Profits Over Safety and The Smoking Gun
If you’ve seen the 2001 movie Erin Brockovich, you know that from 1952 to 1966, Pacific Gas and Electric Company (PG&E) dumped about 370 million gallons of chromium-tainted wastewater into unlined wastewater ponds around the town of Hinkley, California. PG&E used chromium 6, or hexavalent chromium (a cheap and efficient rust suppressor), in its compressor station for natural-gas transmission pipelines. During that time, hundreds of people in the Hinkley area got sick with cancer and many of them died.
In 1993, legal clerk Erin Brockovich began an investigation into the health impacts of the contamination and identified documents regarding PG&E’s knowledge of chromium 6, which turned out to be a “smoking gun” in litigation. Eventually, a class-action lawsuit about the contamination was settled in 1996 for $333 million, the largest settlement of a class action lawsuit in U.S. history at the time. PG&E settled the last of the cases involved with the Hinkley claims between 2006 and 2008, paying another $315 million, for a total of $648 million.
PG&E was also required to discontinue its use of chromium 6 and clean up the contaminated groundwater; however, the chromium plume has been spreading. PG&E’s negligence in the use of chromium 6 (despite their knowledge of its potential impacts) was not only costly to the company, but costly to many people in terms of health issues and even death. Their assessments of the risks in using chromium 6 were short-sighted, focusing on profits over the safety of the community.
A Duty of Care for Negligence
The case United States v. Carroll Towing Co., 160 F.2d 482 (2d Cir. N.Y. Mar. 17, 1947) set a standard of care for determining negligence, which uses a balancing test to determine whether a breach of the duty of care occurred. That test weighs three variables: (1) the foreseeability of the incident in question; (2) the gravity of the resulting injury; and (3) the burden of adequate precautions.
Negligence doesn’t just apply in cases of product liability or toxic tort like the PG&E case above – it can apply in many forms of “injury” to an affected party, including the injury suffered by that party when their data in your possession is accessed during a data breach.
Regulators and Risk Assessment
When it comes to negligence in protecting the data of others, regulatory agencies look to risk assessment mechanisms to determine whether a breach of the duty of care occurred. For example, the Health Insurance Portability and Accountability Act (HIPAA) Security Rule requires that covered entities and their business associates conduct a risk assessment of their healthcare organization. The HIPAA Security Rule includes several expectations regarding reasonable and appropriate assessment of risks, including:
- “Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information…”
- “Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level…”
- “Security measures implemented to comply with standards and implementation specifications …must be reviewed and modified as needed to continue provision of reasonable and appropriate protection of [electronic protected health information (ePHI)]”
The Payment Card Industry (PCI) Security Standards Council also provides Risk Assessment Guidelines for its PCI Data Security Standard (PCI DSS). Protecting the data of others has become a standard expectation from several regulatory agencies – addressing your own organization’s risks is not enough.
Risk Registers and Breach Liability
A risk register is a deliverable used in risk management to prioritize risks as the organization operates its services and delivers its products. It can be used to fulfill regulatory compliance but mostly to stay on top of potential issues that can derail intended outcomes.
As evidenced above, regulatory agencies favor risk assessments and risk registers. While not having a risk assessment and related risk register may carry high liability, organizations should be aware that a risk assessment that itself documents their negligence can carry just as much liability. Regulators and plaintiffs’ attorneys will ask for the risk register as part of discovery. Here are the possible results:
- NO Risk Register = High Liability
- Risk Register that is short-sighted and self-incriminating = High to Very High Liability
- Risk Register that demonstrates duty of care = Lower Liability
PG&E considered the risks of using chromium 6 only as they related to its own profits. Its failure to consider the safety of the community was not reasonable and appropriate, and it cost the company more than half a billion dollars. Risk assessments must consider harm to all parties and aim to lower risk to an acceptable level from the perspective of every party that could be injured. This is called Duty of Care.
DoCRA and Risk Registers
The Duty of Care Risk Analysis Standard (DoCRA) presents principles and practices for analyzing risks that address the interests of all parties potentially affected by those risks, not just the organization conducting the risk assessment. A DoCRA Risk Analysis involves conducting a reasonable and appropriate risk assessment – whether qualitative or quantitative – that addresses these three principles:
- Risk analysis must consider the interests of all parties that may be harmed by the risk.
- Risks must be reduced to a level that would not require a remedy to any party.
- Safeguards must not be more burdensome than the risks they protect against.
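As an added example (not part of the original article, and not CIS RAM's own scoring method), the following Python risk-register check applies the three principles above using constructed 1-5 scales and a constructed acceptable-risk threshold; the three Carroll Towing variables map onto its likelihood, impact and burden fields.

```python
from dataclasses import dataclass, field

# Constructed 1-5 scales: likelihood (foreseeability) x impact (gravity) gives a
# 1-25 risk score. Risk at or below ACCEPTABLE would "not require a remedy".
ACCEPTABLE = 6

@dataclass
class Safeguard:
    name: str
    residual_likelihood: int  # likelihood remaining once the safeguard is in place
    burden: int               # cost/disruption of the safeguard, on the same 1-25 scale

@dataclass
class Risk:
    name: str
    likelihood: int           # how foreseeable the incident is (1-5)
    impacts: dict             # party -> gravity of harm to that party (1-5)
    safeguards: list = field(default_factory=list)

def score(likelihood, impacts):
    # Principle 1: gravity is judged by the worst-affected party, not just the org.
    return likelihood * max(impacts.values())

def evaluate(risk):  # returns (status, chosen safeguard name or None, notes)
    inherent = score(risk.likelihood, risk.impacts)
    if inherent <= ACCEPTABLE:
        return "acceptable", None, [f"inherent risk {inherent} needs no remedy"]
    notes, viable = [], []
    for sg in risk.safeguards:
        residual = score(sg.residual_likelihood, risk.impacts)
        if residual > ACCEPTABLE:       # Principle 2: must reach an acceptable level
            notes.append(f"{sg.name}: residual {residual} still above {ACCEPTABLE}")
        elif sg.burden > inherent:      # Principle 3: burden must not exceed the risk
            notes.append(f"{sg.name}: burden {sg.burden} exceeds risk {inherent}")
        else:
            viable.append(sg)
    if not viable:  # a documented risk with no reasonable safeguard: the self-incriminating entry
        return "unresolved", None, notes
    best = min(viable, key=lambda s: s.burden)
    return "treated", best.name, notes

# Constructed register entries for illustration.
REGISTER = [
    Risk("Unpatched internet-facing server", 4, {"organization": 3, "customers": 5}, [
        Safeguard("Quarterly patching", residual_likelihood=2, burden=2),
        Safeguard("Monthly patching", residual_likelihood=1, burden=4),
        Safeguard("Decommission the service", residual_likelihood=1, burden=25),
    ]),
    Risk("Visitor badge left on a desk", 3, {"organization": 2, "public": 1}),
]
```

Running `evaluate` over `REGISTER` treats the server risk with monthly patching (quarterly patching leaves risk too high, decommissioning is more burdensome than the risk) and accepts the badge risk as is.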
The Center for Internet Security developed a risk assessment (CIS RAM) built exclusively on DoCRA, which is freely available to anyone who wants to use it, and even provides real-world data on the causes of security incidents. Here’s how the DoCRA/CIS RAM assessment compares to other risk assessment approaches:
Common Risk Assessment Methods and Approaches
Conclusion
Assessing risks is important for an organization, but failing to provide a standard of care and to consider the potential for harm to others is a “smoking gun” for regulators in the event of a data breach. Ensuring that your risk assessment approach is reasonable and appropriate not only addresses the criteria that regulators are looking for, it also keeps your company off the Hollywood big screen!