Remaking the Information Security Market

A Bad Year for Information Security

class action lawsuits in California, which seek damages for ChoicePoint's allegedly negligent sale of personal data to identity thieves posing as legitimate businessmen and for violating credit reporting laws. Just days ago, Bank of America was hit with a illegal sale of bank data to debt collectors by bank employees were found in possession of a New Jersey customer's personal information. Up north, the Canadian Imperial Bank of Commerce faces a class action lawsuit in Ontario for violating Canada's repeatedly faxing customers' personal information to business in West Virginia. For a long time, information security professionals have

Looking for Change in All the Wrong Places

If 2005 turns the information security market around, it will be because of commercial litigation between businesses, not consumer litigation. Consumer lawsuits face a number of handicaps in American courts. In the absence of a legislative solution, most consumer claims will have to prove a duty (that the defendant had a legal obligation to secure the consumer's information), damage (that the consumer suffered some kind of harm), and causation (the relationship between the security breach and the consumer's damage). Many courts do not yet impose economic loss doctrine. Finally, credit card number, through the final Guidance on the security standards in the has held firms responsible for has the occasion). But the most effective force improving information security today is peer pressure from other businesses. Even if consumer litigation ends up costing firms money, corporate decision-makers will be slow to change if they discount it as a gambit by greedy plaintiffs' lawyers. Likewise, legislators and regulators will not win over the hearts and minds of executives if they are perceived as meddling.

But firms can't ignore demands for improved security from their peers like predatory litigation or overregulation; at that point, security is a legitimate cost of doing business. The most prominent example of corporate peer pressure is the information security standards imposed by MasterCard, Discover on merchants and third-party card processors. (These rules have evolved over time; the most recent standard is the uniform gained access to this accidental database (which contained a large number of credit card numbers) and began to use the card numbers and to trade them with other criminals. After discovering the breach, a number of banks cancelled the compromised cards and reissued them. Of course, the cardholders' banks were left holding the bag for any fraudulent charges. Several banks have since there were approximately $10 million in outstanding claims against it. Where the ChoicePoint plaintiffs must rely on common law torts and fair credit statutes that are ill-suited to remedying the risk of identity theft, the BJ's plaintiffs have a contract that explicitly spelled out security requirements that BJ's allegedly breached. This largely eliminates the duty and economic loss issues that bedevil consumers' lawsuits. (On the other hand, proving causation will still present difficulties, and the BJ's plaintiffs may face problems because their contract was with Visa, not BJ's.) Still, the BJ's case is a better model for future information security breach lawsuits than the ChoicePoint litigation. Businesses have more money and better legal standing to sue their partners over information security failures than consumers do.

The Real Legacy of ChoicePoint

Instead, the lesson most companies are likely to take home from the ChoicePoint case is how not to disclose a security breach. ChoicePoint discovered that a ring of identity thieves purchased personal information on nearly 150,000 people through a series of front businesses; law enforcement agents supposedly cleared ChoicePoint to disclose the incident a few months later. Although individuals from every state were affected, ChoicePoint limited its SB 1386) requires businesses to disclose unauthorized access to personal data. (Some speculate that some prodding by state attorneys general did ChoicePoint notify affected consumers in the other 49 states. All this adds up to the general perception that ChoicePoint handled the disclosure poorly: certainly, no company has attempted a California-only notification since. On the other hand, ChoicePoint's dilemma is obvious: companies that disclose security breaches not only expose themselves to lawsuits, but risk market discipline. Customers who are security-sensitive will avoid companies that fail to make security a priority. Information security professionals might come to the conclusion that the risks of notification are a more powerful incentive for companies to improve information security than even the threat of litigation. Legislatures are also learning from the ChoicePoint debacle: companies cannot always be trusted to protect consumers without laws prompting them to do the right thing. SB 1386 replicas have Arkansas, Indiana, North Dakota, and Illinois's law is waiting for the governor's signature. (Unfortunately, bills in Congress threaten to preempt these laws. Companies want a single, national standard instead of a set of standards that vary from state to state. The problem is that the current versions of the federal bills do not have strong notification provisions.)

The Global Rise of a Duty to Disclose Information Security Breaches

and maintains a
