How much cyber security is enough cyber security?
July 2016 | EXPERT BRIEFING | RISK MANAGEMENT
The question of how much cyber security is enough cyber security is as much legal as technical.
In legal terms, the question is answered by considering the applicable ‘standard of care’. The standard draws the line between conduct that may render a company liable, and conduct that does not. If a company meets or exceeds the standard of care, it cannot be held liable.
In the context of cyber security, the standard of care which applies will depend on the nature of the information in question and the circumstances of the particular industry; the more sensitive or important the information which is stored, the higher the standard is likely to be.
Standards of care may be established in different ways and by different entities, including by regulators, by legislators, by contract, or retrospectively by a court. Standards are often not explicit, and there is no single place to find the applicable standard for any given organisation.
Standards of care are usually ‘technologically neutral’ in the sense that they do not require a specific solution to a specific problem and are typically framed in ‘should’ rather than ‘must’ language. Most regulators prefer persuasive as opposed to mandatory regulation; they prefer to issue ‘guidelines’ or ‘advisories’ to establish standards of care.
For example, ISO and the International Electrotechnical Commission jointly published the ISO/IEC 27000 family of standards, which is meant to provide an overall information security management system within which cyber security risks are addressed. Whereas the National Institute of Standards and Technology (NIST) framework is designed to apply in particular to infrastructure systems, the ISO/IEC 27000 family establishes information security management standards that apply generically – they include, for example, standards in respect of leadership, planning, support, operation, performance evaluation and improvement.
Other standards, such as the Payment Card Industry Data Security Standard (PCI DSS), are introduced and enforced by contract. PCI DSS is a proprietary standard for organisations that handle credit cards. Now in its third version, the standard specifies 12 requirements for compliance. These include, inter alia, the installation and maintenance of a firewall to protect cardholder data, the encryption of cardholder data transmitted across open, public networks, and the restriction of access to cardholder data to those with a business need to know. A failure to meet those requirements can result in significant contractual penalties.
In the US, Executive Order 13636 – ‘Improving Critical Infrastructure Cybersecurity’ – which was issued on 12 February 2013, called for the development of a voluntary, risk-based cyber security framework – a set of industry standards and best practices – to help organisations manage cyber security risks. This prompted standards bodies such as NIST to publish frameworks, in NIST’s case its ‘Framework for Improving Critical Infrastructure’.
None of these standards, in itself, constitutes a legal standard of care. The legal standard of care is the standard that a court considers the defendant should have met, having regard not only to relevant technical or process standards, but also to the conduct of the prototypical ‘reasonable person’ or ‘reasonable company’ in similar circumstances. In any given case, regimes and frameworks such as NIST, ISO/IEC 27000 or PCI DSS may inform the standard of care. Much depends on what others in a given industry, or in similar industries, consider appropriate security processes, methods and regimes. For example, if the majority of participants in an industry require two-factor authentication, this could be accepted as the standard required to be met in that industry.
Legal standards of care can also be legislated. But broad legislative standards which use terms such as ‘reasonable’ and ‘appropriate’ arguably do nothing more than invoke the common law test, where the issue is whether conduct is reasonable, having regard to that which would have been undertaken by a reasonably minded person operating in the same circumstances.
A decision by the Privacy Commissioner of Canada in PIPEDA Report of Findings #2014-004 reveals the process by which a standard of care is found and applied. An individual received a breach notification letter from a US-based third party provider of ticketing, marketing and fundraising services. The letter indicated that her personal information (including name, contact information and credit card number) had potentially been accessed through a cyber attack; while the individual had no direct relationship with the organisation, she had made a purchase from a merchant that used its services. The letter was part of a broader breach notification effort that included notifying: (i) US law enforcement; (ii) Canadian data protection authorities, including the Privacy Commissioner; and (iii) the organisation’s clients. After receiving the notification letter, the individual filed a complaint against the organisation with the Privacy Commissioner.
The investigation focused on whether the organisation had safeguards in place that were appropriate to the sensitivity of the information at the time of the breach. It noted that the fact that a breach had occurred was not necessarily indicative of a contravention of privacy legislation, as “an organisation may have appropriate safeguards in place and still fall victim to a determined, clever and/or innovative attacker”.
The Privacy Commissioner found that the organisation had numerous technical safeguards in place at the time of the incident that were aimed at preventing and detecting breaches. These included: (i) the use of firewalls; (ii) the hashing and encryption of sensitive information; (iii) separate storage and obfuscation of encryption keys; and (iv) multiple intrusion detection systems (through which the breach was detected). The effectiveness of these safeguards was independently evaluated on a regular basis through external vulnerability scans and an audit of its ‘at-rest’ data protection practices against industry standards.
Ultimately, the Privacy Commissioner accepted that “The organisation had a vulnerability prevention program in place at the time of the breach; however, the vulnerability that led to the incident was a ‘zero-day exploit’, meaning it was not publicly known prior to the attack, and as such, the organisation could not have had foreknowledge of it”. Given the above, the Privacy Commissioner found that the organisation did have appropriate safeguards in place at the time of the breach, and rejected the complaint.
A decision of the US District Court in New Jersey is also instructive. An action was brought by a shareholder against the directors and officers of Wyndham Worldwide Corporation alleging a failure to sue over data breaches of the company’s online networks, during which hackers accessed the personal and financial information of a large number of customers. The court found that the directors had made appropriate inquiries, obtained appropriate advice, and had enough information to make their decision. Their conduct was therefore reasonable in the circumstances, and the action was dismissed.
The question of how much cyber security is enough cyber security really depends on the nature of the information stored, the organisation, the industry and the threats to which the organisation is exposed. But cyber security is a process and not a state. As cyber technologies and threats evolve, so will the applicable standards of care.
Ira Nishisato is a partner and Roberto Ghignone is an associate at Borden Ladner Gervais. Mr Nishisato can be contacted on +1 (416) 367 6349 or by email: firstname.lastname@example.org. Mr Ghignone can be contacted on +1 (613) 369 4791 or by email: email@example.com.
© Financier Worldwide
Ira Nishisato and Roberto Ghignone
Borden Ladner Gervais