Time to create a TJ Hooper for information security and privacy?

A court case over tugboats, coal and maritime radio may hold the key to compelling companies to (finally) protect data

Ben Rothke on information security

T.J. Hooper was a precedent-setting tort case decided in 1932. While I'm not a lawyer, I have a good friend, Ron Coleman, Esq., who blogs about law issues, so a bit of jurisprudence has rubbed off on me. In Hooper, Judge Learned Hand held that an industry's customary practice does not by itself define the standard of reasonable care; the cost-benefit formula now called the calculus of negligence, or the Hand Test, came later from his 1947 opinion in United States v. Carroll Towing and rests on the same reasoning.

The specifics of the case are that two tugboats, one of which was the T.J. Hooper, were towing barges. During a storm, the barges sank and their cargoes were lost. The owners of the cargo sued the barge owners, who in turn sued the tugboat owners. They claimed that the tug operators were negligent because they had failed to equip their tugs with radios that would have warned them of the bad weather.

The tugboat companies defended under the prevailing-practice theory. They claimed that because no other tugboat operators in the area were using radios, going without one constituted the standard of care for the industry. Judge Hand found the tugboat companies liable because they had not used readily available technology, radio receivers, to listen for broadcast weather reports, even though the use of radios was not yet standard industry practice.


Hand astutely observed that "in most cases reasonable prudence is in fact common prudence, but strictly it is never its measure. A whole calling may have unduly lagged in the adoption of new and available devices. Courts must in the end say what is required. There are precautions so imperative that even their universal disregard will not excuse their omission."

As an information security professional, I have tried, along with others in the field, to get clients to be more serious about the need for security and privacy controls. In large part, we have succeeded. But there are still far too many weak links in the security chain. Many companies have a prevailing practice regarding information security: do only the bare minimum to get by. They do that while millions of consumer records are breached on a weekly basis.

It's early 2011 and, in spite of the abundance of security solutions available, companies often fail to devote the requisite staff and budget to information security and privacy needs. This is becoming an even more critical issue as web sites focus on personalizing the user's digital experience by aggregating personal data. As the value of this personal information increases, so does the potential for its misuse, and so do the consequences when it is misused.

This has directly resulted in hundreds of millions of personal records being breached in the last few years, much of it due to negligence in relation to security and privacy controls. Congress occasionally tries to do something, but a watered-down Gramm-Leach-Bliley Act, for example, did not effect the change needed.

Pragmatism showed itself when the PCI Security Standards Council created the Payment Card Industry Data Security Standard (PCI DSS). But rather than being embraced as something a long time in coming, a bad case of Stockholm syndrome took hold. Congressional hearings were held to determine why PCI had not stopped every merchant security issue, even though the DSS had been in force for only a few years at the time. Congress seemed to feel that PCI is the security equivalent of David Copperfield, and that it could magically make every security problem go away.

Have information security professionals failed or have the people they have been speaking to failed to listen? Perhaps the lawyers need to step in and create a Hooper-style case for information security and data protection to compel those companies to take security seriously.

Corporate America has long had more than an adequate supply of information security and privacy hardware and software tools available to prevent many of the most common security problems. That alone suffices to establish the "available devices" half of a calculus of negligence.

Common sense dictates that before deploying an Internet-based financial application, a company should have adequate security testing. Common sense also says that computer security for a 1,000-person bank can't be achieved with only two staff people.

But obviously, common sense won't give us security. Instead, I suggest that law and litigation can achieve what firewalls and encryption can't. Thirty years of strong public-key cryptography has not achieved for security what a single class action lawsuit can.

What is needed is a T.J. Hooper kind of case for Internet security. To date, companies have often dealt with the scores of pages of findings from a failed information security audit by ignoring them until the next audit and the next set of management. When the audits of myriad security professionals have been neglected, monetary judgments may be the only way to wake these companies from their security slumber.

Hackers from across the globe pounding on corporate networks, and thousands of data breaches, have failed to provide enough of a wake-up call about the myriad threats. The only viable wake-up call, it seems, must come from the legal side. When the risks of insecure networks turn into significant legal and financial risks, companies will finally understand and stop making ill-considered IT security decisions.

While regulations such as California SB 1386 often mean nothing more than sending out mea culpa letters to affected consumers, a Hooper case for information security could mean that, finally, companies would think twice before choosing insecurity.


It is incredible to think that the FAA can ground an entire aviation company for non-compliance with the minutiae of an airworthiness directive, yet companies such as Heartland and TJ Maxx can suffer major security breaches of tens of millions of consumer records, affecting millions of consumers, and be allowed to continue to operate "business as usual," or get by with a relatively small financial penalty.

The outcome of such a suit would be to ensure that companies are held fully liable for losses caused by their negligent network security practices. Such a suit would both deter future misconduct and ensure that new networks are deployed with an adequate level of security.

Can it be that a single litigation can achieve more for information security than a rack full of encryption hardware devices?

Ben Rothke CISSP, CISA (ben.rothke@usc-bt.com) is a Senior Security Consultant with BT Professional Services and the author of Computer Security: 20 Things Every Employee Should Know (McGraw-Hill).

Copyright © 2011 IDG Communications, Inc.
