heartland Payment systems paid an estimated $140 million in its lost

Email services firm Epsilon paid an estimated $225 Million in total costs as a result of its data breach

PUBLICLY TRADED COMPANIES RETAIN OUTSIDE IT PROFESSIONAL CONSULTANTS FOR THEIR RECOMMENDATIONS AND FOR THEIR SPECIALIZED SECURITY SERVICES BOTH FOR THE RETAINED SKILL SET AS WELL AS FOR LIABILITY REASONS

Page 6

Federal Trade Commission Complaints

FTC has implemented initiatives to police computer data breaches

FTC Complaints are REactive and NOT PROactive – FTC complaints are all after the fact, rather than implementing rules and providing guidance

Most companies settle with the FTC and pay a fine

If you defend against an FTC complaint, expect LARGE litigation expenses, for example:

Large corporation Wyndham has just responded to an FTC complaint and has spent $5 Million already on discovery

Small corporation LabMD (25-person company) has just responded to the FTC complaint and has spent $500,000 on discovery

Page 7

How is there liability to IT security professionals for insecure software?

Page 8

Top Ten List of Security Certifications???

10. Vendor Certifications - CISCO and Microsoft specific certifications top the list.

9. CCE - Certified Computer Examiner

8. CPP - Certified Protection Professional

7. CBCP - Certified Business Continuity Professional

6. CEH - Certified Ethical Hacker

5. CSFA - CyberSecurity Forensic Analyst

4. CISA - Certified Information Systems Auditor

3. GIAC - The Global Information Assurance Certification

2. CISM - Certified Information Security Manager

1. CISSP - Certified Information Systems Security Professional

Page 9

What information security standards exist? Let’s look at the law…

• Global
  • ISO 17799, 27001
  • Basel II, EU Safe Harbors
  • Country Standards
  • National – NIST & OECD
  • Finance – CoBIT & BITS
• Federal Government
  • DOD - Rainbow Series, NIST
  • NSA
  • Presidential Directives

• State Laws -- Data security and breach notification laws
• Industry
  • Payment Card Industry – VISA, CISP, Mastercard SDP
  • Healthcare – HIPAA
  • Finance – Gramm Leach Bliley, SEC, NASD, FFIEC, OTS
  • Energy and Utility – NERC 1300, FERC, (NEI 04-04)
  • E-Commerce – FTC E-commerce Req’s

Page 10

What is the legal and business impact of breached information security?

Contractual Violations

Violation of state, federal and international laws

Business interruption – income loss, extra expense

Data asset loss, corruption, value reduction

Lost ROI on technology and marketing investments

Reputation losses & loss of valuation

Extortion and other crisis management costs

Page 11

What Laws Govern Insecure Software? HIPAA, Sarbanes-Oxley Act, Gramm-Leach-Bliley Act and Other Acts and their Potential Impact on Liability to Software Developers

Article 2 of the U.C.C.

Computer hardware and packaged software, as movable objects, are clearly goods and thus subject to the provisions of Article 2 – and for our conversation, Article 2 protection from Tort-related causes of action

Transactions involving primarily personal services, such as those for customization, expertise, maintenance, training, and support, are often held not to be goods, and thus NOT to fall within the U.C.C.

What about specialized “secure” computer software? Does that fall under Article 2 or customized services?

Negligence

Product Liability

Professional Malpractice Liability

Federal Trade Commission Complaint for unfair and deceptive acts or practices for deceptive claims that companies were safeguarding customer data appropriately

Page 12

Health Insurance Portability and Accountability Act (HIPAA)

HIPAA makes security a necessary prerequisite to providing services to the health industry, including the provision of any financial services.

Breach Notification Rules

Notify affected individuals

Notify Business Associates

Notify HHS (Federal Agency)

Audits and Fines

Penalty Amount: $100 to $50,000 or more per violation, repeat violations are $1,500,000, with a Calendar Year Cap of $1,500,000

Page 13

Sarbanes-Oxley Act (SOX)

SOX requires that the CEO sign filings with the SEC that certify that the company’s computer systems are secure and that the company maintains, in all material respects, effective internal controls over its financial reporting.

If he’s wrong, he faces potential prosecution for violations of SOX, with personal fines up to one to five million dollars and/or imprisonment for up to ten to twenty years

If the company asks its software vendors, whose products the company relies upon to provide that security and effective control, to certify that their systems meet the SOX’s requirements, the vendors politely decline, mumbling something about how all software has bugs and the company is not willing to assume the risk that the customer’s system may be compromised by hackers, cyberterrorists, or perhaps just a disgruntled ex-employee.

Thus far the SEC has not taken action against any corporate executives who have signed such an undertaking that later turned out to be untrue. We have not yet had a major accounting scandal arising from software vulnerabilities

Page 14

Gramm-Leach-Bliley Act (GLB)

GLB is a comprehensive privacy and security law that financial companies must adhere to.

GLB covers both information handling practices and security practices for “nonpublic personal information” (NPI).

GLB’s security requirements: You shall develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards that are appropriate to your size and complexity, the nature and scope of your activities, and the sensitivity of any customer information at issue (emphasis added).

Also requires:

1. Exercise appropriate due diligence in selecting your service providers;

2. Require your service providers by contract to implement appropriate measures designed to meet the objectives of these Guidelines; and

3. Where indicated by your risk assessment, monitor your service providers to confirm that they have satisfied their obligations as required by paragraph D.2. As part of this monitoring, you

Page 15

Article 2 of the UCC

Most bundled software (off-the-shelf or custom) falls within Article 2 of the UCC, a Good Thing for IT Professionals because you can use the UCC to limit your liability, e.g., disclaimer of express and implied warranties, limitation of liabilities and remedies

Standalone (unbundled), customized and expertise (security) software are determined on a case-by-case basis

Plaintiff attorneys will allege that the software vendor is in the best position to take action to prevent security breaches with standalone customized software.

Plaintiff attorneys will allege that software vendors were negligent in the production or design of the computer security systems, e.g., coding of the security and encryption software

Page 16

Negligence Claim – 5 Elements (1) Software vendor owed a DUTY to the Plaintiff

What type of Duties?

Duty to design and develop secure software

Duty to instruct the licensee on how to use its products safely

Duty to warn its licensees of the hidden dangers that the designed software may contain

Whether a duty exists in the law is largely a policy-based determination:

Foreseeability of harm of security breach

Degree of certainty between the vulnerabilities and harm

Closeness of the connection between lax Internet security practices and the injury suffered

Policy of preventing future intrusions

Burden of the IT industry

Consequences to the public of imposing a duty to maintain adequate security

Availability, costs and prevalence of security solutions

Insurance

Page 17

Negligence Claim – 5 Elements (2) Standard of Care Imposed on Software Vendor by that Duty

Generally this means what the reasonably prudent person would do under the circumstance

In the IT industry, this standard of care is evolving rapidly, and methodologies, procedures, and practices have been accepted by the industry as risks are exposed

The appropriate level of care to be followed in custom software will vary depending on the nature and intensity of the perceived risk resulting from an error

Thus, software developer’s duty under negligence law is not perfection, but only reasonableness, i.e., standard of care of a reasonable developer of security-related software under like circumstances – employing industry’s best practices security standards

Page 18

Negligence Claim – 5 Elements (3) Breach of Duty

With secure software, there are currently no accepted tests for determining when a software developer has breached its duty

Page 19

Negligence Claim – 5 Elements (4) Causation

Two-prong test:

Software developer’s negligence must have been the cause-in-fact of the plaintiff’s injuries (but for or substantial factor);

Software developer’s conduct must have been the proximate (legal) cause of the injury, i.e., a foreseeable result of the negligent act

Page 20

Negligence Claim – 5 Elements (5) Damages

Plaintiffs are entitled to recover ALL damages, e.g., personal injuries, property damages, economic losses

Some courts do not allow recovery of economic losses, e.g., defamation

Some courts do not allow damages for data entered into the computer system by a customer because that data is not part of the software

Until recently, for security breach cases, the plaintiffs have been unable to establish the “damages” requirement for negligence. In essence, courts have ruled that a consumer taking pre-emptive actions to protect his or her credit has not suffered compensatory damages.

Even if a consumer can show that they suffered identity theft they still have to establish that the security breach was the cause of such identity theft (in theory the consumer’s personal information could have been obtained from a multitude of sources).

Companies face the prospect of expensive attorney fees to defend these actions, and if the plaintiffs’ bar breaks through they could face significant liability.

Page 21

Negligence Applied to Security Breach Liability

Traditionally, security breaches are criminal acts of third parties, and a software vendor cannot be liable for third party criminal conduct unless it is determined that such criminal conduct was highly foreseeable.

With hundreds of thousands of new cybersecurity threats created every day, aren’t third party criminal acts of hacking highly foreseeable?

Duty, Standard of Reasonable Care, Breach of Duty, Causation (foreseeability) and Damages

California real estate escrow company has filed a NEGLIGENCE lawsuit against its former bank for the loss of $465,000 in an online banking hack last year http://krebsonsecurity.com/2011/07/

Page 22

Negligence Cases

Invacare Corp. v. Sperry Corp., (N.D. Ohio 1984)

Federal district court refused to dismiss a negligence claim alleging that a computer seller was negligent for recommending its program and services to the buyer when “it knew, or in the exercise of ordinary care, it should have known, that . . . the programs and related data processing products were inadequate,” and because it advertised to the buyer when it knew or should have known that “the programs furnished could not satisfy [the buyer’s] requirements.”

The court held that personnel in the computer industry, like personnel in other trades (doctors, accountants, lawyers), should be held to the ordinary standard of care for their trade.

Page 23

Negligence Case: Claridge v. Rockyou, Inc. (N.D. Cal. 2011)

Rockyou is a publisher and developer of online services and applications for use with social networking sites such as Facebook and MySpace

Rockyou applications allow its users to share photographs and write special text on a friend’s page, or play games with other users.

Customers are required to sign up to use Rockyou applications by submitting personal identifiable information to it that Rockyou stores in a database

Plaintiff alleges that Rockyou promised through its website to safeguard its personal identifiable information through commercially reasonable measures …. that did not include any form of encryption

Plaintiff’s personal identifiable information was hacked and available online

Federal district court held that plaintiff’s negligence claim could proceed against Rockyou despite not alleging specific damages other than unauthorized and public disclosure of its personal identifiable information

Page 24

Negligence Case: Patco Constr. Co. Inc. v. People’s United Bank (1st Cir. July 2012)

Hackers installed malware on Patco’s computers and stole its banking user name and password; and used Patco’s banking credentials to transfer money offshore from Patco’s account (common hacking facts)

Since the hackers were attempting a large offshore transfer that was so far out of the normal conduct by Patco, it caused an alert to flag this transaction

The bank manager decided that since the password/user name combination and accompanying answers to certain challenge questions were sufficient to verify the transaction, the bank manager ignored the alert and all the money went offshore

The Federal Appellate Court held that the Bank’s reliance on password authentication and its decision to ignore certain transaction-based flags that highlighted the unusually large offshore transfer was not necessarily a good commercial practice.

Court found that the Bank’s reliance on answers to challenge questions that the hackers provided was not a good security practice.

Court found that the Bank’s contract with Patco incorporated UCC requirement that the bank act in a commercially reasonable way, and found that the Bank’s protections that it implemented were unreasonable

Afterwards, this case settled for $345,000 (the amount transferred) and $45,000 in interest.

Page 25

Negligence Case: Lone Star Bank, et al. v. Heartland Payment Systems (5th Cir. September 2013)

Heartland had a contract with acquiring banks (plaintiffs) to provide credit card processing services.

Heartland was hacked in 2009 and lost the data from more than 160 million credit card accounts.

Because of the interlocking web of financial relationships with credit card transactions, Heartland was not the only bank affected by the hacking incident

Damages included losses from fraudulent use of the stolen data, cost of replacing credit cards and costs of providing their customers with credit monitoring services

Federal Appellate Court held that the issuing banks had a valid negligence claim against Heartland for its cybersecurity failures and that, if proven, they could recover their consequential damages from Heartland

Page 26

Today’s recent headlines

Negligence for theft of data from UNENCRYPTED LAPTOPS

Hackers broke in at a US-based company that brokers reservations for limousine and Town Car services nationwide, exposing the personal and financial information of more than 850,000 well-to-do customers, such as Fortune 500 CEOs, lawmakers and celebrities http://krebsonsecurity.com/2013/11/hackers-take-limo-service-firm-for-a-ride/

Negligence for storing data on servers that hackers are known to use to stash their stolen data

Page 27

Professional Malpractice Law

Professional liability has generally been applied to those who by virtue of specific training and licensing are deemed to have a level of skills higher than that of non-professionals.

To date, courts have been reluctant to hold computer designers or programmers to the higher standard of professionals due to the lack of established educational standards or regulations governing the performance of software programmers and developers, and because they are not licensed as professionals … that is changing

Many software developers have received extensive training in the use of certain programming and testing techniques, passed rigorous tests to become “certified,” and reached levels of expertise not held by general programmers.

While this is not identical to the licensing requirements of state licensing boards such as state bar associations or medical boards, it may be sufficient to justify holding these certified developers to a higher, professional standard, particularly where their certifications relate to secure software development.

Page 28

Top Ten List of Security Certifications???

10. Vendor Certifications - CISCO and Microsoft specific certifications top the list.

9. CCE - Certified Computer Examiner

8. CPP - Certified Protection Professional

7. CBCP - Certified Business Continuity Professional

6. CEH - Certified Ethical Hacker

5. CSFA - CyberSecurity Forensic Analyst

4. CISA - Certified Information Systems Auditor

3. GIAC - The Global Information Assurance Certification

2. CISM - Certified Information Security Manager

1. CISSP - Certified Information Systems Security Professional

Page 29

Professional Malpractice Case: Diversified Graphics, Ltd. v. Groves (8th Cir. 1989)

Plaintiff hired a large accounting firm to help it locate a turnkey computer system.

When the chosen system proved inadequate for the company’s needs, the company sued.

The court ruled that the accounting firm should be held to the American Institute of Certified Public Accountants’ Management Advisory Service Practice Standards, which the firm had incorporated into its guidelines for internal use.

While the court refused to acknowledge a cause of action for computer malpractice, by holding the accounting firm to the AICPA standards, it achieved essentially the same result.

Page 30

Professional Malpractice Case: Data Processing Services, Inc. v. L.H. Smith Oil Corp. (Ind. Ct. App. 1986)

Plaintiff claimed that the defendant was negligent in designing an accounting and data processing software system.

The state appellate court stated in dictum that “[t]hose who hold themselves out to the world as possessing skill and qualifications in their respective trades or professions impliedly represent they possess the skill and will exhibit the diligence ordinarily possessed by well informed members of the trade or profession.”

The court concluded that “[t]he situation here is more analogous to a client seeking a lawyer’s advice or a patient seeking medical treatment for a particular ailment than it is to a customer buying seed corn, soap, or cam shafts.”

Page 31

Product Liability for Insecure Software

Product liability law is imposed on the theory that the costs of damaging events due to defectively dangerous products can best be borne by the enterprisers who make and sell these products.

With insecure software, the question is whether the software insecurity is due to a design defect or a manufacturing defect

Software development generally goes through a number of phases before reaching the user, such as (i) the design phase, (ii) the coding phase, (iii) the testing phase, and (iv) the replication and distribution phase

A defect introduced into the product during the design phase would be deemed a design defect.

A defect introduced into the product at the replication and distribution phase would be deemed a manufacturing defect.

Coding phase??? Grey Area

Vendors would generally argue that everything before the replication and distribution phase is part of the product design process, hence, a negligence standard should apply to insecure software, except in the rare case where the defect occurred in the replication process.

Licensees would argue that the design defect standard should apply only to defects introduced in the design phase, and that everything thereafter should be deemed part of the manufacturing phase—and subject to a strict liability standard.

No cases on point, but that is not to say that they are not on their way …

Page 32

Federal Trade Commission Complaints

FTC has implemented initiatives to police computer data breaches

FTC Complaints are REactive and NOT PROactive – FTC complaints are all after the fact, rather than implementing rules and providing guidance

Most companies settle with the FTC and pay a fine

If you defend against an FTC complaint, expect LARGE litigation expenses, for example:

Large corporation Wyndham has just responded to an FTC complaint and has spent $5 Million already on discovery

Small corporation LabMD (25-person company) has just responded to the FTC complaint and has spent $500,000 on discovery

Page 33

Federal Trade Commission: TRENDNET, Inc. Case (September 2013)

TRENDNET allegedly failed to provide reasonable security “to prevent unauthorized access to sensitive information”

FTC Consent Order required TRENDNET to engage in "secure software, development, and testing" risk assessments as well as "reasonable and appropriate software security testing techniques”

Conduct an initial, and thereafter biennial, assessment and report – for twenty years – performed by a third-party CSSLP or CISSP or “a similarly qualified person or organization; or a similarly qualified person or organization approved by the Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission….”

Page 34

Federal Trade Commission: In re HTC America, Inc. Case (February 2013)

FTC complaint alleged that HTC failed to “employ reasonable and appropriate security in the design and customization of the software on its mobile devices.”

failed to (1) implement an “adequate program to assess the security of products it shipped to consumers,” (2) provide “adequate privacy and security guidance or training for its engineering staff,” (3) “conduct . . . reviews, or tests to identify potential security vulnerabilities in its mobile devices,” and (4) “implement a process for receiving and addressing security vulnerability reports from third-party researchers.”

Page 35

Federal Trade Commission

The FTC has begun taking action against software users whose systems were breached by hackers and third party confidential information was disclosed.

These recent FTC decisions suggest a new willingness by the FTC to hold software makers liable for failing to design security into their products from the start and to test and discover security vulnerabilities before releasing the

product into the market for advanced beta testing by paying customers who not only thereby pay for the "privilege" of testing the vendor’s product (saving the vendor enormous R&D costs) but who previously had little or no remedy beyond a replacement of the product (if that).

Most victims still receive no real recourse from FTC actions: the FTC does not investigate, much less act, in most cases, and limits on private rights of action and practical barriers to enforcement obstruct private remedies.

Plaintiffs’ attorneys will take over and advance negligence, strict product liability, and professional malpractice causes of action against software developers.

Page 36

Is Counterhacking Legal? The Computer Fraud and Abuse Act

“[T]he term ‘exceeds authorized access’ means to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” (18 U.S.C. § 1030(e)(6))

Put another way, you exceed authorized access if you obtain or alter information you’re not entitled to obtain or alter.

Who controls the computer? The data owner or the computer owner?

Are you entitled to take back your stolen data from a computer, but not sell the computer at a pawn shop?

So can Disney hack into everyone’s computers in pursuit of pirated videos?

Could future amendments recognize a counterhacking right to gather evidence but not to harm innocent third parties? Will there be a distinction between 99-cent music files and competitive business data?

Page 37

What Can You Do To Minimize Your Risks to Liability?

Always enter into written agreements that specifically address express and implied warranties and limitations of liability.

Always have your written agreements state which state’s law governs the agreement. Choose a state with no case law treating software as a service (which would make the UCC inapplicable) and no cases finding tort liability for insecure software.

Always use beta agreements or beta language when launching new or customized software; software is always launched with defects that will require patches and maintenance.

Always have your written agreements state who is responsible for maintenance services and whether such services require additional fees.

Page 38

What Can You Do To Minimize Your Risks to Liability?

Continuing education: keep it ongoing.

Audits: work with a security team to identify security issues and determine what else can be done (e.g., encryption, passwords, additional firewalls, etc.). The standard of care: “shall act with the care of an ordinary prudent person or agency in like position would exercise under similar circumstances.”

Policies & Procedures: create a security incident response and notification plan: designate a response team, contact the police or local FBI office, and document the response.

Consider strong malpractice and cyber-insurance coverage (which typically covers notification costs), and use it whenever coverage is in question.

Page 39

Procedure: What Constitutes a Breach?

Was unencrypted and unredacted personal information and/or protected health information accessed?

Personal Information means the first name or first initial and last name of a resident of this state, linked to one or more of the following data elements:

SSN

Driver’s license number

Account number, credit card number, or debit card number, in combination with a security code, access code, or password

Page 40

Procedure: Is Notice Required?

Material Breach?

Would access be likely to cause substantial loss, or injury, or result in identity theft?

How many to notify?

Cost?

Duty to notify as expeditiously as practicable and without undue delay
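The two slides above describe a triage rule: notice is owed only where unencrypted, unredacted personal information (a name linked to a qualifying data element) was actually accessed, and the answer has to be worked out per state of residence because each state’s statute covers its own residents. The following Python is an added example, not part of the original presentation, that encodes that rule over a constructed set of exposed records. The element list is the one on the slide; the field names (`ssn`, `credit_card`, and so on), the sample records and the treatment of encrypted or redacted fields as unreadable are assumptions for illustration, and state definitions differ, so the rule must be checked against each statute that applies.

```python
"""Breach-notification triage: which exposed records meet the slide's
definition of "personal information", and for which states?

Added example, not from the original presentation. Field names, the
sample records and the assumption that an encrypted or redacted field
cannot be read by the intruder are illustrative; check the real statute
for each state of residence before relying on the result.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

# Elements that, linked to a name, qualify on their own (per the slide).
STANDALONE_ELEMENTS: Set[str] = {"ssn", "drivers_license"}
# Financial identifiers qualify only in combination with a credential.
ACCOUNT_ELEMENTS: Set[str] = {"account_number", "credit_card", "debit_card"}
CREDENTIAL_ELEMENTS: Set[str] = {"security_code", "access_code", "password"}


@dataclass
class ExposedField:
    name: str
    encrypted: bool = False   # encrypted, and the key was NOT also taken
    redacted: bool = False    # e.g. only the last four digits were stored


@dataclass
class ExposedRecord:
    state: str                # state of residence of the data subject
    fields: List[ExposedField]


def readable(fields: Iterable[ExposedField]) -> Set[str]:
    """Names of the fields the intruder could actually read.

    The slide's definition covers only unencrypted, unredacted data, so
    encrypted and redacted fields do not count toward it.
    """
    return {f.name for f in fields if not (f.encrypted or f.redacted)}


def is_personal_information(fields: Iterable[ExposedField]) -> bool:
    """Apply the slide's definition: (first name or initial) plus last name,
    linked to an SSN or driver's license number, or to an account/card
    number exposed together with its security code, access code or password."""
    names = readable(fields)
    has_name = ("first_name" in names or "first_initial" in names) and "last_name" in names
    if not has_name:
        return False
    if names & STANDALONE_ELEMENTS:
        return True
    return bool(names & ACCOUNT_ELEMENTS) and bool(names & CREDENTIAL_ELEMENTS)


def triage(records: Iterable[ExposedRecord]) -> Dict[str, int]:
    """Count residents per state whose exposed data meets the definition.

    The keys are the states whose notification statutes you must read;
    the values answer the slide's "how many to notify" question for each.
    """
    per_state: Dict[str, int] = {}
    for r in records:
        if is_personal_information(r.fields):
            per_state[r.state] = per_state.get(r.state, 0) + 1
    return dict(sorted(per_state.items()))


# Constructed sample: five rows from a hypothetical customer table.
SAMPLE_RECORDS: List[ExposedRecord] = [
    # Full name + plaintext SSN: qualifies.
    ExposedRecord("NC", [ExposedField("first_name"), ExposedField("last_name"),
                         ExposedField("ssn")]),
    # Full name + card number but no code/password: does not qualify.
    ExposedRecord("NC", [ExposedField("first_name"), ExposedField("last_name"),
                         ExposedField("credit_card")]),
    # Initial + last name + debit card + password: qualifies.
    ExposedRecord("VA", [ExposedField("first_initial"), ExposedField("last_name"),
                         ExposedField("debit_card"), ExposedField("password")]),
    # Full name + SSN, but the SSN column was encrypted: does not qualify.
    ExposedRecord("VA", [ExposedField("first_name"), ExposedField("last_name"),
                         ExposedField("ssn", encrypted=True)]),
    # Last name + SSN with no first name or initial: does not qualify.
    ExposedRecord("GA", [ExposedField("last_name"), ExposedField("ssn")]),
]


if __name__ == "__main__":
    for state, n in triage(SAMPLE_RECORDS).items():
        print(f"{state}: {n} resident(s) to notify")
```

Two practical caveats. Set `encrypted=True` only when the intruder did not also obtain the key; if the key was taken, treat the field as plaintext. And the per-state counts are only the starting point: the "material breach" and risk-of-harm questions on the slide are judgment calls a script cannot make, and the statute for each state in the result still has to be read for its own element list and timing rules.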

Page 41

Policy: What Must the Notice Include?

Describe the security breach (date/time)

Describe the type of personal information that is the subject of unauthorized access/use

Describe what you have done to protect the data from further security breaches

Include a telephone number where a notice recipient may obtain assistance or additional information

Remind recipients in the Notice of the need to remain vigilant for incidents of fraud and identity theft

MAY have to notify consumer reporting agencies

Delivery by mail, telephone, or electronic means?

Page 42

So What? Why do this?

State AG fines for failure to provide notice ($250/person), up to $750,000

FTC fines - $1,500,000

Civil remedies under state and federal law:

State trade practices statutes

Breach of contract (terms of service / privacy policy)

Breach of the implied covenant of good faith and fair dealing

Breach of implied contract

Negligence / negligence per se

Ruined Reputation

Page 43

Policy and Procedure Practical Tips

If your company has experienced a data security breach, it may have to comply with more than one state’s law, since each state’s statute covers its own residents among your customers.

Where health information is stored, requirements for notification are far greater

Know that class actions are out there, and increasing

http://www.informationweek.com/security/client/linkedin-security-breach-triggers-mill/240002407

Page 44

RESOURCES

www.IshmanLaw.com (919) [email protected]

State breach notification laws (every state except AL, KY, NM, SD)

http://www.ncsl.org/issues-research/telecom/security-notification-laws.aspx

Many states have identity theft statutes that may also apply when there is a security breach.

Federal proposals for data breach notification requirements exist, but nothing has been enacted YET

International: Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA)

Federal Trade Commission – http://www.ftc.gov/bcp/edu/microsites/idtheft/business/data-breach.html

Biggest Data Breaches in 2013: http://www.crn.com/slide-shows/security/240159149/the-10-biggest-data-breaches-of-2013-so-far.htm

10 Biggest HIPAA Data Breaches in the U.S.: http://www.healthcareitnews.com/slideshow/slideshow-top-10-biggest-hipaa-breaches-united-states