The Economics of Cybersecurity: Breach & Liability Rules

The Economics of Cybersecurity: Breach & Liability Rules

The Economics of Cybersecurity: Breach & Liability Rules Peter Swire Holder Chair of Law & Ethics Atlanta Federal Reserve March 21, 2018 Overview Swire background Cybersecurity: the economics of breach & liability rules Torts and efficiency rule for negligent harm to others Economics of data breach

Tort liability for defects in software FTC enforcement for unfairly bad computer systems Some reasons for optimism But, for Internet of Things, more reason for pessimism Peter Swire Background As law professor, taught Banking Regulation (1990s), switched to Internet law (1993) President Clintons Chief Counselor for Privacy WH coordinator HIPAA medical privacy rule WH representative for GLBA privacy rules Law of cybersecurity (2003)

National Economic Council (2009-10) Larry Summers, Raphael Bostic President Obamas NSA Review Group (2013) Georgia Tech (2013) Scheller College of Business; Computing, Public Policy Institute for Information Security & Privacy Senior Counsel, Alston & Bird December 2013: The Situation Room Part I: Efficiency, Negligence, and Torts Economics of tort law

Negligence and the Hand test 1947 Carroll Towing case, Judge Learned Hand Breach of duty of care if PL>B, where (Probability of loss) * (magnitude of Loss) > Burden Example: 10% chance of $1 million loss, so negligent if spend less than $100,000 to prevent the harm Posner: efficient to make defendant pay if flunks the Hand test Economic arguments for more or less liability than the Hand test More liability: Calabresi: Products liability, where manufacturers have

knowledge & control the risk Strict liability for defects because the manufacturer is the least cost avoider of the risk and consumers cant protect themselves from defectively-made automobiles Less liability: Tort reform proponents such as Peter Huber Institutional inefficiencies > theoretical efficiencies E.g., class actions, runaway juries, biased expert witnesses Conclusion: less liability than the Hand test because the system overly punishes the defendants, make goods more expensive, and punishes innovation

For Todays Discussion on Economics of Cybersecurity Scope: software flaws and badly protected computer systems Assess using the Hand test are cost-effective precautions being taken? For Calabresi approach: to date, these have not been doctrinally treated by the law as products liability, with strict liability these are services For Huber approach: I believe at least some of the tort reformer critiques are over-stated, with consequent risk of too few protections

Part II: Data Breaches and Market Failure Basic idea: mis-aligned incentives for the company that holds a large database of information about consumers Hand test: should prevent if (probability) * (magnitude of loss) > burden of precaution For the consumers, large potential loss (identity theft, theft from bank accounts) For the company itself, little direct harm and take few precautions, especially if consumers dont learn about the breach Result is market failure, where socially optimal level of precaution is higher than the companys optimal level of precaution

The Tort System and Data Breaches To date, the U.S. tort system has often prevented consumers from suing for breach: Courts have been reluctant to make defendants pay for noneconomic injury (fear of identity theft) Courts have been reluctant to certify class actions, saying the facts vary too much among the individual claimants Courts have been more positive, though, for bank plaintiffs, who can sue for the actual costs of replacing credit cards. Economic analysis: tort claims alone create inefficiently low level of precautions, because companies dont have incentives to take precautions to protect consumers

Data Breach Laws May Help with Efficiency Data breach laws started in California about 2003, now in almost every state: mail notices of breach, where SSN or other key data is lost Critique about notices mailed to individuals Notice mailed to individuals if a breach, but individuals dont know how to react to these notices On more positive note: Notices prevent companies from hiding the breach; improve market pressures for the company to take efficient precautions to protect its brand

Costs of mailing ~ cost of paying tort liability for lack of precaution Organizational pressure for better cybersecurity C-suite becomes aware of data breach Increases cybersecurity precautions/budget so it doesnt happen again (2) Tort Liability for Defective Software Part I: Data breaches (vulnerable systems) have not been solved by tort law Partial adjustment to get efficiency with breach notification laws

What about liability for defective software? To date, major barriers to plaintiffs who claim insufficient precautions in the creation of software Software liability and barriers to plaintiffs under tort law Elements of tort claim: duty, breach, causation, damages Duty: terms of service say no duty for harms caused by software Courts have not invalidated these TOS, so no duty Breach: did software company use reasonable care (take reasonable precautions) in writing software? Even well-written software has numerous flaws the mere

fact of a flaw does not show lack of reasonable precautions Barriers to tort liability for software Causation: Intervening acts of third parties the hackers criminal act caused the crime, not the software Lack of proximate cause for worldwide software problems Appropriate for 400 million Windows 10 users to sue for a small flaw in one line of software? If a negligent fire burns down the city of Chicago, dont hold the slightly negligent person liable for all of that Damages:

Economic loss doctrine tort claims usually require physical or other physical injury, and not mere economic loss Economic loss covered by contract law and warranties When torts will succeed for bad software My view is that software providers will start to lose when physical injuries occur, such as when an autonomous vehicle hits a pedestrian Terms of service the pedestrian did not agree to those Breach looks like a defect under products liability (car) rather than a negligent service Causation:

