The security breach news cycle continues. There remains a deluge of news stories about point-of-sale terminals being compromised, the ease of magnetic stripes being cloned, and the need for Chip and PIN technology being deployed on credit cards. The legal ramifications of all these events is just starting to become apparent – and it’s complicated. Individual liability is beginning to develop.
Before addressing legal issues, the question (mostly as a result of the Wyndham case) as to what constitutes “reasonable security” should be addressed. Fortunately, the law doesn’t require perfect information security. To do that would be to encase your computers and data in a block of amber and toss them to the bottom of the Marianas Trench – which makes them useless. So, for the rest of us who actually want to do business, the question is what do you do to have “reasonable security”?
The FTC has spent a pretty good amount of time going through what they consider “reasonable security”. Unfortunately, it isn’t a laundry list of “…do this and everything will be all right.’ One of the major take-aways of the Wyndham case is that the variable nature of the security threats which are out there demands that the FTC have the ability to evaluate reasonable security on a case-by-case basis. Practically this means you need to have a three-pronged strategy: 1) Risk Assessment (and you have to do this regularly – not just once, and think you are done); 2) implementation of controls to mitigate the threats identified in the first step (not just the ones that the media, or your vendor says you need to use); and 3) incident response protocols.
In general, the usual cause of a breach is a failure to do the first step. If you don’t know what your actual risk is (or how it has changed – remember, this isn’t a static environment), it won’t matter what you do in the control phase as you won’t cover all the actual risks that are there.
With a breach, the default approach of res ipsa loquitor is rearing its ugly head. In other words, the plaintiff’s bar would have the mere existence of the breach be a violation of a duty. Interestingly enough, much like other res ipsa cases, determining who is the culpable party is just as difficult. Who was responsible for the breach? Who has standing to sue? Which part of an organization had the obligation to protect against breaches?
If a large company has a breach, someone is going to sue them. Either the people who had their data compromised, or the shareholders who have stock that has gone down in price. As I have commented in other posts, officers and directors have a duty of care they must adhere to. However, the usual cause of action which can affect the individual manager has been limited to the data subject, or the shareholder as the plaintiff. While this remains true, there is an additional party who is starting to prosecute individuals – the FTC.
In February of this year, the 4th Circuit upheld a $163 million judgment against an individual executive at a company accused of defrauding consumers via a “scareware” scheme. While not directly the same as a security breach, the defendant’s argument in this case centered around a challenge to the legal standard the lower court applied in finding individual liability under the FTC Act. Specifically, that a person could be held individually liable if the FTC proves that the individual participated directly in the deceptive practices or had authority to control them, and had knowledge of the deceptive conduct.
This standard comes from securities fraud jurisprudence and requires proof of an individual’s authority to control the alleged deceptive practices, coupled with a “failure to act within such control authority while aware of apparent fraud.” This proposed standard would permit the commission to pursue individuals only when they had actual awareness of specific deceptive practices and failed to act to stop the deception, i.e., a specific intent/subjective knowledge requirement”.
However, the 4th Circuit said this standard would effectively leave the FTC with the “futile gesture” of obtaining “an order directed to the lifeless entity of a corporation while exempting from its operation the living individuals who were responsible for the illegal practices” in the first place.
While the 4th Circuit’s holding is related to a very obvious fraud scheme, the usual cause of action the FTC asserts against a company for a security breach is under the “deceptiveness” prong of Section 5, liability for a security breach is starting to creep outward to those who are actually responsible for the security posture of a company.