Schneier on Security
A blog covering security and security technology.
« Google Ad Hack |
| Wiretapping in Italy »
May 1, 2007
Lawsuit for Not Disclosing a Security Breach
There's a class-action lawsuit against TJX by various banks and banking groups:
The suit will argue that TJX failed to protect customer data with adequate security measures, and that the Framingham, Mass.-based retail giant was less than honest about how it handled data.
This case could break new legal ground, and is worth watching closely. (I'm rooting for the plaintiff.)
Posted on May 1, 2007 at 1:53 PM
• 28 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
Minor nitpick: Prosecution is for criminal cases. Plaintiff is the party bringing suit in civil cases.
"Minor nitpick: Prosecution is for criminal cases. Plaintiff is the party bringing suit in civil cases."
Given the magnitude of the breach and the apparent failures by TJX executive and security personnel, these lawsuits may very well result in the first major corporate bankruptcy due to a security breach.
Amended to reflect that - while CardSystem Solutions went toes up after its breach and is thus the current largest enterprise to close after a security breach - the issues in this lawsuit and the size of TJZ will rivet the attention of the business community in a way that CardSystems never could.
THe banks and banking groups should be carefuil for what they wish... this could come back to haunt them if they ever suffer a nreach....
Realist, I'm sure that most banks suffer such breaches regularly. They will surely argue that TJX did not comply with standard practices and that this is why they should pay. In that case, the banks will merely have to meet that (minimal) standard and they can leak like a sieve without much worry.
I too am rooting for the plaintiff.
You argue that software vendors should be liable for their flaws, but I've expressed before here and elsewhere that I think such liability is the wrong approach and a dangerous precedent.
I believe the liability should fall squarely on the party specifically responsible for holding privileged data. They'll assert backpressure on the software developers, if it is the fault of the software.
Most software today is sold and/or distributed with a broad no warranties disclaimer attached. So your only options to put the liability on the software people:
1. Outlaw / override the no warranties clause. Problematic, because a vendor might write a buggy "personal" database, and when some company decides to download or purchase it and use it for lots of sensitive information and it is broken, the original author (who never intended their software to be run in such an important capacity) gets screwed.
2. Make companies liable, but only if they don't specifically say "no warranties". Nothing changes: everyone publishes with no warranties clauses.
But if a couple of major companies get seriously penalized for privacy breaches, they will wake up to the fact that they need to do due diligence on the solutions they install and put pressure back on the vendors in the form of "I won't buy it if it isn't secure".
Imagine the focus and responsible decision-making as well as the enormous CYA activity if TJX had to go into Chapter 11 as a result. It would be grand!
IT Security would finally be recognized as a value-add instead of being labeled as prohibitive and a huge cost-center. Who knows, upper management might even make wise decisions based on the good advice of their IT security group.
Executives ought to be sent to jail, gigantic fines ought to be levied, and bankruptcy and dissolution should follow – no mere reorganization should be allowed. As part of this, everyone affected should be made whole with *real* money and *substantive* action.
Then, we should sue the executives individually and take away all of their cash, investments, cars, houses, 401Ks, etc.
Then, we need an ethics investigation into why staff allowed this to go on, culminating in their censure and the removal of any certifications they possess. This, to teach everyone about whistle blowing and the proper procedures of dealing with broken management and dysfunctional organizations.
All of this should result in onerous new laws at both State and Federal levels. Onerous enough to make the expense of SOX look desirable and toothy enough to make SOX look even more toothless than it is. For instance, deliberately concealing a breach ought to be automatic jail for everyone, including staff that cooperated with the bankrupt management that mandated that behavior.
In the process, all of the broken State breach notification laws would be fixed. Did you know that in many States, the breach notification laws are so lame that they exempt that large a number of records compromised in the TJX case from the notification requirements? (e.g.; some have notification ceilings of 1,000,000 affected records…) The lobbies that brought these lame laws to you were paid by the players in this game who house tens of millions of records and who don’t want to be bothered with the expense.
Well, one can dream…
> due diligence on the solutions they install and put pressure back on the vendors in the form of "I won't buy it if it isn't secure".
Like the "candle" install script (IBM) that does "chmod -R 777" over all its files as the final step.
This would be so far from current practice I'll fall off my chair when I see it.
