Professional Standard of Responsibility for Data Security

The CEO of retail merchant Target lost his job owing in part to a data security breach. The Chief Information Officer lost his job too. Target is a turning point in the history of data breaches. It is changing the way enterprises approach data security.
Target breach is legal milestone
Lessons from Target

Insecurity Is a Fact of Life


To prevent data from leaking out is very hard – in fact, super hard – for an enterprise to achieve. To explain that point, journalist Quinn Norton publishes an article titled “Everything Is Broken.”  Although she speaks in terms I would not use (she says computers are “broken”; I say our expectations for computer security are unrealistic), I subscribe to her basic message: typical computers and software are inherently insecure. They are riddled with holes. They were not designed, they were not created, they are not deployed like M1 tanks.

Encryption Exemplifies Security's Unachievability

Take encryption. The public discussion about security often assumes that “encryption” is an achievable solution to much of the data security problem. But sustained use of encryption in a functioning enterprise – or by a reasonably careful individual – is a nightmare that is rarely acknowledged. To quote Norton: “Managing all the encryption and decryption keys you need to keep your data safe across multiple devices, sites, and accounts is theoretically possible, in the same way performing an appendectomy on yourself is theoretically possible.”

She goes on to explain that so often encryption programs can be circumvented because – for example -- they sit on top of code written in the C programming language, which is often written by sloppy developers who fail to use secure coding practices. Secure coding in C requires a lot of discipline. According to knowledgeable expert, "C is unforgiving if you are lax in secure coding practices."

An example of a C programming vulnerability is the catastrophic Heartbleed bug that attracted so much attention when news of it broke April 2014. Security guru Bruce Schneier said that on a scale of 1 to 10, Heatbleed is an 11 in its magnitude!

Think about Schneier’s comment from a public policy perspective. Heartbleed had been sitting out there for years, unknown to the community, as loophole in commercially-popular encryption (OpenSSL). But the public policy conversation assumes “encryption” is good, practical, achievable.

Norton argues there are more Heartbleeds out there; the community just hasn’t identified them yet.

Another recent controversy demonstrates how impractical encryption can be. For years, many smart people have relied on TrueCrypt to encrypt records. Then suddenly TrueCrypt's developers announced the program is insecure and everything encrypted with it needs to be re-encrypted with something else. Even though the community is debating whether TrueCrypt is in fact insecure, the controversy compounds the nightmare for many enterprises that in good faith have devoted resources to encryption.

When we consider encryption as solution, we must acknowledge that the practical application of encryption is destined to fall short.

Breaches Are Normal


In data security, everyone makes mistakes, even the best experts. RSA itself – the gold standard among infosec vendors – suffered a major security breach in 2011. Hackers used spear phishing against RSA employees to compromise the company’s SecurID authentication tokens. (csoonline.com “The 15 worst data security breaches of the 21st Century,” February 15, 2012)

What about the National Security Agency? It is reputed to employ the best computer security team in the world. It devotes a massive budget to computer security. But it suffered a cataclysmic breach. Edward Snowden stole the NSA blind.

No one is immune to data security breaches, even when they have very qualified people working for them and they devote tremendous resources to the problem.

Data security is a highly adversarial contest, similar to high-stakes litigation. The enterprise faces very smart, capable and persistent adversaries, like Mr. Snowden or like talented opposing counsel.

Losing the data security contest is normal, just as losing a lawsuit is normal and losing a football game is normal.

CISO Emerges as a Peer to General Counsel


It is in this harsh, unpredictable environment that enterprises like Target must manage sensitive data like payment cards and healthcare records.

For an enterprise, managing data security has become like managing legal rights and liability. The enterprise will never get close to perfection. It will never know whether it made all the correct decisions. But it can devote professional attention to the problem.

Historically the infosec team at the enterprise was composed of technical staff under direction of the Chief Information Officer. Infosec guys often complained that their guidance did not get the needed respect. They’ve had a reputation for writing long, highly prescriptive security policies that say this “will” be done and that “must” be installed. Even though their policies often would not be followed, they felt it necessary to use unrealistic, compulsory policy language just to be heard. They spoke in simplistic, black and white terms.

The historical practice out of the infosec team is markedly different from the practice out of general counsel’s office.  Business lawyers eschew directives like you "must" do this and you "will" do that.  Often such absolute mandates are too simplistic to address the challenges the enterprise faces. Rarely do lawyers say something like, “The enterprise must file this lawsuit because the enterprise is guaranteed to win a bunch of money in the lawsuit.”

But when lawyers talk, executives listen. Corporate lawyers are esteemed, pretty-well paid professionals. General counsel is an executive.

Though lawyers can speak in soft tones, their “advice” and “recommendations” carry weight. Their advice and recommendations are perceived as having serious impact, even if the advice and recommendations are not always followed or not perfectly followed.

Seeking Higher-Caliber Security Advice


The world is changing. Target is rumored to be shopping for a Chief Information Security Officer who will not be a subordinate of the CIO.  Rather, the CISO will be a peer of the CIO. According to Business Insider, this elevation of the CISO (and therefore the elevation of the infosec team) is an emerging trend among enterprises. “This Week In Payments News: Target Undecided On Who Will Be In Charge Of Stopping Hackers,” May 25, 2014.

Here is my interpretation of the trend: Management of data security has become mission critical for the modern enterprise. But management of security involves tradeoffs and unknowns akin to those applicable to the management of legal rights and liability.

The modern enterprise seeks sage leadership on data security. The enterprise will never achieve perfection; it will never know whether its decisions were the best. But the enterprise wants to get the kind of guidance from its security staff that it gets from its legal staff.

The implication is that the modern enterprise is seeking sharper, better-qualified security staff, and it is willing to pay higher salaries to get it. The modern enterprise is in the hunt for a more professional infosec team, lead by an executive-level CISO.

Legal Motivations for Professional Attention


When a patient visits a doctor, there is no guarantee the patient will get well. When a client retains a lawyer, there is no guarantee the client will win its lawsuit or achieve a desirable legal outcome.

The risk of an unhappy outcome is recognized in professional malpractice law.

So long as the doctor or lawyer exercises diligence and care, the professional is not liable for malpractice, even though the outcome is undesirable. Law motivates the professional to work and even be creative and take educated risks, but it recognizes that the task at hand can be unwinnable. It leaves much room for imperfection, mistakes in judgment and plain old bad luck.

I argue similar motivation should apply to data security in an enterprise. The enterprise should be motivated to seek qualified security expertise. But very commonly a diligent application of that expertise will fail to a greater or lesser degree. Qualified people will make mistakes. The possibilities for error and surprise are infinite.

Moreover, data leakage is like a serious disease. Often it is simply not curable. Law should motivate good work, but it should not punish a failure to cure.

Hence I argue that the law of data security should not hold an enterprise liable for a data leak if the enterprise meaningfully employs qualified staff.

I don’t anticipate infosec staff will be licensed like doctors or lawyers anytime soon. But I do think law can recognize the difference between qualified, vigilant staff and the absence of the same. And the law should recognize that even with qualified, vigilant staff, bad outcomes are normal, par for the course.

==
By: Benjamin Wright, attorney and teacher of Law of Data Security and Investigations at the SANS Institute.

Update:

Target's new CISO will report to the CIO. However, I'll bet that the new CISO will be treated as a trusted professional whose recommendations are given weight.

Related:

1. Floods of data breach notices

2.  Putting a Professional Standard of Care into Infosec Practice