Copyright (c) 2005 by Maine State Bar Association
Maine Bar Journal
Spring, 2005
20 Maine Bar J. 90
FEATURE: CYBERSECURITY OBLIGATIONS
by Jane Strachan
Jane Strachan is a member of the executive committee of the Technology Section of the Connecticut Bar Association and is senior legal counsel at Citigroup, Inc. The opinions in this article are solely those of the author. This article originally appeared in Connecticut Lawyer, Volume 15, Number 5. Reprinted with permission.
Businesses can no longer ignore information security issues. One recent survey shows that 83 percent of companies responding experienced a security breach last year, up from 39 percent in 2003. n1 Implementing an effective information security program is now essential for businesses to mitigate financial losses and satisfy their responsibilities toward individuals who entrust them with personal data. Today's new reality includes the risk of a lawsuit or regulatory enforcement arising from inadequate information security practices or from a "malicious intrusion" that compromises confidentiality.
n1 Deloitte 2004 Global Security Survey, available at http://www.deloitte.com.
How should lawyers advise business clients about their legal obligations to prevent a security breach of confidential information or to disclose such a breach? Health care and financial institutions have privacy and information security standards and practices set forth in the Health Insurance Portability and Accountability Act (HIPAA) n2 and the Gramm-Leach-Bliley Act (GLB Act). n3 What steps should businesses not under the purview of these statutes take to protect personal data from worms, viruses, and hackers? What should they do if confidential information is compromised?
n2 Pub. L. No. 104-191, 45 C.F.R. Parts 160, 162 and 164. See also Conn. Gen. Stat. §§ 38a-975 through 38a-999.
n3 Pub. L. No. 106-102, 16 C.F.R. Part 314. See also Conn. Gen. Stat. §§ 36a-41 through 36a-45.
Businesses can't sit idly by and wait for courts or regulatory agencies to determine their information security requirements for them. This article shows that courts and agencies have already done so and businesses are now on notice. This article also provides an overview on designing and implementing an information security plan based on recent developments at the Federal Trade Commission (FTC). Finally, it provides guidelines and resources about what to do in the event of a breach.
The Emerging Duty of Care
There doesn't have to be an information security breach for a matter to wind up in court--and for the court to impose its ideas about information security on your client. The most recent decision to weigh in on inadequate security is arguably the most far-reaching. In the eight-year-old class action lawsuit, Cobell v. Norton, n4 Native Americans have tried to force the Department of the Interior (DOI) to account for billions of dollars held in trust on behalf of 500,000 beneficiaries and their heirs for Native American-owned lands given to the government for mining, grazing, and oil and gas exploration.
n4 Elouise Cobell et al. v. Gale A. Norton, as the Secretary of the Interior (U.S. Court of Appeals, D.C. Cir.), December 3, 2004. This is not the first information security case in which injunctive relief has been imposed. See Cyber Promotions, Inc. v. Apex Global Information Services, Inc. (E.D. Pa., 1997) (temporary restraining order enforcing contract to restore customer's Internet access despite ISP's failure to perform due to attacks).
In 2001, the U.S. District Court for the District of Columbia found that billions of dollars in trust accounts stored in the DOI's computer systems were vulnerable to hacking. In 2001, 2003, and again in 2004, the district court issued injunctions ordering the DOI to disconnect all information technology systems storing or accessing Native American trust accounts from the Internet and to submit for the court's approval a proposal for the secure reconnection of its systems. The interior secretary appealed the 2004 injunction, contending, inter alia, that the district court had abused its discretion.
On December 3, 2004, in Cobell v. Norton, the U.S. Court of Appeals for the D.C. Circuit lifted the 2004 injunction on narrow procedural grounds and remanded the case for reconsideration. n5 Nonetheless, the court of appeals used strong language concerning the broader issues against the DOI. The interior secretary has trust management duties that necessitate maintaining secure systems to render accurate trust accounting. Although the court of appeals recognized that the government's trust obligations stem from statutes and treaties, it emphasized that those obligations are largely defined in traditional equitable terms, not the narrower powers under administrative law. n6 The interior secretary, acting as trustee, must be judged by "the most exacting fiduciary standards." As such, the court of appeals concluded that the district court retains substantial latitude to fashion an equitable remedy in a situation where the trustees "egregiously breached their fiduciary duties." n7
n5 Id. The district court had placed the burden of persuasion on the DOI and failed to hold an evidentiary hearing. Two key DOI agencies, including the Bureau of Indian Affairs, remain offline.
n6 Id.
n7 Id.
