What is 'Reasonable Security?' - David Navetta, Information Law Group
When it comes to protecting your organization and your customers from a data breach, what is considered "reasonable security?"

This question is at the center of several ongoing lawsuits, and how the courts answer it may be one of the biggest stories of 2010.

Shedding light on this hot topic is David Navetta, founding partner of the Information Law Group and co-chair of the American Bar Association's Information Security Committee. In an exclusive interview, Navetta discusses:

Current regulatory trends, including the HITECH Act;
Legal issues surrounding "reasonable security;"
How to use existing standards to establish "reasonable security."

Prior to co-founding the Information Law Group, Navetta established InfoSecCompliance LLC ("ISC"), a law firm focusing on information technology-related law. ISC successfully served a wide assortment of U.S. and foreign clients from Fortune 500 companies to small start-ups and service providers. He previously worked for over three years in New York as assistant general counsel for a major insurer's eBusiness Risk Solutions Group. While there he analyzed and forecasted information security, privacy and technology risks, drafted policies to cover such risks, and worked on sophisticated technology transfer transactions. Navetta engaged in commercial litigation for several years prior to going in-house, including working at the Chicago office of Sedgwick, Detert, Moran and Arnold, a large international law firm.

He currently serves as a Co-Chair of the American Bar Association's Information Security Committee, and is also Co-Chair of the PCI Legal Risk and Liability Working Group. He has spoken and written frequently concerning technology, privacy and data security legal issues.

TOM FIELD: What are the latest legal concerns about regulatory compliance and reasonable security? Hi, this is Tom Field, Editorial Director with Information Security Media Group, and we are getting our legal perspective today from David Navetta, one of the founding partners of The Information Law Group. David, thanks for joining me.

DAVID NAVETTA: Thanks for having me.

FIELD: Hey, just to get us started here, why don't you tell us a little bit about yourself, your background and your current roles both at The Information Law Group and with the American Bar Association.

NAVETTA: Yeah, great, thanks. By way of background, I am an attorney who focuses on information security, privacy and technology-oriented law. I have a law firm with a few other partners called The Information Law Group, and our focus is on those areas of law as well. In addition to that role, I am currently one of the co-chairs of the American Bar Association's Information Security Committee, and so I am basically living and breathing information security and privacy law issues, in particular where they intersect with substantive security and privacy practices.

FIELD: Now, what regulatory trends do you see impacting information security so far this year, particularly in banking, government and healthcare, the areas that we pay the most attention to?

NAVETTA: Well, I think we are at another interesting time in the information security regulatory legal risk realm. What I see right now are a few things that are going to be impacting companies in the coming months and years. On the one hand, I think we are seeing more activity on the federal government side (we will talk a little bit about the HITECH Act a little later) that would impact the entire healthcare industry. But also, we recently had a bill passed, in the House of Representatives at least, called the Data Bill, which also regulates information security and privacy, including a national breach notice law. So I think we are going to see some more broad-reaching federal laws with HITECH and perhaps the Data Bill coming up in the future. On the other hand, we also are seeing states actively taking steps in different directions and furthering the regulatory environment. Most people are probably aware of the Massachusetts and Nevada personal information laws and data security laws, and I think, similar to what happened with SB-1386 in the state rounds, we may see more laws by states requiring some sort of level of reasonable security for companies that hold onto personal information, as well as in some cases particular types of controls that might need to be implemented, including encryption and written security policies. So, I think the regulatory environment and some of the legal risk is coming from all sides at this point in time.

FIELD: You spoke about HITECH, and certainly that is a huge topic now in the healthcare area. And you know we have got deadlines that have just been reached, actually; what impact do you really see coming from HITECH on healthcare organizations and information security in general?

NAVETTA: Well, I think there are going to be a lot of impacts. Healthcare is such a huge segment of the economy, and this hits a lot of different types of healthcare organizations, so basically anyone who is regulated under HIPAA is subject to the HITECH Act, as well as companies that are handling personal health records who may not be HIPAA covered. The FTC has a version of the HITECH Act breach notice requirements, and the Health and Human Services side is a section that relates to covered entities under HIPAA as well as directly to business associates. Basically the big concern is the breach notice obligations. It basically opens up an entirely new category of information, personal health records and medical information, that may not have been subject to the existing state notification laws. On the one hand, oftentimes some of the state laws would; for instance, California started the trend to put in medical information as one of the categories of information where notice is required. Other states haven't necessarily followed suit yet, but what I think HITECH does is it creates obviously a national law that makes all of these types of entities have to provide notice in the case of a security breach impacting medical records. If I recall, when California changed their breach notice law to include medical records, there were quite a few medical record breaches. Oftentimes they were not huge ones, smaller numbers of records, but nonetheless it could be something that internally would be a difficult thing to manage for companies who are going to constantly have to keep their eye on records that may be breached in the medical realm.

