
Copyright (c) 2005 by Maine State Bar Association
Maine Bar Journal

Spring, 2005

20 Maine Bar J. 90

FEATURE: CYBERSECURITY OBLIGATIONS

by Jane Strachan

Jane Strachan is a member of the executive committee of the Technology Section of the Connecticut Bar Association and is senior legal counsel at Citigroup, Inc. The opinions in this article are solely those of the author. This article originally appeared in Connecticut Lawyer, Volume 15, Number 5. Reprinted with permission.

BUSINESSES CAN NO LONGER IGNORE INFORMATION SECURITY ISSUES. One recent survey shows that 83 percent of companies responding experienced a security breach last year, up from 39 percent in 2003. n1 Implementing an effective information security program is now essential for businesses to mitigate financial losses and satisfy their responsibilities toward individuals who entrust them with personal data. Today's new reality includes the risk of a lawsuit or regulatory enforcement arising from inadequate information security practices or from a "malicious intrusion" that compromises confidentiality.



n1 Deloitte 2004 Global Security Survey, available at http://www.deloitte.com.

How should lawyers advise business clients about their legal obligations to prevent a security breach of confidential information or to disclose such a breach? Health care and financial institutions have privacy and information security standards and practices set forth in the Health Insurance Portability and Accountability Act (HIPAA) n2 and the Gramm-Leach-Bliley Act (GLB Act). n3 What steps should businesses not under the purview of these statutes take to protect personal data from worms, viruses, and hackers? What should they do if confidential information is compromised?



n2 Pub. L. No. 104-191, 45 C.F.R. Parts 160, 162 and 164. See also Conn. Gen. Stat. §§ 38a-975 through 38a-999.

n3 Pub. L. No. 106-102, 16 C.F.R. Part 314. See also Conn. Gen. Stat. §§ 36a-41 through 36a-45.

Businesses can't sit idly by and wait for courts or regulatory agencies to determine their information security requirements for them. This article shows that courts and agencies have already done so and businesses are now on notice. This article also provides an overview on designing and implementing an information security plan based on recent developments at the Federal Trade Commission (FTC). Finally, it provides guidelines and resources about what to do in the event of a breach.

The Emerging Duty of Care

THERE DOESN'T HAVE TO BE AN INFORMATION SECURITY breach for a matter to wind up in court--and for the court to impose its ideas about information security on your client. The most recent decision to weigh in on inadequate security is arguably the most far-reaching. In the eight-year-old class action lawsuit, Cobell v. Norton, n4 Native Americans have tried to force the Department of the Interior (DOI) to account for billions of dollars held in trust on behalf of 500,000 beneficiaries and their heirs for Native American-owned lands given to the government for mining, grazing, and oil and gas exploration.



n4 Elouise Cobell et al. v. Gale A. Norton, as the Secretary of the Interior (U.S. Court of Appeals, D.C. Cir.), December 3, 2004. This is not the first information security case in which injunctive relief has been imposed. See Cyber Promotions, Inc. v. Apex Global Information Services, Inc. (E.D. Pa., 1997) (temporary restraining order enforcing contract to restore customer's Internet access despite ISP's failure to perform due to attacks).

In 2001, the U.S. District Court for the District of Columbia found that billions of dollars in trust accounts stored in the DOI's computer systems were vulnerable to hacking. In 2001, 2003, and again in 2004, the district court issued injunctions ordering the DOI to disconnect all information technology systems storing or accessing Native American trust accounts from the Internet and to submit for the court's approval a proposal for the secure reconnection of its systems. The interior secretary appealed the 2004 injunction, contending, inter alia, that the district court had abused its discretion.

On December 3, 2004, in Cobell v. Norton, the U.S. Court of Appeals for the D.C. Circuit lifted the 2004 injunction on narrow procedural grounds and remanded the case for reconsideration. n5 Nonetheless, the court of appeals used strong language concerning the broader issues against the DOI. The interior secretary has trust management duties that necessitate maintaining secure systems to render accurate trust accounting. Although the court of appeals recognized that the government's trust obligations stem from statutes and treaties, it emphasized that those obligations are largely defined in traditional equitable terms, not the narrower powers under administrative law. n6 The interior secretary, acting as trustee, must be judged by "the most exacting fiduciary standards." As such, the court of appeals concluded that the district court retains substantial latitude to fashion an equitable remedy in a situation where the trustees "egregiously breached their fiduciary duties." n7



n5 Id. The district court had placed the burden of persuasion on the DOI and failed to hold an evidentiary hearing. Two key DOI agencies, including the Bureau of Indian Affairs, remain offline.

n6 Id.

n7 Id.

The practical implications of Cobell v. Norton are significant. Privacy advocates now have a potentially potent tool to obtain a protective order even in the absence of an intrusion. Assuming Cobell v. Norton's relevance to non-regulatory agencies, businesses should look carefully at the information they collect and store on their systems. They may have a fiduciary duty to protect that information and therefore to implement adequate security measures. In addition, courts could take matters into their own hands and determine the type of information security program to be imposed in any given situation. Further, businesses must be mindful that there is precedent for terminating Internet connections until the court is satisfied that security is adequate.

Internet Attacks Are Foreseeable
 
IN RE VERIZON RELATED REDUCTION CLAIM, n8 AN ADMINISTRATIVE proceeding decided by the Maine Public Utilities Commission (PUC), Verizon sought a waiver of wholesale performance metrics because the Microsoft SQL Slammer Worm, which caused significant disruptions across the Internet in early 2003, had attacked Verizon's servers. As a result, Verizon could not meet its performance standards. Therefore, Verizon requested a reduction in the wholesale credits owed to AT&T Communications of New England (AT&T) and WorldCom. However, the PUC would have no part of Verizon's arguments and ordered it to pay the full amount of the credits.



n8 In re Verizon Related Reduction Claim, State of Maine Public Utilities Commission, Docket No. 2000-849 (April 30, 2003).

The PUC acknowledged that viruses and worms are a fact of life. It also noted that Microsoft rated the software vulnerabilities and security threats behind the Slammer Worm under its published severity rating system and recommended patches in well-known security bulletins issued long before the attacks occurred. n9 Thus, the PUC found that Verizon had sufficient warning about potential system vulnerabilities. n10 That is, the attacks were foreseeable. The PUC also found that Verizon had not taken reasonable, prudent, or timely steps to install patches and secure its systems; AT&T and WorldCom had done so and suffered no damage from the attacks. n11 Finally, the PUC added that Verizon did not adequately document the steps it took to test, evaluate, and install patches. n12 At the end of the day, Verizon was held accountable for its failure to act.



n9 Id.

n10 See http://www.cert.org and http://www.sans.org/top20.htm for a listing of current vulnerabilities and patches.

n11 In re Verizon. See also Weigh Systems South, Inc. v. Mark's Scales & Equipment, Inc., 68 S.W.3d 299 (Ark. Sup. Ct. 2002) (inadequate computer security procedures meant company information was not a trade secret).

n12 Id.

Failing to have adequate security practices can be so far-reaching that fatal consequences can be the result. In Remsburg v. Docusearch, Inc., n13 a stalker used personal information obtained from a Web-based investigation service, Docusearch, to track down and kill his victim. The New Hampshire Supreme Court aggressively interpreted the foreseeability element of negligence, holding Docusearch liable for its customer's criminal acts. The court reasoned that when a party's conduct creates an unreasonable risk of criminal misconduct, it owes a duty to those foreseeably endangered. It found that Docusearch had a "duty to exercise reasonable care in disclosing a third person's personal information to a client." When Docusearch sold a Social Security number and other personal information, stalking and identity theft were "sufficiently foreseeable" risks. n14



n13 Helen Remsburg, Administratrix of the Estate of Amy Lynn Boyer v. Docusearch, Inc., No. 2002-225 (N.H. Sup. Ct. 2003).

n14 Id.

Having an Information Security Plan
 
COBELL V. NORTON, IN RE VERIZON, AND DOCUSEARCH CONJURE up traditional notions of duty of care and foreseeability, n15 raising the following question: If security breaches are foreseeable and there's a duty to protect sensitive information and systems from attacks, what constitutes information security "best practices"? Recent FTC enforcements, rules, and guides are instructive in this regard and deserve a closer look.



n15 Palsgraf v. Long Island R. Co., 248 N.Y. 339 (1928) and United States et al. v. Carroll Towing Co., 159 F.2d 169 (2d Cir. 1947).

Over the last several years, the FTC has taken an aggressive stance toward protecting consumer privacy. n16 The FTC has used its authority under the Federal Trade Commission Act to prohibit "unfair or deceptive acts or practices in or affecting commerce" n17 against companies that promised to protect sensitive consumer data, but whose information security practices failed to live up to their promises. n18



n16 15 U.S.C. § 46(a). The FTC's actions are significant because its scope includes "any person, partnership, or corporation engaged in or whose business affects commerce." Its scope does not include certain financial institutions, including banks, savings and loan institutions, and federal credit unions; telecommunications and interstate transportation common carriers; and air carriers.

n17 15 U.S.C. § 45(a)(1) (commonly referred to as Section 5 of the FTC Act or "Section 5").

n18 See http://www.ftc.gov/privacy/privacyinitiatives/promises_enf.html, which includes the FTC's Section 5 privacy enforcements. In addition, a number of state attorneys general have successfully used state consumer protection laws to protect online privacy. See, for example, In the Matter of Doubleclick, Inc., Agreement between the attorneys general of the states of Arizona, California, Connecticut, Massachusetts, Michigan, New Jersey, New Mexico, New York, Vermont, and Washington and Doubleclick (August 2002), available at http://www.org.state.ny.us/press/2002/aug/aug26a_02.html.

Now the FTC has new ammunition to enforce the safeguarding of non-public and confidential customer information. n19 As of May 2003, financial institutions under the FTC's GLB jurisdiction must comply with the FTC's Safeguards Rule (the Rule) which implements the information security requirements of the GLB Act. n20 The rule covers a wide range of entities that provide financial products and services to consumers, including, for example, automobile dealers engaged in financing or leasing; mortgage brokers; real estate settlement companies; retailers that issue credit cards to consumers; income tax preparation companies; personal financial management consultants; and financial, career, and consumer credit counselors. To accommodate this wide range of entities, the rule is intended to be more flexible than the security requirements set forth in the GLB Act. As such, the rule reduces the burden on these smaller, less sophisticated institutions. n21



n19 "Customer information" is nonpublic personal information. 16 C.F.R. § 313.3(n).

n20 16 C.F.R. Part 314, Standards for Safeguarding Customer Information, May 23, 2002, available at http://www.ftc.gov/os/2002/05/67fr36585.pdf.

n21 Id.

The rule requires financial institutions to protect the security, confidentiality, and integrity of customer information by developing a comprehensive written information security program that contains administrative, technical, and physical safeguards appropriate to the entity's size and complexity, the nature and scope of its activities, and the sensitivity of the customer information it handles, including:


(i) Designating an employee(s) to coordinate the plan

(ii) Identifying reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information and assessing the sufficiency of any safeguards in place to control those risks

(iii) Designing and implementing information safeguards to control risks and regularly test or monitor the safeguards' key controls, systems, and procedures

(iv) Overseeing service providers and requiring them to contractually commit to implement and maintain the safeguards

(v) Evaluating and adjusting the plan in light of changes to the business or resulting from ongoing monitoring n22



n22 Id.


The FTC's guidance on the rule includes details about implementing practices in the areas of (1) employee training and management; (2) information systems, including network and software design and information processing, storage, transmission, and disposal; and (3) mechanisms to monitor for system failures. n23



n23 Financial Institutions and Customer Data: Complying with the Safeguards Rule, available at http://www.ftc.gov/bcp/online/pubs/bus-pubs/safeguards.htm.

Recently, the FTC issued its first enforcement actions under the rule. Last November, it charged two mortgage brokers, Nationwide Mortgage Group, Inc., n24 and Sunbelt Lending Services, Inc., n25 with violating the rule by failing to identify and assess risks, implement a plan, protect customer data, designate or train employees, or monitor for vulnerabilities.



n24 In the Matter of Nationwide Mortgage Group, Inc., FTC Docket No. 9319 (November 16, 2004). This case is still pending.

n25 In the Matter of Sunbelt Lending Services, Inc., Decision and Order, FTC Docket No. C-4129, January 3, 2005.

The requirements imposed on Nationwide and Sunbelt are essentially the same as the FTC's most recent deceptive practices enforcement against a non-financial company, online retailer Petco Animal Supplies, Inc. n26 Last November, the FTC charged that Petco's Web site misrepresented its online privacy promise because personal information, including credit card numbers, was stored unencrypted and was thus vulnerable to commonly known injection attacks even though defenses were readily available. As a result, a hacker was able to penetrate Petco's Web site and access credit card numbers stored in clear text. Under the Consent Order, Petco must establish and maintain a written comprehensive information security program, conduct a risk assessment, design and implement safeguards, designate employees to be accountable for the program, conduct ongoing monitoring, and implement changes, if required. In addition, within six months of the Consent Order and biennially for twenty years thereafter, Petco must obtain an independent third-party audit of its security program certifying that the program is sufficient to protect the security, confidentiality, and integrity of personal information. n27



n26 In the Matter of Petco Animal Supplies, Inc., Agreement Containing Consent Order, FTC File No. 032-3221.

n27 Id.
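As an added illustration that is not taken from the article or from the FTC's filings, the following Python sketch contrasts the two defects the Petco complaint describes, a query that splices customer input directly into SQL and card numbers kept in clear text, with the readily available defenses: a parameterized query, and retaining only the last four digits plus a keyed fingerprint instead of the full number. The table, customer names, card numbers, probe input and key are constructed for the example.

```python
import hashlib
import hmac
import sqlite3

# Constructed sample rows: fictitious customers and fictitious card numbers.
SAMPLE_ROWS = [
    ("alice", "4111111111111111"),
    ("bob", "5500000000000004"),
]

# Hypothetical server-side key; in a real deployment it would live in a
# secrets store, never in source code.
FINGERPRINT_KEY = b"constructed-demo-key"


def build_clear_text_db():
    """The 'before' picture from the complaint: full card numbers in clear text."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE orders (customer TEXT, card_number TEXT)")
    db.executemany("INSERT INTO orders VALUES (?, ?)", SAMPLE_ROWS)
    return db


def lookup_vulnerable(db, customer):
    """Query assembled by string concatenation: the input is parsed as SQL."""
    sql = ("SELECT customer, card_number FROM orders WHERE customer = '"
           + customer + "'")
    return db.execute(sql).fetchall()


def lookup_parameterized(db, customer):
    """Same query with a bound parameter: the input is only ever data."""
    sql = "SELECT customer, card_number FROM orders WHERE customer = ?"
    return db.execute(sql, (customer,)).fetchall()


def card_fingerprint(card_number):
    """Keyed HMAC of the card number, so a returning card can be recognised
    without the number itself being stored."""
    return hmac.new(FINGERPRINT_KEY, card_number.encode(), hashlib.sha256).hexdigest()


def build_minimized_db():
    """The hardened picture: only the last four digits and a keyed fingerprint
    are retained, so a dump of the table yields no usable card number."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE orders (customer TEXT, last_four TEXT, card_fp TEXT)")
    db.executemany(
        "INSERT INTO orders VALUES (?, ?, ?)",
        [(name, pan[-4:], card_fingerprint(pan)) for name, pan in SAMPLE_ROWS],
    )
    return db


def dump_table(db):
    """Everything in the table: what an intruder who reaches it would obtain."""
    return db.execute("SELECT * FROM orders").fetchall()


def demo():
    # Constructed probe input: a quote that closes the string literal, followed
    # by an always-true condition. Harmless against the parameterized query.
    probe = "nobody' OR '1'='1"
    clear = build_clear_text_db()
    minimized = build_minimized_db()
    return {
        "vulnerable_rows": len(lookup_vulnerable(clear, probe)),
        "parameterized_rows": len(lookup_parameterized(clear, probe)),
        "clear_text_dump": dump_table(clear),
        "minimized_dump": dump_table(minimized),
    }


if __name__ == "__main__":
    print(demo())
```

Field-level encryption of the stored number with a vetted library is the other route the Consent Order's language points to; the fingerprint approach above is chosen here only because it needs nothing beyond the standard library.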


Petco's "obedience training" is nearly identical to the FTC enforcements against mortgage brokers Nationwide and Sunbelt and the provisions set forth in the rule itself. Given the similarities, businesses should consider that the rule applies, practically speaking, not just to certain specific types of financial institutions under the FTC's GLB jurisdiction. All businesses subject to the FTC's general jurisdiction n28 should make privacy promises they can keep, review the rule and the guidance noted here, and implement an information security program that will help keep them out of the FTC's doghouse.



n28 See notes 16 and 17 supra and accompanying text.

Full Disclosure
 
EVEN THE BEST SECURITY PLANS ARE SUBJECT TO MALICIOUS attacks. In the past, most businesses have been reluctant to tell the world about security intrusions. n29 Now, however, it is appropriate that they give serious consideration to "fessing up" in the event that sensitive data is compromised. A new California law requires any person or business conducting business in California to expeditiously notify California residents when their unencrypted computerized personal information has been or is reasonably believed to have been acquired by an unauthorized person. n30 This disclosure law applies whether the computer intrusion occurs in California, Connecticut, or any other state, and whether the company is located in California or elsewhere--provided the individual's name in addition to his or her Social Security number, driver's license number, or financial account number belong to a California resident and are not encrypted.



n29 2004 CSI/FBI Computer Crime and Security Survey, available at http://www.cogsi.com (organizations fear negative publicity will hurt stock or image).

n30 Cal. Civ. Code Secs. 1798.29 and 1798.82 to 1798.84. Last year, organizations began notifying California residents that unencrypted personal information had been compromised. See "Texas Hosting Company Reveals Hacks," SecurityFocus News, March 14, 2004, available at http://www.securityfocus.com/news/8240.

Specifically, the law requires that the notice be (1) in writing, or electronic if consistent with federal law regarding electronic signatures (15 U.S.C. 7001); (2) by substitute notice (e.g., e-mail, Web posting, or major statewide media) if the cost to provide notice would exceed $250,000, the number of individuals affected exceeds 500,000, or contact information is not sufficient; and (3) made without unreasonable delay. n31 Although penalties for nondisclosure are not set forth in the law, it provides for a private right of action and allows the California attorney general or a district attorney to sue for damages. n32



n31 Id.

n32 Id.

California's Office of Privacy Protection has issued detailed Recommended Practices concerning protecting information security and preparing for notification in the event of a breach, as well as specifics on the notification itself and on coordination with consumer credit reporting agencies. Sample notice letters are also included. n33 The new California law may well become the nationwide de facto standard of care and best-practices benchmark for customer information compromised in an information security breach. n34



n33 Recommended Practices on Notification of Security Breach Involving Personal Information, dated October 10, 2003, available at http://www.privacy.ca.gov/recommendations/secbreach.pdf. The FTC also has guidance on steps to take if personal information is compromised; it is available at http://www.ftc.gov.

n34 California has been the trendsetter with regard to privacy laws. The security breach notification law was the model for similar federal and state laws introduced, but never passed. Last September alone, California enacted laws addressing spyware (Cal. Business & Professional Code Sec. 22947), security obligations for personal information (Cal. Civ. Code 1798.81), collecting medical information for direct marketing purposes (Cal. Civ. Code 1798.91), and restrictions on displaying Social Security numbers on paychecks (Cal. Labor Code 226(a)). See also the proposed "Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice," which the federal bank regulatory agencies have issued for public comment and which includes (inter alia) "procedures for notifying customers about incidents of unauthorized access to customer information that could result in substantial harm or inconvenience to the customer." 68 Fed. Reg. 47954 (August 12, 2003).

Conclusion
 
INFORMATION SECURITY IS A KEY COMPONENT OF INFORMATION privacy. The legal obligations of information security are here to stay. As such, counsel should keep a watchful eye on this fast-moving area of the law, especially on further enforcements, customer notification issues, and new threats posed by spyware, adware, and malware. n35 Counsel should also advise clients about the importance of (1) proactively implementing information security policies and practices, (2) reviewing current policies and practices to ensure they remain current with technology and with the law, and (3) acting appropriately in the event of a security breach.



n35 Detailed explanations available at http://en.wikipedia.org/wiki/spyware.

Highlights of In re Verizon

We find that Verizon has not met the standards contained in the Performance Assurance Plan (PAP) for granting a waiver for "situations beyond Verizon ME's control" from performance metrics with absolute standards. ...

While the Slammer Worm attack was certainly a serious occurrence, we agree with WorldCom that it is not the type of extraordinary event that is contemplated by the waiver section of the PAP. While they do not appear on a frequent basis, Internet viruses and worms have unfortunately been the instrument of numerous attacks in the past, and the Slammer Worm is just the latest version of the genre. The fact that Microsoft more or less regularly issues security bulletins is evidence that events of this type are an all too frequent occurrence that requires constant vigilance. ...

With respect to its actions taken to prevent or minimize worm attacks, we find that Verizon did not take all reasonable and prudent steps available to it. ... By failing to provide specific evidence about its knowledge and analysis of the vulnerabilities of its systems to the Slammer Worm, Verizon failed to make the clear and convincing demonstration required in II (J) of the PAP. ...

More examples of cybersecurity shortcomings abound ...

CONCERN ABOUT THE SAFETY OF DATA collected by corporations about individuals is widening, fueled by shortcomings highlighted in recent news articles about ChoicePoint Inc. and Bank of America Corp., among others.

In late February, according to the Boston Globe, Bank of America Corp. announced that it had lost tapes containing personal financial information for 1.2 million accounts of federal employees, including U.S. senators and Defense Department employees. The newspaper said the tapes contain such personal information as Social Security numbers, addresses, and account numbers for employees in several government agencies. "The lost information, which the bank was transporting to a backup data center, could make those customers vulnerable to identity theft," the Globe noted.

Senator Charles E. Schumer, Democrat of New York, said he was told by the Senate Rules Committee that the data backup tapes were probably stolen off a commercial plane by baggage handlers in December. But a Bank of America spokeswoman said the bank and law-enforcement officials believe that the tapes were lost.

The Bank of America disclosure came on the heels of a similar disclosure by ChoicePoint Inc., a data warehouser in Georgia, which said in mid-February that it unwittingly sold sensitive personal information on nearly 145,000 people to criminals.

Before the month had ended, a California woman filed a lawsuit alleging that ChoicePoint engaged in "fraudulent, negligent and unfair business practices, which has resulted in the release of highly sensitive personal information and the loss of millions of dollars to consumers nationwide." She was seeking class-action status for her suit to cover the thousands of other victims of ChoicePoint's data breach.

And in March, the LexisNexis Group said about thirty thousand of its records--including names, addresses and Social Security numbers of individuals--may have fallen into the hands of thieves. The Federal Bureau of Investigation and the Treasury Department are investigating, people close to the inquiry told the New York Times.

LexisNexis said the breach involved databases acquired last July through its purchase of Seisint, a Florida-based compiler of consumer background and asset information. Exactly how thieves gained access to the Seisint databases remains murky, the Times said. LexisNexis said the breach was discovered during "an ongoing extensive review of the verification, authorization and security procedures and policies."
