Securing third party data assets: Organisational liability. By Kevin van Tonder
An increasing number of organizations ('data controllers') are collecting, processing, analyzing and storing personal and sensitive commercial data belonging to third parties ('data subjects') for a variety of legitimate business reasons and objectives.
This third party data can be grouped into three main categories, namely:
1. corporate data;
2. customer / client / patient data; and
3. employee data.
Unauthorised access to such data could potentially result in harm to both the data subject and the data controller. Today, nearly anyone can attack a network due to the widespread availability of intrusion tools and exploitation scripts that can easily duplicate known methods of attack. The knowledge required of a novice intruder to copy and launch known methods of attack is therefore decreasing.
This, combined with the exponential growth of internet-based commercial transactions and the electronic storage of sensitive data, has cultivated a fertile environment for the unauthorized disclosure of sensitive and confidential commercial and private data, the transmission of destructive viruses and the theft of consumer information. Sophisticated information security architecture is now essential to any organization that values its data assets. Many organizations however still fail to put adequate security in place to protect their data assets.
In terms of South African law, the potential liability of a data controller towards a data subject could arise out of contract, delict or statute. Contractual liability is relatively straightforward, as the rights and duties of the parties to a written or oral agreement are regulated by the terms of that agreement and by a sophisticated and developed common law of contract. However, the waters become decidedly murkier when considering the potential delictual liability of a data controller.
Essentially, the delictual liability of a data controller towards a data subject for breaches in information security could be based on the actio legis Aquiliae, the actio iniuriarum or some form of faultless liability. This paper focuses on the potential delictual liability faced by organizations in South Africa vis-à-vis third parties in respect of information system security failures where data subjects have suffered:
1. sentimental loss suffered as a result of an iniuria - this loss could occur as a result of an invasion of privacy by intrusion; and/or
2. patrimonial loss suffered by a data subject without any physical damage being caused to the property of the data subject, so-called 'pure economic' loss - Leif Gamertsfelder, of the solicitor's firm 'Deacons' in Australia, provides an example where a procurement hub is owned and operated by an IT company that has a contract with a service company. This service company in turn contracts with four motor vehicle manufacturers who make use of the procurement hub as part of their just-in-time procurement process. The four manufacturers have no direct contractual relationship with the IT company. However, the IT company may be liable to the motor manufacturers in delict if the hub is hacked due to poor e-security, resulting in the destruction of vital data. As a result, the four manufacturers suffer huge losses due to a disruption in their just-in-time ordering process.
Although the suffering of patrimonial loss as a result of some or other physical damage to the property of a data subject (as a consequence of the failure of the information security system of the data controller) is possible, it is submitted that this will seldom occur and will be excluded from the ambit of this discussion.
Pure Economic Loss
In principle, in South African law the actio legis Aquiliae is available to claim damages for pure economic loss. The analysis of the potential delictual liability of data controllers for any pure economic loss will therefore be structured according to the elements that constitute a claim based on an Aquilian action in South African law. The elements of the Aquilian action that pose a problem as far as security failure claims are concerned are:
1. Wrongfulness - It is trite that there is a two-stage approach to determining wrongfulness. Firstly, it must be ascertained whether a subjective right, a statutory duty or a duty of care has been breached by the perpetrator of the act. As the conduct of the data controller is most likely the result of an omissio, wrongfulness is not normally determined by asking whether the party suffering the harm has had a subjective right infringed, but rather by asking whether the defendant had a legal duty to prevent loss. Therefore, in each particular instance in which the security system of a data controller has been penetrated by an unauthorized person, the courts will have to determine whether there was a duty of care upon the particular data controller to avoid causing loss to the data subject. Knowledge on the part of the data controller that its conduct could cause damage plays an important role in the determination of such a legal duty.
Assuming that there is a legal duty upon a data controller to avoid causing loss to a data subject, the second leg of the wrongfulness enquiry is to establish whether the violation of this legal duty occurred in a legally reprehensible manner, i.e. whether a legal norm was violated according to the boni mores of the community. In determining whether such a legal duty exists and whether its violation would be contrary to the boni mores of the community, Section 43(5) of the ECT Act, as well as the duty imposed upon the board of directors of companies by Section 5.4 of the Second King Report on Corporate Governance, may need to be considered along with other factors.
