InfoSec & Forensics Law: September 2007

Comparing AB 779 and HF 1758 (New Payment Card Data Laws)

California is ready to adopt new legislation regulating the management of credit card data by retail merchants. The legislature has passed Assembly Bill (AB) 779, the so-called Consumer Data Protection Act, and submitted it to the governor for signature. Proponents believe Governor Schwarzenegger will sign the legislation. [Update: He vetoed the bill. But this discussion is still relevant to those thinking about how data security law should and should not be written.]

Similar to Minnesota's HF 1758, AB 779 contemplates that a merchant will reimburse credit card issuers for costs they incur replacing cards after the merchant suffers a data security breach.

Under Minnesota's HF 1758, the reimbursement requirement only applies if the merchant commits the "transgression" of storing card security data or full magnetic stripe data longer than 48 hours after transactions are authorized.

Compare California’s AB 779. Under 779, the merchant can be excused from the reimbursement requirement if the merchant avoids certain "transgressions" such as storing full track data, storing payment verification codes, transmitting unencrypted payment data over the Internet and storing payment information without a proper data retention policy.

Hence, HF 1758 and AB 779 are similar in the way they impose liability. Both laws effectively say a merchant that suffers a data breach must reimburse card issuer costs if the merchant has committed any of the identified transgressions. Further, both laws require reimbursement even if the breach is unrelated to the transgressions.

In other words, this is what the literal words of the Minnesota and California legislatures seem to mean: If a merchant commits even one tiny transgression -- even one unconnected with any actual break-in -- then that merchant is ineligible to avoid liability for card replacement costs when a break-in does occur.

Analysis: This scheme for imposing liability does not seem fair or rational. It requires perfection. Few organizations can be perfect in avoiding the data security transgressions identified by the legislatures. But many organizations might do a reasonably good job of avoiding those transagressions. Yet the legislatures offer no reward for being reasonably good. They only reward perfection.

The Law of Anti-Forensics Tools

Computer Crime Evidence

Data Security at Risk

Sophisticated hackers use so-called anti-forensics tools to make break-ins harder to detect and harder to trace once they are detected. The tools wipe out data, change timestamps, misdirect audit trails and scramble network logs so no one can prove what happened or when. Observers have
speculated that anti-forensic tools helped the crooks who stole credit card data from TJX Companies.

In principle, a hacker's goal in using an anti-forensics tool is to avoid prosecution. Yet the outcome of a criminal case against the hacker may ironically be different from what he had in mind. If a hacker is caught using anti-forensics tools, it will be easier to prosecute him and impose stiff punishment. The use of such tools can, in itself, be evidence of his sinister intent.

Similarly, if a government official were to use anti-forensics tools to hide a misallocation of funds, his misdeed may appear more to be a crime and less a mere clerical mistake.

Historically prosecution of hackers has sometimes been hard if they did not clearly steal anything. The hackers garnered some sympathy by saying they were just snooping around and not trying to harm anyone. But if a hacker uses anti-forensics tools, any sympathy will evaporate. Use of the tools can show he was trying to cover his tracks.

The CSI Working Group on Web Security Research Law, Inaugural Report, June 11, 2007, suggests a key factor in a computer crime prosecution is whether the defendant tried to hide. It cites the computer crime prosecution of Eric McCarthy, who arguably was just an innocent researcher who found a vulnerability in a USC server. But instead of reporting his finding in a responsible way, he disclosed the vulnerability in a pseudonymous e-mail to the press. His effort to hide his identity contributed to the conclusion that he was guilty.

Endless E-Discovery & Digital Record Investigations

Electronic Data Forensics Meets Traffic Tickets

Subpoena for Cell Phone Text & Call History Records

Engadget reports that a motorist successfully stymied a drunk driving prosecution by demanding to see the source code for the breathalyzer used to determine he was drunk. This story is a specific example of a big phenomenon in our legal system, caused by technology.

Information technology begets ever-growing oceans of records (e-mail, text, SMS, cell phone, instant message, video/audio, meta data and more). Records are irresistible to a legal or automobile-insurance investigation. Any investigation naturally wants to delve into all the relevant records. The relevant records in a drunk driving case include even the source code of the breathalyzer used to determine the driver was drunk.

