Information Security and the Law

Alex Smolen, Krishna Janakiraman, Satish Polisetti, Daniel Perry

TJ Maxx, a retail apparel company, failed to secure its customers’ private information. In-store networks transmitted sensitive data such as credit card numbers and social security numbers to corporate networks in plain text, had inadequate authentication and authorization controls, and had no intrusion detection or prevention mechanisms. As a result, at least two security breaches occurred in 2005 and 2006 that cost customers and banks millions of dollars in money and time. In response to these breaches, the FTC deemed TJ Maxx’s lack of security an “unfair” business practice and reached an agreement with TJ Maxx to prevent future breaches. This agreement instructs TJ Maxx to encrypt data before storing it, put dedicated employees in charge of an information security program, use better password systems, and submit to regular third-party audits. TJ Maxx agreed to this order and was not penalized in any other way.

The TJ Maxx security breaches caused significant monetary loss to consumers and businesses. What law or set of laws can be used to hold TJ Maxx and similar companies liable? Why didn’t TJ Maxx have good security systems in the first place? Several laws relate to information security, but it is difficult for businesses to understand how to comply with them, and the laws are not always adequately defined or enforced.

An example of a law related to information security is California Senate Bill 1386 (SB 1386), which has subsequently been adopted in a similar form by most other states. In 2003, SB 1386 amended Civil Code sections 1798.29, 1798.82, and 1798.84 and introduced new privacy regulations that require any organization that does business in California and stores unencrypted personal information to notify any California resident whose personal information was acquired by an unauthorized third party. Protected personal information includes social security numbers and financial information, as well as medical and health insurance information. Notification can be by mail or electronically, but must be given as quickly as possible. While there are no specified monetary penalties for violating these codes, an injured person can file a civil suit against a company. This law does provide a punitive mechanism for companies that fail to secure their information systems, but it focuses on breaches. If a company is unaware of a breach, or believes that no one will be able to win a suit claiming injury against it, then it may choose not to send a notification. Alternatively, a company could decide that sending notifications is less expensive than implementing an effective information security program.

The California Office of Privacy Protection released recommended practices related to these new civil codes in May 2008. The practices detail ways for an organization to manage an information security program centered on restricting internal access to personal information and notifying individuals or groups if there is a security breach of this information. Practices include allowing employees access to personal information on a ‘need to know’ basis, notifying individuals of a breach within ten days by first-class mail or email, using encryption standards, and reviewing security standards annually. Implementing all of the recommendations will almost certainly be extremely costly for any business, and the fact that they are not legally binding (i.e. there is no safe harbor) provides little assurance. The recommendations are also fairly vague, and there is no regulatory action enforcing compliance. They are simply “recommendations”.

The FTC consent agreement with TJ Maxx, as well as SB 1386 and the associated recommendations, demonstrate legal approaches to information security enforcement. The goal of these mechanisms is to ensure privacy and prevent security breaches in the future. However, each of these approaches is problematic, and it is very hard to imagine a legal framework that can ensure information security. In his paper “The State of Information Security Law”, Smedinghoff notes that there is no single statute that obligates a company to secure its information. Instead, there is a hodgepodge of federal, state, and international laws that pertain to information security. Furthermore, these laws are segregated by public versus private companies as well as by industry (finance, health care, e-commerce, etc.). Even if a company wants to secure its information, it does not have a clear set of legal obligations to work towards. Companies may be subject to several different information security laws based on their industry, the data they store, and the states in which they do business.

Another major challenge for information security law is the ambiguity of the concept of “information security”. As Smedinghoff notes, security is relative, and the terms used in some of the statutes are often hard-to-pin-down phrases like “reasonable (or) appropriate security”. This leaves businesses with little guidance as to what is required for legal compliance. A welcome trend is the emergence of laws that focus on the treatment of specific information, such as social security numbers or payment card information, as well as specific standards for security controls such as data retention or authentication.

From a company’s point of view, it is difficult to determine “what is applicable to us” when it comes to information security law. This could be an economic strain, especially for small companies that can’t afford legal or information security expertise. There is also an increasing trend towards outsourcing information systems to the “cloud”. This represents another unclear legal area – the obligations and liabilities of the company and the cloud provider. We have seen in other areas like privacy and copyright that technology moves extremely rapidly compared to the law. New technology presents new information security threats, which the law may not address.

There is no omnibus US information security legislation for businesses; in fact, it is almost the exact opposite. There are a variety of different laws related to different sectors and types of data. Even for large organizations, implementing an effective information security program to address these laws is challenging and costly. Information security is a big expense for many organizations, and yet overall security controls are still often bad. TJ Maxx is not alone; see Heartland, CardSystems, and Hannaford Brothers for other examples of large-scale breaches. As Smedinghoff states: “A key problem, however, is that the nature of the legal obligation to address security is often poorly understood by those levels in management charged with the responsibility, by the technical experts who must implement it, and by the lawyers who must ensure compliance. Yet, it is perhaps one of the most critical issues companies will face.” It seems that increased clarity, or potentially unification, of information security law would help improve the state of information security by giving businesses a clear objective, and if this objective included appropriate information security policy and controls, it would ultimately help the consumer.

One Response to “Information Security and the Law”

  1. Satish Polisetti
    April 5th, 2010 | 10:58 am

    Other stories which are interesting to read –
    a. Heartland Payment Systems
    http://www.informationweek.com/news/security/attacks/showArticle.jhtml?articleID=212901505

    b. CardSystems
    http://www.securityfocus.com/news/11219

    c. http://www.privacyrights.org/ar/ChronDataBreaches.htm#CP

    On call group – Alex, Krishna, Satish, Daniel