Does anyone know who was supposed to be auditing this major corporation?
From what I've read about the breach, the auditors may have been grossly negligent for many years if they weren't reporting weaknesses in systems security for several year-ends. In my experience, even the most cursory systems audit ought to have found some trace of such a thorough, ongoing penetration.
Of course, as we saw at Enron, some accounting firms (and maybe all accounting firms) consider they get paid millions every year to NOT report such things.
Yeah, right, I know accountants are "professionals" and they probably made up some rule that they're not responsible for anything (I'm not up-to-date on GAAP).
I've always thought there should be some criminal or civil charge for aiding and abetting gross incompetence and monumental stupidity when it comes to I.S. security.
"From what I've read about the breach, the auditors may have been grossly negligent for many years if they weren't reporting weaknesses in systems security for several year-ends. In my experience, even the most cursory systems audit ought to have found some trace of such a thorough, ongoing penetration."
In all fairness technical vulnerabilities are often missed by IT people, it would be unlikely that an auditing outfit (who is normally looking for corruption or bad practices within the organization) to find hidden flaws like this. The TJX data was even encrypted, but it seems like somone unknown to anyone else had a key.
All this talk of jail and other 'fixes' really does not address the problem. It sounds good but in truth any usable system will have vulnerabilities, and criminals will always be resourceful.
We need to take a lesson from auto safety: it's good to do everything reasonable to reduce accidents (short of a 5mph speed limit) but accidents will happen, and it's a good idea to accept this and work on making them survivable. We need straightforward ways of dealing with 'identity theft' efficient, legally defined ways of getting your records fixed to promptly and securely mitigate the damage.
byeh: Minor nitpick: Prosecution is for criminal cases. Plaintiff is the party bringing suit in civil cases.
Bruce: Fixed. Thanks.
Actually I think Bruce had it right in the first place. I'm rooting for the prosecution.
Re: Why encryption didn't save TJX.
The article goes into a lot of different issues surrounding the difficulty of properly implementing encryption in a database enviornment. I've faced many of these in my work as a software developer in retail companies.
But the real issue that I hope gets exposed by the TJX case is the insecurity of the "last mile" of credit card authorization.
For years, Visa, Mastercard, AMEX and Discover have been pushing retailers to improve the security of their databases - with good reason. There was much sensitive customer data that was stored totally in the open on database servers.
But as those types of issues have been addressed, the attackers move on to the next weakest link in the chain.
From what I have read, the TJX breach was, at least in part, some sort of man-in-the-middle attack. I haven't seen specifics yet, but I think it would be either between the client software running in the stores and a central authorization server running in the corporate offfice, or between that server and the authorization provider that TJX used.
Either way, now that data is encrypted wherever it is persisted, and restricted as to what is allowed to be stored in databases and log files in any case. The next change that has to be made is to encrypt the authorization traffic, and enforce some type of client-host authentication so that a man-in-the-middle attack would be ineffective.
The technology to do these types of security upgrades is readily available and it is not rocket science - it's a problem that has already been solved, but it is an expense that needs to be paid.
In retail, we've already done the upgrades to security that we needed to do to be compliant with the card issuers' policies. The hypocrisy is that in the remaining places where the data is vulnerable - specifically the authorization and settlement exchanges of data - no one is yet addressing the insecurities that exist.
Hopefully the cost of TJX's breach will be large enough to make both retailers and banks recognize that the cost of securing that remaining insecure link are not too great to contemplate.
That's my point. These same banks have suffered breaches themselves and will likely continue to do so. If they win their case, yes, they will have set a minium standard -- a "best practice" if you will.
But I'll bet you dollars to donuts that the banks involved in this lawsuit will eventually slip below this standard, and many others will not even meet it. So they should be careful for what they wish.
ANd a really good team of lawyers could argue that the banks should be held to an even highjer standrad, so there is quite a potential for backlash here.
"In all fairness technical vulnerabilities are often missed by IT people, it would be unlikely that an auditing outfit..."
You've obviously never dealt with the IT and technology auditors. Auditing is about understanding risks and control -- and the IT / technology auditors I know can run circles around most IT people and not even break a sweat.
I am more for an american version of european law that states someones personal information belongs to the person, and only limited information can be kept by companies. If consumer information was not accessable via corporate systems then the data breaches would not be as large.
