Readers will be familiar with the explosive global growth in data theft and data leakage incidents. But they may be less familiar with the corresponding increase in multi-million-dollar lawsuits flowing from such incidents, as those who are burned in the fall-out from security breaches seek compensation from the courts to cover their losses.
This brings a significant additional dimension to the risks associated with information security breaches and provides a new imperative for the effective management of risk.
Addressing these legal risks will require an increased level of engagement between the CIO and corporate legal advisers. Bridges between the disciplines of law and IT will need to be built, and lawyers and CIOs will need to break out of their respective silos of expertise to develop a coordinated response.
This will not be easy. Close collaboration between the CIO and the lawyer tends to be the exception rather than the norm because they often have little or no understanding of the core concepts that underpin each other’s respective disciplines. However, if increased levels of shared understanding are not achieved, then the response of corporate Australia to a whole new landscape of legal risk will be substantially underdone or misdirected.
The TJX case should be regarded as an indicator of things to come.
The TJX case
The TJX case is a good place to start to develop an understanding of the types of legal actions that are now flowing from information security breaches. This litigation resulted in American retailer TJX paying around $US80 million in compensation following a hack in which 45 million credit cards were lost.
Before looking at the TJX case in more detail, let’s briefly deal with one furphy that might otherwise confuse the newcomer to this field. The TJX case occurred in the USA, and Massachusetts state law applied – isn’t Australian law different? The short answer is: not much, particularly in the areas of law that fell to be considered in TJX. If the facts of TJX were transposed to an Australian court, the applicable laws would be very similar. Both the Australian and the USA legal systems developed originally from British common law. While there are some local differences, there is a high level of commonality across the laws of all nations with an ‘anglo’ legal heritage.
The proceedings against TJX were brought by a group of ‘issuing’ banks — ones that issue credit cards to their customers. In essence, the banks’ case ran as follows:
- TJX had failed to maintain an appropriate level of information security;
- As a result, hackers were able to break into TJX’s systems and steal millions of credit and debit card records belonging to TJX’s customers;
- The hackers then sold those records on the internet, where they were purchased by fraudsters around the world;
- The fraudsters used the stolen records to commit numerous online transactions;
- The issuing banks were obliged to cover those fraudulent transactions on behalf of the innocent cardholders and were massively out of pocket as a result;
- The issuing banks were entitled to reimbursement of their losses from TJX, since those losses flowed from TJX’s inadequate security regime.
In legal terms, this translated into the following claims against TJX:
- Breach of contract
- Breach of the Massachusetts equivalent of section 52 of the Australian Trade Practices Act (the two pieces of legislation are very similar for practical purposes)
- Negligent misrepresentation — for all intents and purposes the same as breach of section 52.
Other subsequent cases where organisations are being sued for operating inadequate information security regimes, discussed below, were built on the same legal foundations.