The practical implications of Cobell v. Norton are significant. Privacy advocates now have a potentially potent tool to obtain a protective order even in the absence of an intrusion. Assuming Cobell v. Norton's relevance to non-regulatory agencies, businesses should look carefully at the information they collect and store on their systems. They may have a fiduciary duty to protect that information and therefore to implement adequate security measures. In addition, courts could take matters into their own hands and determine the type of information security program to be imposed in any given situation. Further, businesses must be mindful that there is precedent for terminating Internet connections until the court is satisfied that security is adequate.
Internet Attacks Are Foreseeable
In In re Verizon Related Reduction Claim, n8 an administrative proceeding decided by the Maine Public Utilities Commission (PUC), Verizon sought a waiver of wholesale performance metrics because the Microsoft SQL Slammer Worm, which caused significant disruptions across the Internet in early 2003, had attacked Verizon's servers. As a result, Verizon could not meet its performance standards. Therefore, Verizon requested a reduction in the wholesale credits owed to AT&T Communications of New England (AT&T) and WorldCom. However, the PUC would have no part of Verizon's arguments and ordered it to pay the full amount of the credits.
n8 In re Verizon Related Reduction Claim, State of Maine Public Utilities Commission, Docket No. 2000-849 (April 30, 2003).
The PUC acknowledged that viruses and worms are a fact of life. It also noted that Microsoft used a rating system for software vulnerabilities and security threats from the Slammer Worm and recommended patches in well-known bulletins regularly published long before the attacks occurred. n9 Thus, the PUC found that Verizon had sufficient warning about potential system vulnerabilities. n10 That is, the attacks were foreseeable. The PUC also found that Verizon had not taken reasonable, prudent, or timely steps to install patches and secure its systems; AT&T and WorldCom had done so and suffered no damage due to the attacks. n11 Finally, the PUC added that Verizon did not adequately document the steps it took to test, evaluate, and install patches. n12 At the end of the day, Verizon was held accountable for its failure to act.
n9 Id.
n10 See http://www.cert.org and http://www.sans.org/top20.htm for a listing of current vulnerabilities and patches.
n11 In re Verizon. See also Weigh Systems South, Inc. v. Mark's Scales & Equipment, Inc., 68 S.W.3d 299 (Ark. Sup. Ct. 2002) (inadequate computer security procedures meant company information was not a trade secret).
n12 Id.
Inadequate security practices can have consequences so far-reaching that they prove fatal. In Remsburg v. Docusearch, Inc., n13 a stalker used personal information obtained from a Web-based investigation service, Docusearch, to track down and kill his victim. The New Hampshire Supreme Court aggressively interpreted the foreseeability element of negligence, holding Docusearch liable for its customer's criminal acts. The court reasoned that when a party's conduct creates an unreasonable risk of criminal misconduct, it owes a duty to those foreseeably endangered. It found that Docusearch had a "duty to exercise reasonable care in disclosing a third person's personal information to a client." When Docusearch sold a Social Security number and other personal information, stalking and identity theft were "sufficiently foreseeable" risks. n14
n13 Helen Remsburg, Administratrix of the Estate of Amy Lynn Boyer v. Docusearch, Inc., No. 2002-225 (N.H. Sup. Ct. 2003).
n14 Id.
Having an Information Security Plan
Cobell v. Norton, In re Verizon, and Docusearch conjure up traditional notions of duty of care and foreseeability, n15 raising the following question: If security breaches are foreseeable and there's a duty to protect sensitive information and systems from attacks, what constitutes information security "best practices"? Recent FTC enforcements, rules, and guides are instructive in this regard and deserve a closer look.
n15 Palsgraf v. Long Island R.R. Co., 248 N.Y. 339 (1928) and United States et al. v. Carroll Towing Co., 159 F.2d 169 (2d Cir. 1947).
