Courting Cybersecurity

Posted January 20, 2015

Former D.H.S. First Assistant Secretary for Policy Says Threat of Tort Liability Won’t Force Companies to Improve Cybersecurity

What is tort liability anyway? In short, it’s the legal obligation of one party to a victim as a result of a civil wrong or injury. Okay, say a company, which for the sake of argument we’ll call Company A, has been breached because it did not have sufficient cybersecurity protections in place. Company A would then be liable for damages to customers whose private information was compromised as a result of the breach.

Now, we’ve gone through this rather lengthy explanation because tort liability is sometimes confused with torte liability, which is when a waiter trips over his shoelace and dumps the raspberry walnut torte you ordered in the lap of the client who didn’t want dessert in the first place because she had to catch a plane to meet her fiancé’s family for the first time. In this case the restaurant would not only be liable for the cleaning bill, but possibly for a new client.

In Stewart Baker’s piece on washingtonpost.com, he offers reasons why tort liability will likely not be the monetary catalyst that causes companies to improve cybersecurity. The following has been excerpted from his article and edited to fit our format. You may find the complete piece by clicking on this link.

The bark without bite

Government policymakers have been hoping for twenty years that companies will be driven to good cybersecurity by the threat of tort liability. That hope is understandable. Tort liability would allow government to get the benefit of regulating cybersecurity without taking heat for imposing restrictions directly on the digital economy.

What price compromised accounts?

Mandatory data breach notices have led, inevitably, to data breach class actions. And the class actions have led to settlements. And those freely negotiated deals set what might be called a market price for data breach liability, a price that can be used to decide how much money a company ought to spend on security.

Damages modest in terms of dollars

So, how much incentive for better security comes from the threat of data breach liability? Some, but not much. [The] actual damages from data breaches are pretty modest in dollar terms, and the pattern of losses makes it very hard to sustain a single class, something that forces up the cost of litigation for the plaintiffs.

Settlements unsettling argument for more cybersecurity

[Sony’s settlement was mostly in free game play. And courts have capped] the defendants’ total liability. [What’s] striking about the caps is how low a price these agreements set, especially on an individual basis, where $2.50 per victim looks to set the high end and 50 cents the low. Of course, to determine how much you spend annually to avoid that liability, a company would have to discount the settlement price by the probability of a breach in any given year. Even Sony doesn’t have a breach every year, so a probability adjustment cuts the value of avoiding liability to something between a half and a tenth. At those prices, I wouldn’t expect much change in corporate cybersecurity budgets.

What about the big boys?

[In] cases like Target and Home Depot[, banks sue] for the cost of reissuing credit cards. That’s a very different theory of liability mainly applicable to a limited number of big retailers. In the end I doubt that liabilities to issuing banks will drive much cybersecurity either, not because the claims are low — they’re more likely to be in the $50 per card range — but because establishing liability will not be all that easy and because things like tokenization will likely prove much cheaper than improving security.

ThreatMetrix