FIELD: David, I want to shift gears with you a little bit here. There have been a couple of big stories in banking recently revolving around reasonable security. We have had a bank that sued a customer, and we have had a customer that sued a bank, and these have been huge issues. What do you see as some of the key legal issues that really are going to affect organizations beyond banking?

NAVETTA: Yeah, and this is an interesting area; just by way of more background, stepping back for a second. In the legal realm we have had plenty of lawsuits involving consumers whose personal information may have been breached by an organization, by all kinds of different organizations. We have also had credit card type of breaches where issuing banks have sued organizations after a security breach to recoup re-issuance costs. Both sets of these cases to a large degree have not gone very far now in the courts.

Basically, in each of these sets of cases courts have more or less routinely dismissed the cases on a Motion to Dismiss, which is a very early procedural tactic, the rationale being that the individual consumers, and even the banks, haven't suffered any damages yet, even though their information may have been exposed. So they may have bought some credit monitoring, but the courts have said, well, credit monitoring is basically something to prevent against future damages to your credit, or what have you. The same with the banks -- if they reissue a card there may not have been fraud yet on those cards, but it is an attempt to prevent future fraud.

Now we have these online banking cases where the general fact pattern is basically a smaller or medium size business has an online banking and wire transfer capability, and somehow or another the bad guys get the credentials of the banking customer, go in, use their online banking mechanisms to transfer money out, usually to some bank way overseas, where it is usually very difficult to recover. And the bank is coming back and saying, 'Well, we are not responsible for that,' essentially. So in these cases what is interesting is that the issue of damages is really not an issue. The roadblock that existed for the consumer and issuing bank lawsuits -- damages -- is not an issue because obviously money has been taken directly out of these businesses' accounts, so that small component is overcome.

So what happens is, stepping back from the litigation context, there are various points during a litigation where you can get your case dismissed if you are a defendant, earlier and with less money and with less risk, frankly, of a big verdict, so a Motion to Dismiss is one case. It is early on, and basically if you win a Motion to Dismiss, the court has basically said that you haven't been able to plead a claim against the defendant.

There is a next step that is called a Motion for Summary Judgment, in which basically a court will dismiss a case, saying that there is no set of facts that we could find that would allow the defendant to be found liable. The next step is actually going to trial. If you are not able to win on a Motion for Summary Judgment, you go in front of a judge or jury and go on to trial, and most attorneys and most companies will tell you that they don't want to be in front of a judge or jury because there is always a huge risk there. Most cases get settled well before a trial happens.

However, those two earlier chances to dismiss a case are very important for litigants. What is happening with these online banking cases is you have the damage component already settled, so a Motion to Dismiss is not going to be successful. Then you go to the Motion for Summary Judgment. We have had at least one case, involving online banking, where a court has denied the bank defendant's Motion for Summary Judgment, and the issue there was reasonable security: whether there was any reasonable security in place. In that case, I believe they were not using two-factor authentication, and there are some federal guidelines that suggest that that is the proper thing to do when it comes to online banking.

What the court did there was say that there is a question of fact as to whether or not the bank had reasonable security in place because they were not using two-factor authentication as recommended by this federal agency.

So, basically in essence what that does is it subjects the bank to a potential jury trial, which again is a risky proposition. So these online banking cases have the potential to get much further along than the consumer cases that we have seen so far.

Now on the question of reasonable security, that is where I think things are interesting, and actually the impact of these cases is maybe wider than just banks, because what I think might happen is, as they wind through the courts, we are going to get a better viewpoint of how the courts approach the question of what is reasonable security, and actually it may be illuminating to some degree, and hopefully helpful, because maybe organizations can react to address how the courts are going to look at it. But for instance in the previous case, what they looked at were FFIEC guidelines regarding online banking and two-factor authentication, and that piece of information alone was able to get the plaintiff over a hurdle as far as creating a question of fact. The problem with trying to establish reasonable security is obviously that you are going to have opinions on both sides of the equation.