The legal duty to act positively to prevent damage is not new to our law. Since Minister of Police v Ewels 1975 (3) SA 590 (A), the existence of a legal duty to prevent loss has had to be determined according to the legal convictions of the community. However, the existence of such a legal duty does not mean that all omissions will attract liability. This will depend on whether the defendant also acted in a culpable manner (discussed below). In Minister of Safety and Security v Van Duivenboden 2002 (3) ALL SA 741 (SCA) it was confirmed that a person can be liable for a negligent omission.
Furthermore in determining the possible existence of a legal duty of a data controller to prevent a data subject suffering loss, it may be prudent to consider Carmichele v The Minister of Safety and Security and Others CCT 48/00 in which the Constitutional Court held that the Bill of Rights imposed a duty upon the State to prevent gender-based discrimination and to protect the dignity, freedom and security of women.
The Bill of Rights states that everyone has a right to privacy. The question therefore arises whether there is a duty upon the State to protect the privacy of its citizens. If it is successfully argued that the State has the duty to protect the privacy of its citizens, and it is accepted that the Constitutional Court has the power to develop the common law, it may be argued that this duty does not rest upon the State alone. In Khumalo et al v Holomisa CCT 53/01, the Constitutional Court addressed the issue of the 'horizontal' application of the Constitution (s 16) and its effect on the common law of defamation in South Africa. O'Regan J, in Holomisa's case, points out that the Constitution distinguishes between two categories of persons and institutions bound by the Bill of Rights. Whereas s 8(1) binds the legislature, executive, judiciary and all organs of state to the terms of the Bill of Rights, s 8(2) goes further and provides that:
(2) A provision of the Bill of Rights binds a natural or a juristic person if, and to the extent that, it is applicable, taking into account the nature of the right and the nature of any duty imposed by the right.
(3) When applying a provision of the Bill of Rights to a natural or juristic person in terms of subsection (2), a court -
(a) in order to give effect to a right in the Bill, must apply, or if necessary develop, the common law to the extent that legislation does not give effect to that right; and
(b) may develop rules of the common law to limit the right, provided that the limitation is in accordance with section 36(1).
It is therefore submitted that it is not inconceivable that the duty imposed upon the State in the Carmichele case could be extended to include other constitutionally guaranteed rights, such as the right to privacy. The principle confirmed in the Khumalo case could then extend this duty to private organizations.
International developments on the duty of care may also be considered as a method of trying to determine the possible future development of the law regarding information security in South Africa. According to Thomas Smedinghoff (partner with the law firm Baker & McKenzie), the final version of the U.S. National Strategy to Secure Cyberspace, released in February 2003, may help to define corporate responsibility in the United States in this area. Although it disavows any goal of regulating security, and seeks only a "voluntary" partnership with the private sector, the National Strategy raises issues likely to influence the development of a rapidly growing body of U.S. statutory, regulatory, and common law on corporate cybersecurity obligations.
If one looks at the functions of Electronic Communications Security (Pty) Ltd ("Comsec"), established in terms of the Electronic Communications Security Act 2002, it is possible that Comsec will borrow extensively from this policy. This could be the catalyst needed to develop this aspect of our law in South Africa.
2. Negligence - The objective reasonableness of the conduct on the part of the data controller will need to be investigated. Of importance is what would constitute reasonable steps on the part of a data controller to secure the data of a data subject. The relevance of industry standards, and in particular the security standard ISO17799, should be taken into account. Furthermore, third party conduct (other than that of the hacker) may affect the determination of negligence on the part of a data controller.
The first possible third party conduct to be considered is that of security software manufacturers that release software containing vulnerabilities (whether known or unknown to the manufacturer), which may in itself constitute a specific form of delict known as manufacturer's liability. Can it be said that the data controller acted negligently when it designed security architecture complying with industry standards, but the system was nevertheless breached due to a vulnerability in the security software supplied to the data controller by the manufacturer of that software? A few possible scenarios that could influence the outcome of this discussion are:
1. A software manufacturer releases software that is largely untested, or is tested but is released with known vulnerabilities;
2. A software manufacturer releases software that is thoroughly tested, but a hacker discovers a vulnerability despite thorough testing according to industry standards by the software manufacturer; and
3. In the course of ongoing development, a software manufacturer discovers a vulnerability and makes a patch available to rectify the vulnerability or bug. How will the data controller's liability be affected if it failed to download that particular patch timeously and, as a result, loss was suffered by a data subject due to unauthorized access to the system via the vulnerability for which a patch was made available?
