That was the question posed at a mock trial for the information security legal fraternity at RSA on Tuesday.
The conclusions, based on US law but reflecting international practice, were that both the law and industry standards lag behind best practice in protecting the consumer, and that the situation needs clarification and the bar needs to be raised, quickly.
The premise of the trial was the breach of a hypothetical tax returns company, Tax R Us, in which stolen tax return information and credit card data were used for fraudulent tax filings and other illegal activity. The stolen credit card data was never used because it was encrypted in compliance with the PCI standard, but a customer (the plaintiff) wanted to know why the rest of their data had not been protected in the same way, since its misuse had caused their credit rating to drop and cost them the chance to buy a house at below market value.
The presiding judge, John Facciola (US Magistrate, US District Court for the District of Columbia), called on the plaintiff's counsel, Steven Teppler (Partner, Abbott Law Group), to put the case and explain why the defendant should either be found liable for negligence immediately or have the case go to trial by jury.
It quickly became apparent that all the assumptions that we, in the security industry, may take as givens, would be called into question by both sides, highlighting manifold deficiencies in the system.
Tax R Us confirmed that it stored credit card data, which it kept in compliance with PCI DSS and therefore encrypted at rest, while the Social Security data it stored was kept in plain text. When an employee clicked on a phishing email and allowed a piece of malware to be downloaded, the attacker escalated their privileges inside the system over a period of two months and exfiltrated the clients' Social Security data, which was then used for fraud.
The defendant, represented by Hoyt Kesterson as company CISO, openly admitted that encryption was used only for the credit cards, because the company faced financial penalties for non-compliance, whereas a breach of other personally identifiable data only required the breach to be reported, which was done. "No one told me that I had to encrypt the data," Kesterson told the court.
Counsel for the defence, Jay Brudz (Partner, Drinker Biddle & Reath), contended that the defendant had done everything legally required of it. He cross-examined the expert witness, Carlos Villalba (Director of Services, Terra Verde), who had carried out the forensic examination, questioning his competence as an expert, the efficacy of PCI DSS on the grounds that it is not the best standard available, and whether encryption of data at rest is the norm in the industry. Firewalls and anti-malware controls were in place, staff had been trained in the correct procedures, including changing passwords every seven days, and so, in the defendant's view, it had done all that could reasonably be expected; given the cost of encryption, there was no business case for extending it to the other data.
The plaintiff's counsel in turn questioned the CISO's credentials, background, experience and competence to know what best practice was, and the fact that he had worked his way up within the company without experience elsewhere did undermine his credibility.
The plaintiff's case was that the absence of an agreed standard did not absolve the defendant of blame: there were steps it could have taken to reduce the likelihood of a breach, including encryption, and it knew what those steps were. Being negligent like everyone else, counsel argued, was no excuse. As precedent, counsel cited a New York factory fire in which locked doors, permitted smoking and lax standards contributed to several deaths, and the owner was found negligent despite there being no agreed standard.
This was the crux of the case. Under common law there is a duty of care to customers; if the terms of business spoke about security of data, that duty was even more explicit, and the loss of confidential personally identifiable data showed that the level of care provided was not commensurate with the value of the data with which the company had been entrusted.
While it was demonstrated that there was a case to answer, not everyone in the audience felt it was beyond question; most felt the case should go to trial, and just one person argued that there was no case to answer. The other issue raised was whether a jury of lay people would understand the technical aspects of the case, but experts arguing against experts is not uncommon, so the case probably would have gone to trial.
In the opinion of the presiding judge, the common law that protects those hurt by other people's negligence would support the plaintiff. It was pointed out, however, that in most cases where no loss can be demonstrated the case is dismissed; Facciola noted that in the US only one percent of breach cases go to trial, because no loss can be shown.
Had this case gone to trial, the argument that it was too expensive to encrypt non-card data would have been countered by the argument that the benefit outweighs the burden. Equally, even if there were a standard, it would not fit every organisation, and a risk assessment would still be needed. There was no consensus on whether there should be statutory standards in such a fast-moving technical area: some called for a baseline, others preferred a common law basis. In the US, different states are likely to introduce different standards, but national players would need to meet the most onerous of them.
So in the absence of a standard, the expectation is that sooner or later, perhaps not for three or even five years, there will be a bellwether case that establishes liability, with punitive costs for the losing defendant.