Dave Stampley - Reasonable Security - Security BSides NOLA 2015

Date post: 19-Jan-2017
Upload: dave-stampley
Transcript
Page 1

Bio: David A. Stampley, CIPP, is a partner at KamberLaw in New York. He has specialized in data privacy and security compliance for over 15 years. Currently, he litigates information-technology-related class actions. His prior roles include regulatory enforcement (New York Attorney General’s Office), privacy officer (a Fortune1000 B2B technology provider), and consultant and general counsel (Neohapsis). He started his legal career as an Assistant District Attorney in the Manhattan D.A.’s Office.

Preview of conclusion: In every role I’ve had in the practice of privacy/security law, I’ve advocated for what should be considered reasonable or unreasonable by my client, or should have been considered reasonable or unreasonable by the other party in a court case.

• I started the same place discussed today—the laws, regulations, and cases—and the rule of reasonableness.

• And then I looked at what rules there were in security literature—standards organizations, textbooks, vendor documentation.

• But, inevitably, I started calling people—I/S professionals, and asked them what they considered good/bad, acceptable/unacceptable; why; and how they draw the line. I asked them what they observed in practice and what they saw their peers in other organizations doing. I asked how they would back up their positions if challenged.

That’s what I did, before advising upper management when I was in-house, or taking a position in court—I asked the kind of people in this room, because the answer is already there. If a court then made a decision, that doesn’t mean a particular practice suddenly became reasonable or unreasonable. It means it already was.

Page 2

2014 topic was “Who defines ‘reasonable security’? – Lessons from courts and regulators.” Some key takeaways:

• Wyndham case: FTC exercise of unfairness jurisdiction. Wyndham said it wasn’t on notice of unreasonableness.

• Target case: CEOs affected? Maybe, but not through the courts. Security vendors on the hook? Not likely to be a major trend yet.

• Why is “reasonable security” not more defined in enforcement actions/cases?

• Regulatory constraints and prosecutorial discretion: awareness, resources & priorities, provability, litigation risk

• Class action constraints: consumer awareness, standing, certifiability, resources, provability, litigation risk & cost (long duration of litigation on contingency)

• Result: Many security failures go unaddressed.

2014 session emphasized definition of “reasonable security” after the question was put to the test in enforcement and court actions. But if regulators and courts haven’t yet answered the question, how do I/S professionals determine what’s reasonable? Would it really help if the government came up with an answer?

Page 3

Assumptions about target audience for this presentation:

• I/S professionals are trying to do their jobs. However, I/S is often viewed as a cost center. Communicating needs & getting budget $ for security can be a struggle. But regardless of who makes the go/no-go decision on security measures, if there’s a security failure, I/S is likely to be a target for blame.

• Many I/S professionals believe clearer rules about what is “reasonable” would support their mission.

So who defines “reasonable security”? In this 2015 session, the answer is the same as last year—if I/S professionals want a workable definition, it’s incumbent on the I/S community to come up with it, since it has the expertise.

• Last year I advocated for security experts and thought leaders to coalesce & be heard.

• This year, we’ll work toward the answer from a different angle--the front line. That’s where the definition of reasonable security happens.


Page 4

Our starting point is the same as last year—the dictionary definition of “reasonable.”

• What is considered reasonable may vary with circumstances.

If that’s the case, you can’t expect regulators or courts to define it for every circumstance. Instead, regulations tend to be general and follow this definition. See, e.g., GLBA Safeguards Rule.

• You might be thinking, “That’s no help.” But the expectation is that an organization, informed by I/S professionals, can figure it out. If “reasonable” care is “ordinary” care, what is “ordinary”? It’s a level of care that any “competent [I/S professional] engaged in the same line of business would exercise under similar circumstances.”

• What does that tell you? Under the law, the idea isn’t that someone is playing hide the ball, not telling you the rule, and later playing gotcha. The expectation is that you already know what you need to know to figure it out.

