There is a predictable pattern when it comes to a data breach.
First, the company involved touts its “state of the art” security. Please, come to us — share your most intimate information with us. We use “state of the art” or “globally recognized” or some other euphemism for “we do what everyone else does” to protect your data.
The theory being that 10,000 lemmings can’t be wrong, right? Next come the ignored warnings — the threats on the hacker boards, the complaints of attacks, or sometimes just the knowledge of a vulnerability to a zero day attack. After that comes the actual loss of data, coupled with denials and minimizations. Finally, there is the class action lawsuit. Ah, litigation. The last refuge of security.
In the recent hack of the iCloud storage of naked pictures of (very attractive) celebrities, we seem to have moved very quickly to the last stage. It has been reported by the website TMZ that lawyers representing 20-year-old (very attractive) model Joy Corrigan have filed a class action lawsuit against Apple (on behalf of herself and others similarly situated) alleging that Apple’s failure of security proximately led to her... well... exposure.
According to TMZ, this was not the first time Corrigan’s pictures were hacked. The website says:
Joy says she reached out to Apple in early July … but the company blew her off, saying she was simply a victim of phishing, so she needed to change her password. She followed orders, but days later she was hacked again. Apple gave her the same song and dance.
So who is right and who is wrong? What is a website operator’s “duty of due care” to users of the system? What is the user’s obligation? Is the website or email provider a “guarantor” of security, or only obligated to do what is reasonable under the circumstances to prevent an attack?
If you know me, you know the answer to the question before you ask it. It depends.
First, let’s start with the fact that the forensic investigation has not been completed, so we don’t actually yet know HOW the hacker or hackers obtained access to the hundreds of photographs of (very attractive) celebrities. Until we know causation, we can’t know about negligence, unless you adopt a theory the law calls “res ipsa loquitur,” because we LOVE to translate things into Latin.
Under the res ipsa doctrine (the thing speaks for itself) we presume negligence and causation because the bad thing happened. A plane crashed. Planes don’t ordinarily crash. Ipso facto (more Latin!) the airline or manufacturer was negligent. It speaks for itself.
In the area of data breaches, not so much. It depends on the nature of the information and the promises made.
And that’s one problem. When websites want you to share intimate data — Social Security Numbers, medical information, credit card numbers, and financial information — they tell you how safe the data is.
The contractual equivalents of “trust us.” But when the data is breached, it’s a different story. “Well, NO data is absolutely secure” and “we do what everyone else does” or “hey, it’s a zero day attack… what did you want us to do?” Or the best explanation, from Otter in Animal House, “you F&*=)ed up. You trusted us.”
A little reality check. No data online is secure. None. Ever. If a hacker or state actor wants it — it’s theirs. Period. Got it? The question is whether the data is “reasonably” secure. And for that, the devil is in the details.
TOS’ed and Turned
So what level of security you get depends on what you are promised. And those “promises” come either from regulations, which mandate security, or from contracts, which prescribe a level of security.
Neither is very good.
Government regulations come in two flavors: mild and spicy. The “mild” variety is like the Gramm-Leach-Bliley Act (GLBA) and says, “hey guys, use ‘reasonable’ security to protect stuff, depending on the nature of the stuff and the nature of the threats.” It’s mild ’cause nobody knows what is “reasonable,” except to say that others are doing it (benchmarking) or, when there’s an actual breach, to say, “well, you must have been unreasonable ’cause there was a breach, right?”
These are the kinds of promises companies make in their contracts and agreements, including Terms of Service (TOS) agreements with consumers. Reasonable security.
The “spicy” regulations say exactly what you should do. Have passwords of seven characters including upper and lower case and special characters, and change them every 60 days. Have timeouts every 3 minutes. Log out of apps after 5 minutes of idleness. Not four, not six.
These regulations, like FISMA and to a lesser extent HIPAA and PCI DSS, are more cookie cutter. They are out of date and obsolete before the bytes are dry on the screen, but no worries. They have the advantage of being auditable against. So a company with a biometric access device for authentication fails the audit because — well, it ain’t a password, and the auditor says we need a password. Great for compliance. For security? Meh.
The real driver for “reasonable” security is neither law, regulation nor contract. It’s the free market (sort of). Companies that understand the marketplace importance of security (like banks) will invest resources in being secure. Will that make them secure? Of course not. Will it help? Sure.
Blame the Victims
This is always a fun one. In the law it’s called “contributory negligence” ‘cause we ran out of Latin phrases. It basically says that it’s the victim’s fault that their data was exposed. If only they had… done something or not done something.
Certainly information security is a shared responsibility. But blaming the customer is rarely the answer.
So in the case of the (very attractive) nude celebrity hack, many people have blamed the celebrities for taking the pictures in the first place, or for “sharing them” online. Sure, if you don’t want nude pics hacked, don’t have nude pics. Or regular pictures and Photoshop. Or a face and a body.
The point of security and privacy is to permit, enable and enhance people’s ability to create and share information with those they choose to share it with without fear that it will be shared with others. If you don’t want your medical information hacked, don’t go to the doctor. If you don’t want your financial information hacked, stuff your money in a mattress.
IT is supposed to enhance benefits, not risks.
What’s worse, many of the hacked celebrities may not have even known that, by taking pictures on their Apple devices, they were streaming copies to an iCloud server. You don’t secure what you don’t know about. Plain and simple.
Nowhere is this “blame the victim” mentality worse than in the online banking and wire transfer arena — particularly for commercial transactions. When a commercial bank account is “hacked” (unlike a consumer transaction) the bank accepts no liability for an unauthorized transaction if it used “commercially reasonable” security procedures.
How do you KNOW the bank used “commercially reasonable” procedures? When you set up the account, you are handed a document from the bank in which you attest under oath that the bank’s security procedures are “reasonable.” And what ARE these procedures? Oh, we can’t possibly tell you that. That would compromise security.
So if there is a breach resulting in a fraudulent transfer of funds from your commercial bank account, it’s YOUR fault — according to the bank. “We just followed YOUR orders.” Another thing banks do is provide a host of “optional” security procedures — for a price, Ugarte, for a price (Casablanca fans take note).
If you don’t sign up for the “real two factor, token based, dual key, two person, voice activated retinal scan” program, well, it’s YOUR damned fault your account was hacked. We offered it to you! Hey, if you WANTED the optional brakes and air bags, you should have told us. Either these “options” are reasonable and necessary or they are not. So there’s good, better, best and adequate security now? You get what you pay for.
The Class Action
Class action cases are almost always filed after a breach and after loss. They presume “negligence” — or a failure to meet a reasonable standard of care — by virtue of the fact of the breach. Often warning signs were missed, minimized or ignored. Often the specific cause of the breach could have been prevented or mitigated “if only” the company had done one particular thing — you know, the thing they did after the fact.
But real negligence doesn’t work that way. The company doesn’t only have to prevent this ONE attack. It has to prevent all of them. It has to respond to the warning signs not just here but everywhere.
What is important is not that the company prevents all attacks. To minimize risk and liability the company need not make all the right decisions. It must have a process for evaluating and executing, and document that process.
Why didn’t you do x and such? Because we were busy doing Y. Is that reasonable? Maybe.
Don’t assume negligence from the breach. But don’t assume a lack of negligence from the lack of a breach. Sometimes you just get lucky.
Are Joy Corrigan and the other (very attractive) celebrities going to win their class action lawsuit? I have no idea. I am afraid I will have to examine the evidence very very closely. Tough job. But I am sure I can do it.