The Trade Practices Act
Section 52 of the Trade Practices Act (TPA) imposes a general and far-reaching obligation on Australian companies not to engage in conduct which is ‘misleading or deceptive’. This, and equivalent laws such as the Massachusetts statute invoked in the TJX case, are often interpreted ‘creatively’ by the courts.
In particular, courts frequently find ‘implied representations’, breach of which amount to misleading conduct within the meaning of section 52. The TJX case itself provides a good illustration of this.
The presiding judge in the TJX case ruled that, by taking credit and debit card payments, the company implicitly represented to other players in the financial services ecosystem that it would take reasonable care of customer credit and debit card records — which it failed to do. As a result, losses flowing from that failure were recoverable as damages.
In addition to this type of implied representation, many organisations now make explicit representations on their websites about their commitment to security and their privacy policies.
While these kinds of statements may create a warm feeling amongst prospective customers, they also create legal obligations. If you state on your website that your company “takes reasonable steps to protect all information from misuse, loss, unauthorised access, modification or disclosure” then you had better do just that: if you fail to live up to your claim and customers suffer loss or damage following a security breach, you will likely be in the gun for damages under the TPA.
What it all means
The TJX case should be regarded as an indicator of things to come. In the USA, numerous organisations are pursuing compensation lawsuits for losses suffered as a result of security breaches.
And there is nothing peculiarly ‘American’ about these cases. The legal platforms for the claims are virtually identical to those which would apply under Australian law. Given the global proliferation of data theft and data leakage, it can only be a matter of time — and a short time at that — before Australia starts to see these kinds of cases coming through the local courts.
Those interested in these developments should keep a particular eye out for the Countrywide case (an internal hack where 17 million customer records were allegedly stolen and sold on the black market), the Heartland case (similar facts to TJX, with settlement discussions currently around US$60 million), and the Register.Com. Inc. case (where an ISP allegedly fell victim to a classic social engineering attack with the result that a major commercial customer’s online store was unavailable for an extended period).
CIOs are not expected to be experts in law and lawyers are not expected to be experts on information security, but these developments make it increasingly important that between them, they understand the legal obligations arising from these new types of risks, and that appropriate responses are implemented to satisfy those obligations.
This is a whole new ballgame for both disciplines. It will require the inhabitants of each camp to move out of their comfort zones, never an easy thing to do. It’s game on; how will you go?
Nick Gifford is principal at IT law consultancy Gifford & Co. He is author of Information Security – Managing the Legal Risks, and has worked as a London-based barrister, corporate lawyer, risk and compliance manager. He can be contacted at email@example.com.