Cybersecurity Liability and Negligence Overview
The key legal aspects of cybersecurity liability and negligence, focusing on cases like Dittman v. UPMC. Understand the duty of care, breach, causation, and foreseeability in negligence claims related to cybersecurity failures.
Negligence: Kline and Dittman Richard Warner, Professor, Chicago-Kent College of Law, rwarner@kentlaw.iit.edu
Two Problems First: The current state of cybersecurity causes us to waste a lot of time, effort, money, and emotional cost. We know how to defend better. Why don't we? Why do we waste time, effort, money, and emotions instead? Second: When my business client comes in with a mix of business and cybersecurity problems, what law do I need to know?
Answers First problem: Corporate culture: Investment in cybersecurity is not yet sufficiently understood to be a required infrastructure cost. C-level executives, IT personnel, and lawyers have difficulties understanding each other. Neither markets nor the law provide an adequate incentive to improve security. We focus on market/law issues. Second problem: In answering the first problem, we answer the "what law do I need to know?" question.
An Overview Cybersecurity Liability for failure to prevent access to a computer or network Liability for accessing a computer or network Rights against government seizure of data
Overview of Failure to Prevent Liability for failure to prevent access to a computer or network Statutes Regulations Common law Negligence Breach of Contracts Unjust enrichment Confidence
Dittman v. UPMC In Dittman v. UPMC, University of Pittsburgh Medical Center (UPMC) collected and stored information about its employees, including names, birth dates, social security numbers, addresses and bank information. As the Court notes, UPMC "failed to properly encrypt data, establish adequate firewalls, and implement adequate authentication protocols" to protect the information in its computer network. Hackers exploited those failings to access the employees' information. The employees alleged they were harmed: "the stolen data . . . was used to file fraudulent tax returns on behalf of the victimized Employees, resulting in actual damages." Is UPMC liable in negligence for the harm?
Negligence Liability UPMC is liable in negligence for damage if: Duty: It owes the employees a duty of due care; Breach: It did not act as a reasonable person would in the circumstances; Causation: The failure to act with reasonable care caused the damage; Foreseeability: The damage was a foreseeable consequence of its action.
The Landlord Tenant Analogy Determining the required level of care in cybersecurity contexts raises technological and public policy issues specific to cybersecurity. This does not mean there are no instructive non-cybersecurity precedents. On the contrary, the landlord/tenant case of Kline v. 1500 Massachusetts Avenue Apartment Corporation provides a background that reveals what is the same and what is different. We consider Kline first, then turn to Dittman.
Kline v. 1500 Mass. Ave. Kline was assaulted in the common areas of the apartment building in which she lived. She sued for negligence alleging that the building owner unreasonably failed to provide adequate security. The court decides in her favor.
The Court's Reasoning "The landlord is the only one in the position to take the necessary acts of protection required . . . the landlord [is] best equipped to guard against the predictable risk of intruders, . . . even as between landlord and the police power of government, the landlord is in the best position to take the necessary protective measures."
More Fully (1) The tenants do not control the common areas. Only the landlord can hire security personnel to patrol the areas, install surveillance cameras, lock entrances, and the like. The majority says, "the landlord is in the best position to take the necessary protective measures." (2) Thus, the landlord has a duty of due care to protect tenants from crime in the common areas, and the failure to provide adequate security is a breach of that duty. (3) The history of increasing crime in the neighborhood and building makes harms of the sort that happened to Kline foreseeable. (4) Thus, the landlord is liable for the harm to Kline, assuming the landlord's failure to act caused the crimes.
What Is The Required Level of Care? Our concern in the questions below is with how to determine the required level of due care. The general approach: Courts consider government-promulgated requirements (specific conditions) and standards (general guidelines), and, as in Kline, non-government customs and industry practices and standards. Government requirements: Non-compliance is conclusive evidence (most) or evidence (some) of negligence. Non-government: Compliance is evidence (but not conclusive) of due care, and non-compliance is evidence (but not conclusive) of lack of due care.
Our Focus: Industry Practices And Standards Our discussion uses the notion of expected gain and loss. The idea is familiar from everyday life. Suppose that, on Monday, you want to dine on Brazilian food much more than you want to eat Mediterranean fare, but you go to the Mediterranean restaurant anyway. Why?
The Explanation You think it highly likely that the Brazilian restaurant is closed on Mondays, while you are virtually certain the Mediterranean restaurant is open. When you take the probability of being open into account, the expected gain of going to the Mediterranean restaurant makes going there a more attractive option than going to the almost certainly closed Brazilian restaurant, whose expected gain is small.
What Is The Required Level Of Care In Kline? The landlord in Kline underinvested in security. How should a landlord decide how much to invest? Our answer is that they should decide in a way analogous to the way you decided whether to go to the Brazilian or the Mediterranean restaurant. Imagine a landlord, Alissa, deciding how much to invest to upgrade her current defenses.
Expected Harm From Current Defenses Assume that she knows the monthly probability of different types of attacks in the common areas given her current defenses, and the amount of harm each type of attack causes. That allows her to determine the expected harm from attacks given her current defenses: Expected harm from current defenses = harm from attacks, taking probability into account (for each type of attack, its probability times its harm, summed over the types).
Reduced Expected Harm From Current Defenses Next assume she knows the various possible improvements in defense available. The improvements do not ensure that there will never be an attack in the common areas, but they reduce the probability of an attack. For any improvement, assume Alissa knows the new, reduced probability of attacks. Then she can determine the reduction in expected harm from adopting an improvement: reduced expected harm = harm from attacks, taking the reduced probability into account.
Knowledge Of Costs Finally, assume Alissa knows how much the various possible improvements cost. Costs here include not just Alissa's time, effort, and money, but also the costs to tenants, such as increased rent as Alissa passes her increased costs on to her tenants, and a loss of privacy from increased surveillance by security personnel and video cameras. Then we have an answer to how much she should invest in security.
The Right Level of Investment She should keep investing to reduce the expected harm until any further investment would spend more on security than the expected harm it avoids. Investing less is wasteful because a larger investment would cost less than the harm it avoids. Investing more is also wasteful because the investment is greater than the harm it avoids.
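As an added illustration that is not part of the presentation, the expected gain/loss rule from the Alissa slides written out as a small Python script: the attack types, monthly probabilities, harms, improvements and costs are constructed numbers, and the improvements are assumed to be cumulative packages ordered by cost.

```python
"""Expected gain/loss analysis of a landlord's security investment (constructed example)."""
from dataclasses import dataclass

# Monthly probability of each attack type under current defenses, and the harm
# (in dollars) one incident of that type causes. All values are constructed.
CURRENT_PROBABILITIES = {"burglary": 0.10, "assault": 0.02, "vandalism": 0.30}
HARMS = {"burglary": 5_000, "assault": 50_000, "vandalism": 800}


@dataclass(frozen=True)
class Improvement:
    name: str
    monthly_cost: float      # Alissa's cost plus costs passed on to tenants
    probabilities: dict      # attack probabilities after adopting the package


# Hypothetical cumulative packages: each includes the cheaper ones before it.
IMPROVEMENTS = [
    Improvement("locks", 200, {"burglary": 0.05, "assault": 0.02, "vandalism": 0.20}),
    Improvement("locks and cameras", 600, {"burglary": 0.03, "assault": 0.01, "vandalism": 0.10}),
    Improvement("locks, cameras and guard", 3_000, {"burglary": 0.01, "assault": 0.005, "vandalism": 0.05}),
]


def expected_harm(probabilities, harms):
    """Expected harm = sum over attack types of probability x harm."""
    return sum(probabilities[attack] * harms[attack] for attack in harms)


def harm_avoided(improvement, baseline, harms):
    """Reduction in expected harm from adopting the improvement."""
    return expected_harm(baseline, harms) - expected_harm(improvement.probabilities, harms)


def choose_investment(improvements, baseline, harms):
    """Keep investing while the extra expected harm avoided exceeds the extra cost.
    Returns the last package worth adopting, or None if none pays for itself."""
    chosen = None
    prev_cost, prev_avoided = 0.0, 0.0
    for imp in sorted(improvements, key=lambda i: i.monthly_cost):
        avoided = harm_avoided(imp, baseline, harms)
        marginal_cost = imp.monthly_cost - prev_cost
        marginal_benefit = avoided - prev_avoided
        if marginal_benefit <= marginal_cost:   # further spending exceeds harm avoided
            break
        chosen = imp
        prev_cost, prev_avoided = imp.monthly_cost, avoided
    return chosen


if __name__ == "__main__":
    print(f"Expected harm now: ${expected_harm(CURRENT_PROBABILITIES, HARMS):,.0f}/month")
    for imp in IMPROVEMENTS:
        print(f"{imp.name}: cost ${imp.monthly_cost:,.0f}, avoids ${harm_avoided(imp, CURRENT_PROBABILITIES, HARMS):,.0f}")
    print("Right level:", choose_investment(IMPROVEMENTS, CURRENT_PROBABILITIES, HARMS).name)
```

With these numbers the cameras package is worth its extra $400 (it avoids a further $680 of expected harm), while the guard's extra $2,400 avoids only $390 more, so the script stops at "locks and cameras".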
Agree? Do you agree that Alissa should keep investing to reduce the expected harm until any further investment would spend more on security than the expected harm it avoids? Yes No Not sure
Do Landlords Know What They Need To Know? Assume a landlord should decide how much to invest in security based on an expected gain and loss analysis. Will they know what they need to know? Will they know how much harm different types of attacks cause? Will they know the probability of an attack before and after improvements in defenses? Landlords are unlikely to have access to the necessary statistical studies if indeed such studies exist.
The Majority's Solution The majority's answer is that landlords can find evidence of the degree of security required in the security practices of other landlords in similar buildings. As the majority says, the required level of protection is "the standard of protection commonly provided in apartments of this character and type in this community."
Market Assumptions It makes sense to treat industry practice as evidence of reasonableness if renters can know the different degrees of protection different landlords offer, and if they avoid landlords who underinvest in security (landlords who ought to reduce expected harms by spending more) and rent instead from landlords who adequately invest (invest until any further investment would spend more on security than the expected harm it avoids). Then profit-driven landlords have an incentive to offer security/rent combinations renters see as acceptable. Do you think renters behave this way? A similar "Do defenders know what they need to know?" question arises for cybersecurity and is even more problematic to answer.
Dittman v. UPMC (2018) UPMC (University of Pittsburgh Medical Center) was hacked and employee information was stolen: the personal and financial information of 62,000 employees, including names, birth dates, social security numbers, addresses, tax forms, and bank account information.
What Does Dittman Tell You About The Required Level Of Care? Suppose you want to know how fast you can reasonably drive on an icy road, and someone tells you correctly that it would be unreasonable to drive at 100 miles an hour. That does not tell you at what speed you should drive to be reasonable. It just tells you what not to do. Dittman is similar. It tells one that it is unreasonable to fall as far short as UPMC did in regard to encryption, firewalls, and authentication.
Not A Criticism of Dittman Tort law does not specify safe harbors applicable to a wide range of circumstances. When defendants' actions are found to be unreasonable, it tells one that similar actions in similar circumstances may be unreasonable. When defendants are held to have acted reasonably, it tells one that similar actions in similar circumstances may be reasonable. It does not tell one in general what would count as a reasonable use of encryption, authentication, network segmentation, and deployment of firewalls and network intrusion detection.
Can A Network Owner Use The Expected Gain/Loss Approach To Determine How Much Security Is Required? The approach requires a defender to invest in reducing expected harms until any further investment would spend more on security than the expected harm it avoids. Doing so requires knowing how much harm different types of attacks cause, and the probability of an attack before and after improvements in defenses. We do not have sufficiently accurate estimates of either the likely loss from a type of breach or the probability of a breach occurring, with or without a particular type of defense.
Lack of Knowledge 1 A World Economic Forum report paints an accurate, if disturbing, picture of the lack of relevant data: "Unknowns concerning the scale and impact of cyber threats, as well as relative levels of vulnerability, threatens paralysis." World Economic Forum, Partnering for Cyber Resilience: Towards the Quantification of Cyber Threats; Sloan and Warner, Why Don't We Defend Better?: Data Breaches, Risk Management, and Public Policy.
Lack of Knowledge 2 There are studies reporting aggregate business losses from data breaches (e.g. Ponemon Institute, ponemon.org/research). They do not provide information about the probability of different types of data breaches, and they do not address the extent of individual losses. Those losses include identity theft, credit card fraud, and a sense of violated privacy. The information about consumer losses is scattered over millions of consumers, and the needed information is difficult to collect.
Lack of Knowledge 3 The FBI's Internet Crime Complaint Center reports that data breaches cost individuals $10.5 billion in 2022 (Internet Crime Complaint Center (IC3), www.ic3.gov). This reports only breaches that individuals were aware of and reported. The aggregate loss would be considerably higher if we were able to add losses from undetected and unreported data breaches. Further, the expected gain/loss approach requires knowing the losses from different types of attacks, and reports like the Internet Crime Complaint Center's do not provide that information.
Industry Standards? The majority's approach in Kline was that landlords can find evidence of the degree of security required in the security practices of other landlords in similar buildings. Is this viable in the context of defending against data breaches? It is if (a) the data subjects (the tenants, by analogy) can know the different degrees of protection different data storers (the landlords, by analogy) offer, and (b) they avoid data storers who underinvest in security (storers who ought to reduce expected harms by spending more) and provide data only to storers who adequately invest (invest until any further investment would spend more on security than the expected harm it avoids).
Problems Both (a) and (b) are problematic. The employees in Dittman could not avoid giving their data to UPMC, not as long as they wished to work for UPMC. In addition, it is highly unlikely that the employees were aware of and able to evaluate UPMC's data security practices. Further, individuals' data is often shared with third parties in ways that individuals are unaware of.
Can Courts' Decisions Require Improvements In Standards? The lack of relevant data about probabilities and harms makes doing so difficult. To see why, compare Judge Learned Hand's famous decision in The T.J. Hooper, 60 F.2d 737 (1932). The T. J. Hooper, a tug, encountered a storm and sank along with the barges it was towing along the Atlantic coast. It did not have a shortwave radio capable of receiving weather reports. With one, it would have received the report of the coming storm and put in at the Baltimore harbor to ride out the storm safely.
The T. J. Hooper Shortwave radios were a technological innovation at the time, and it was not the custom for tugs to have them. Despite the lack of a custom, Hand finds the tug owners negligent on the ground that it is desirable public policy to require tugs to have shortwave radios. As he famously claims, "a whole calling may have unduly lagged in the adoption of new and available devices. It never may set its own tests, however persuasive be its usages. Courts must in the end say what is required; there are precautions so imperative that even their universal disregard will not excuse their omission" (The T. J. Hooper, 740).
Expected Loss in The T. J. Hooper Hand can plausibly say "in the end what is required" because the relevant information for the expected gain/loss calculations is readily available both to the court and to tug boat captains. For tug boats that regularly travel along the Atlantic coast, the expected loss from a strong storm is high in a tug lacking a shortwave radio.
What Courts and Captains Know The probability of encountering a strong storm is high, and the loss from sinking is high. With a shortwave radio, the probability of encountering a strong storm is significantly reduced. Compared to the expected loss without a radio, a radio is a relatively inexpensive investment that avoids much greater losses. The problem in the data breach cases is that courts and defenders lack the relevant facts about probabilities and harms.
Was the attack foreseeable? In Dittman, the employees claim that large stores of data on Internet-accessible computers are a predictable target of attack by cybercriminals, and on that basis they conclude that the attack was foreseeable. The Kline court points out this error: a predictable event can have a very low probability of occurring. The chance of a fatal airline accident is predictable: 1 in 11 million. That does not make it foreseeable in the sense negligence requires.
Foreseeability Dittman treats the harm as foreseeable if it is within the scope of the risk created by UPMC's lack of security. Applying the test: Assume that UPMC's lack of security violated its duty of due care to the employees. Think of data breaches of the type that occurred in Dittman as associated with a range of types of harms that a reasonable person would expect as a probable result of the breach. The harm to the employees is foreseeable if it is an instance of one of the harms in the range.
Palsgraf Palsgraf v. Long Island Railroad (1928), is a classic example. As Helen Palsgraf waited on the platform for her train, another train stopped briefly at the station. As it began to depart, a man carrying a package ran to catch it, unsteadily jumped aboard, and was about to fall when a guard on the train pulled him in while another guard on the platform pushed from behind. The package, which contained fireworks, fell and exploded. The explosion caused a large coin-operated scale at the other end of the platform to fall, striking and injuring Palsgraf. There was nothing the railroad attendant saw or could have seen that would have put him on notice that helping the passenger would result in the explosion that followed. Hence the chain of events that ensued was not foreseeable.
Compare Palsgraf Had the package been clearly marked with the word "Explosives" that would have changed the foreseeability calculus. The railroad would have been on notice of the risk. Does storing data on a computer connected to the internet put the owner on notice of the risk of a breach just as much as the explosives label would have put the railroad attendant on notice? (a) Yes (b) No