No intervening hacker/criminal Proximate cause is easier: 1 person hit by car, not 400 million software users Damages: physical injury rather than mere economic loss Part 3: FTC and unfair/unreasonable security practices To recap: Likely to have inefficiently low precautions in computer systems of barriers to tort claims for data breaches Likely to have inefficiently low precautions because difficult to sue for defective software

Federal Trade Commission Act, Section 5, with many cases claiming unfair and deceptive trade practices Wyndham Hotels case: FTC claimed: data stored in plain text (unencrypted); no firewall; weak passwords; and failure to remedy known security flaws Case settled with 20-year comprehensive cybersecurity plan for the company Does FTC Sec. 5 Improve Efficiency in Cybersecurity? Pro: tort system leads to inefficiently low precautions for systems (data breach) and software, so increase precautions using Sec. 5

Con: National Technology Security Coalition is Chief Information Security Officer (CISO) policy group, HQ in Atlanta Concerns that standards under Section 5 are vague, and enforcement is unpredictable by the FTC Programmers dont know how to code for fair or unfair practices Possible path forward: for technically complex areas, reduce uncertainty by pointing to standards/norms NIST Cybersecurity Framework, PCI-DSS, and other standards are becoming much more widely adopted, with greater specificity than previously for good practices

Conclusion Part 1 Reasons to believe we are getting inefficiently low precautions for cybersecurity Some reasons for optimism: Data breach laws help address weaknesses in computer systems Market forces have pushed some software toward better cybersecurity FTC (and state law) unfair and deceptive laws, when they incorporate standards, may push large system owners toward efficient precautions

Coda: Internet of Things Cybersecurity Pessimism for Internet of Things Billions of devices in coming years Few incentives for security in $25 or $250 consumer device where consumers have little ability to gauge cybersecurity When have flaws, little or no patching When the manufacturer goes out of business, no customer support Here is what the graph looks like -- Efficient solutions for IoT? For this emerging challenge, currently have big reasons for pessimism

Big corporations can develop procurement and management policies to mitigate the risk from IoT For consumers, be more cautious in using smart devices than most people have realized yet Goal is to speed up the societal learning curve of how to do cybersecurity in a world of pervasive, connected devices My apologies for ending on this pessimistic note, but these conclusions on IoT are widely shared among security researchers so we should focus more attention there Thank you

Recently Viewed Presentations

  • A Thousand Acres: - Kenton Elementary School

    A Thousand Acres: - Kenton Elementary School

    A Thousand Acres: King Lear in a Cornfield "A family portrait that is also a near-epic investigation into the broad landscape, the thousand dark acres of the human heart. . . . The book has all the stark brutality of...
  • CMA HQ Briefing Template - NRT

    CMA HQ Briefing Template - NRT

    Bruce Young October 2016. Argonne National Laboratory. 630-252-7097. [email protected] Regulatory Structure/Complexity driving Army OSC Course. Course Purpose and Scope. Instructional Staff. Students. Course Development . Current Modules.
  • Using the Visual Valet Model to Develop a Biblical Perspective

    Using the Visual Valet Model to Develop a Biblical Perspective

    Visual Valet, Harold Klassen, transformingteachers.org. Unless I am continually developing a more distinctively Christian way of thinking and teaching, I cannot blame the system in which I teach for hindering me. If I am personally overflowing with new insights which...
  • The Community Investment Tax Credit Community Development Innovation

    The Community Investment Tax Credit Community Development Innovation

    CDC: Theory of Change. From 2004 to 2015, MACDC Members have: Invested $4.3 billion in the Mass economy. Supported 473,304 families. Built or preserved 16,525 homes. Created or preserved 37,408 jobs. Helped 18,595 small business owners and entrepreneurs.
  • Distribution Committee - OWWA

    Distribution Committee - OWWA

    Chair's Report GOOD WORK EVERYONE!!!!! Source Water Protection Committee Committee Members Tim Lotimer Nick Benkovich Peter Busatto Eric Hodgins Mike Price Terry Spiers Mark Schiller Roland Welker Focus Issues related to the protection of ground and surface source water Provided...
  • CroninW_TB Epi_Genotyping_TBESC_2016

    CroninW_TB Epi_Genotyping_TBESC_2016

    Source: Population Action International. Have germs, will travel… Migrating . populations. TB Annual Update, March 22, 2016. This map show the travel has increased 4 fold from the 60s and 70s and note the heaviest arrows - most frequent paths...
  • IBM Security - RAMEC

    IBM Security - RAMEC

    This progression was formalized in 2012 with the creation of the IBM Security Systems Division that brought the multiple solutions together to increase the focus and help drive long term strategy for the organization. In 2015, IBM Security Systems Division...
  • Physical and Chemical Changes - Mr. Hoover's Science Classes

    Physical and Chemical Changes - Mr. Hoover's Science Classes

    Physical and Chemical Changes. Lesson 3. February 3rd, 2011. Physical Change. In a physical change, the substance involved remains the same (chemically). The substance may change form or state, however. ... WHMIS, HHPS, and MSDS labels provide information about what...