Click Here

In the old days the investigation of an automobile accident examined only physical and eyewitness evidence. Now, the investigation includes review of a vast new pool of evidence -- cell (mobile) phone records & call history, which may indicate whether a driver was talking, texting or web surfing on the phone at the time of the crash.

Investigations More Difficult

Net result: legal investigations and prosecutions grow ever more expensive and difficult to close. In any controversy, there are always more records to uncover, inspect and argue about. If you want to gum-up an investigation -- or legitimately shift its focus -- just subpoena or demand access to more relevant records. (But of course, any subpoena or other document demand should be rational and relevant to the investigation. A subpoena is a legal demand that someone turn over information or evidence. Commonly the laws of litigation enable a party to subpoena others for records. If a party abuses the power to subpoena, by demanding irrelevant records or by issuing a demand with no regard for the cost of compliance, a court may sanction the issuer of the subpoena.) Or employ computer forensics to search for all the deleted records or to find hidden connections among records.

Or, to further impede prosecutors, a defendant can allege that any incriminating electronic records are false because they were created by hacker or a virus. Such an allegation calls for deep forensic investigation. An Alabama CPA successfully employed the "virus defense" when tried for criminal tax evasion. Eugene Pitts persuaded a jury that the reason his tax returns were inaccurate this that a virus had infected his computer and the virus caused his tax preparation software to malfunction!

Corporate E-Discovery

In corporate lawsuits, e-mail records are so voluminous, and the e-discovery of them so expensive, that e-discovery becomes a litigation weapon in and of itself, where one party bullies another into settling just so it can avoid the costs of digging through mountains of e-mail. See, Chris Mondics, "Ediscovery profoundly changing lawyering: But some say rules for e-mail and other digital data don't serve justice," Philadelphia Inquirer, June 8, 2008.

To quote CSO Magazine: "Fraud investigators are struggling to cope with vast quantities of data sent to them by financial institutions, meaning some crimes may go uninvestigated or even unnoticed."

Update: When parents of girls with eating disorders sued a health insurer, the insurer demanded e-discovery access to the girls' massive blog, e-mail, social-networking and text message records (OMG!). The insurer said it was entitled to examine these records to ascertain whether the disorders were biological or psychological.

Please turn to my other post on e-discovery, in which I argue firms can employ technology creatively to transform e-records from a liability to an asset.

--Benjamin Wright, instructor at SANS Institute, teaching eDiscovery and eInvestigations Law.

Definition of Data Security Breach

When Has Privacy of Credit Card or Social Security Numbers been Compromised?

Security Incident Response and Information Protection Law

Many states now have data breach notification laws modeled on or inspired by California's SB 1386. Usually, under 1386, an enterprise holding private information (name plus social security number, driver’s license number or financial account number + password) in electronic form about a California resident must promptly notify the resident if the enterprise suspects a breach in security.

In all these data notification laws, a key issue is the definition of what constitutes a breach of data security. Just because a hacker accesses data related to a credit card account does not mean that the account has in fact been compromised (or, in the alternative, that the data has been compromised in any meaningful way). The credit card system features many layers of security beyond simply the purported confidentiality of a person's name + credit card number + card security code.

Thus a corporation holding data might detect that a hacker accessed card data, but still conclude (based on other controls in the industry) that none of the card data in question had in fact been "compromised". The other controls I speak of can include monitoring of card activity, telephoning cardholders to confirm transactions and much more.

Confusing and Unnecessary Notices

To send unnecessary breach
notice is unethical.

If a data owner is too quick to conclude that a minor slip in security constitutes a "data security breach", then the owner will senselessly waste money and confuse constituents by sending them unnecessary notices and providing them unwarranted credit protection services. Further, excessive conclusions that a breach has occurred can lead to credit cards being replaced so often that cardholders don't know which of the cards in their wallet is valid and which is not.

Crying WOLF

When the public hears too many announcements that data has been "BREACHED," it becomes like the villagers who grew insensitive to the boy's cries of "WOLF". For that reason, I argue enterprises are legally and ethically justified to expect that a reasonably high threshold be crossed before they send out notices of a "data security breach."