"All this talk of jail and other 'fixes' really does not address the problem. It sounds good but in truth any usable system will have vulnerabilities, and criminals will always be resourceful."
It is a given in the security and risk management fields that nothing is perfect, but the real problem is that executives / companies don't practice even the slightest levels of due dilligence and even try to deal with the items they CAN control or manage.
Jail time, sustantive fines, etc., provide an "incentive" to these executives to practice due dilligence and address those risks, and not just accept losses as "part of doing business" while passing on the costs to the consumer.
Maybe they'll have better luck than others. So far, I'm unaware of any data breach lawsuits that have succeeded, but several that were tossed out.
For example, Pennsylvania State Employees Credit Union sued Fifth Third Bank of Cincinnati and BJ's Wholesale Club for very similar reasons. Fifth Third processed credit cards for BJ's Wholesale Club, who lost 235,000 credit card numbers. PCECU spent $100,000 reissuing credit cards, but their claims against both BJ's and Fifth Third were thrown out.
Individuals haven't had any better luck. It's hard to make a case for negligence when data is stolen. Even if you know that your information was among that stolen, it's almost impossible to draw a line of proof between the data theft and any actual harm you suffered.
This case will be interesting to watch, but don't get your hopes up. If they can get past the cause of action issues (e.g., not being a party to any contract, and courts being reluctant to look at negligence law for purely economic damages) and start talking about whether TJX had a duty to take better care of their customers' data, the results could be important. But expect either (a) the suit to be thrown out, or (b) a very fast settlement if it's not.
The key to getting better results from lawsuits between business partners who have experienced a breach rests with the contract language and agreements made BEFORE the breach.
I'm not a lawyer but I believe that if your contract doesn't specify security state or expectations then you fall back on the "reasonable person" and de facto standards or best practices in the industry as a means to demonstrate what security "should have been used".
If the current state of the industry is used, we can expect breaches to go unpunished for a long time, since the current state is that unsecured systems and breaches abound. The defendant can simply claim they took "reasonable measures as compared to what the industry expects".
If you want to see results, ensure your vendor contracts contain measurable security standards and / or at least an outline of the expectations you have surrounding data protection. Then you can more easily sue in the event they failed to protect your data to your standard.
But what happens when a business loses money from a non-business-partner's mishandling of data?
TJX accepts credit cards, so it has a contract with its bank and/or credit card companies. The banks have contracts with their cardholders, and with the credit card companies. But the banks don't have any direct contracts with TJX. They still have to spend money to replace cards because TJX screwed up, but there's no contract to negotiate in advance.
The banks might try to negotiate contracts with Visa, Mastercard, et al, so that the credit card brands would reimburse the banks when a merchant screwed up, but I doubt that kind of provision would fly.
In my life they'd have mostly been looking at technology risks as they relate to financial statements. That doesn't necessarily mean they do anything whatsoever at year end on 'peripheral' items like privacy. I guess it's a matter of perspective :(
re suing people for not having controls in place over credit card data - I'd much rather a market where I accept I (the consumer) will be paying a slightly higher interest rate for having a credit card to cover the issuer's risk of fraud losses. Hang on......
Good point on "downstream" vendors. The answer is still in the contract with your vendor IMO. If my vendor's vendor loses data or suffers a breach, to me, it's no different than my vendor suffering one (when viewed from net loss of cash and reputation) therefore the suit is against my vendor who was the result of my loss. It is up to them to determine if they have sufficient suit to "pass the savings" along to the downstream vendor. This is based on the idea that I can't directly effect the relationships between two entities in business with each other, but they hold something that effects me, so I need to exert what influence I can on those 3rd parties.
This dynamic builds the culture of accountability into a notoriously "disclaimed of any accountability" type of interaction, so it wouldn't be easy culturally or legally.
However if you can't depend on the vendor you use to pick good vendors downstream of you, then what other recourse do you have except to A) require them to perform more diligence, by threat of lawsuit if necessary, or B) find a single vendor that does everything, and sign a contract to your liking with them.
Despite the difficulty in A), I'd bet it's easier in the long run than finding B) in most interactions of sufficient depth.
As always, I'm potentially wrong and my opinions are simply my own, but the hard part isn't seeing the course, it's getting the industries involved to take it.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.