[Refer back to FTC & class action case lists. Would you need a specific rule to tell you...?]

Page 5

[Recap FTC jurisdiction]

• Prohibits unfair or deceptive acts or practices (may include omission).

[Recap Wyndham, LabMD discussion from last year—”we didn’t know the standards”; current status]

• Some argue that the FTC’s current authority isn’t enough to bring actions against companies for data breaches, especially under unfairness jurisdiction.

Page 6

Would you need a more specific legal rule to tell you whether the alleged practices are sub-standard and unreasonable?

[Discuss Verizon:

• FTC closing letters

• Value of prompt mitigation and cooperative response to regulatory inquiry.

• Recap from 2014: Recognition of enforcement body’s need to prioritize spending taxpayer dollars.]

[Recap 2014 discussion. FTC and state AGs don’t--and can’t—bring enforcement actions for every security failure.

• Jurisdiction (Wyndham challenge to FTC unfairness jurisdiction).

• Enforcement priorities discussed previously.

• Non-transparency—not every failure can be seen, so consumers and other businesses bear the costs.]

Page 7

Would you need a more specific legal rule to tell you whether alleged practices are sub-standard and unreasonable? [Recap 2014 discussion of barriers to relief in class action:

• Non-transparency: consumers may not know to bring cases because they may not know who harmed them, or even that they were harmed.

• Litigation risks winnow down the likelihood of relief: cases handled on contingency, long duration, multiple motions to dismiss, availability of competent experts, costly expert discovery, technical sophistication of courts.

• Jurisdictions requiring plaintiff reliance on specific misrepresentations.

• Certifiability of class.

• Standing.]

• Target: Last year, discussion in I/S community of whether security vendors like Trustwave would be held liable for breaches. Not a major trend so far.

• Garvey v. Hulu: Appeal issue of VPPA knowledge element. Did Hulu know what was sent to Facebook through Hulu’s implementation of the Like button?

• Target, Yahoo, Spokeo: Biggest issue = standing.

Page 8

One rule is—don’t rely on predictions. Another is don’t hold your breath waiting for enforcers and courts to make the rules. Will there be a next wave, focused on data breaches? Maybe. But just remember that lawyers and reporters may be prone to making attention-getting predictions. There’s already a history of private litigation in response to data breaches.

Page 9

Returning to definition of “reasonable”--a key takeaway is, you don’t have to wait for someone else to make rules because “everybody knows that.”

[2014 analogy: It doesn’t take a written rule to tell you to get the kids’ soccer team inside when you see a thunderstorm.]

[Refer back to Black’s definition of reasonable & case overviews.]

Page 10

Many states have “baby UDAP” statutes. NY GBL § 349 provides useful angle in determining what is reasonable—the reasonable consumer.

• Organization can’t count on defense of “good heart, empty head.” Did company promise reasonable security and fail to deliver?

[Recap Wyndham discussion from last year—”we didn’t know the standards”; current status]

“Website Security Flaw Costs ZD,” Brian McWilliams, Wired, Aug. 28, 2002 (regarding N.Y. Attorney General settlement with Ziff Davis Media for online exposure of subscriber information database):

In a statement, New York-based Ziff Davis said Wednesday that it had not broken any laws, and the company termed the incident “a one-time online security violation ... caused by a coding error.”

Stampley said he was "surprised and disappointed" at Ziff Davis' characterization of the facts of the case. "Acts such as failing to use SSL encryption and disabling Web server logging indicate an ongoing failure to follow standard security practices.”

• Requires thinking ahead and considering consequences. Not just a question of does the system do what we want, but whether someone else can use it in an unwanted way.

Page 11

FTC’s safeguards rule under the GLBA useful in understanding that:

• reasonable security isn’t one-size-fits-all—what is reasonable depends on the organization

• the organization is expected to be able to figure it out.

Many I/S professionals have been challenged within their organizations to “show me where the law says we have to do that.” The reasonableness standards under federal and state laws and regulations are where.

