The master of literary horror and suspense Stephen King once said, “There’s no harm in hoping for the best as long as you’re prepared for the worst.” These words of wisdom are apropos in most aspects of life, especially when it comes to cybersecurity matters for your organization.
Having to deal with the aftermath of a data breach can be far more terrifying than the scariest Stephen King novel. What's more, the threat of a data breach is not fiction; odds are, it is a frightening reality. According to the Ponemon Institute's 2017 Data Breach Study, the odds of an organization suffering a recurring data breach are nearly one in four. Now consider that the odds of dying in a motor vehicle accident in the coming twelve months are about one in nine thousand.
According to the 2017 Annual Data Breach Year-End Review by the Identity Theft Resource Center, there were 1,579 breaches last year, a 44.7% increase over the record high reported for 2016. As a result of those breaches, 158 million Social Security numbers were exposed. The chance of your company experiencing a data breach is very real, and so is the potential liability. Experiencing a data breach does not by itself mean you are liable, however, as long as you can demonstrate a duty of care in protecting your network and data. This doesn't mean you have to spend half your budget on cybersecurity. It does require you to take the security measures that a reasonable person would have taken in order to guard against a data breach. Duty of care helps define the balance between the security measures necessary to prevent foreseeable harm to others and the burden those measures place on the business itself. Whether the organization met its "duty of care" obligation will be the centerpiece of any resulting litigation.
The good thing about litigation is that it produces rulings and precedents that we can follow and learn from in the future. Below are some data breach cases that can help you navigate the process of defining what your duty of care responsibility is.
Last December the High Court ruled that WM Morrison Supermarkets PLC ("Morrisons") was vicariously liable for a 2014 data breach involving the personal information of 100,000 employees. The suit was filed by more than 5,000 employees, who argued that Morrisons was directly liable for breach of statutory duty. The breach was attributed to the actions of a disgruntled employee, Mr. Skelton, who held the position of internal auditor at Morrisons. Mr. Skelton was in possession of a large file containing the personal data of Morrisons employees, including names, National Insurance numbers, bank account details and salaries. He was to pass the file on to an external auditor, but while it was in his possession he copied it to a USB stick and later deliberately posted its contents online. Mr. Skelton was convicted on separate criminal charges and is serving an eight-year prison term.
The court reviewed Morrisons' conduct throughout the incident. It found that Morrisons had acted reasonably in allowing Mr. Skelton to access and take possession of the file, and reasonably in allowing him to use a USB stick given the file size limits of the company's email system. The court did find, however, that Morrisons had failed to ensure that Mr. Skelton deleted the employee data within a reasonable time after the file had been handed to the external auditor. Despite finding Morrisons' own conduct largely reasonable, the court held it vicariously liable for the actions of its employee.
The Federal Trade Commission (FTC) charged LifeLock with failing to provide reasonable and appropriate security to prevent unauthorized access to personal information stored on its corporate network, whether held in a database, transmitted across the enterprise LAN or transmitted over the Internet. The lapse is ironic given that LifeLock is a leader in the identity theft protection business. LifeLock was cited for poor password management, poor patch management and the absence of policies limiting access to sensitive data appropriately. As a result, the FTC stated, an unauthorized person could gain access to information stored on the company's network through multiple avenues. In 2015, the FTC followed with another complaint alleging that the company had still failed to address the deficiencies specified in the original complaint.
A Maine construction company, Patco Construction Company, had $588,000 stolen from its account with Ocean Bank in 2009. The bank did manage to block $243,000 of the transfers, but Patco still incurred a loss of $345,000. Patco sued the bank on the grounds that it had failed to follow commercially reasonable security practices for its customers, chiefly in its authentication process. Patco also argued that the bank should have noticed the suspicious transfers and stopped them before they were sent, as they were far larger than Patco's usual transfers and originated from an unfamiliar IP address.
In 2011, a lower court ruled in favor of Ocean Bank, agreeing that its level of security was comparable to that offered by other banks. A year later, however, a federal appeals court reversed in favor of Patco, finding that the online security measures were not commercially reasonable. The three-judge panel was especially disturbed by a practice the bank introduced in 2008, when it reduced the fraud transaction threshold to $1. This of course meant that every transaction had to be approved through challenge-response questions. The court considered this bad practice: requiring challenges for every transaction failed to distinguish risky transfers from routine ones. Ocean Bank also neither monitored the suspicious transactions nor notified the customer before allowing them to complete. Because it could have done so, the court held that its efforts were not commercially reasonable.
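The distinction the appeals court drew, between a flat rule that challenges every transfer and a risk-based rule that reacts to the signals actually present (an amount far outside the customer's history, an unfamiliar source address), is easy to show in code. The following is an added illustration, not Ocean Bank's system or any real bank's fraud engine; the customer profile, IP addresses and transfer amounts are constructed for the example, and the scoring weights and tiers are assumptions chosen for clarity.

```python
"""Risk-based step-up authentication versus a flat challenge-everything policy.

Added example (not Ocean Bank's code). A tiny scorer that separates routine
transfers from anomalous ones using the two signals the Patco court discussed:
transfer size relative to the customer's history, and the originating IP.
All profile data, IPs and amounts below are constructed.
"""
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass
class Transfer:
    amount: float
    source_ip: str


@dataclass
class CustomerProfile:
    past_amounts: list   # approved transfer amounts (constructed history)
    known_ips: set       # addresses the customer has successfully used before


# Hypothetical customer resembling the page's description: regular, modest
# payroll-style transfers, always from one office address.
PATCO_LIKE = CustomerProfile(
    past_amounts=[4200.0, 3900.0, 4500.0, 4100.0, 3800.0, 4400.0, 4000.0, 4300.0],
    known_ips={"203.0.113.10"},
)


def flat_threshold_policy(tx: Transfer, threshold: float = 1.0) -> str:
    """The practice the court criticised: challenge every transfer over $1.

    Because every transaction is treated identically, the outcome carries no
    risk signal and the challenge answers are exposed on every login.
    """
    return "challenge" if tx.amount > threshold else "allow"


def risk_score(tx: Transfer, profile: CustomerProfile):
    """Return (score, reasons); a higher score means more anomalous for this customer."""
    score, reasons = 0, []
    mu = mean(profile.past_amounts)
    sigma = pstdev(profile.past_amounts) or 1.0   # guard against a perfectly flat history
    z = (tx.amount - mu) / sigma
    if z > 3:                                     # far outside the customer's normal range
        score += 2
        reasons.append(f"amount {tx.amount:.2f} is {z:.1f} sd above mean {mu:.2f}")
    if tx.amount > 10 * max(profile.past_amounts):  # gross deviation from the largest prior transfer
        score += 2
        reasons.append("amount exceeds 10x the largest previous transfer")
    if tx.source_ip not in profile.known_ips:     # unfamiliar origin, as in the Patco transfers
        score += 2
        reasons.append(f"unfamiliar source IP {tx.source_ip}")
    return score, reasons


def risk_based_policy(tx: Transfer, profile: CustomerProfile) -> str:
    """Tiered response (assumed tiers): allow, challenge, or hold and notify out of band."""
    score, _ = risk_score(tx, profile)
    if score >= 4:
        return "hold_and_notify"   # do not release funds until the customer confirms
    if score >= 2:
        return "challenge"
    return "allow"


def compare_policies(transfers, profile=PATCO_LIKE):
    """Run both policies over a batch; returns a list of (amount, ip, flat, risk_based)."""
    return [
        (tx.amount, tx.source_ip, flat_threshold_policy(tx), risk_based_policy(tx, profile))
        for tx in transfers
    ]


if __name__ == "__main__":
    # Constructed batch: one routine transfer, one from a new address, one large
    # transfer from an unfamiliar address in the style of the Patco fraud.
    batch = [
        Transfer(4250.0, "203.0.113.10"),
        Transfer(4250.0, "198.51.100.77"),
        Transfer(98000.0, "198.51.100.77"),
    ]
    for amount, ip, flat, risky in compare_policies(batch):
        print(f"{amount:>10.2f} from {ip:<15} flat={flat:<10} risk_based={risky}")
```

The flat policy returns "challenge" for all three rows and so tells the bank nothing; the risk-based policy lets the routine transfer through, steps up authentication for the new address, and holds the large out-of-profile transfer for out-of-band confirmation, which is the monitoring and notice the court said the bank could have provided.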
Preparation Steps to Take
There are resources available to help companies navigate the process leading to this determination. HALOCK Security Labs collaborated with CIS (Center for Internet Security) to create a simple methodology called the CIS Risk Assessment Method (CIS RAM). The CIS RAM builds on the CIS Controls to help management organize and prioritize its security efforts with balance and clarity. It provides a method for developing risk criteria that demonstrate the due care expected by regulators and accepted by the courts. Download the CIS RAM to understand how to balance your security controls, compliance obligations and business goals.