2013 Reform

I published most of the foregoing in 2007 and 2008. Fortunately, in 2013 a leading authority has reviewed this issue carefully and instituted reform. The U.S. Department of Health and Human Services now says that a breach notice is required only after a sophisticated risk assessment has determined a notice is justified. See my analysis of HHS's new regulation on data security breach notice.

--Benjamin Wright

Attorney Wright teaches the law of data security and investigations at the SANS Institute.

Update July 2008: Anton Chuvakin makes an interesting observation. If dataholders maintain good system logs, then in the event of a security breach they can examine the logs carefull to determine with precision which particular data files (if any) were compromised. That would allow them to notify only the people affected, rather then everyone on whom they hold data.

For more on this topic, see my other article on data security breach.

Update Summer 2008: See my analysis of a breach notification where data on stolen laptop are encrypted, and my examination of the definition of "private" data.

(Reminder: Nothing I publish is legal advice to anyone and not a substitute for advice from a lawyer.)

About

Benjamin Wright is an attorney in private practice. He teaches the Law of Data Security and Investigations for the SANS Institute. He is author of The Law of Electronic Commerce (published by Wolters Kluwer) and Business Law and Computer Security (published by SANS). He helps others navigate the law of data compliance, including privacy, e-commerce, e-discovery, cloud contracts, records management and cyber investigations.

He is spotlighted in the book The Devil Inside the Beltway for his uncommonly insightful advice to LabMD in its now famous information security law dispute.

Public Statements Are Not Legal Advice

None of Mr. Wright's public statements, such as remarks on blogs, twitter, youtube web pages, social media and the like, are guaranteed for accuracy or are legal advice for any particular situation. You use the ideas in those statements at your own risk. If you need legal advice, you should consult a lawyer.

Mr. Wright's blogs, updates, tweets, web comments, youtube videos, web courses and the like constitute part of the online update service for the book The Law of Electronic Commerce. Originally released 1991, and revised continually since then, the book is a reference for lawyers, published by Wolters Kluwer.

Mr. Wright does not have and never has had intention to infringe the rights of anyone. If any person has any information, suspicion or belief that Wright has done anything illegal or unethical, he asks that person promptly to telephone him at 1.214.403.6642. Promptness helps mitigate damage.

Any person accessing any of Mr. Wright's blogs, tweets, profiles, comments, web pages or other public activities or statements agrees not to use data from them in a way that is adverse to Wright's interests.

No Advertisement

Mr. Wright's public statements on blogs and the like are not intended to advertise or solicit legal services.

Mr. Wright does not have an attorney-client relationship with any person unless and until he and that person explicitly so agree. Interaction with Mr. Wright through public media does not create an attorney-client relationship. Communication with Mr. Wright via private message does not, in itself, create an attorney-client relationship.

Privacy/Security Vision

Some people provide Mr. Wright private information. Mr. Wright strives to treat such information reasonably according to the circumstances. People should have no more than reasonable expectations about information security. It is unreasonable to expect that the offices, computers, cell phones, brief cases, filing cabinets and online or other services used by Mr. Wright are very secure.

IMPORTANT Confidentiality Notice

Benjamin Wright is licensed as an attorney. Some of Mr. Wright's non-public records stored in the cloud are confidential and subject to protections associated with attorney work and communications. The laws of many countries recognize such protections. Mr. Wright insists that you recognize those protections with respect to his records and communication.

Relationships

The only person responsible for Mr. Wright's words is Mr. Wright.

Mr. Wright has earned money from some organizations he mentions online, such as Messaging Architects/Netmail, SANS Institute and LabMD.

Attribution

Some images, sounds and font output associated with Wright's work and comments are copyrighted by Corel Corporation or its licensors or partners like iStockphoto; they reserve all their rights. Some images are declared on wikimedia to be public domain. Mr. Wright strives to respect IP rights, but sometimes technology behaves in surprising ways. If you are an IP owner and you have a problem with something published by Mr. Wright, please telephone him promptly. Trademarks are property of their respective owners.

Dallas, Texas. Tel: +1.214.403.6642

InfoSec & Forensics Law