Takeaways:

• I/S professionals don’t have to become lawyers to determine position on reasonable security.

• I/S professionals do need to inform other actors in the organization, so reasonably foreseeable risks can be evaluated in context.

Page 12

Good to be aware, but understand that lobbying positions aren’t rules or predictions I/S can count on or a reason for inaction. Plus, there may be strategic and tactical reasons for those positions that aren’t apparent.

• If there is a compliance “minefield,” why? Specific examples? How much of it consists of pre-existing laws? How different are the laws? Do consumers face any minefield of their own? Are they hurt/helped by a compliance minefield? Who bears costs of security compliance & failure?

• Would “one, consistent federal standard” that trumps everything else give I/S desirable rules? (Refer back to laws/cases.) From a consumer advocate’s perspective, these would be potential effects of “one standard”:

• weak standard that trumps better laws and further diminishes opportunities for healthy enforcement (refer back to constraints on regulatory enforcement and class actions)

• continues to shift the burden of losses to consumers

• puts organizations that want to do the right thing at a competitive disadvantage

• disincentivizes development of a more trustworthy and robust marketplace—what looks like benefit to shareholder value is long-run loss of opportunity to maximize

• and still won’t give I/S rules that are specific to the circumstances of the organization.

There may be very good bases for some policy arguments—but they are still just arguments. For I/S, don’t drink the Kool-Aid. Your organization needs you to have a clear head and be able to communicate objectively to those in the organization who rely on I/S’s advice.

Page 13

Plus, I/S can’t count on the outcome of policy and legal arguments.

• [Example of Hulu defense that VPPA didn’t apply to streaming video]

• From 14 years ago—”Internet Privacy; Enforcement Actions,” David Medine and Christine Varney, National Law Journal, Aug. 6, 2001:

“The FTC has treated Web site privacy policies as ‘representations,’ subjecting them to scrutiny under the act, thus transforming a decades-old consumer protection law into a comprehensive, modern privacy statute.”

Perhaps the authors weren’t saying that the law was stale and shouldn’t apply to website privacy policies—but “transforming a decades old law” is a debatable characterization. The law was there and applied to commerce. Commerce moved online. The law was applied where commerce was taking place.

Deploying a new technology application doesn’t put the application beyond the reach of laws. Remember examples from NY § 349 and FTC Safeguards Rule language: reasonably foreseeable.

Page 14

Bottom line: Don’t wait for someone else to tell you what the rule is.

• Even if more rules are needed, even if you agree that federal standards should be established that trump other laws: there are rules already, they need to be followed, and I/S has a duty to take a leading role in defining what compliance with those rules looks like.

• If policymakers devise new data security rules without meaningful I/S input, they won’t be good rules.

Regardless of how rules evolve, or whether upper management is held accountable for failures, failures put I/S professionals at risk, so you’d better speak up. [Discussion: Average CIO lifespan; I/S taking blame for breaches.]

Page 15

• But, when you speak up, or if you are in a consultative role to other I/S professionals, be mindful: If the question is “Is it reasonable,” responding with “That won’t work” isn’t a useful answer. Some I/S professionals dismiss technologies/approaches by saying “That won’t work,” when what they really mean is, “It leaves some problems unsolved” or “It can be exploited.” Does it solve some of the problem—how much? Is it a starting place? Is there a better option?

Other pitfalls:

• Saying that the sky is falling, and saying it often. The sky is usually not falling. Some I/S professionals treat security issues as crises when they are not, or fail to distinguish among levels of seriousness. Sometimes internal clients do this—not necessarily motivated by security.

• Failure to document compliance efforts. [Refer back to Safeguards Rule.] Thinking about what’s reasonable, planning for it, documenting decisions shows attention to the issues. It’s not only an important part of maintaining institutional memory and continuity, it can validate the reasonableness of efforts, even if failure occurs. [Refer back to GLBA Safeguards Rule—documented program.]

