CYBER SECURITY INTERNATIONAL
Large breaches are avoidable
Redress for loss of private e-data
Edward J. Imwinkelried and Michael Cherry
When your client’s private financial information is hacked from a company’s computer system, argue a new theory of negligence based on the company’s failure to implement an adequate security strategy.
Because virtually every sector of American society relies extensively on computer data, the accuracy and security of digital information are vital. The public and private sectors have developed strategies to protect the privacy of sensitive information maintained in their computer systems, but almost every day we hear troubling stories about computer hackers breaching credit card and other financial records, resulting in massive identity and data thefts.
One example is the breach of the computer systems of the TJX Cos. Although there had been published warnings, the companies had not upgraded their wireless encryption, and that failure provided hackers with a path into TJX’s central database. Once in, the hackers were able to download an estimated 45 million credit and debit card numbers, plus personal information about customers, including names, addresses, and driver’s license, military identification, and Social Security numbers from transactions at the company’s T.J. Maxx, Marshalls, and other retail stores.1
Victims of the data breach filed a class action against TJX, charging the company with negligence for failing to maintain adequate security of its customers’ credit and debit card data and for not disclosing the breach for a month.2
The need for confidentiality and accuracy of computerized data has been addressed in a wave of legislation in recent years, including the Sarbanes-Oxley Act, which mandates requirements for certain types of financial data;3 the Gramm-Leach-Bliley Act, requiring financial institutions to take steps to safeguard customer data from unauthorized access;4 and the Health Insurance Portability and Accountability Act, prescribing security measures for the information that doctors, nurses, and other health care providers insert in patients’ medical files.5
More recently, on January 8, 2008, then-President Bush issued an executive order known as the Cyber Initiative—the Comprehensive National Cybersecurity Initiative—to upgrade America’s cyber defenses.6 The executive order sets out a multiyear, 12-step program that the federal government is undertaking to secure its cyber networks. The Defense Science Board perceives an enormous threat to the federal computer network:
The options open to adversaries are many and varied. They can attack network systems and computers from afar, introduce malicious code or components during production—especially since much of the nation’s software and hardware is produced abroad—and they can recruit insiders who can use their positions of trust for improper ends.7
President Bush’s homeland security secretary, Michael Chertoff, commented that the president’s order recognized that the United States needs a “Manhattan Project” on computer security.8
And in the private sector, the payment card industry, which includes the major credit card companies American Express, MasterCard, and Visa, has encouraged retailers to comply with its Payment Card Industry Data Security Standard (PCI DSS). The PCI DSS is a comprehensive set of requirements for enhancing payment account data security.9 The standard was promulgated by the founding payment brands of the PCI Security Standards Council in order to encourage the global adoption of strong, uniform security standards.
Public- and private-sector organizations constantly seek to block hackers from their communications networks. They hire “white-hat” hackers—ethical computer security experts who test a company’s security systems—and then use the test results to strengthen their networks. In addition to using experts, they employ software security tools to scan their networks for weaknesses and provide an early warning of attack.
Despite all these precautions, skilled, determined Internet hackers have defeated many popular security systems. All they need is a single overlooked vulnerability. A recent incident involved Hannaford Farm Supermarkets, whose security measures included intrusion detection, network-weakness scanning, white-hat testing, virus updates, and auditors.
Certified payment card industry inspectors had twice pronounced that Hannaford’s system was PCI DSS-compliant. Hannaford’s executives undoubtedly prided themselves on the quality of their computer security—until they discovered that cyber-criminals had quietly copied confidential information from about 4.2 million credit cards used at their stores. If Hannaford had encrypted the credit card data at its cash registers—which the PCI DSS does not mandate—the Hannaford break-in might not have occurred.10 Plaintiffs filed suit against Hannaford for the security breach in federal district courts in Florida, Maine, New Hampshire, and New York.11
The TJX and Hannaford breaches are hardly isolated incidents. The total number of records containing sensitive personal information involved in security breaches in the United States since 2005 is approximately 246 million.12 And many of those records were of a financial nature.
It is clear that both public and private entities need to implement new security strategies for the safekeeping of computerized data. These new strategies should have two components: encryption and authentication.
Sensitive and confidential information—such as Social Security and credit card numbers—should always be encrypted, whether it is in transit or at rest. Encryption removes the practical incentive for hacking because even if the hackers succeed in stealing the data, there is no payoff—they cannot read it or use it.
Access to sensitive databases also should require thorough authentication. In many private and public computer systems, you must provide a password when you initially log on; but if you then access a sensitive database within that system, you are not required to separately log into the database. As a general practice, systems ought to require additional authentication, such as a fingerprint, when a user seeks to access sensitive or confidential information.
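The two-pronged strategy described above, as an added example in Go (not code from the article or from Cyber Security International): card numbers are encrypted at rest with AES-GCM under a key held apart from the database, and the plaintext is released only to a session that has completed a separate step-up authentication within a freshness window. The customer id, the sample card number, the five-minute window and the stand-in for a real fingerprint verifier are assumptions; binding the customer id to each record as associated data goes slightly beyond the text and is the editor's addition.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"time"
)

// ErrStepUpRequired: a logged-in session tried to read sensitive data without re-authenticating.
var ErrStepUpRequired = errors.New("step-up authentication required")

// stepUpWindow is an assumed policy: a verified second factor stays valid for five minutes.
const stepUpWindow = 5 * time.Minute

// Session is a user past the password login; StepUpAt stays zero until a second factor is verified.
type Session struct{ StepUpAt time.Time }

// StepUp is called once the second factor (e.g. a fingerprint) verifies; the verifier is not modelled.
func (s *Session) StepUp() { s.StepUpAt = time.Now() }

// Vault stores card numbers encrypted at rest; the AES key is held in the process, never beside the data.
type Vault struct {
	aead    cipher.AEAD
	records map[string][]byte // customer id -> nonce || ciphertext
}

// NewVault builds an AES-GCM vault from a 16-, 24- or 32-byte key.
func NewVault(key []byte) (*Vault, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Vault{aead: aead, records: make(map[string][]byte)}, nil
}

// Store encrypts a card number under a fresh nonce, binding the customer id as associated data.
func (v *Vault) Store(customer, pan string) error {
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	ct := v.aead.Seal(nil, nonce, []byte(pan), []byte(customer))
	v.records[customer] = append(nonce, ct...)
	return nil
}

// Raw returns the stored bytes: all that a thief who copies the database obtains.
func (v *Vault) Raw(customer string) []byte { return v.records[customer] }

// Read releases plaintext only to a session whose step-up is still fresh.
func (v *Vault) Read(s *Session, customer string) (string, error) {
	if s.StepUpAt.IsZero() || time.Since(s.StepUpAt) > stepUpWindow {
		return "", ErrStepUpRequired
	}
	rec, ok := v.records[customer]
	if !ok {
		return "", errors.New("no record for customer")
	}
	return openRecord(v.aead, rec, customer)
}

// OpensWithKey reports whether a copied record decrypts under key; only the real key succeeds.
func OpensWithKey(key, rec []byte, customer string) bool {
	v, err := NewVault(key)
	if err != nil {
		return false
	}
	_, err = openRecord(v.aead, rec, customer)
	return err == nil
}

// openRecord splits nonce || ciphertext and authenticates before decrypting.
func openRecord(aead cipher.AEAD, rec []byte, customer string) (string, error) {
	ns := aead.NonceSize()
	if len(rec) < ns {
		return "", errors.New("record too short")
	}
	pt, err := aead.Open(nil, rec[:ns], rec[ns:], []byte(customer))
	if err != nil {
		return "", err // wrong key, wrong customer or tampered ciphertext
	}
	return string(pt), nil
}

func main() {
	key := make([]byte, 32) // in practice fetched from a KMS, not generated per run
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	v, _ := NewVault(key)
	_ = v.Store("cust-1", "4111111111111111") // constructed sample card number
	s := &Session{}
	_, errBefore := v.Read(s, "cust-1")
	s.StepUp()
	pan, _ := v.Read(s, "cust-1")
	fmt.Println(errBefore, pan, OpensWithKey(make([]byte, 32), v.Raw("cust-1"), "cust-1"))
}
```

A database copy taken without the key yields only ciphertext, and a stale or missing step-up is refused even for a session that is otherwise logged in.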
Suppose that your client suffers a financial loss due to a systems break-in suffered because a company relied on the traditional computer security strategies that have repeatedly proven to be inadequate. Why not argue that the company’s failure to implement a new strategy is actionable negligence?
The thrust of the plaintiff’s argument should be that even if the company complied with the prevailing industry practice, that practice is unreasonable given its repeated failures and the available alternatives. To enable your client to recover for such negligence, however, you will have to overcome several defense hurdles.
‘Only’ financial loss
To begin with, the defendant may contend that the plaintiff cannot maintain a negligence cause of action because the plaintiff’s only loss is financial in nature. Traditionally, in negligence actions, the courts have permitted recovery for financial loss only when the loss was incidental to a personal injury or property damage.13
But there are signs that the traditional view is weakening. Courts have abandoned that view in actions for fraud and deceit,14 negligent misrepresentation,15 and trade secret misappropriation.16 Some courts have already relaxed the rule where economic harm is highly foreseeable to a particular plaintiff or group of plaintiffs.17
These courts reason that permitting recovery in such circumstances does not create the risk of virtually limitless liability as in mass disaster cases.18 In a computer security case, a company’s customers are an easily definable class, and it is readily foreseeable that the customers will suffer economic loss if the company’s security practices are lax.
Moreover, even assuming that the traditional rule should still govern the run-of-the-mill fact situation, the plaintiff who has suffered a loss of personal and confidential data has a compelling argument that these are exceptional situations. In part, the courts have constrained the recovery of financial loss in negligence actions because they believe it is fair to expect plaintiffs to look to “other tort rules [to] protect against intangible losses like emotional or financial harm.”19 Those other rules include the doctrines vindicating dignitary interests, including privacy.20
In these fact patterns, one of the essential causes of the plaintiff’s financial loss is a violation of the plaintiff’s privacy interests. The citizen has entrusted information to a private or public entity with the expectation that the entity will take reasonable steps to safeguard that information from prying third parties. If the entity’s unreasonably lax computer security practices permit a hacker to acquire the plaintiff’s information, the entity’s negligence has enabled the hacker to intentionally violate the plaintiff’s privacy interest.
In other words, the entity’s negligence has allowed the hacker to tortiously obtain the plaintiff’s confidential information by wrongful means and use it to the plaintiff’s financial detriment.21 Since a violation of the plaintiff’s privacy interest is integral to the wrong, the published court opinions barring negligence recovery for purely financial loss are distinguishable.
In a 2006 case, Jones v. Commerce Bancorp, Inc., the plaintiff sued her bank after she discovered that funds were missing from her account. Criminals had stolen her personal information from the bank and used it to withdraw her money. She alleged that, because her account was low on cash, she suffered several financial losses, including the cancellation of her insurance policy for nonpayment of premiums.
Her complaint included counts for negligent and intentional infliction of emotional distress. The trial judge granted the defendant’s motion to dismiss the claim for intentional infliction of emotional distress, but denied the motion for the negligence count seeking solely economic damages.22
‘Speculative’ injuries
In a number of cases involving computer security breaches, the defendant has prevailed on the theory that the plaintiff’s damages are too speculative to be cognizable until the hacker or the hacker’s accomplice uses the stolen information to the victim’s disadvantage, such as by running up thousands of dollars in credit card charges.23 Most courts reason that the plaintiff’s injury from stolen personal data is too remote until there is an identifiable financial injury, and they have barred recovery even when the plaintiff has claimed that, as a result of the breach, he or she must incur the expense of credit monitoring.24 As one court stated, this expense “was not the result of any present injury, but rather the anticipation of future injury that has not materialized.”25
While these cases probably represent the majority view, there is a strong policy argument and some favorable precedent for plaintiffs. It is true that at the time the complaint is filed, the plaintiff may not have suffered any injury other than the expense for credit monitoring. However, the plaintiff’s plight in these cases is analogous to that of a toxic-tort plaintiff who has been exposed to a toxic substance but has not yet manifested any symptoms of an illness. A growing number of courts permit toxic-tort plaintiffs to recover the cost of medical monitoring if their exposure significantly increases the risk of illness.26
The case of a security breach significantly increases the danger of future financial loss. Some hackers may steal data simply to prove that they can. However, when a hacker specifically targets personal information of financial importance, the more realistic inference is that, ultimately, the hacker and his or her accomplices will attempt to use that information to their financial benefit—and the victim’s economic detriment. Monitoring is not only prudent but necessary.
There is a judicial trend toward a more realistic view of the plaintiff’s situation in computer security breach cases. For example, in Lockwood v. Certegy Check Services, Inc., the court stated,
Although some courts have concluded that federal courts lack subject matter jurisdiction over claims similar to the plaintiffs’ because “plaintiffs whose data has been compromised, but not yet misused, have not suffered an injury-in-fact,” . . . “the injury-in-fact . . . requirement can be satisfied by a threat of future harm or by an act which harms the plaintiff only by increasing the risk of future harm that the plaintiff would have otherwise faced, absent the defendant’s actions.”27
In Ruiz v. Gap, Inc., the court reached a similar conclusion, acknowledging that to confer standing, a threat of future harm must be credible rather than merely remote or hypothetical. However, the court found that the plaintiff’s allegation of the increased risk of identity theft was sufficient to pass muster.28
Compliance with industry standard
Alternatively, the defendant may argue that it is not negligent because its computer security measures satisfied the industry standard. Although groups of companies, such as the payment card industry, have promulgated standards for encryption, there are no industry-wide customary practices. Rather, security practices are evolving and varied.
Moreover, even if there were a relatively uniform industry custom with respect to computer security, compliance would not be a complete defense to liability in negligence. Although there are tort law precedents holding that a defendant’s compliance with the relevant safety customs establishes as a matter of law that the defendant acted reasonably,29 that view has been criticized.30
Today, the universal view is that, while evidence of customary practice is both relevant and admissible, it is not conclusive on the issue of negligence.31 An industry cannot be allowed to determine its standard of care for purposes of tort law.32 Thus, a company is not insulated from negligence liability merely because its computer safety practices satisfy the industry’s customary standard. In the end, it is the court’s responsibility to decide whether the customary practice represents reasonable behavior. To make that decision, the court must conduct a careful cost-benefit analysis.
Cost-benefit analysis
The defendant may argue that a cost-benefit analysis does not justify imposing a duty on entities maintaining sensitive computerized data to enhance their security procedures to include encryption and additional authentication. The numerous incidents of hacker break-ins show that a business’s reliance on conventional computer security safeguards undeniably exposes its customers to the risk of information and identity theft.
However, the defense argument runs, without more, that showing falls short of proof that the business’s current computer security practices are unreasonable or negligent. Virtually every type of human conduct creates some risk of harm, the defendant claims, and no person or business can be expected to guard against every risk.33
To determine when tort law demands that a defendant guard against a particular risk, the law employs a cost-benefit analysis. Many courts follow Judge Learned Hand’s classic formula in their decision-making process, considering the probability that the defendant’s conduct will lead to harm, the gravity of the foreseeable harm, and the cost of avoiding the harm.34 In other words, how likely is it that the harm will come to pass,35 what is the magnitude of the anticipated harm,36 and what would be the cost of an alternative,37 safer38 practice to avoid the harm?39
How would these factors figure in a contemporary court’s analysis of the question of whether tort law should require businesses to implement a new, stronger computer security strategy?
The benefits of imposing the new duty are clear in a quantitative as well as a qualitative sense. Due to vulnerable computer security practices, the private data of millions of Americans has already been compromised, with resultant huge dollar losses.40
The type of data involved also is significant. In many cases, the data stolen is intensely sensitive information. In the private sector, financial institutions keep vast quantities of financial information about their clients and customers in computerized databases; similarly, medical providers maintain huge reservoirs of information about patients. The government keeps fingerprints and other information about visitors to the United States and terrorists. The continued confidentiality of the data maintained in these databases is directly related to our country’s prosperity, health, and security. It is imperative that private- and public-sector entities have strong incentives to improve computer security.41
Of course, the benefits analysis is only one part of the equation. Before deciding to impose the new duty, the courts must be convinced that there is an alternative computer security strategy that is both technically and practically feasible.42 It is undeniable that both encryption and secondary authentication are technically feasible today. The question then becomes whether mandating the new, two-pronged strategy would amount to an impractical, undue burden.43
There certainly will be costs to adopting the new strategy; encryption can be expensive. The expenses will include training employees to use encryption and testing systems to check the encryption. In addition, there are learning-curve risks associated with encryption. The encryption key must be carefully safeguarded. If the owner of the database somehow forgets or misplaces the encryption key, even the owner cannot access the information.
In the long run, though, encrypting information may prove to be cheaper than network testing, such as the use of white-hat hackers. While network testing is an ongoing, recurring expense, encryption is a one-time expenditure for the data. And responsible key management can prevent the loss of the encryption key.
Stronger authentication procedures may require that some existing database application programs be revised. Vendors would probably charge a fee to modify their programs to permit such security improvement. For example, for two years, there might be a 10 percent to 20 percent price increase for rewriting their programs.
On balance, the benefits of recognizing the new duty appear to outweigh the costs. While it may be expensive to implement the strategy, there are higher stakes on the benefits side: an end to the astronomical financial losses that can result from hacking and the maintenance of the confidentiality of the sensitive information in databases.
Preemption
In light of the several pieces of federal legislation related to computer security, as a last line of defense the company may argue that a state law cause of action for negligence is preempted.44 Some federal statutes were undeniably inspired by policy concerns similar to those served by the recognition of a negligence cause of action. For example, one section of the Gramm-Leach-Bliley Act states that the statute is designed to promote the policy of protecting the privacy of the customers of financial institutions.45
But the act also contains two provisions that limit the legislation’s preemptive effect; these should enable the plaintiff to turn aside many of the defendant’s preemption attacks.46
The time for half-measures in computer security is well past. Too much critical, personal information is maintained on computer systems that have already been proven vulnerable to hacking. Traditional security strategies have failed again and again. Rather than attempting to harden their networks containing sensitive information, entities entrusted with such information should directly protect the data itself with encryption.
Given the hurdles that plaintiffs are likely to encounter, successfully litigating this new theory of negligence will be an uphill battle. But the trial bar has a historic opportunity to lead the effort. By pressing this new theory of negligence, plaintiff attorneys may obtain deserved relief for individual clients and classes of victims. Even more important, they can help provide a practical incentive for private and public entities to implement the new security strategy imperatively required to safeguard privacy in the 21st century.
Edward J. Imwinkelried is the Edward L. Barrett Jr. Professor of Law at the University of California, Davis. Michael Cherry of Woodcliff, New Jersey, is the president of Cyber Security International, a division of Cherry Biometrics.
Notes:
1. See Dawn Kawamoto, TJX Says 45.7 Million Customer Records Were Compromised, CNET News (Mar. 29, 2007), http://news.cnet.com/TJX-says-45.7-million-customer-records-were-compromised/2100-1029_3-6171671.html; Joseph Pereira, How Credit-Card Data Went Out Wireless Door, Wall St. J. (May 4, 2007), http://online.wsj.com/article/SB117824446226991797.html.
2. Jenn Abelson, TJX Faces Class Action Lawsuit in Data Breach, Boston Globe 1C (Jan. 30, 2007), www.boston.com/business/globe/articles/2007/01/30/tjx_faces_class_action_lawsuit_in_data_breach.
3. 15 U.S.C. §§7201-66 (2006).
4. 15 U.S.C. §§6801-27 (2006).
5. Pub. L. No. 104-91, 110 Stat. 1936 (1996).
6. Natl. Sec. Pres. Directive 54/Homeland Sec. Pres. Directive 23 (Jan. 8, 2008).
7. Def. Sci. Bd., Defense Imperatives for the New Administration 18 (2008).
8. Michael Chertoff, Remarks by Homeland Security Secretary Michael Chertoff to the 2008 RSA Conference (San Francisco, Cal., released Apr. 8, 2008), www.dhs.gov/xnews/speeches/sp_1208285512376.shtm.
9. PCI Security Standards Council, About the PCI Data Security Standard, http://www.pcisecuritystandards.org/security_standards/pci_dss.shtml.
10. Ross Kerber, Advanced Tactic Targeted Grocer: “Malware” Stole Hannaford Data, Boston Globe 1A (Mar. 28, 2008), www.boston.com/business/articles/2008/03/28/advanced_tactic_targeted_grocer; Joseph Pereira, Data Theft Carried Out on Network Thought Secure, Wall St. J. B4 (Mar. 31, 2008); Todd Wallack, Stung by Hackers, Grocer Encrypts Customer Data, Boston Globe 1C (Apr. 23, 2008), www.boston.com/business/articles/2008/04/23/stung_by_hackers_grocer_encrypts_customer_data.
11. On June 9, 2008, the Panel on Multidistrict Litigation ordered that all the actions be consolidated in the District of Maine. In re Hannaford Bros. Co. Customer Data Sec. Breach Litig., MDL No. 1954 (filed June 9, 2008).
12. Privacy Rights Clearinghouse/UCAN, A Chronology of Data Breaches, http://www.privacyrights.org/ar/ChronDataBreaches.htm (total updated Dec. 18, 2008).
13. Dan B. Dobbs, The Law of Torts §110, 258 (West 2000).
14. American Law of Products Liability §60:41 & n. 57 (3d ed. 2003) (citing In re Ford Motor Co. Bronco II Prods. Liab. Litig., 1995 WL 222177 (E.D. La. Mar. 15, 1995) (applying Mississippi and North Carolina law)).
15. Id. at n. 58 (citing State by Bronster v. U.S. Steel Corp., 919 P.2d 294 (Haw. 1996)).
16. Id. at n. 59 (citing Bell Helicopter Textron, Inc. v. Tridair Helicopters, Inc., 982 F. Supp. 318 (D. Del. 1997) (Delaware law)).
17. J’Aire Corp. v. Gregory, 598 P.2d 60, 64 (Cal. 1979); People Express Airlines v. Consol. Rail, 495 A.2d 107, 116 (N.J. 1985).
18. See e.g. La. v. M/V Testbank, 752 F.2d 1019 (5th Cir. 1985).
19. Dobbs, supra n. 13, at §110, 258.
20. Id. at §424, 1197.
21. Id. at §427, 1204.
22. 2006 WL 1409492 at *3 (S.D.N.Y. May 23, 2006); Gail P. Petravick & Simon Petravick, Identity Theft: Analyzing Current Trends in Litigation and Risk Management, 54 Pract. Law. 53, 55 (Aug. 2008).
23. See Petravick & Petravick, supra n. 22, at 54.
24. See e.g. Randolph v. ING Life Ins. & Annuity Co., 486 F. Supp. 2d 1, 8 (D.D.C. 2007).
25. Forbes v. Wells Fargo Bank, N.A., 420 F. Supp. 2d 1018, 1021 (D. Minn. 2006); see also Shafran v. Harley-Davidson, Inc., 2008 WL 763177 at *2 (S.D.N.Y. Mar. 20, 2008).
26. Allan L. Schwartz, Recovery of Damages for Expense of Medical Monitoring to Detect or Prevent Disease or Condition, 17 A.L.R.5th 327 (2004); American Law of Products Liability, supra n. 14, at §60:29.
27. No. 8:07-cv-1434-T-23TGW, at 5 n. 1 (M.D. Fla. settlement approved Sept. 3, 2008) (citations omitted), https://datasettlement.com/final_approval_order.pdf.
28. 540 F. Supp. 2d 1121, 1125-26 (N.D. Cal. 2008).
29. William Prosser et al., Prosser and Keeton’s Hornbook on Torts §33, at 194 n. 6 (5th ed., West 1984) (citing Ellis v. Louisville & N.W. R.R., 251 S.W.2d 577 (Ky. 1952); Wommack v. Orr, 176 S.W.2d 477 (Mo. 1943); Titus v. Bradford, Bordell & Kinzua R.R., 20 A. 517 (Pa. 1890)).
30. Id. at 194.
31. Id. at 193, 195.
32. Id. at 194.
33. Id. at §31, 170.
34. U.S. v. Carroll Towing Co., 159 F.2d 169, 173 (2d Cir. 1947) (“[L]iability depends upon whether B is less than L multiplied by P; i.e., whether B is less than PL”); Prosser et al., supra n. 29, at §145; see also Richard Posner, A Theory of Negligence, 1 J. Leg. Stud. 29 (1972).
35. Dobbs, supra n. 13, at §145, 336; Prosser et al., supra n. 29, at §31, 171.
36. Dobbs, supra n. 13, at §144, 337; §117, 279.
37. Prosser et al., supra n. 29, at §31, 172.
38. Dobbs, supra n. 13, at §144, 337.
39. Id. at §145, 343.
40. The average identity-theft-related loss was $3,257 in 2006—up dramatically from $1,408 in 2005. Gartner, Inc., Press Release, Gartner Says Number of Identity Theft Victims Has Increased More Than 50 Percent Since 2003 (Mar. 6, 2007), http://www.gartner.com/it/page.jsp?id=501912. The Federal Trade Commission has marshaled statistics indicating that fraud such as hacking has already visited losses running into the billions of dollars on innocent victims. Fed. Trade Commn., Consumer Fraud and Identity Theft Complaint Data: January-December 2006, at 6 (Feb. 2007), www.consumer.gov/sentinel/pubs/Top10Fraud2006.pdf. See also Fed. Trade Commn., 2006 Identity Theft Survey Report 6 (Nov. 2007), http://www.ftc.gov/os/2007/11/SynovateFinalReportIDTheft2006.pdf.
41. Dobbs, supra n. 13, at §145, 344.
42. Prosser et al., supra n. 29, at §31, 172 (an “alternative course” or “another route”).
43. Dobbs, supra n. 13, at §145, 341 (quoting Judge Learned Hand—“the burden of adequate precautions”—in Carroll Towing, 159 F.2d 169, 173).
44. See Thomas L. McGarity, The Perils of Preemption, TRIAL 20 (Sept. 2008).
45. 15 U.S.C. §6801(a) (2006).
46. Id. at §§6807(a), 6824 (2006). For example, §6807(a) expressly provides that its provisions “shall not be construed as superseding, altering, or affecting any statute, regulation, order, or interpretation in effect in any state except” to the extent inconsistent with the federal statute.
Redress for loss of private e-data
Edward J. Imwinkelried and Michael Cherry
When your client’s private financial information is hacked from a company’s
computer system, argue a new theory of negligence based on the company’s failure
to implement an adequate security strategy.
Because virtually every sector of American society relies extensively on
computer data, the accuracy and security of digital information are vital. The
public and private sectors have developed strategies to protect the privacy of
sensitive information maintained in their computer systems, but almost every day
we hear troubling stories about computer hackers breaching credit card and other
financial records, resulting in massive identity and data thefts.
One example is the breach of the computer systems of the TJX Cos. Although there
had been published warnings, the companies had not upgraded their wireless
encryption, and that failure provided hackers with a path into TJX’s central
database. Once in, the hackers were able to download an estimated 45 million
credit and debit card numbers, plus personal information about customers,
including names, addresses, and driver’s license, military identification, and
Social Security numbers from transactions at the company’s T.J. Maxx, Marshalls,
and other retail stores.1
Victims of the data breach filed a class action against TJX, charging the
company with negligence for failing to maintain adequate security of its
customers’ credit and debit card data and for not disclosing the breach for a
month.2
The need for confidentiality and accuracy of computerized data has been
addressed in a wave of legislation in recent years, including the Sarbanes-Oxley
Act, which mandates requirements for certain types of financial data;3 the Gramm-Leach-Bliley
Act, requiring financial institutions to take steps to safeguard customer data
from unauthorized access;4 and the Health Insurance Portability and
Accountability Act, prescribing security measures for the information that
doctors, nurses, and other health care providers insert in patients’ medical
files.5
More recently, on January 8, 2008, then-President Bush issued an executive order
known as the Cyber Initiative—the Comprehensive National Cybersecurity
Initiative—to upgrade America’s cyber defenses.6 The executive order sets out a
multiyear, 12-step program that the federal government is undertaking to secure
its cyber networks. The Defense Science Board perceives an enormous threat to
the federal computer network:
The options open to adversaries are many and varied. They can attack network
systems and computers from afar, introduce malicious code or components during
production—especially since much of the nation’s software and hardware is
produced abroad—and they can recruit insiders who can use their positions of
trust for improper ends.7
President Bush’s homeland security secretary, Michael Chertoff, commented that
the president’s order recognized that the United States needs a “Manhattan
Project” on computer security.8
And in the private sector, the payment card industry, which includes the major
credit card companies American Express, MasterCard, and Visa, has encouraged
retailers to comply with its Payment Card Industry Data Security Standard (PCI
DSS). The PCI DSS is a comprehensive set of requirements for enhancing payment
account data security.9 The standard was promulgated by the founding payment
brands of the PCI Security Standards Council in order to encourage the global
adoption of strong, uniform security standards.
Public- and private-sector organizations constantly seek to block hackers from
their communications networks. They hire “white-hat” hackers—ethical computer
security experts who test a company’s security systems—and then use the test
results to strengthen their networks. In addition to using experts, they employ
software security tools to scan their networks for weaknesses and provide an
early warning of attack.
Despite all these precautions, skilled, determined Internet hackers have
defeated many popular security systems. All they need is a single overlooked
vulnerability. A recent incident involved Hannaford Farm Supermarkets, whose
security measures included intrusion detection, network-weakness scanning,
white-hat testing, virus updates, and auditors.
Certified payment card industry inspectors had twice pronounced that Hannaford’s
system was PCI DSS-compliant. Hannaford’s executives undoubtedly prided
themselves on the quality of their computer security—until they discovered that
cyber-criminals had quietly copied confidential information from about 4.2
million credit cards used at their stores. If Hannaford had encrypted the credit
card data at its cash registers—which the PCI DSS does not mandate—the Hannaford
break-in might not have occurred.10 Plaintiffs filed suit against Hannaford for
the security breach in federal district courts in Florida, Maine, New Hampshire,
and New York.11
The TJX and Hannaford breaches are hardly isolated incidents. The total number
of records containing sensitive personal information involved in security
breaches in the United States since 2005 is approximately 246 million.12 And
many of those records were of a financial nature.
It is clear that both public and private entities need to implement new security
strategies for the safekeeping of computerized data. These new strategies should
have two components: encryption and authentication.
Sensitive and confidential information—such as Social Security and credit card
numbers—should always be encrypted, whether it is in transit or at rest.
Encryption removes the practical incentive for hacking because even if the
hackers succeed in stealing the data, there is no payoff—they cannot read it or
use it.
Access to sensitive databases also should require thorough authentication. In
many private and public computer systems, you must provide a password when you
initially log on; but if you then access a sensitive database within that
system, you are not required to separately log into the database. As a general
practice, systems ought to require additional authentication, such as a
fingerprint, when a user seeks to access sensitive or confidential information.
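The two-component strategy described above, as an added example that is not from the article: a small Go card-vault sketch in which the stored record holds only an AES-GCM nonce and ciphertext (never the card number), so a copied database yields nothing readable, and the only decrypting path refuses unless the caller has passed a step-up authentication (the article's fingerprint check is modelled as a boolean the caller supplies). The key, customer name and card number are constructed sample values; the same decrypt path also shows the lock-out an owner faces when the key is lost.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

type Record struct {
	Customer string
	Nonce    []byte
	CardEnc  []byte
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// StoreCard encrypts the card number at rest with AES-256-GCM, binding the customer name as AAD.
func StoreCard(key []byte, customer, pan string) (Record, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return Record{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Record{}, err
	}
	return Record{Customer: customer, Nonce: nonce, CardEnc: gcm.Seal(nil, nonce, []byte(pan), []byte(customer))}, nil
}

// ReadCard is the only path back to plaintext: it refuses without step-up
// authentication and fails cleanly when the key is wrong or has been lost.
func ReadCard(key []byte, stepUp bool, r Record) (string, error) {
	if !stepUp {
		return "", errors.New("additional authentication required for sensitive data")
	}
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	pt, err := gcm.Open(nil, r.Nonce, r.CardEnc, []byte(r.Customer))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// DumpContainsPAN models a hacker copying the raw record: is the card number in clear?
func DumpContainsPAN(r Record, pan string) bool {
	dump := append(append([]byte(r.Customer), r.Nonce...), r.CardEnc...)
	return bytes.Contains(dump, []byte(pan))
}

func main() {
	key := make([]byte, 32) // demo key only; a production key belongs in a key manager
	rand.Read(key)
	rec, _ := StoreCard(key, "alice", "4111111111111111") // constructed sample values
	fmt.Println(DumpContainsPAN(rec, "4111111111111111")) // false: the stolen copy is unreadable
	fmt.Println(ReadCard(key, false, rec))                 // error: step-up authentication required
	fmt.Println(ReadCard(key, true, rec))                  // 4111111111111111 <nil>
	fmt.Println(ReadCard(make([]byte, 32), true, rec))     // error: a lost or wrong key locks out the owner too
}
```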
Suppose that your client suffers a financial loss due to a systems break-in
suffered because a company relied on the traditional computer security
strategies that have repeatedly proven to be inadequate. Why not argue that the
company’s failure to implement a new strategy is actionable negligence?
The thrust of the plaintiff’s argument should be that even if the company
complied with the prevailing industry practice, that practice is unreasonable
given its repeated failures and the available alternatives. To enable your
client to recover for such negligence, however, you will have to overcome
several defense hurdles.
‘Only’ financial loss
To begin with, the defendant may contend that the plaintiff cannot maintain a
negligence cause of action because the plaintiff’s only loss is financial in
nature. Traditionally, in negligence actions, the courts have permitted recovery
for financial loss only when the loss was incidental to a personal injury or
property damage.13
But there are signs that the traditional view is weakening. Courts have
abandoned that view in actions for fraud and deceit,14 negligent
misrepresentation,15 and trade secret misappropriation.16 Some courts have
already relaxed the rule where economic harm is highly foreseeable to a
particular plaintiff or group of plaintiffs.17
These courts reason that permitting recovery in such circumstances does not
create the risk of virtually limitless liability as in mass disaster cases.18 In
a computer security case, a company’s customers are an easily definable class,
and it is readily foreseeable that the customers will suffer economic loss if
the company’s security practices are lax.
Moreover, even assuming that the traditional rule should still govern the
run-of-the-mill fact situation, the plaintiff who has suffered a loss of
personal and confidential data has a compelling argument that these are
exceptional situations. In part, the courts have constrained the recovery of
financial loss in negligence actions because they believe it is fair to expect
plaintiffs to look to “other tort rules [to] protect against intangible losses
like emotional or financial harm.”19 Those other rules include the doctrines
vindicating dignitary interests, including privacy.20
In these fact patterns, one of the essential causes of the plaintiff’s financial
loss is a violation of the plaintiff’s privacy interests. The citizen has
entrusted information to a private or public entity with the expectation that
the entity will take reasonable steps to safeguard that information from prying
third parties. If the entity’s unreasonably lax computer security practices
permit a hacker to acquire the plaintiff’s information, the entity’s negligence
has enabled the hacker to intentionally violate the plaintiff’s privacy
interest.
In other words, the entity’s negligence has allowed the hacker to tortiously
obtain the plaintiff’s confidential information by wrongful means and use it to
the plaintiff’s financial detriment.21 Since a violation of the plaintiff’s
privacy interest is integral to the wrong, the published court opinions barring
negligence recovery for purely financial loss are distinguishable.
In a 2006 case, Jones v. Commerce Bancorp, Inc., the plaintiff sued her bank
after she discovered that funds were missing from her account. Criminals had
stolen her personal information from the bank and used it to withdraw her money.
She alleged that, because her account was low on cash, she suffered several
financial losses, including the cancellation of her insurance policy for
nonpayment of premiums.
Her complaint included counts for negligent and intentional infliction of
emotional distress. The trial judge granted the defendant’s motion to dismiss
the claim for intentional infliction of emotional distress, but denied the
motion for the negligence count seeking solely economic damages.22
‘Speculative’ injuries
In a number of cases involving computer security breaches, the defendant has
prevailed on the theory that the plaintiff’s damages are too speculative to be
cognizable until the hacker or the hacker’s accomplice uses the stolen
information to the victim’s disadvantage, such as by running up thousands of
dollars in credit card charges.23 Most courts reason that the plaintiff’s injury
from stolen personal data is too remote until there is an identifiable financial
injury, and they have barred recovery even when the plaintiff has claimed that,
as a result of the breach, he or she must incur the expense of credit
monitoring.24 As one court stated, this expense “was not the result of any
present injury, but rather the anticipation of future injury that has not
materialized.”25
While these cases probably represent the majority view, there is a strong policy
argument and some favorable precedent for plaintiffs. It is true that at the
time the complaint is filed, the plaintiff may not have suffered any injury
other than the expense for credit monitoring. However, the plaintiff’s plight in
these cases is analogous to that of a toxic-tort plaintiff who has been exposed
to a toxic substance but has not yet manifested any symptoms of an illness. A
growing number of courts permit toxic-tort plaintiffs to recover the cost of
medical monitoring if their exposure significantly increases the risk of
illness.26
The case of a security breach significantly increases the danger of future
financial loss. Some hackers may steal data simply to prove that they can.
However, when a hacker specifically targets personal information of financial
importance, the more realistic inference is that, ultimately, the hacker and his
or her accomplices will attempt to use that information to their financial
benefit—and the victim’s economic detriment. Monitoring is not only prudent but
necessary.
There is a judicial trend toward a more realistic view of the plaintiff’s
situation in computer security breach cases. For example, in Lockwood v. Certegy
Check Services, Inc., the court stated,
Although some courts have concluded that federal courts lack subject matter
jurisdiction over claims similar to the plaintiffs’ because “plaintiffs whose
data has been compromised, but not yet misused, have not suffered an
injury-in-fact,” . . . “the injury-in-fact . . . requirement can be satisfied by
a threat of future harm or by an act which harms the plaintiff only by
increasing the risk of future harm that the plaintiff would have otherwise
faced, absent the defendant’s actions.”27
In Ruiz v. Gap, Inc., the court reached a similar conclusion, acknowledging that
to confer standing, a threat of future harm must be credible rather than merely
remote or hypothetical. However, the court found that the plaintiff’s allegation
of the increased risk of identity theft was sufficient to pass muster.28
Compliance with industry standard
Alternatively, the defendant may argue that it is not negligent because its
computer security measures satisfied the industry standard. Although groups of
companies, such as the payment card industry, have promulgated standards for
encryption, there are no industry-wide customary practices. Rather, security
practices are evolving and varied.
Moreover, even if there were a relatively uniform industry custom with respect
to computer security, compliance would not be a complete defense to liability in
negligence. Although there are tort law precedents holding that a defendant’s
compliance with the relevant safety customs establishes as a matter of law that
the defendant acted reasonably,29 that view has been criticized.30
Today, the universal view is that, while evidence of customary practice is both
relevant and admissible, it is not conclusive on the issue of negligence.31 An
industry cannot be allowed to determine its standard of care for purposes of
tort law.32 Thus, a company is not insulated from negligence liability merely
because its computer safety practices satisfy the industry’s customary standard.
In the end, it is the court’s responsibility to decide whether the customary
practice represents reasonable behavior. To make that decision, the court must
conduct a careful cost-benefit analysis.
Cost-benefit analysis
The defendant may argue that a cost-benefit analysis does not justify imposing a
duty on entities maintaining sensitive computerized data to enhance their
security procedures to include encryption and additional authentication. The numerous
incidents of hacker break-ins show that a business’s reliance on conventional
computer security safeguards undeniably exposes its customers to the risk of
information and identity theft.
However, the defense argument runs, without more, that showing falls short of
proof that the business’s current computer security practices are unreasonable
or negligent. Virtually every type of human conduct creates some risk of harm,
the defendant claims, and no person or business can be expected to guard against
every risk.33
To determine when tort law demands that a defendant guard against a particular
risk, the law employs a cost-benefit analysis. Many courts follow Judge Learned
Hand’s classic formula in their decision-making process, considering the
probability that the defendant’s conduct will lead to harm, the gravity of the
foreseeable harm, and the cost of avoiding the harm.34 In other words, how
likely is it that the harm will come to pass,35 what is the magnitude of the
anticipated harm,36 and what would be the cost of an alternative,37 safer38
practice to avoid the harm?39
How would these factors figure in a contemporary court’s analysis of the
question of whether tort law should require businesses to implement a new,
stronger computer security strategy?
The benefits of imposing the new duty are clear in a quantitative as well as a
qualitative sense. Due to vulnerable computer security practices, the private
data of millions of Americans has already been compromised, with resultant huge
dollar losses.40
The type of data involved also is significant. In many cases, the data stolen is
intensely sensitive information. In the private sector, financial institutions
keep vast quantities of financial information about their clients and customers
in computerized databases; similarly, medical providers maintain huge reservoirs
of information about patients. The government keeps fingerprints and other
information about visitors to the United States and terrorists. The continued
confidentiality of the data maintained in these databases is directly related to
our country’s prosperity, health, and security. It is imperative that private-
and public-sector entities have strong incentives to improve computer
security.41
Of course, the benefits analysis is only one part of the equation. Before
deciding to impose the new duty, the courts must be convinced that there is an
alternative computer security strategy that is both technically and practically
feasible.42 It is undeniable that both encryption and secondary authentication
are technically feasible today. The question then becomes whether mandating the
new, two-pronged strategy would amount to an impractical, undue burden.43
There certainly will be costs to adopting the new strategy; encryption can be
expensive. The expenses will include training employees to use encryption and
testing systems to check the encryption. In addition, there are learning-curve
risks associated with encryption. The encryption key must be carefully
safeguarded. If the owner of the database somehow forgets or misplaces the
encryption key, even the owner cannot access the information.
In the long run, though, encrypting information may prove to be cheaper than
network testing, such as the use of white-hat hackers. While network testing is
an ongoing, recurring expense, encryption is a one-time expenditure for the
data. And responsible key management can prevent the loss of the encryption key.
Stronger authentication procedures may require that some existing database
application programs be revised. Vendors would probably charge a fee to modify
their programs to permit such security improvement. For example, for two years,
there might be a 10 percent to 20 percent price increase for rewriting their
programs.
On balance, the benefits of recognizing the new duty appear to outweigh the
costs. While it may be expensive to implement the strategy, there are higher
stakes on the benefits side: an end to the astronomical financial losses that
can result from hacking and the maintenance of the confidentiality of the
sensitive information in databases.
Preemption
In light of the several pieces of federal legislation related to computer
security, as a last line of defense the company may argue that a state law cause
of action for negligence is preempted.44 Some federal statutes were undeniably
inspired by policy concerns similar to those served by the recognition of a
negligence cause of action. For example, one section of the Gramm-Leach-Bliley
Act states that the statute is designed to promote the policy of protecting the
privacy of the customers of financial institutions.45
But the act also contains two provisions that limit the legislation’s preemptive
effect; these should enable the plaintiff to turn aside many of the defendant’s
preemption attacks.46
The time for half-measures in computer security is well past. Too much critical,
personal information is maintained on computer systems that have already been
proven vulnerable to hacking. Traditional security strategies have failed again
and again. Rather than attempting to harden their networks containing sensitive
information, entities entrusted with such information should directly protect
the data itself with encryption.
Given the hurdles that plaintiffs are likely to encounter, successfully
litigating this new theory of negligence will be an uphill battle. But the trial
bar has a historic opportunity to lead the effort. By pressing this new theory
of negligence, plaintiff attorneys may obtain deserved relief for individual
clients and classes of victims. Even more important, they can help provide a
practical incentive for private and public entities to implement the new
security strategy imperatively required to safeguard privacy in the 21st
century.
Edward J. Imwinkelried is the Edward L. Barrett Jr. Professor of Law at the
University of California, Davis. Michael Cherry of Woodcliff, New Jersey, is the
president of Cyber Security International, a division of Cherry Biometrics.
Notes:
1. See Dawn Kawamoto, TJX Says 45.7 Million Customer Records Were Compromised, CNET News (Mar. 29, 2007), http://news.cnet.com/TJX-says-45.7-million-customer-records-were-compromised/2100-1029_3-6171671.html; Joseph Pereira, How Credit-Card Data Went Out Wireless Door, Wall St. J. (May 4, 2007), http://online.wsj.com/article/SB117824446226991797.html.
2. Jenn Abelson, TJX Faces Class Action Lawsuit in Data Breach, Boston Globe 1C (Jan. 30, 2007), www.boston.com/business/globe/articles/2007/01/30/tjx_faces_class_action_lawsuit_in_data_breach.
3. 15 U.S.C. §§7201-66 (2006).
4. 15 U.S.C. §§6801-27 (2006).
5. Pub. L. No. 104-91, 110 Stat. 1936 (1996).
6. Natl. Sec. Pres. Directive 54/Homeland Sec. Pres. Directive 23 (Jan. 8,
2008).
7. Def. Sci. Bd., Defense Imperatives for the New Administration 18 (2008).
8. Michael Chertoff, Remarks by Homeland Security Secretary Michael Chertoff to the 2008 RSA Conference (San Francisco, Cal., released Apr. 8, 2008), www.dhs.gov/xnews/speeches/sp_1208285512376.shtm.
9. PCI Security Standards Council, About the PCI Data Security Standard, http://www.pcisecuritystandards.org/security_standards/pci_dss.shtml.
10. Ross Kerber, Advanced Tactic Targeted Grocer: “Malware” Stole Hannaford Data, Boston Globe 1A (Mar. 28, 2008), www.boston.com/business/articles/2008/03/28/advanced_tactic_targeted_grocer; Joseph Pereira, Data Theft Carried Out on Network Thought Secure, Wall St. J. B4 (Mar. 31, 2008); Todd Wallack, Stung by Hackers, Grocer Encrypts Customer Data, Boston Globe 1C (Apr. 23, 2008), www.boston.com/business/articles/2008/04/23/stung_by_hackers_grocer_encrypts_customer_data.
11. On June 9, 2008, the Panel on Multidistrict Litigation ordered that all the
actions be consolidated in the District of Maine. In re Hannaford Bros. Co.
Customer Data Sec. Breach Litig., MDL No. 1954 (filed June 9, 2008).
12. Privacy Rights Clearinghouse/UCAN, A Chronology of Data Breaches, http://www.privacyrights.org/ar/ChronDataBreaches.htm (total updated Dec. 18, 2008).
13. Dan B. Dobbs, The Law of Torts §110, 258 (West 2000).
14. American Law of Products Liability §60:41 & n. 57 (3d ed. 2003) (citing In
re Ford Motor Co. Bronco II Prods. Liab. Litig., 1995 WL 222177 (E.D. La. Mar.
15, 1995) (applying Mississippi and North Carolina law)).
15. Id. at n. 58 (citing State by Bronster v. U.S. Steel Corp., 919 P.2d 294
(Haw. 1996)).
16. Id. at n. 59 (citing Bell Helicopter Textron, Inc. v. Tridair Helicopters,
Inc., 982 F. Supp. 318 (D. Del. 1997) (Delaware law)).
17. J’Aire Corp. v. Gregory, 598 P.2d 60, 64 (Cal. 1979); People Express
Airlines v. Consol. Rail, 495 A.2d 107, 116 (N.J. 1985).
18. See e.g. La. v. M/V Testbank, 752 F.2d 1019 (5th Cir. 1985).
19. Dobbs, supra n. 13, at §110, 258.
20. Id. at §424, 1197.
21. Id. at §427, 1204.
22. 2006 WL 1409492 at *3 (S.D.N.Y. May 23, 2006); Gail P. Petravick & Simon
Petravick, Identity Theft: Analyzing Current Trends in Litigation and Risk
Management, 54 Pract. Law. 53, 55 (Aug. 2008).
23. See Petravick & Petravick, supra n. 22, at 54.
24. See e.g. Randolph v. ING Life Ins. & Annuity Co., 486 F. Supp. 2d 1, 8 (D.D.C.
2007).
25. Forbes v. Wells Fargo Bank, N.A., 420 F. Supp. 2d 1018, 1021 (D. Minn.
2006); see also Shafran v. Harley-Davidson, Inc., 2008 WL 763177 at *2 (S.D.N.Y.
Mar. 20, 2008).
26. Allan L. Schwartz, Recovery of Damages for Expense of Medical Monitoring to
Detect or Prevent Disease or Condition, 17 A.L.R.5th 327 (2004); American Law of
Products Liability, supra n. 14, at §60:29.
27. No. 8:07-cv-1434-T-23TGW, at 5 n. 1 (M.D. Fla. settlement approved Sept. 3, 2008) (citations omitted), https://datasettlement.com/final_approval_order.pdf.
28. 540 F. Supp. 2d 1121, 1125-26 (N.D. Cal. 2008).
29. William Prosser et al., Prosser and Keeton’s Hornbook on Torts §33, at 194
n. 6 (5th ed., West 1984) (citing Ellis v. Louisville & N.W. R.R., 251 S.W.2d
577 (Ky. 1952); Wommack v. Orr, 176 S.W.2d 477 (Mo. 1943); Titus v. Bradford,
Bordell & Kinzua R.R., 20 A. 517 (Pa. 1890)).
30. Id. at 194.
31. Id. at 193, 195.
32. Id. at 194.
33. Id. at §31, 170.
34. U.S. v. Carroll Towing Co., 159 F.2d 169, 173 (2d Cir. 1947) (“[L]iability
depends upon whether B is less than L multiplied by P; i.e., whether B is less
than PL”); Prosser et al., supra n. 29, at §145; see also Richard Posner, A
Theory of Negligence, 1 J. Leg. Stud. 29 (1972).
35. Dobbs, supra n. 13, at §145, 336; Prosser et al., supra n. 29, at §31, 171.
36. Dobbs, supra n. 13, at §144, 337; §117, 279.
37. Prosser et al., supra n. 29, at §31, 172.
38. Dobbs, supra n. 13, at §144, 337.
39. Id. at §145, 343.
40. The average identity-theft-related loss was $3,257 in 2006—up dramatically from $1,408 in 2005. Gartner, Inc., Press Release, Gartner Says Number of Identity Theft Victims Has Increased More Than 50 Percent Since 2003 (Mar. 6, 2007), http://www.gartner.com/it/page.jsp?id=501912. The Federal Trade Commission has marshaled statistics indicating that fraud such as hacking has already visited losses running into the billions of dollars on innocent victims. Fed. Trade Commn., Consumer Fraud and Identity Theft Complaint Data: January-December 2006, at 6 (Feb. 2007), www.consumer.gov/sentinel/pubs/Top10Fraud2006.pdf. See also Fed. Trade Commn., 2006 Identity Theft Survey Report 6 (Nov. 2007), http://www.ftc.gov/os/2007/11/SynovateFinalReportIDTheft2006.pdf.
41. Dobbs, supra n. 13, at §145, 344.
42. Prosser et al., supra n. 29, at §31, 172 (an “alternative course” or
“another route”).
43. Dobbs, supra n. 13, at §145, 341 (quoting Judge Learned Hand—“the burden of
adequate precautions”—in Carroll Towing, 159 F.2d 169, 173).
44. See Thomas L. McGarity, The Perils of Preemption, TRIAL 20 (Sept. 2008).
45. 15 U.S.C. §6801(a) (2006).
46. Id. at §§6807(a), 6824 (2006). For example, §6807(a) expressly provides that
its provisions “shall not be construed as superseding, altering, or affecting
any statute, regulation, order, or interpretation in effect in any state except”
to the extent inconsistent with the federal statute.
Posted with permission of TRIAL (February 2009). Copyright American Association for Justice, formerly Association of Trial Lawyers of America (ATLA®).