April 27, 2007

Breached *and* sued -- is TJX the tipping point to liability alignment?

TJX is to be sued. The huge data breach at the US retailer is news covered elsewhere, as it is just one big breach in a series of similar ones.

The suit will argue that TJX failed to protect customer data with adequate security measures, and that the Framingham, Mass.-based retail giant was less than honest about how it handled data.

What is interesting is that this could be the first time that someone big says "boo!" If the banks are now getting together to sue TJX for doing the wrong thing, this sets an interesting precedent: the banks say (presumably) that TJX was negligent and has caused damages.

If the courts find that this merits a remedy, then the reverse is possible too. There are other suits possible. If the banks lose the data, then maybe they should be sued? If Microsoft's OS is shown to be insecure and susceptible to losing data, then maybe it should be sued? Or the banks that quite happily permitted it to be used, again? If someone pushes a particular product for commercial purposes (such as a firewall, a secure token, an encryption protocol, or just advice...) and it is shown to be materially involved in a breach, maybe the pusher needs to be sued?

What would this mean? A lot of suits, for one thing, such as the one being readied against Paypal. A lot of money wasted, and the lawyers get richer. Some banks, some suppliers, some pushers and some users might modify their behaviour. Others might just get more defensive.

That may be bad ... but what's our alternative?

Suppliers and sellers of bad products have not been punished. Neither have buyers of bad products. Leaving aside the sense of blame and revenge, where is the feedback loop that tells a company that "buying that was wrong, that hurts?" Where is the message that says "you shouldn't use that software for online banking" to the user?

To address this lack of feedback, lack of confirmed danger, many have suggested government action. But, other than the spectacular exception of the SB1386 data breach disclosure law, most government laws and interventions have made matters worse, not better.

Economists like those going to WEIS2007 have suggested many things: align the incentives, share more breach information amongst victims, make software vendors liable, and so on. I suspect that one common rejoinder here is that the very economics that explains the problem often gives clues as to why it isn't solved.

Some mad crypto people have even suggested designing security into the system in the first place. Yet other fruitcakes have said that designing the wrong security in was what got us to where we are now...

What doesn't seem clear from an outside, global, society perspective is ... what to do?! None of those approaches is going to "just work," even if they are adopted.

However, the liabilities (growing) and the interests (diverging) are going to be balanced and aligned, one way or another. The Internet security world today is out of balance, unsustainable in its posture.

Here's my prediction: At some point we do reach a tipping point, and at that point the suits start.

However, predicting re-balancing-by-suits has been a little like predicting the collapse of the dollar in the new not-quite-global-currency regime: when it did happen, we were caught by surprise. And then it bounced back again...

So, no dates on that prediction. Let's watch for copies of the TJX suit.

Funny how when states have 35 different laws requiring breach notifications, banks say it is bad. Then, when they realize that they have a cause of action in one state (MA) that they don't have in others, they're happy about it.

One way to somewhat harmonize those beliefs would be for the banks to lobby hard for model legislation in all 50 states (+DC) that establishes the same cause of action and type of relief available to them in MA.

Posted by: Chris at April 27, 2007 09:46 AM

I think that the tort system is a great system for dealing with externalities. Many people think that damage awards are outrageous - but that is hard to determine. In many of the suits the parties agree to caps and floors before the suit begins and agree not to disclose those amounts. So, when you see that someone got $10,000,000 for spilling hot coffee on their crotch, you actually have no idea how much they got. In this case, the actual damages should be very easy to determine.

As for lawyers making a lot of money, more power to them. There is no shortage of lawyers, so I assume it is an efficient market. And while money may be "wasted" because of all the suits, I think it is far more efficient than, say, government regulations.

So, I say, let the suing begin!

Posted by: Nick at April 27, 2007 10:21 AM