Page 16

• Don’t pre-judge compliance failure. Based on my experience, some employees (out of vigilance or even internal jockeying) raise security issues with e-mails to too many recipients saying “We’re non-compliant.” Sometimes it’s I/S, or other employees referring to I/S issues.

• “We’re non-compliant” is not documenting compliance effort. It’s probably a legal conclusion that should be left to lawyers to make.

• It may be the wrong conclusion. There may be mitigating factors. But what the e-mail does is create a record that can be used as evidence against the organization, even if the conclusion is incorrect. (That may be one of several reasons that your lawyers may ask I/S to direct compliance concerns to them.)

Part of incident response should include how to communicate about potential issues that require attention.

[Refer back to Safeguards Rule.] Remember that, while I/S should be defining reasonable security from the I/S perspective, defining what that looks like for the organization involves others in the organization.

Page 17

Think back to cases discussed—was unreasonableness obvious? If what’s reasonable seems hard to pinpoint, start by defining what is out of bounds.

Rely on your expertise to define a starting point for what’s reasonable, as input to organizational determination. Back yourself up—if you believe certain practices are reasonable/unreasonable, there’s a reason why. What is industry practice? Get input from colleagues in other organizations who are “prudent and competent person[s] engaged in the same line of business or endeavor” facing “similar circumstances.” Refer to I/S organization publications.

I often hear I/S professionals say “there’s no proof” of what’s reasonable. Your word is a form of proof. You don’t get a guarantee of absolute proof, but your credibility is evidence, and if you back up your position, it’s even stronger evidence.

Then you’re ready to talk to your lawyer with information your lawyer needs, instead of just asking what the rule is.

Just as with some I/S professionals, some lawyers have a highly risk-averse “that won’t work” approach, but at least you’ll be in a position to give your lawyers the information they need.

Page 18

[Discussion: What do you do if you believe there’s a compliance failure and no one listens? Steps to protect yourself... ethical/moral issues.]

• The actions of I/S professionals matter in people’s lives. Right now, ask yourself: At what point might it be necessary to sound an alarm and maybe put your job at risk—or to walk away? What would make it hard to look yourself in the mirror in the morning? What are the reasonably foreseeable risks? These are hard questions that sound dramatic, but those kinds of challenges can come up, and when they do, they are dramatic. Ask yourself now, because these questions may be harder to answer when you’re in the middle of a situation in which the answers might matter.

• By asking yourself those questions—about where the line is between reasonable and unreasonable—you may gain clarity that will help in communicating the more everyday answers about what reasonable security looks like.

“Success is never final and failure never fatal. It’s courage that counts.” — Attributed to George F. Tilton

Page 19

[Discussion--being heard: Comment period for regulations and standards.]

• Process is critical. It’s not just what you do, but how you do it, as a team, redundantly.

Page 20

Preview of conclusion: In every role I’ve had in the practice of privacy/security law, I’ve advocated for what should be considered reasonable or unreasonable by my client, or should have been considered reasonable or unreasonable by the other party in a court case.

• I started the same place discussed today—the laws, regulations, and cases—and the rule of reasonableness.

• And then I looked at what rules there were in security literature—standards organizations, textbooks, vendor documentation.

• But, inevitably, I started calling people—I/S professionals, and asked them what they considered good/bad, acceptable/unacceptable; why; and how they draw the line. I asked them what they observed in practice and what they saw their peers in other organizations doing. I asked how they would back up their positions if challenged.

That’s what I did, before advising upper management when I was in-house, or taking a position in court—I asked the kind of people in this room, because the answer is already there. If a court then made a decision, that doesn’t mean a particular practice suddenly became reasonable or unreasonable. It means it already was.

What reasonable security looks like down the road is for you to decide—maybe not alone—but the security expertise is yours. The rest of us are relying—reasonably so—on I/S professionals, individually, and the I/S community, collectively, to tell us.