Legal Consequences of Breaches to Security and Privacy

Saturday, October 01, 2011

Craig S Wright


If a security breach is attributable to a failure by a company to take reasonable steps to implement a robust e-security architecture, shareholders may ask questions. They may want to know what steps (if any) the directors took to prevent the breach of network security. After all, directors have a duty to exercise fiduciary care [1] and due diligence [2] in the protection of corporate assets and the minimization of loss.

For that reason, to comply with their obligations, directors must ensure that suitable measures are taken to protect the company's information systems and the data on those systems. This obligation is only heightened when the company also maintains data belonging to another party, as in the case of an ICP.

Privacy

Privacy is a critical component of the EU data protection regime [3], with non-compliance likely to lead to a variety of breaches both locally in the UK and internationally [4].

The security principle of the Data Protection Act [5] “requires that appropriate measures (technical and organizational) must be taken by data controllers against unauthorized or unlawful access to personal data and against accidental loss or destruction of personal data. It has significant application in an FE or HE e-learning environment. Since an e-learning system may include data such as student details, a student's submitted work and academic results; this principle makes it vital that such data are securely maintained”.

Consequently, an organization must take reasonable measures to protect the personal information it holds from misuse and loss, from unauthorized access, modification or disclosure.

Protecting the security of personal information involves implementing reasonable steps to maintain:

  1. physical security,
  2. computer and network security,
  3. the security of communications and
  4. the appropriate training of staff.

Information ought either to be destroyed or de-identified when it is no longer needed for the purpose of collection, for any permissible secondary purposes, or for the purpose of meeting a legal requirement to retain the information.

A security policy that deals with privacy issues is essential for an organization that wants to avoid breaching the National Privacy Principles as it establishes strict systems to ensure that personal information held or processed by the organization is not subject to unauthorized access or use. For instance, in an online environment, a policy would dictate that personal data would never be stored in the clear on a transaction server.

Organizations need to become aware of the massive reputation risks related to a breach of security associated with the disclosure of personal information. In 1995 an Australian was convicted for breaking into AUSNet's network using the user account and password associated with one of AUSNet's technical directors [6].

He proceeded to alter the home page of the company and displayed a message that customer credit card information had been distributed over the internet. He subsequently published a number of credit card details belonging to selected individuals. Stevens was sentenced to three years imprisonment, with eighteen months non-parole.

The intrusion resulted in only a minor direct financial loss. The reputation of AUSNet, however, was materially damaged, and the incident is alleged to have resulted in a widespread loss of consumer and business confidence, costing AUSNet more than $2 million in clients and contracts after the incident.

Any ICP needs to ensure that the data it maintains on its clients is secure. Additionally, in cases where it maintains some responsibility for the security and protection of client data, it also needs to ensure that this data is adequately secured.

Contract

Entities that have contractual relationships [7] with a company that suffers a breach of computer security may sue for breach of contract or under an indemnity clause if they incur loss or damage as a result.

This is more likely to happen if a party has an express obligation in relation to electronic security and the breach of security could have been prevented if reasonable steps had been taken to secure the relevant systems. Any case involving an allegation of breach of contract will largely turn on interpretation and the incorporation of terms in the contract.

Prevention is the key

The vast majority of illicit activity and fraud committed across the Internet could be averted, or at least curtailed, if destination ISPs and payment intermediaries implemented effective processes for monitoring and controlling access to, and use of, their networks.

Denning (1999) writes, "even if an offensive operation is not prevented, monitoring might detect it while it is in progress, allowing the possibility of aborting it before any serious damage is done and enabling a timely response” [8].

As noted above, there is a wide variety of commonly accepted practices, standards and means of ensuring that systems are secured. Many of the current economic arguments used by Internet intermediaries are short-sighted, to say the least.

The growing awareness of remedies that may be attained through litigation coupled with greater calls for corporate responsibility [9] have placed an ever growing burden on organizations that fail to implement a culture of strong corporate governance.

In the short term the economic cost of implementing sound monitoring and security controls may seem high, but when compared to the increasing volume of litigation that is starting to incorporate Internet intermediaries, the option of not securing a system and not implementing monitoring begins to pale.

The introduction of contractual fines through the PCI-DSS [10] will certainly curb the economic argument against enforcing controls at an Internet intermediary. With Visa and MasterCard set to issue fines of $25,000 (US) per day for noncompliant organizations, the cost of implementing monitoring controls starts to become insignificant, at least where payment systems are concerned.

The added benefit of meeting corporate governance requirements, and of being able to argue that the organization has provided at least a minimum due-care implementation for its systems, will also provide an added defense when facing certain tortious claims.

When the potential stipulations being sought through the “Creative Britain” strategy are added to this equation, the need for organizations, particularly Internet intermediaries, to implement secure systems and monitoring becomes essential.

