A recent class action lawsuit filed in South Carolina highlights evolving standards of care organizations now face with respect to protection of computer security and personal information privacy. Although the case is currently pending, it illustrates basic principles of computer system and information management now essential for all enterprises.
In 2012, a hacker penetrated the computer system of the South Carolina Department of Revenue. That breach compromised the income tax filings of approximately 3.6 million South Carolina individual taxpayers and 657,000 businesses, and the substantial personal information included in those filings was thus accessed by the hacker. It is also believed that thousands of credit card numbers were exposed as a result of the breach.
A class action lawsuit was filed on behalf of the individuals who may have had their personal information disclosed in the breach. The named defendants in the case include the Department of Revenue and the commercial company that provided the computer
The claims raised in the case include allegations of negligence by the defendants. Plaintiffs argue that the defendants did not exercise reasonable care with regard to the planning, operation, and maintenance of the computer security system and practices applied to protect the personal information processed by the system.
The case has important implications for all organizations that collect, store, distribute, or otherwise process proprietary or sensitive information using their computers and computer networks. It suggests that standards of reasonable care will be used to evaluate the appropriateness of computer security measures. Reasonable care in the context of computer network security is likely to include the following standards:
All organizations should create and document appropriate policies, practices, and procedures to foster secure computer operations and protection of sensitive information. Those requirements should be communicated effectively to all individuals who use the organization's computers through clear notice and thorough training programs. There should be clear and firm penalties applied to individuals who fail to comply with the security requirements. All policies, practices, and procedures should be updated regularly to accommodate changing circumstances, and they should address security of hardware, software, communications, databases, and online activities.
Computer security planning should include a comprehensive plan of action for use in the event of a security breach. That plan should include clear guidance regarding technical and operational actions to be applied to stop the breach and to minimize its impact. It should include operational instructions for cooperation with law enforcement authorities to address the breach. The plan should offer guidance as to the use of alternative computer and communications facilities until the system is secured. It should also include identification of all parties to be notified in the event of a breach, designation of an individual in the organization to be responsible for providing such notice, and instruction as to the content of all such notices. All remedial action plans should include periodic tests to ensure that they remain effective and to provide opportunities for plan enhancements and improvements.
Reasonable care in the context of computer security includes use of all commercially reasonable technical means available to secure computer hardware, software, databases, and online activities. Those technical measures include encryption software, firewalls to insulate closed networks from open ones, passwords, and secure browsers. They also include technical measures to secure mobile phones and other mobile computing devices. It is critically important that all technical security measures be updated regularly. As technical security options and capabilities increase and improve, the reasonable care standard will require organizations to continue to modify, enhance, and update their technical security measures to utilize those advances effectively.
Insurance coverage can provide a helpful component of an overall computer security strategy. Such coverage can be provided through riders specifically addressing computer security concerns to supplement existing business insurance policies. The coverage can also be provided through separate cyberinsurance specialty coverage directly addressing computer security risks.
Application of negligence theories to computer security operations places important continuing obligations on all organizations that use computers and communications to process sensitive information. Those organizations will be expected to develop and enforce appropriate policies and practices to reduce the likelihood of computer security breaches, limit the impact of any such breaches, and improve security practices by learning from breaches. The organizations will be required to use the best commercially reasonable technical measures available to foster secure computing environments, and to update the technology they use on a continuing basis to take full advantage of technological advances.
Craig Blakeley is an attorney with the law firm Alliance Law Group. For more than 25 years, he has provided counsel on the legal, regulatory, and public policy issues affecting the creation, distribution, and use of telecommunications, computer, and digital media technologies and services. Mr. Blakeley has written and lectured extensively on information technology law topics around the world, with publications on issues in law and technology including Global Information Technology Law, which discusses telecommunications, Internet, e-commerce and e-government, and intellectual property issues in 22 countries.
Jeffrey Matsuura is Of Counsel to Alliance Law Group. Mr. Matsuura previously served as Assistant Professor and Director of the Program in Law & Technology at the University of Dayton Law School in Dayton, Ohio. Mr. Matsuura has written and lectured extensively on information technology law topics around the world and is the author of numerous articles and books on issues related to law, policy, and technology including Global Information Technology Law. He previously served on the faculty of the University of Dayton School of Law, where he directed that institution's Program in Law and Technology, and as a research fellow at the University of Edinburgh and the Smithsonian Institution.