An article in the aforementioned JIBC, "Security as a legal obligation" by Edwin Jacobs, examines the current security crisis from the perspective of bonus pater familias, the civil-law reasonable-person standard. This legal doctrine has it that we should ask: what would the good citizen do in this case?
What can reasonably be expected of all the actors here, assuming they were good citizens? As I argued in a recent blog entry concerning online account fraud (a.k.a. phishing), you can't blame any one party totally, and if you put all the cost on one party and none of the responsibility on the other parties, then we give rise to moral hazard. That's the economics notion that a party fully insured against a loss takes less care to avoid it, and so incurs it more often.
The current situation in most western countries is, in simple terms, that if a transaction was not authorised by the account owner, then the financial institution carries the risk. This is by no means cut and dried, but when push comes to shove, that's what gets written down in the laws.
Does that mean that the FIs are already on the hook for all of phishing, identity fraud and the like? By no means, as the greater part of the cost of any online fraud seems to fall on the individual's identity rather than on the money. Although the estimated heist is about $1000, I've also seen estimates of 100 hours of time lost by the victim. If your time is worth more than $10 per hour, then you are now more concerned about the waste of your life than about the money; and another statistic has it that one in four never recover completely from the situation.
So we already have risk sharing in place. Which isn't to say that it's a nice way to live and do business, but it is at least a clearly demarcated sharing arrangement: FIs pick up the tab for the money, but your identity is your own problem.
Where we go from here is that if there is to be any adjustment to this current risk sharing between the FIs and their users, then it has to be a better risk sharing. That is, not only does it need to account better for the economics of repairing the damage, it also has to be as easily measurable as the current arrangement. That's a tall order, and my hat is off to anyone who can do it.
Jacobs takes Sarbanes-Oxley to task by pointing out that not only are there already many laws in Europe that cover these points (and he works through some of them), but both providers and customers have a general duty of care. Obviously in the current environment there is no lack of examples of failure to follow this guideline, so the question arises: how is it that the principle has failed to save us in this case?

3.1. The concept of general duty of care

The presence of specific legislation related to security and risk management should not make us forget that every person (so also customers of online services!) and every company have a general duty of care. If the lack of appropriate security measures leads to damages for third parties, the liability of the company which omitted to apply best practices in this field (and hence to behave as the 'bonus pater familias') will automatically be involved. Contrary to the specific legal security obligations described above in the specific laws, the general liability can to a certain extent be reduced by liability disclaimers that have to be carefully drafted.
(My emphasis.) If one were to cast the models stereotypically as European above and American as the alternative, we could ascribe his last comment as the reason for the failure: general liability and a duty of care have been widely written out by liability disclaimers in the American model. This is no light thing, as the history of the credit card shows. When banks were aggressively marketing their cards in the mad ramp-up to saturation, it was common to send cards to people who hadn't asked for them, and to stick them with the fraud bills. This blatant act on the part of the banks resulted in the consumer-protection rules (for credit cards, the 1970 Truth in Lending amendments and Regulation Z, which banned unsolicited cards and capped the cardholder's liability at $50; Regulation E later did the same for electronic fund transfers) that made the banks liable for nearly all of any transaction not authorised, thus switching the bulk of the risk from the consumer to the bank. At least until identity fraud took off.
It would seem simplicity itself to write to our congresspersons and demand that they write liability back in again. "Dammit!" But I fear it isn't so easy, and it may very well be that Reg E recognises bonus american pater est mortuus. The counterbalance to this dramatic accusation is that the ecommerce revolution happened in the US and only to a lesser extent in Europe. If we looked at all the startups and IPOs, we should expect to find a massive difference, perhaps as much as an order of magnitude.
Which means that the value was created in the US and then exported by copycats to other far-flung dominions of capitalism. All of which goes to show that making a claim for bonus pater familias against the widespread disclaiming of same by contract is not easy: either we need to show that the disclaiming culture merely correlates with, rather than caused, the dotcom boom, or the pundits of bonus pater familias need to find something that counterbalances the 'economic miracle' argument.
Jacobs' article (and blog) is worth reading if you are trying to make sense of ChoicePoint, phishing, viruses and keyloggers, and the madness known as Sarbanes-Oxley. I don't think it answers everything, but it does offer a perspective on why the crisis in security and governance is primarily American and not elsewhere.
Posted by iang at October 10, 2005 09:13 AM

There are no guiding ethical standards; the group that pays the most to government gets washed of the liability. Even worse, they hire lawyers to write contracts that no one reads, which free them from claims. All this goes on as serious people address the real problem of insecure systems with the belief that a real-world demand is waiting.
We are all waiting to die from Avian Flu but it only becomes a reality when we contract the Flu, not when our neighbor contracts it.
Posted by: Jimbo at October 10, 2005 10:40 AM