What this all means

The Internet remains the wild, wild web not because of a lack of laws, but rather the difficulty surrounding enforcement. The Internet’s role is growing on a daily basis and has reached a point where it has become ubiquitous and an essential feature of daily life both from a personal perspective and due to its role in the international economy.

The “Creative Britain; new talents for the new economy” [11] framework paper that was introduced a number of years back demonstrated a reversal of many of the positions formerly held by the British government that required internet service providers to take action on illegal file sharing, as a consequence leaving intermediaries liable if they fail to take action.

This proposal carried with it the potential to create additional liabilities for Internet intermediaries. Many of these are yet to be seen but loom overhead if intermediaries do not self-regulate. It is proposed that Internet service providers either engage in a voluntary code of conduct that provides security controls and monitoring, or else it is likely that the government will implement these controls.

Ideally, intermediaries will work together to formulate an industry code of practice, thus negating the need for government intervention and also reducing their exposure to both contractual breaches [12] and tortious liability.

If an ISP is to be held liable as an intermediary to many of the charges noted above, it must have knowledge, or otherwise deduce that infringements are proceeding [13] on its systems. This requires that the intermediary monitor its systems.

Although intermediaries do commonly monitor their systems and have the means to suspect when infringements are occurring, Internet intermediaries also require the authority to prevent infringement if they are to be held liable for authorization, a condition that entails an aspect of control [14].

The UK government’s proposal, which requires monitoring by the destination ISP, places the responsibility firmly on the local provider of Internet services. Though this may seem unfair to many, since source ISPs may be located anywhere in the world and can easily move when facing restrictions, holding the destination ISP responsible for monitoring content would appear to be the only feasible solution, as it is infeasible for the destination ISP to provide services within the UK from other locations.

It is clear that a framework similar to that proposed by Mann and Belzley [23] or by Lichtman & Posner [18] is needed to effectively control infringements over the Internet and that such a solution is economically the most effective solution.

The proposed strategy of the British government is unlikely to be popular at first. Recommendations for a French style system of three strikes [15] would require additional monitoring from the ISP and also introduce a possibility of infringing the customer’s privacy rights [16]. The concurrence of privacy legislation and the need for additional controls will make the introduction of these initiatives interesting to say the least.

The pirates are starting to replace the cowboys, changing the wild, wild web into the proverbial high seas. The need for sensible legislation that will limit the increasing criminal activity while also considering the impacts on the law-abiding users of the Internet is clear. The proposed strategy of the British government offers great potential, but whether it succeeds will come down to its implementation. The Internet is entering its final stage of development: legislative control.

Anonymity and leaky international boundaries impede the prosecution of the primary malfeasors due to both jurisdictional confusion and the ability of the malfeasor to become judgment-proof. Internet intermediaries, especially those that service end users, are easily identifiable. They also have many of their assets within well-defined localities such as the UK.

Malfeasors require payment intermediaries to process their transactions. These intermediaries are primarily located in areas of well defined legal frameworks (including the US and UK). The UK’s “Creative Britain” strategy has provided little in either incentive or regulation concerning these actors. Payment intermediaries have the technological competence to avert detrimental transactions at the lowest cost of any intermediary with the largest potential payback. They are the economic least-cost provider of risk mitigation strategies.

Further, in many cases the largest effect on Internet pirates, child pornographers and other malfeasors is achieved through economic means. As such, the legislation should be adapted to mandate that Internet intermediaries control illicit transactions and consequently protect the public interest.

To do this effectively will require more than just a mandate that Internet intermediaries monitor illicit activity. It will also be necessary to regulate liability in order to protect Internet intermediaries from the consequences of the actions that they are required to take in order to protect the Internet. The constant seesawing between policy positions that has occurred in respect of the Internet, not only in the UK but in many other jurisdictions, demonstrates that we have not achieved this yet.

The position of the British Government, with its moves to call intermediaries to action in the formation of a voluntary body to stop intellectual property violations, is a start to the reforms needed not only in the UK but internationally. The problem is well defined in this call for reform; however, the call for voluntary changes is unlikely to bring about the required changes.

Intermediaries have the capability to stop many of the transgressions on the Internet now, but the previous lack of a clear direction and the potential liability associated with action rather than inaction [17] remain sufficient to keep their behavior unchanged. Even in the face of tortious liability, the economic impact of inaction is unlikely to lead to change without a clear framework and parallel legislation that provides a defense for intermediaries who act to protect their clients and society.

Although the Internet has changed the backdrop of the economy and society, it has not radically changed the nature of either civil or criminal transgressions. Rather it has added a layer of complexity through the speed and volumes of transactions that it has enabled.

The issue for the law and society is not an introduction of new crimes or new transgressions, but an enhanced capability both to engage in these activities and also the increased capacity to find them. Here again another issue develops with the juxtaposition of security and privacy.

The increased ability of the intermediaries to monitor and control our actions is constrained by the need to protect personal liberty. An incorrect balance of these forces leads either to too little security, with a possible finding of negligence (or worse), or to the breach of controls designed to protect society, with the possible criminal consequences of these actions.

