
Common Law Development of the Custodial Duty of Information Security in Financial Privacy Rights



  1. Common Law Development of the Custodial Duty of Information Security in Financial Privacy Rights John W. Bagby Professor of IST Penn State University

  2. Purpose • Conceptual Framework for Information Security Custodial Duty • Empirical • Deductive from cases • Policy Development • Inductive from Common Law • Integrative • Achieve coherence with legislation, regulation and standardization

  3. Custodial Duties are a Key Component • Basis of IT risk management method • Minimum standard: below it lies malpractice • Public policy reaction more likely • CIOs & IT managers want/need guidance • Professional practices are typically an integration of various forces • EX: legislation, standards, best practices, aspirational state-of-the-art • Same in all traditional learned professions • Self-discipline is THE definition of professionalism

  4. History of Info Security Custody • Both Old & New… • Old • Long historical accretion from experience • EX: agent-principal, consulting requirements, privileges, national security, trade secrecy, contracts • New • Privacy protection subsumes custodial duties for information security • EX: GLB, Sarbanes-Oxley (SarbOx), HIPAA, ISO 17799 (since renumbered into the 27000 series), COBIT, COSO, “9 firms,” FISMA, ITIL, GTAG, NIST, Orange/Yellow Book

  5. Motivation • Penn State’s iSchool & Security & Risk Analysis (SRA) program goals • Natural confluence from past work • Agent’s duties • Internal control responsibility • 1982 control-responsibility disclosure work, well before Sarbanes-Oxley • Malpractice • Standardization • Litigation Risk Management Database • NAS, NRC funded

  6. Current Custodial Duty Definition • Prescriptive, derived from practitioners’ generalizations • Largely expressed in vague aspirations embodied in standards, statutes & regulations • Largely literal interpretations of legislation • Next steps: • Formally integrate experience • Pragmatic deduction from actual experiences

  7. Current Sources of Experience • Sources: fragmented, grassroots, sectoral • But soon will be awash in data • Initial stages of integration & public policy review • Much is not publicly available • Proprietary & actuarial data • Some is confidential • Reminiscent of intelligence community turf • EX: CERT, ISACs; will improve • Organized by critical infrastructure sector

  8. Main Thesis: C/L is Efficient • C/L precedents are an untapped source • What is the best method to harvest them? • How should C/L be communicated? • Thus far fragmented, poorly integrated for policy analysis • How should information custodians be tasked? • Professionalism, contract (K), torts? • C/L is underutilized! • Both the tort bar (plaintiffs) & insurers (most frequent defendants) drive toward inefficiency

  9. Nature of C/L vs. Civil Law • C/L premise: laissez-faire, libertarian • From England’s law-making tradition • Reactive, not anticipatory • Policy declarations reserved for real disputes among parties with stakes • Truth & optimality ultimately emerge • Decentralized • Civil Law, by contrast • European continent, Latin America, emerging Asia • Prescriptive, anticipatory, hypothetical, forecasts, conceptual • Centralized

  10. The C/L is Efficient • From: Landes, Posner, et al. • Decentralized aggregation of preferences • Operates like an efficient market • Behaves like an invisible guiding hand • Central planning: like a visible hand • C/L efficiency improves with high “n,” correcting market failures • Often only weak-form efficiency • Occasionally semi-strong • Would never claim strong-form efficiency

  11. C/L can be Semi-Weak Efficient • Idiosyncratic, anecdotal • Standing Joke: the plural of anecdote is not Empiricism • Precedents accrue then stabilize • Aggregate of Holdings signal efficient behavior • Often can still contract around C/L

  12. C/L Efficiency Method • Numerous independent actors • EX: litigants (victims, perpetrators), counsel, witnesses (factual, expert), independent trial judges, appellate oversight, public policy adjustments • Guiding principles • Efficiency, fairness, social cost, national purpose, freedom of contract (K) • Produces efficient rules • Minimizes societal waste • Signals society toward efficiency • Often can still contract around C/L

  13. C/L has some Inefficiencies • Weak precedents • Early, seemingly groundbreaking cases are abandoned • Gain insufficient critical mass for reliability • Capture of legislation • Repeated participation of rent-seekers • EX: plaintiffs’ tort lawyers, insurance companies as most frequent defendants • Pluralistic capture of politics generally • Judge selection/election • Politicization of regulatory, prosecutorial priorities • K Street

  14. C/L is Self-Correcting • Mechanisms pressuring towards efficiency of the C/L • EX: • checks and balances, • the separations of powers, • strict constructionism, • case or controversy requirements, • independent judiciary exhibiting restraint and self-discipline, • expansive pre-trial discovery, • legal counsel’s role as officers of the court with strong duties to clients, • appellate reversal risk, etc.

  15. Potential Sources for C/L Custodial Duty • Precedents directly drawn from custodial cases • FTC, GLB, Nat’l Security, • Precedents derived analogically • Tort law • Malpractice • Property • Bailment • Privacy as form of IP • Agency • Contract • Protection for Consumers or the Vulnerable • Essentially privacy reg. is consumer protection • Strong correlation among custodial principles • Must argue good reasons for departures!

  16. Micro-Economics Fundamentals • Incentives to Invest & Innovate in Security • Lack of incentive directly risks market loss • Liability for product failure • Defective design • Defects in manufacturing • Defective Packaging or Transit • Failure to warn • Security is product feature • Security is service feature • Insufficient incentives for optimal security

  17. Externalities • Role of externalities • Negative externalities: costs not borne by the actor but at least some by others • Positive externalities: benefits not enjoyed by the actor but at least some by others • Free riders • Classic case I: pollution controls • Environmentalism costs polluters but society benefits • Incentives: under-invest, hide activities, argue/lobby that costs are speculative, illusory, or non-existent • Moral hazard: a person or organization does not bear the full adverse consequences of its actions • Classic case II: workplace safety • Classic case III: privacy • Security under-investment costs are borne by individuals

  18. Free Riders & Public Goods • Free riders illustrate market failure • Do not internalize the costs of the benefits they enjoy • Essentially ride free on others’ investments & enjoy the benefits of others’ expenses • Public goods: security • Non-rival, under-produced by competitive markets • Producers risk free riders whom they cannot effectively exclude from positive externalities • Producers under-invest without a clear business model & return • EX: defense, law enforcement, justice system, property rights, public transport centers (wharves, airports, roads), fireworks, lighthouses, environmental quality, some information goods (e.g., software development, authorship, invention), public education • How can you argue that security is a public good? • What public responses might improve security? • Cybercrime enforcement

  19. Asymmetric Information Theory • Transactors have unequal bargaining power • The Market for Lemons: Quality Uncertainty & the Market Mechanism, George Akerlof (1970) • Two transacting parties do not have the same relevant information • Classic examples: • Buyers know less than sellers about product quality • Lenders know less about a borrower’s likely default • Seller’s incentive to pass off low-quality goods as higher quality, hide defects • Security performance generally unknown to customers • Security breach notification laws are classic legislation to correct this market failure

  20. Adverse Selection • Asymmetries induce adverse selection • Asymmetries lead to bad results when • Buyers purchase “bad” products or pay too much • Sellers select bad buyers or charge too little • As adverse selection experience grows: • Buyers retreat, seek intermediaries (assistance, repairs), suffer opportunity costs • Sellers lose money, use intermediaries, fail • Sub-optimal signals • More bad sellers/buyers, fewer good products • Custodians & third-party service providers untrustworthy

  21. Moral Hazard • Moral hazard is a form of externality: • A person or organization fails to bear the full costs of its actions, which feeds adverse selection and then, possibly, consequences for others • EX: smokers/parachutists/drunks hide their habits or activities when buying health/life insurance • EX: US vs. UK regarding ATM & credit card fraud • US banks liable for card fraud, UK banks not • US banks invested heavily to avoid losses • UK banks lazy & careless, avalanche of fraud • Individuals should/could do more to protect themselves

  22. Least Cost Provider • Liability generally most justifiable for: • Party with greatest responsibility for safety or quality (or security) • Party w/ lowest cost of services • Party financially able to burden risk • Economics seeks to incentivize least cost provider • Who is security’s least cost provider? • Individuals, ISP, s/w licensor, h/w supplier?

  23. FTC : Forum for Custodial Duty Definition • Privacy Czar!?! • GLB Federal Functional Regulator • All non-traditional “financial institutions” that provide various financial services such as lending, brokering or servicing any type of consumer loan, transferring or safeguarding money, preparing individual tax returns, providing financial advice or credit counseling, providing residential real estate settlement services, collecting consumer debts • FTC Act §5 unfair, deceptive practices • Dual missions: • Consumer protection • Maintenance of competition

  24. Stage 1: the Early Cases • Pre-GLB & COPPA • Major difficulties • Misrepresentation • Breach of contract (K) • To preserve privacy • To refrain from onward transfer • Importance of consumer privacy • EX: • Toysmart: bankruptcy sale of customer list • Liberty Financial: harvesting child data • ReverseAuction: spam, imposter harvesting • Int’l Outsourcing Group: online pharmacy (Viagra) harvesting for onward transfer, preying upon vulnerable populations • Gateway Learning: onward transfer • ChoicePoint: onward transfer • CartManager: onward transfer

  25. Stage 2: General Principles Develop • Post-initial privacy regulation; discovering effective security requires a systems approach • Major difficulties: • Training, oversight, negligence in online system design • EX: • Eli Lilly: Prozac listserv mistakenly revealed all members in a single spam • Microsoft: Passport system misrepresentation • American Student List & Educational Research Center: misrepresented harvesting purpose (admission strategy), really target marketing

  26. Stage 3: Specific Practices Required • Implementing emerging statutory, regulatory & standards approaches; systems approach emerging • Major difficulties: • Key security components absent • Particular controls & claims ineffective • EXs: • Guess, Petco & CardSystems: SQL injection vulnerabilities • Tower Records: access controls • BJ’s, DSW, CardSystems: unencrypted storage of card data • DSW: excessive retention (FTC Disposal Rule) • Guidance Software: massive irony, a third-party security services firm (unencrypted storage, SQL injection, access controls, incident detection)
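The SQL injection failure named in the Guess, Petco and CardSystems matters is simple to reproduce. The following is an added example written for this page, not code from any of those companies or from the FTC record: it builds a constructed in-memory customer table, runs the same lookup once with the query string concatenated from user input and once with a bound parameter, and feeds both a constructed attacker string. The schema, sample rows and attack string are assumptions for the demonstration.

```python
"""Added example: SQL injection vs. a parameterized query (sqlite3, in-memory).

Illustrative code written for this page; not code from any company or case
named above. Table contents and the attacker input are constructed.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Create an in-memory customer table with constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, card_last4 TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (email, card_last4) VALUES (?, ?)",
        [
            ("alice@example.com", "1111"),
            ("bob@example.com", "2222"),
            ("carol@example.com", "3333"),
        ],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, email: str) -> list:
    """Builds the query by string concatenation: the injectable pattern.

    Whatever the caller passes is spliced into the SQL text, so a quote in
    the input ends the string literal and the rest is parsed as SQL.
    """
    sql = "SELECT email, card_last4 FROM customers WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn: sqlite3.Connection, email: str) -> list:
    """Same lookup with a bound parameter; the input is never parsed as SQL."""
    sql = "SELECT email, card_last4 FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


# Constructed attacker input: closes the string literal, then adds a tautology
# so the WHERE clause matches every row.
ATTACK = "nobody@example.com' OR '1'='1"


def demo() -> tuple:
    """Return (rows leaked by the vulnerable lookup, rows from the hardened one)."""
    conn = make_db()
    leaked = lookup_vulnerable(conn, ATTACK)
    safe = lookup_hardened(conn, ATTACK)
    return len(leaked), len(safe)


if __name__ == "__main__":
    leaked, safe = demo()
    print(f"vulnerable query returned {leaked} rows; hardened query returned {safe}")
```

The vulnerable form returns the whole table for the attack string; the parameterized form returns nothing, because the driver passes the input as a value rather than as SQL text. Input filtering is not the fix; binding parameters (or an equivalent prepared-statement API) is, and it is the control whose absence these enforcement actions treated as a failure to provide reasonable security.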

  27. GLB Safeguards Rule • Financial institutions must design, implement and maintain safeguards • Purpose: to protect private information • Must implement a written information security program • Appropriate to the company’s size & complexity, the nature & scope of its activities, & the sensitivity of customer data • Security program must also: • Assign one or more employees to oversee the program; • Conduct a risk assessment; • Put safeguards in place to control the risks identified in the assessment, then regularly test & monitor them; • Require service providers, by written contract, to protect customers’ personal information; & • Periodically update the security program • Cases: • Sunbelt Lending, Nationwide Mortgage • Superior Mortgage • Nations Title

  28. C/L Custodial Duty Ontology I • Now in the iSchool, feel pressured to design & test an “artifact” derived from empirics • Planning, delegation, management, compliance, controls • Data acquisition • Authority to collect • Inducing revelation, EULA, screening & verification, vulnerable populations are • Third-party onward transfer • Justify need for particular data • EX: rating a counter-party • But: assure justification for the data brokerage business model; risky to argue unforeseen possible future uses (inside, onward transfer)

  29. C/L Custodial Duty Ontology II • Custody difficulties • Data breaches • Information in electronic transit, EDI systems • Various temporary holdings • Card swipes, EDI systems • Information in physical transit • Laptops • Hacking by outsiders • Insiders • Malfeasance • Nonfeasance, misfeasance, incompetence • Access security • Crashes, loss through physical or managerial non/misfeasance • Third-party service provider negligence, insolvency, unclear duties (but: SAS 70, EU Data Directive’s reciprocity)

  30. C/L Custodial Duty Ontology III • Retention • Evolving towards justifiable “need” • Consider review costs before destruction (cost-benefit analysis) • Destruction & record retention requirements (ERM) • Industry sectoral analysis predicts vulnerabilities & robustness • http://www.privacyrights.org/ar/DataBreaches2006-Analysis.htm • Noteworthy: • Laptop theft vulnerability in the private sector and among medical centers • Incompetence of personnel or software highest in the public sector, including the military • Vulnerability to outside hackers highest in higher education, lowest in medical centers • Insider malfeasance lowest in the (not-for) public sector and higher education

  31. Preliminary Findings • Security standards are emerging as controlling • C/L interprets them with useful detail • Obvious security controls are required • Security program must be managed • Policies must be actively deployed & maintained • IT audits are coming soon to ALL • EULAs are enforceable contracts (K) • FTC may “supervise” for decades