Both sides (the plaintiff and the defendant) are going to hire experts who are going to have opposing opinions, and that is the classic type of question for a jury to decide. And I am not sure exactly how you are going to get through that issue and be able to get a case basically dismissed earlier on if you are a bank. I think it could be very difficult.

There was another recent case, EMI v. Comerica, which I think probably illuminates reasonable security a little bit further. In that case (another online banking case) the bank was actually using, providing, two-factor authentication to its clients, and in this case they were using a token-based system. What is interesting there, and why I think this is going to stretch the idea of what is reasonable and what is not reasonable, is that the plaintiff in that case, EMI, it appears, gave up their username/password as well as the randomly-generated number on their token due to a phishing attack.

So, basically the allegations state that they received an email that looked similar to emails that Comerica had sent before to the plaintiff, and essentially that plaintiff gave up the credentials and then allowed about $500,000 to get transferred out of its account.

Now the question from a legal standpoint is what kind of duty does the bank owe to its customers to prevent, basically, the customer from volunteering this information? And then another question to follow up on that is that some states have laws that relate to contributory negligence or comparative negligence that basically say, if you are in a contributory negligence state that applies that law, if a plaintiff was more than 51 percent responsible for the harm they may be barred from recovery completely. In comparative negligence states, they say if the plaintiff was 30 percent responsible, that means that the bank may only be 70 percent responsible and the plaintiff would retain 30 percent of the harm that they suffered.

So, I think the questions here are going to be very interesting, to see what kind of responsibility the courts put on the actual bank customers to protect the information and protect their credentials and to not do things that compromise those credentials. From a legal standpoint, in what is reasonable, what kind of duties does the bank have to make sure that its customers don't do something stupid? In some cases I would think that if, for instance, a banking customer were out and left their computer at Starbucks with a sticky note with all of their passwords on it, to what extent does the bank have a responsibility to try to prevent someone from using those credentials when a customer has done that?

I think these are going to be very interesting questions, and what is going to be interesting from my point of view is that hopefully we will be able to see how the court analyzes these questions and what kind of standards they impose as far as whether they are going to impose a duty on banks to prevent these things from happening.

FIELD: Well, David, we have tackled a lot here. One last question for you: given all that we have talked about, and especially given this overriding topic of reasonable security, what advice would you give to our audience about the elements they really need to be paying attention to now in their own information security organizations?

NAVETTA: Right. This is interesting; I am going to be speaking at the RSA on some of these issues coming up next week. One of the things that we are talking about, and I am talking about with my fellow lawyers at the American Bar Association, as well as security professionals that are part of my community there, is how to use existing standards to establish reasonableness.

I think I would recommend that companies take a look at ISO and other standards and try to peg their activities to something that is established and something that can be defended. If you are looking at the issue of reasonable security and an industry standard, something good to tie to it may not be enough -- you may need to do more than the industry is doing if the industry itself is not doing enough. But it is something that is set as basically a minimum. On the issue of risk-based types of factors and how you need to consider laws that are risk-based, I would say that as a practice, any kind of control or practice that you can put in place that is not expensive, but that reduces a lot of risk, is the type of control that if you don't have it in place you are going to get in trouble on the legal side. Controls that are extremely expensive and maybe only reduce risk on a marginal level may not be necessary when it comes to the question of reasonable security.

One thing to remember is: Courts don't require perfect security, they require reasonable security. So it is possible for a breach to happen and a company to be found not liable for that breach, as long as they have got processes in place that tie to risk as well as what others in the industry are doing. I think those are important steps to take for an organization, and the last step again, I think, is that it is more important than ever for security professionals and lawyers to try to translate between each other's professions here to come to an understanding of how each other's worlds work, because there needs to very much be a collaborative effort between basically two professions that kind of speak their own language oftentimes.

I think this is going to be one of the bigger challenges for organizations -- getting security professionals and lawyers together on the same page and opening up those lines of communication, so that they can speak together and hopefully achieve compliance as well as good security.

FIELD: Very good, David. I appreciate your time and your insights today.

NAVETTA: Thanks so much. I appreciate it.

FIELD: We have been talking with David Navetta, the founding partner with The Information Law Group. For Information Security Media Group, I'm Tom Field. Thank you very much.