Over the last several years, the FTC has taken an aggressive stance toward protecting consumer privacy. n16 The FTC has used its authority under the Federal Trade Commission Act to prohibit "unfair or deceptive acts or practices in or affecting commerce" n17 against companies that promised to protect sensitive consumer data, but whose information security practices failed to live up to their promises. n18
n16 15 U.S.C. § 46(a). The FTC's actions are significant because its scope includes "any person, partnership, or corporation engaged in or whose business affects commerce." Its scope does not include certain financial institutions, including banks, savings and loan institutions, and federal credit unions; telecommunications and interstate transportation common carriers; and air carriers.
n17 15 U.S.C. § 45(a)(1) (commonly referred to as Section 5 of the FTC Act or "Section 5").
n18 See http://www.ftc.gov/privacy/privacyinitiatives/promises_enf.html, which includes the FTC's Section 5 privacy enforcements. In addition, a number of state attorneys general have successfully used state consumer protection laws to protect online privacy. See, for example, In the Matter of Doubleclick, Inc., Agreement between the attorneys general of the states of Arizona, California, Connecticut, Massachusetts, Michigan, New Jersey, New Mexico, New York, Vermont, and Washington and Doubleclick (August 2002), available at http://www.org.state.ny.us/press/2002/aug/aug26a_02.html.
Now the FTC has new ammunition to enforce the safeguarding of non-public and confidential customer information. n19 As of May 2003, financial institutions under the FTC's GLB jurisdiction must comply with the FTC's Safeguards Rule (the Rule), which implements the information security requirements of the GLB Act. n20 The rule covers a wide range of entities that provide financial products and services to consumers, including, for example, automobile dealers engaged in financing or leasing; mortgage brokers; real estate settlement companies; retailers that issue credit cards to consumers; income tax preparation companies; personal financial management consultants; and financial, career, and consumer credit counselors. To accommodate this wide range of entities, the rule is intended to be more flexible than the security requirements set forth in the GLB Act. As such, the rule reduces the burden on these smaller, less sophisticated institutions. n21
n19 "Customer information" is nonpublic personal information. 16 C.F.R. § 313.3(n).
n20 C.F.R. Part 314, Standards for Safeguarding Customer Information, May 23, 2002, available at http://www.ftc.gov/os/2002/05/67fr36585.pdf.
n21 Id.
The rule requires financial institutions to protect the security, confidentiality, and integrity of customer information by developing a comprehensive written information security program that contains administrative, technical, and physical safeguards appropriate to the entity's size and complexity, the nature and scope of its activities, and the sensitivity of the customer information it handles, including:
(i) Designating an employee(s) to coordinate the plan
(ii) Identifying reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information and assessing the sufficiency of any safeguards in place to control those risks
(iii) Designing and implementing information safeguards to control risks and regularly testing or monitoring the safeguards' key controls, systems, and procedures
(iv) Overseeing service providers and requiring them to contractually commit to implement and maintain the safeguards
(v) Evaluating and adjusting the plan in light of changes to the business or resulting from ongoing monitoring n22
n22 Id.
The FTC's guidance on the rule includes details about implementing practices in the areas of (1) employee training and management; (2) information systems, including network and software design and information processing, storage, transmission, and disposal; and (3) mechanisms to monitor for system failures. n23
n23 Financial Institutions and Customer Data: Complying with the Safeguards Rule, available at http://www.ftc.gov/bcp/online/pubs/bus-pubs/safeguards.htm.
Recently, the FTC issued its first enforcement actions under the rule. Last November, it charged two mortgage brokers, Nationwide Mortgage Group, Inc., n24 and Sunbelt Lending Services, Inc., n25 with violating the rule for failing to identify and assess risks, implement a plan, protect customer data, designate or train employees, or monitor for vulnerabilities.
n24 In the Matter of Nationwide Mortgage Group, Inc., FTC Docket No. 9319 (November 16, 2004). This case is still pending.
n25 In the Matter of Sunbelt Lending Services, Inc., Decision and Order, FTC Docket No. C-4129, January 3, 2005.