Further possible third party conduct affecting a data controller's negligence is so-called 'downstream' conduct. Electronic data interchange and the internet have both allowed organizations to interact with each other via linked networks. For example, many businesses have established automated ordering systems with their suppliers. Along with the obvious benefits of having direct access to a particular area of your supplier's network, the problematic issue of 'downstream liability' rears its head. Company A may have an excellent security system in place to protect it against external attacks. Company B may not have given much thought to its security architecture. A hacker may easily penetrate company B's firewall and then, by exploiting a trust relationship between company B's and company A's respective networks, penetrate company A's system, gaining access to sensitive third party data stored on that system. The question that needs to be addressed is whether company B is liable towards company A for any loss company A may have suffered as a result of being found liable towards the data subject by a court of law, or whether the actions of company B would exclude negligence on the part of the data controller completely.
Sentimental Loss
Sentimental loss could occur as a result of an invasion of privacy by way of intrusion. Here a hacker may gain access to the private medical records of a data subject held by a hospital. A second example is the invasion of privacy via publication. Here a hacker could publish private information, obtained from the server of an attorney firm, contrary to a confidential attorney-client relationship. To be held liable under the actio iniuriarum for an invasion of privacy, for example, there must exist an animus iniuriandi on the part of the wrongdoer. However, a data controller will in most cases never satisfy this requirement when its security system is bypassed by a third party hacker. A hacker will most likely have this animus, but tracking him down will be near impossible. If he is tracked down, it is usually to a foreign country, and the data subject is then faced with the unenviable task of entering into cross-border litigation to gain satisfaction. The question is whether damages for sentimental loss as a result of a wrongful invasion of privacy can now be claimed from the data controller despite the absence of an animus iniuriandi. It cannot be claimed under an Aquilian action, as sentimental loss cannot be claimed using the actio legis Aquiliae in South African law.
There are two ways of solving the problem at hand:
1. Introducing legislation setting out the security standards to be applied by organizations that collect, process and store sensitive third party commercial and private data along with the liability that attaches to these organizations for a failure to adhere to these standards. In addition to the European Union Data Protection Directive (95/46/EC) and its associated regulations, two United States federal statutes also deal with data security, although these are limited to the highly regulated financial and health sectors. Regulations imposing a comprehensive obligation to implement security began in the financial industry with the 2001 Gramm-Leach-Bliley Act Security Regulations. These regulations require financial institutions to implement a comprehensive written information security program to: (1) ensure the security and confidentiality of customer information; (2) protect against any anticipated threats or hazards to the security or integrity of such information; and (3) protect against unauthorized access to or use of such information. In 2002 government enforcement agencies began extending the approach embodied in these regulations to non-regulated industries through a series of consent decrees.
2. Alternatively, the courts could develop the common law of faultless liability. It was highlighted earlier that claims for sentimental loss against organizations for invasion of privacy by hackers, as a result of poor information system security, cannot be pigeonholed under either the actio legis Aquiliae or the actio iniuriarum. Animus iniuriandi is a material requirement for claims dealing with an invasion of privacy, and an organization will almost never have the required animus. The only option available to the courts, it would seem, is that the animus requirement, in cases where sentimental loss is claimed pursuant to security lapses, be replaced by the rule that a company which makes it its business to collect, store and process sensitive commercial and private third party data is responsible for any sentimental loss that may arise as a result of an invasion of a data subject's privacy by a third party hacker. Cases in which patrimonial or pure economic loss is claimed could still possibly be dealt with under the actio legis Aquiliae, provided the elements comprising the Aquilian action are met.
As the use of the internet grows and organizations continue to seek a competitive edge through business intelligence and data profiling, an ever increasing amount of sensitive third party data, both private and commercial, will be collected, processed and stored by organizations. It is inevitable that security lapses will occur more frequently due to the deliberate efforts of hackers. It is essential, therefore, that organizations view information security as a process and not a product. Consequently, legal compliance with security obligations involves a process applied to the facts of each case in order to achieve an objective (i.e. to identify and implement the security measures appropriate for that situation), rather than the implementation of standard, specific security measures in all cases. There are no hard and fast rules. The obligation seems to be to do what is reasonable under the circumstances to achieve the desired security objectives.
Kevin van Tonder, Group Legal Advisor at Tellumat (Pty) Ltd
14 May 2003
This article is intended to provide general guidance and does not constitute professional advice relating to specific instances. Should you wish to place any reliance on the information presented in this article we strongly advise that you consult your legal advisor or the Electronic Law Consultancy - email@example.com