The recent Playstation Network security breach has got me thinking about this again; it’s been a concern for me for a while.
I work for a large company that you’ve all probably heard of. We have hundreds of disparate websites, many of which require (or at least encourage) registration. Security of users is treated somewhat cavalierly; some sites store passwords as hashes, some encrypt them, still others, believe it or not, store them in cleartext. I maintain that none of this is safe; even a hashed password may be subject to a dictionary attack. Due to poor coding practice, we’ve even had several SQL injection attacks, although as far as I know nobody’s had their identity stolen. We also have a large number of offshore consultants whose background is unknown (at least by us; we have no involvement in the hiring process), many of whom have unrestricted access to the data (or at least a copy of the data).
Unfortunately, all of this stuff is outside of my control. I’d like to have a discussion with people who CAN control it, but I’d first like to determine if we’d be legally and/or financially liable if users’ email addresses and passwords were stolen (forgetting about the massive inconvenience of our users for the moment; potential monetary loss always makes people pay attention). I don’t know if this particular legal claim has ever been attempted, which is why I placed this question in GD rather than GQ. Assuming a user was able to demonstrate that my company did not take all appropriate efforts to protect its users’ data (and from what I’ve said so far, I think they wouldn’t have much of a problem), could a case reasonably be made and a judgment ruled against us?
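The OP’s point that even a hashed password can fall to a dictionary attack, as an added Python example that is not part of this thread: an unsalted fast hash (what many “we hash it” sites actually do) next to a per-user salted, deliberately slow PBKDF2 store from the standard library. The wordlist, function names and iteration count are constructed for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed sample wordlist of common passwords (not a real list).
COMMON_PASSWORDS = ["password", "123456", "letmein", "qwerty", "hunter2"]
ITERATIONS = 600_000  # assumed PBKDF2 work factor; tune to your hardware


def unsalted_sha256(password: str) -> str:
    """Fast, unsalted hash: one hash per guess covers every user at once."""
    return hashlib.sha256(password.encode()).hexdigest()


def dictionary_lookup(stored_hash: str, wordlist) -> Optional[str]:
    """Defender's audit check: does a stored unsalted hash equal the hash of
    any common password? Because there is no salt, the same small table of
    precomputed hashes works against the entire user database."""
    table = {unsalted_sha256(w): w for w in wordlist}
    return table.get(stored_hash)


def store_password(password: str) -> Tuple[bytes, bytes]:
    """Salted, slow KDF. A random 16-byte salt per user means a precomputed
    table cannot be reused across accounts, and the iteration count makes
    each individual guess expensive for an attacker who has the table."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt; constant-time compare avoids leaking
    how many leading bytes matched."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def salted_store_is_reusable(password: str) -> bool:
    """Two users with the same password get different stored digests, so a
    match for one account tells the attacker nothing about the other."""
    _, d1 = store_password(password)
    _, d2 = store_password(password)
    return d1 == d2
```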
One thing you did not mention is the type of data which in this hypothetical situation would have been subject to a breach. Plenty of sites do not store really vital data such as SSNs, credit card numbers, etc.; these sites would be less liable for a data breach.
I found a short YouTube video discussing data breach liability from last year: HB Litigation conferences. Part two was more interesting IMO; it is the top related video listed on the page I linked.
Also Running with Scissors, check your inbox I sent you a PM.
It depends. Make friends with your legal counsel. The law usually starts with personally identifiable information (PII) - or if you do any kind of credit card processing, you have to worry about payment card industry regulations.
Beyond that, there are other types of losses to worry about like reputation - harder to quantify, but it could mean a lot of money depending on your industry.
But does it sit on the same network as the stuff that isn’t so well protected? The industry talks about the cardholder data environment - not just the server that the info sits on. If the cardholder data isn’t segmented by VPN/firewalls or whatever else, having it encrypted on a box that’s laying in a cesspool isn’t really going to work out in the long run. And if your cardholder data gets compromised, you’re in a world of hurt with your banks and credit card companies - they’d impose some nasty fines if something ever happened.
Check your state’s secretary of state website for potential regulations. Also here for the PCI stuff.
Getting back to the OP - follow the Epsilon breach for simple email address compromise. The other thing you have to be worried about, as I said, is reputation - and collateral damage. Once one system gets breached, they’ll likely move laterally through the infrastructure, gaining access wherever they can - an embarrassing website compromise could turn into something way more serious if things aren’t set up properly.
I think it’s going to depend on the nature of the data stored.
My CompTIA Security+ book mentions this on the subject:
Personal data, including SSNs, credit card numbers, and medical information, is required to be protected by Federal and State laws.
Gramm-Leach-Bliley Act (financial institutions and info, consent/opt-out methods mentioned), Sarbanes-Oxley Act (mandating auditing/tracking controls to be installed in regards to protected info), HIPAA (medical info) all contribute something to information security.
The Electronic Communications Privacy Act (modified several times since 1986) covers Emails (and mandates the warning banner you see when use of a device = consent to monitoring).
Older laws are considered to extend to digital data. Example: Student records are protected under the Family Education Records and Privacy Act of 1974.
On the state level, my book mentions California Senate Bill 1386, mandating that people must be notified when their PII is lost or disclosed.
These protections are also not just trying to prevent intruders from gaining the data, but also regulate the sharing of the data by the collecting agency.
Note: that is not meant to be a comprehensive list. Non-US laws may add more layers of complications.