Either the intermediaries will create order, or it will be forced upon them through legislation. The latter is not the desired outcome and requires a level of international political uniformity rarely achieved. The former requires diverse parties to act together.

References

[1] Hospital Products Ltd v United States Surgical Corp (1984) 156 CLR 41 at 96

[2] UK; Section 180 of the Corporations Act 2001 (Australia, Commonwealth): "A director or other officer of a corporation must exercise their powers and discharge their duties with the degree of care and diligence that a reasonable person would exercise"

[3] See: Walden “Data Protection” in Reed and Angel (Eds.), Computer Law (5th Ed. 2003, Chapter 11); Oxford University Press; London, UK;

[4] The Privacy Amendment (Private Sector) Act 2000 ("Privacy Amendment Act") contains the provisions for ensuring privacy in Australia. Also see the Directive 95/46/EC (Data Protection Directive); The Irish Data Protection Acts 1998 and 2003; Article 8 of the European Convention on Human Rights; The UK Regulation of Investigatory Powers Act 2000; US 'Safe Harbour' Rules; Employers' Data Protection Code of Practice; Model Contracts for Data Exports; The UK Interception of Communications (Lawful Business Practice) Regulations 2000; Electronic Communications Directive; The UK Anti-Terrorism, Crime & Security Act 2001; Directive 2002/58/EC (the E-Privacy Directive); and The UK Privacy & Electronic Communications (EC Directive) Regulations 2003.

[5] 1998, UK

[6] R v Stevens [1999] NSWCCA 69 (15 April 1999).

[7] A number of offer and acceptance issues that had not been completely resolved remain. The question of online software downloads generates its own difficulties. For instance, does the downloading of software constitute acceptance, installing the software, etc? Many software vendor licenses for instance state that the “loading of the software onto a computer indicates your acceptance of the following terms... ” The terms of the agreement are likely to be enforceable if the software company is able to demonstrate that the user had an opportunity to view the terms prior to installing the software.

[8] Dorothy E. Denning, Information Warfare and Security, ACM Press, New York, 1999

[9] See for instance Hazen (1977); Gagnon, Macklin & Simons (2003) and Slawotsky (2005)

[10] Details of the PCI-DSS are available online at http://www.pcicouncil.org.

[11] Department for Culture, Media and Sport, 22 Feb 2008

[12] The major uncertainty with electronic contracts stems from the facts of the individual dispute. This can lead to breaches as parties who do not understand the issues surrounding the contract seek to get around them. Fundamentally, offer, acceptance and consideration are required to fulfil the requirements for the creation of the contract. Given that the offeror may stipulate the method of acceptance, it would be prudent for the contracting parties to agree on the form of acceptance prior to the conclusion of the contractual negotiations.

[13] Ibid, Gibbs J at 12-13; cf Jacobs J at 21-2. See also Microsoft Corporation v Marks (1995) 33 IPR 15.

[14] Ibid, University of New South Wales v Moorhouse, supra, per Gibbs J at 12; WEA International Inc v Hanimex Corp Limited (1987) 10 IPR 349 at 362; Australasian Performing Right Association v Jain (1990) 18 IPR 663. See also Lim YF, 199-201; S Loughnan; and BF Fitzgerald, “Internet Service Provider Liability” in Fitzgerald, A., Fitzgerald, B., Cook, P. & Cifuentes, C. (Eds.), Going Digital: Legal Issues for Electronic Commerce, Multimedia and the Internet, Prospect (1998) 153.

[15] One of the current recommendations is based on the three-strikes policy that began in France late last year. The violation of digital rights management or other similar infringements, including provisions for Internet users that are caught distributing copyrighted files, would require the ISP to send an e-mailed warning to the infringing user. On a second offence, file-sharers would face a temporary account suspension. On a third offence, they would be entirely cut off from the Internet. (See also http://arstechnica.com/news.ars/post/20080218-three-strikes-infringement-policy-may-be-headed-down-under.html).

[16] The UK Privacy & Electronic Communications (EC Directive) Regulations 2003 and Directive 2002/58/EC (the E-Privacy Directive) may create problems. The juxtaposition of privacy versus control creates a fine line that is easily crossed.

[17] The fear of being seen as a publisher rather than a mere conduit has led many ISPs and ICPs to a state of inaction.

About the Author:

Craig Wright is the VP of GICSR in Australia. He holds both the GSE, GSE-Malware and GSE-Compliance certifications from GIAC. He is a perpetual student with numerous post graduate degrees including an LLM specializing in international commercial law and ecommerce law, A Masters Degree in mathematical statistics from Newcastle as well as working on his 4th IT focused Masters degree (Masters in System Development) from Charles Sturt University where he lectures subjects in a Masters degree in digital forensics. He is writing his second doctorate, a PhD on the quantification of information system risk at CSU.

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.