The requirements imposed on Nationwide and Sunbelt are essentially the same as the FTC's most recent deceptive practices enforcement against a non-financial company, online retailer Petco Animal Supplies, Inc. n26 Last November, the FTC charged that Petco's Web site misrepresented its online privacy promise because personal information, including credit card numbers, was stored unencrypted and was thus vulnerable to commonly known injection attacks even though defenses were readily available. As a result, a hacker was able to penetrate Petco's Web site and access credit card numbers stored in clear text. Under the Consent Order, Petco must establish and maintain a written comprehensive information security program, conduct a risk assessment, design and implement safeguards, designate employees to be accountable for the program, conduct ongoing monitoring, and implement changes, if required. In addition, within six months of the Consent Order and biennially for twenty years thereafter, Petco must obtain an independent third-party audit of its security program certifying that the program is sufficient to protect the security, confidentiality, and integrity of personal information. n27
n26 In the Matter of Petco Animal Supplies, Inc., Agreement Containing Consent Order, FTC File No. 032-3221.
n27 Id.
Petco's "obedience training" is nearly identical to the FTC enforcements against mortgage brokers Nationwide and Sunbelt and the provisions set forth in the rule itself. Given the similarities, businesses should consider that the rule applies, practically speaking, not just to certain specific types of financial institutions under the FTC's GLB jurisdiction. All businesses subject to the FTC's general jurisdiction n28 should make privacy promises they can keep, review the rule and the guidance noted here, and implement an information security program that will help keep them out of the FTC's doghouse.
n28 See notes 16 and 17 supra and accompanying text.
Full Disclosure
Even the best security plans are subject to malicious attacks. In the past, most businesses have been reluctant to tell the world about security intrusions. n29 Now, however, it is appropriate that they give serious consideration to "fessing up" in the event that sensitive data is compromised. A new California law requires any person or business conducting business in California to expeditiously notify California residents when their unencrypted computerized personal information has been or is reasonably believed to have been acquired by an unauthorized person. n30 This disclosure law applies whether the computer intrusion occurs in California, Connecticut, or any other state, and whether the company is located in California or elsewhere--provided the individual's name, in addition to his or her Social Security number, driver's license number, or financial account number, belongs to a California resident and is not encrypted.
n29 2004 CSI/FBI Computer Crime and Security Survey, available at http://www.cogsi.com (organizations fear negative publicity will hurt stock or image).
n30 Cal. Civ. Code Secs. 1798.29 and 1798.82 to 1798.84. Last year, organizations began notifying California residents that unencrypted personal information had been compromised. See "Texas Hosting Company Reveals Hacks," SecurityFocus News, March 14, 2004, available at http://www.securityfocus.com/news/8240.
Specifically, the law requires that the notice be (1) in writing, or electronic if consistent with federal law regarding electronic signatures (15 U.S.C. 7001); (2) by substitute notice (e.g., e-mail, Web posting, or major statewide media) if the cost to provide notice would exceed $250,000, the number of individuals affected exceeds 500,000, or contact information is not sufficient; and (3) made without unreasonable delay. n31 Although penalties for nondisclosure are not set forth in the law, it provides for a private right of action and allows the California attorney general or a district attorney to sue for damages. n32
n31 Id.
n32 Id.
California's Office of Privacy Protection has issued detailed Recommended Practices concerning protecting information security and preparing for notification in the event of a breach, as well as specifics on the notification and coordination with consumer credit reporting agencies. Sample notice letters are also included. n33 The new California law may well become the nationwide de facto standard of care and best practices standard for customer information compromised by an information security breach. n34
n33 Recommended Practices on Notification of Security Breach Involving Personal Information, dated October 10, 2003, available at http://www.privacy.ca.gov/recommendations/secbreach.pdf. The FTC also has guidance on steps to take if personal information is compromised; it is available at http://www.ftc.gov.
n34 California has been the trendsetter with regard to privacy laws. The security breach notification law was the model for similar federal and state laws introduced, but never passed. Last September alone, California enacted laws addressing spyware (Cal. Business & Professional Code Sec. 22947), security obligations for personal information (Cal. Civ. Code 1798.81), collecting medical information for direct marketing purposes (Cal. Civ. Code 1798.91), and restrictions on displaying Social Security numbers on paychecks (Cal. Labor Code 226(a)). See also the proposed "Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice," issued for public comment by the federal bank regulatory agencies, which includes (inter alia) "procedures for notifying customers about incidents of unauthorized access to customer information that could result in substantial harm or inconvenience to the customer." See 68 Fed. Reg. 47954 (August 12, 2003).
