March 24, 2008

Liability for breaches: do we need new laws?

It is frequently pointed out by economists that incentives are the key to a lot of behaviour. They argue that, if incentives are aligned, positive results happen, and if misaligned, damage is done. This tradition goes a long way back in economics tradition, and has been recently highlighted to the Internet security community by Prof. Ross Anderson and others, who point out that the incentives are not aligned in information security.

The point in Information Technology is that a supplier provides the service, but disclaims the liability. The nature of this service might range from Microsoft's Windows operating system to banks' online interfaces, to Mozilla's browser to the vast behemoth known as the credit system. In each case, there are security ramifications to the service which are all passed on to the user. However, as the user is generally in no position to fix or even understand the security ramifications, we have an incentives clash.

The classical (liberal?) cry is that we need new laws to shift the liability back to supplier. The economic argument against that is simple: firstly, we have no clear picture of the efficient way to deal with the liability, and secondly, passing a law is almost always going to make matters less clear. So it will probably be wrong.

Now switch across to the breaches debate. Breaches in the US roll on, and sometimes even jump through the immigration barrier to the UK and other places. That's old news, but what is not is that the legal fraternity are now in on the act, and ready to file class action suits:

In a likely precursor of what's to come, a Philadelphia law firm and an attorney in Maine have filed class-action lawsuits against Hannaford Bros. Co., the Scarborough, Maine-based supermarket chain that this week disclosed a data security breach involving the potential compromise of 4.2 million credit and debit cards.

Philadelphia-based Berger & Montague PC filed its lawsuit yesterday in U.S. District Court in Maine. A similar suit was filed Tuesday by Bangor, Maine-based attorney Samuel Lanham Jr. on behalf of Hannaford customers in all of the states where the grocer does business.

In a class action suit, one suit is filed and all victims join it on one side. The judgement is then awarded and shared out (with a hefty percentage going to the attorneys). You could criticise the concept on several ground: the lawyers always win, the payouts are often small to each individual, the cases take a long time, the smaller company is blown away by them, there are easy ways to game the payout... etc etc, but from an economics perspective it is also evident that the class action suit achieves a switch in incentives.

Before now, the supplier of online banking, or merchant retailing, or Internet software was untouchable in any big sense for security issues. This was the point of the incentives commentators, in that there was no incentives alignment. (I went even further in the market for silver bullets by showing how incentives are negatively aligned. Because of the silver bullets effect, the big player is incentivized to deliberately avoid the much bigger extraordinary costs -- fingerpointing -- while absorbing all small, direct losses without noticing. This means that the big player was incentivized to avoid dealing with security, and thus was generally incentivized to make matters worse for the individual.)

Now, some large lump of incentives for security has switched across to the supplier. Now, at a minimum, there is the threat of a class action suit. Indeed, it is now a validated threat, as we can see the clarity, the presence and the danger (for retailers at least). At the maximum, there may be an actual judgement at the end of actual filed suit, something that is less likely and more tangible than a threat. Hence, it is now possible to calculate the expected value (loss) from the class action activity.

If, then, the silver bullet economics are shifted to the point where these direct security costs are now more important than the indirect fingerpointing costs, we might also hope that incentives have shifted sufficiently to bring security costs to the user back onto the agenda for the supplier. If we achieve that, then we'll have achieved a good thing.

Which also brings us to another conclusion about the market for security: we don't need any new laws, as the class action system may be sufficient. Well, that's not entirely true. What we do need is this:

1. a breach disclosure law (as SB1386 has been credited with opening the floodgates of breach information), and

2. a mechanism to shift the newly-surfaced incentives, such as the class action system.

It cannot be stressed enough that SB1386 was *necessary* to change the balance. It wasn't however sufficient, for that we still need to allocate the liability more directly. In the presence of class action threats, no more may be needed, and especially, new liability laws will be damaging because they will not only be too limiting in their understanding, they are likely to damage the (free market) emergence of the class action mechanism.

When do we find out if class action is enough? I first predicted this path many years back with respect to phishing, and eventually gave up waiting. So it is also fair to say that we need one more component:

3. Time. Patience.

Not something I (nor politicians nor blog writers nor security sellers) are well-endowed with, apparently, but it seems the market has sufficient endowments of it.

Posted by iang at March 24, 2008 10:32 AM | TrackBack

we had been been brought in to help word smith the cal. state electronic signature legislation (and later the federal legislation) ... some past posts

many of the parties involved were also active in the breach notification as well as the opt in/out legislative activity ... basically stuff swirling around "privacy". Some of the players had done detailed consumer surveys and found that for the most part, the privacy issue was

1) identity theft ... at the time mostly account fraud ... i.e. skimming/harvesting account numbers and performing fraudulent transactions

2) denial of service ... aka gov., commercial, private, public, etc institutions using personal information to the detriment of the individual.

much of the account fraud was coming from breaches of various kinds ... and this information wasn't being publicized ... and so the actual source of the problem wasn't being addressed ... which led to the requirement for breach notification legislation.

we didn't actually participate directly in any of the legislative activity with respect to these other efforts ... other than pointing out that the x9.59 financial standards work

had eliminated breaches as an account fraud threat/vulnerability. somewhat related post over in digital money blog Price point

however, later we were co-author of the x9.99 financial privacy standard ... and had to spend some amount of time looking at GLBA (with respect to opt-out notification requirement), HIPAA, EU-DPD, OECD, etc ... reference here to work on merged taxonomy and glossaries ... including one for privacy in support of the x9.99 work

these days GLBA is getting a lot more press ... not for its opt-out/privacy... but for its repeal of glass-steagall.

Posted by: Lynn Wheeler at March 24, 2008 12:35 PM

re: Liability for breaches: do we need new laws?

a little x-over Has Banking Industry Overlooked Its Biggest Breach Ever?


Has Banking Industry Overlooked Its Biggest Breach Ever?

from above:

Way back in July, law enforcement agencies issued a press release stating that they had indicted a former employee at Compass Bank for stealing information from the company. It now appears that the theft might be the biggest breach in banking history.

According to the privacy site, new details about the case against former Compass employee James Kevin Real indicate that approximately 1 million customers' personal information may have been exposed in the incident.

... snip ...

Posted by: Lynn Wheeler at March 25, 2008 08:00 AM

recent book reference:

You won't guess who's the bad guy of ID theft
You won't guess who's the bad guy of ID theft

and comment You won't guess who's the bad guy of ID theft

Posted by: Lynn Wheeler at April 14, 2008 07:32 AM
Post a comment

Remember personal info?

Hit preview to see your comment as it would be displayed.