Transcript Custodial Duty - Pennsylvania State University
Common Law Development of the Custodial Duty of Information Security in Financial Privacy Rights
John W. Bagby Professor of IST Penn State University

Purpose
• Conceptual framework for the information security custodial duty
• Empirical
  – Deductive from cases
• Policy development
  – Inductive from the common law
• Integrative
  – Achieve coherence with legislation, regulation and standardization

Custodial Duties are a Key Component
• Basis of an IT risk management method
  – Minimum standard: below it lies malpractice
  – Public policy reaction more likely
• CIOs & IT managers want/need guidance
• Professional practices are typically an integration of various forces
  – EX: legislation, standards, best practices, aspirational state-of-the-art
  – True of all traditional learned professions
  – Self-discipline is THE definition of professionalism

History of Info Security Custody
• Both old & new…
  – Old
    • Long historical accretion from experience
    • EX: agent-principal, consulting requirements, privileges, national security, trade secrecy, contracts
  – New
    • Privacy protection subsumes custodial duties for information security
    • EX: GLB, SarbOx (Sarbanes-Oxley), HIPAA, ISO 17799 (27001, et al.), COBIT, COSO, “9 firms,” FISMA, ITIL, GTAG, NIST, Orange/Yellow Books

Motivation
• Penn State’s iSchool & Security & Risk Analysis (SRA) program goals
• Natural confluence from past work
  – Agent’s duties
  – Internal control responsibility
    • 1982 control responsibility disclosure work, well before SarbOx (Sarbanes-Oxley)
  – Malpractice
  – Standardization
  – Litigation Risk Management Database
    • NAS, NRC funded

Current Custodial Duty Definition
• Prescriptive, derived from practitioners’ generalization
• Largely expressed in vague aspirations embodied in standards, statutes & regulations
• Largely literal interpretations of legislation
• Next steps:
  – Formally integrate experience
  – Pragmatic deduction from actual experiences

Current Sources of Experience
• Sources: fragmented, grassroots, sectoral
• But soon will be awash in data
  – Initial stages of integration & public policy review
  – Much is not publicly available
    • Proprietary & actuarial data
    • Some is confidential
  – Reminiscent of intelligence community turf
  – EX: CERT, ISACs; will improve
  – Organized by critical infrastructure sector

Main Thesis: C/L is Efficient
• C/L precedents are an untapped source
• What is the best method to harvest?
  – How should C/L be communicated?
  – Thus far fragmented, poorly integrated for policy analysis
• How should information custodians be tasked?
  – Professionalism, contract (K), torts?
  – C/L is underutilized!
  – Both the tort bar (plaintiffs) & insurance (most frequent defendants) drive toward inefficiency

Nature of C/L vs. Civil Law
• C/L premise: laissez-faire, libertarian
  – From England’s law-making tradition
  – Reactive, not anticipatory
  – Policy declarations reserved for real disputes among parties with stakes
    • Truth & optimality ultimately emerge
  – Decentralized
• Civil law, by contrast
  – European continent, Latin America, emerging Asia
  – Prescriptive, anticipatory, hypothetical, forecasts, conceptual
  – Centralized

The C/L is Efficient
• From: Landes, Posner, et al.
• Decentralized aggregation of preferences
• Operates like efficient markets
• Behaves like an invisible guiding hand
  – Central planning: like a visible hand
• C/L efficiency improves
  – High “n,” correcting market failures
  – Often only weak efficiency
  – Occasionally semi-strong
  – Never would claim strong-form efficiency
C/L can be Semi-Weak Efficient
• Idiosyncratic, anecdotal
  – Standing joke: the plural of anecdote is not empiricism
• Precedents accrue, then stabilize
• Aggregate of holdings signals efficient behavior
  – Often can still contract around C/L

C/L Efficiency Method
• Numerous independent actors
  – EX: litigants (victims, perpetrators), counsel, witnesses (factual, expert), independent trial judges, appellate oversight, public policy adjustments
• Guiding principles
  – Efficiency, fairness, social cost, national purpose, freedom of contract (K)
• Produces efficient rules
  – Minimize societal waste
• Signals society toward efficiency
  – Often can still contract around C/L

C/L has some Inefficiencies
• Weak precedents
  – Early, seemingly groundbreaking cases are abandoned
  – Gain insufficient critical mass for reliability
• Capture of legislation
  – Repeated participation of rent-seekers
    • EX: plaintiffs’ tort lawyers, insurance companies (most frequent defendants)
• Pluralistic capture of politics generally
  – Judge selection/election
  – Politicization of regulatory, prosecutorial priorities
  – K Street

C/L is Self-Correcting
• Mechanisms pressuring the C/L toward efficiency
  – EX:
    • checks and balances,
    • the separation of powers,
    • strict constructionism,
    • case or controversy requirements,
    • an independent judiciary exhibiting restraint and self-discipline,
    • expansive pre-trial discovery,
    • legal counsel’s role as officers of the court with strong duties to clients,
    • appellate reversal risk, etc.

Potential Sources for C/L Custodial Duty
• Precedents directly drawn from custodial cases
  – FTC, GLB, national security
• Precedents derived analogically
  – Tort law
    • Malpractice
  – Property
    • Bailment
    • Privacy as a form of IP
  – Agency
  – Contract
  – Protection for consumers or the vulnerable
    • Essentially, privacy regulation is consumer protection
• Strong correlation among custodial principles
  – Must argue good reasons for departures!

Micro-Economics Fundamentals
• Incentives to invest & innovate in security
  – Lack of incentive directly risks market loss
  – Liability for product failure
    • Defective design
    • Defects in manufacturing
    • Defective packaging or transit
    • Failure to warn
• Security is a product feature
• Security is a service feature
• Insufficient incentives for optimal security

Externalities
• Role of externalities
  – Externalities:
    • Negative externalities: not all costs are borne by the actor; at least some fall on others
    • Positive externalities: not all benefits are enjoyed by the actor; at least some accrue to others
    • Free riders
• Classic case I: pollution controls
  – Environmentalism costs polluters but society benefits
  – Incentives:
    • under-invest, hide activities, argue/lobby that the costs are speculative, illusory or non-existent
    • Moral hazard: a person or organization does not bear the full adverse consequences of its actions
• Classic case II: workplace safety
• Classic case III: privacy
  – Security under-investment costs are borne by individuals

Free Riders & Public Goods
• Free riders illustrate market failure
  – do not internalize the costs of benefits they enjoy
  – essentially ride free on others’ investments & enjoy the benefits of others’ expenses
• Public goods: security
  – Non-rival, under-produced by competitive markets
  – Producers risk free riders whom they cannot effectively exclude from positive externalities
  – Producers under-invest w/o a clear business model & return
  – EX: defense, law enforcement, justice system, property rights, public transport centers (wharves, airports, roads), fireworks, lighthouses, environmental quality, some information goods (e.g., software development, authorship, invention), public education
• How can you argue that security is a public good?
  – What public responses might improve security?
  – Cybercrime enforcement

Asymmetric Information Theory
• Transactors have unequal bargaining power
  – The Market for Lemons: Quality Uncertainty & the Market Mechanism, George Akerlof (1970)
• Two transacting parties do not have the same relevant information
  – Classic examples:
    • buyers know less than sellers about product quality
    • lenders know less about a borrower’s likely default
• Seller’s incentive to pass off low-quality goods as higher quality, hide defects
  – Security performance is generally unknown to customers
  – Security breach notification laws are classic legislation to correct this market failure

Adverse Selection
• Asymmetries induce adverse selection
  – Asymmetries lead to bad results when
    • Buyers purchase “bad” products or pay too much
    • Sellers select bad buyers or charge too little
  – As adverse selection experience grows:
    • Buyers retreat, seek intermediaries (assistance, repairs), suffer opportunity costs
    • Sellers lose money, use intermediaries, fail
• Sub-optimal signals
  – More bad sellers/buyers, fewer good products
  – Custodians & 3d party service providers untrustworthy

Moral Hazard
• Moral hazard is a form of externality:
  – a person or organization fails to bear the full costs of its actions, causing adverse selection and then possibly further consequences
  – EX: smokers/parachutists/drunks hide their habit or activities when buying health/life insurance
  – EX: US vs. UK in re ATM & credit card fraud
    • US banks liable for card fraud, UK banks not
    • US banks invested heavily to avoid losses
    • UK banks lazy & careless, avalanche of fraud
• Individuals should/could do more to protect themselves

Least Cost Provider
• Liability generally most justifiable for:
  – Party with the greatest responsibility for safety or quality (or security)
  – Party with the lowest cost of services
  – Party financially able to bear the risk
• Economics seeks to incentivize the least cost provider
• Who is security’s least cost provider?
  – Individuals, ISP, s/w licensor, h/w supplier?

FTC: Forum for Custodial Duty Definition
• Privacy czar!?!
  – GLB federal functional regulator
    • All non-traditional “financial institutions” that provide various financial services such as lending, brokering or servicing any type of consumer loan, transferring or safeguarding money, preparing individual tax returns, providing financial advice or credit counseling, providing residential real estate settlement services, collecting consumer debts
  – FTC Act §5: unfair, deceptive practices
• Dual missions:
  – Consumer protection
  – Maintenance of competition

Stage 1: the Early Cases
• Pre-GLB & COPPA
• Major difficulties
  – Misrepresentation
  – Breach of contract (K)
    • To preserve privacy
    • To refrain from onward transfer
• Importance of consumer privacy
• EX:
  – Toysmart: bankruptcy sale of list
  – Liberty Financial: harvesting child data
  – ReverseAuction: spam, imposter harvesting
  – Int’l Outsourcing Group: online pharmacy (Viagra) harvesting for onward transfer, preying upon vulnerable populations
  – Gateway Learning: onward transfer
  – ChoicePoint: onward transfer
  – CartManager: onward transfer

Stage 2: General Principles Develop
• Post-initial privacy regulation
• Discovering effective security requires a systems approach
• Major difficulties:
  – Training, oversight, negligence in online system design
• EX:
  – Eli Lilly: Prozac listserv mistakenly revealed all members in a single mass e-mail
  – Microsoft: Passport system misrepresentation
  – American Student List & Educational Research Center: misrepresented harvesting purpose (admission strategy), really target marketing

Stage 3: Specific Practices Required
• Implementing emerging statutory, regulatory & standards approaches
• Systems approach emerging
• Major difficulties:
  – Key security components absent
  – Particular controls & claims ineffective
• EXs:
  – Guess, Petco & CardSystems: SQL injection vulnerabilities
  – Tower Records: access controls
  – BJ’s, DSW, CardSystems: unencrypted data
  – DSW: excessive retention (FTC Disposal Rule)
  – Guidance Software: massive irony, 3d party security services firm (unencrypted data, SQL injection, access controls, incident detection)
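The SQL injection defect class behind the Guess, Petco and CardSystems actions, as an added illustration that is not part of these slides or of the FTC records: a lookup built by string concatenation beside the same lookup with a bound parameter. The table, the rows, the column names and the payload are all constructed for the demo; the in-memory SQLite database stands in for whatever customer database those sites ran.

```python
"""Added example, not from the original slides: SQL injection vs. a parameterized
query, run against a constructed in-memory SQLite table of customer card data."""
import sqlite3

# Constructed sample rows standing in for a retailer's customer table.
# (Card numbers are well-known test values, not real accounts.)
CUSTOMERS = [
    ("alice", "4111111111111111"),
    ("bob", "5500000000000004"),
    ("carol", "340000000000009"),
]


def make_db():
    """Create and populate the demo table. Column names are assumptions."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (username TEXT, card TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?)", CUSTOMERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """The defect: the user-controlled value is pasted into the SQL text, so a
    quote character in the input changes the statement the database runs."""
    sql = "SELECT username, card FROM customers WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    """The fix: the value travels as a bound parameter. The driver never treats
    it as SQL, so no input can alter the shape of the statement."""
    sql = "SELECT username, card FROM customers WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Classic tautology payload: closes the string literal, ORs in an always-true
# condition, and lets the application's trailing quote close the last literal.
PAYLOAD = "x' OR '1'='1"


def demo():
    """Run both lookups with the payload and with an honest username.
    Returns a dict so the outcomes can be inspected or asserted on."""
    conn = make_db()
    return {
        # Every card in the table comes back: the WHERE clause is now a tautology.
        "vulnerable": lookup_vulnerable(conn, PAYLOAD),
        # Nothing comes back: there is no user literally named "x' OR '1'='1".
        "parameterized": lookup_parameterized(conn, PAYLOAD),
        # Normal use still works with the parameterized form.
        "honest": lookup_parameterized(conn, "alice"),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label:>13}: {rows}")
```

The vulnerable form needs no stacked statements or comment tricks to leak the whole table; a single unescaped quote is enough. Parameterization is the control the later FTC orders effectively demand: it removes the defect rather than trying to filter the input that triggers it.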

GLB Safeguards Rule
• Financial institutions must design, implement and maintain safeguards
  – Purpose: to protect private information
  – Must implement a written information security program
    • appropriate to the company’s size & complexity, nature & scope of activities, & sensitivity of customer data
  – Security program must also:
    • assign one or more employees to oversee the program;
    • conduct a risk assessment;
    • put safeguards in place to control the risks identified in the assessment, then regularly test & monitor them;
    • require service providers, by written contract, to protect customers’ personal information; &
    • periodically update the security program
• Cases:
  – Sunbelt Lending
  – Nationwide Mortgage
  – Superior Mortgage
  – Nations Title

C/L Custodial Duty Ontology I
• Now in the iSchool, feel pressured to design & test an “artifact” derived from empirics
• Planning, delegation, management, compliance, controls
• Data acquisition
  – Authority to collect
    • Inducing revelation, EULA, screening & verification, vulnerable populations are
    • 3d party onward transfer
  – Justify need for particular data
    • EX: rating a counter-party
    • But: assure justification for a data brokerage business model; risky to argue unforeseen possible future uses (inside, onward transfer)

C/L Custodial Duty Ontology II
• Custody difficulties
  – Data breaches
    • Information in e-transit, EDI systems
  – Various temporary holdings
    • Card swipes, EDI systems
    • Information in physical transit
    • Laptops
  – Hacking by outsiders
  – Insiders
    • Malfeasance
    • Nonfeasance, misfeasance, incompetence
  – Access security
  – Crashes, loss through physical, managerial non/misfeasance
  – 3d party service provider negligence, insolvency, unclear duties (but: SAS 70, EU Data Directive’s reciprocity)

C/L Custodial Duty Ontology III
• Retention
  – Evolving towards justifiable “need”
  – Consider review costs before destruction
  – Cost-benefit analysis of destruction & record retention requirements (ERM)
• Industry sectoral analysis predicts vulnerabilities & robustness
  – http://www.privacyrights.org/ar/DataBreaches2006 Analysis.htm
• Noteworthy:
  – laptop theft vulnerability in the private sector and among medical centers
  – incompetence of personnel or software highest in the public sector, including the military
  – vulnerability to outside hackers highest in higher education, lowest in medical centers
  – insider malfeasance lowest in the (not-for-profit) public sector and higher education

Preliminary Findings
• Security standards are emerging as controlling
• C/L interprets them with useful detail
• Obvious security controls are required
• Security program must be managed
  – Policies must be actively deployed & maintained
• IT audits are coming soon to ALL
• EULAs are enforceable contracts (K)
• FTC may “supervise” for decades