Conclusion
Information security is a key component of information privacy. The legal obligations of information security are here to stay. As such, counsel should keep a watchful eye on this fast-moving area of the law, especially on further enforcements, customer notification issues, and new threats posed by spyware, adware, and malware. n35 Counsel should also advise clients about the importance of (1) proactively implementing information security policies and practices, (2) reviewing current policies and practices to ensure they remain current with technology and with the law, and (3) acting appropriately in the event of a security breach.
n35 Detailed explanations available at http://en.wikipedia.org/wiki/spyware.
Highlights of In re Verizon
We find that Verizon has not met the standards contained in the Performance Assurance Plan (PAP) for granting a waiver for "situations beyond Verizon ME's control" from performance metrics with absolute standards. ...
While the Slammer Worm attack was certainly a serious occurrence, we agree with WorldCom that it is not the type of extraordinary event that is contemplated by the waiver section of the PAP. While they do not appear on a frequent basis, Internet viruses and worms have unfortunately been the instrument of numerous attacks in the past, and the Slammer Worm is just the latest version of the genre. The fact that Microsoft more or less regularly issues security bulletins is evidence that events of this type are an all too frequent occurrence that requires constant vigilance. ...
With respect to its actions taken to prevent or minimize worm attacks, we find that Verizon did not take all reasonable and prudent steps available to it. ... By failing to provide specific evidence about its knowledge and analysis of the vulnerabilities of its systems to the Slammer Worm, Verizon failed to make the clear and convincing demonstration required in II (J) of the PAP. ...
More examples of cybersecurity shortcomings abound ...
Concern about the safety of data collected by corporations about individuals is widening, fueled by shortcomings highlighted in recent news articles about ChoicePoint Inc. and Bank of America Corp., among others.
In late February, according to the Boston Globe, Bank of America Corp. announced that it had lost tapes containing personal financial information for 1.2 million accounts of federal employees, including U.S. senators and Defense Department employees. The newspaper said the tapes contain such personal information as Social Security numbers, addresses, and account numbers for employees in several government agencies. "The lost information, which the bank was transporting to a backup data center, could make those customers vulnerable to identity theft," the Globe noted.
Senator Charles E. Schumer, Democrat of New York, said he was told by the Senate Rules Committee that the data backup tapes were probably stolen off a commercial plane by baggage handlers in December. But a Bank of America spokeswoman said the bank and law-enforcement officials believe that the tapes were lost.
The Bank of America disclosure came on the heels of a similar disclosure by ChoicePoint Inc., a data warehouser in Georgia, which said in mid-February that it unwittingly sold sensitive personal information on nearly 145,000 people to criminals.
Before the month had ended, a California woman filed a lawsuit alleging that ChoicePoint engaged in "fraudulent, negligent and unfair business practices, which has resulted in the release of highly sensitive personal information and the loss of millions of dollars to consumers nationwide." She was seeking class-action status for her suit to cover the thousands of other victims of ChoicePoint's data breach.
And in March, the LexisNexis Group said about thirty thousand of its records--including names, addresses and Social Security numbers of individuals--may have fallen into the hands of thieves. The Federal Bureau of Investigation and the Treasury Department are investigating, people close to the inquiry told the New York Times. LexisNexis said the breach involved databases acquired last July through its purchase of Seisint, a Florida-based compiler of consumer background and asset information. Exactly how thieves gained access to the Seisint databases remains murky, the Times said. LexisNexis said the breach was discovered during "an ongoing extensive review of the verification, authorization and security procedures and policies."