For the past two weeks, Security States has been exploring the possibility of liability for software design flaws. It’s a critical issue—and likely the right answer from an economic perspective. But at this point that answer is theoretical. There are many steps between where we are today (no liability for any cyber breach) and there (product liability for software defects).
One of the steps (or at least possible steps) along that continuum is the development of a common law doctrine of tort liability for consequential damages caused by inadequate or negligent cybersecurity measures. Legal developments in this area are hesitant and incomplete, but two recent decisions from the federal courts of appeals point the way toward the development of this doctrine. The cases both involve third party liability—that is, liability of a service provider to third parties for damages caused by the provider’s alleged negligence—and are a step short of the product liability doctrines that would be inherent in software design claims. So, the recent cases are of modest immediate importance—but they may be harbingers of the future. Here’s a summary of both of them:
Patco — Consider the First Circuit decision, Patco Constr. Co. Inc. v. People’s United Bank (1st Cir. July 2012). Patco was a customer of People’s United—a typical mid-size business customer with a fairly normal and regular pattern of banking activity. The company regularly withdrew money to make payroll and it made monthly payments to a variety of vendors.
Our story begins with a mistake of some sort by Patco. Somehow, intruders installed malware on Patco’s computers and stole its banking credentials (user name and password). They then used those credentials to siphon money from Patco’s account, transferring it offshore.
But there is a bit more to the story than this all-too-common occurrence. According to Patco’s complaint, the large offshore transfer actually caused an alert to flag the transaction—it was so far out of the norm that an automated risk identification system referred the transaction for human review. Unfortunately, the bank manager decided that the password/user name combination and the accompanying answers to certain challenge questions were sufficient to verify the transaction and ignored the alert...and all the money went offshore.
When Patco sued, it lost in the district court. That court relied on standard contractual terms in the bank’s agreement with Patco that disclaimed any liability for losses that might arise from using electronic banking. On appeal, that decision was reversed. The First Circuit decided that People’s reliance on password authentication and its decision to ignore certain transaction-based flags (which had highlighted the unusually large offshore fund transfer) was not necessarily a good commercial practice. Perhaps most notably, the court concluded that People’s reliance on answers to challenge questions (which the Patco hackers had provided) was not a good security practice. The bank’s contract with Patco incorporated the Uniform Commercial Code’s requirement that the bank act in a “commercially reasonable” way, and the court thought the protections the bank had implemented were unreasonable.
After the appellate decision the case was sent back for a trial on the merits. At trial the questions would include whether Patco’s allegation was true—that is that the bank did, in fact, ignore an alert—and also whether Patco’s own negligence in losing its login credentials contributed to its own losses. While People’s Bank might, in the end, have won the case, all lawyers know that there is a substantial difference between winning a case (cheaply) on a legal ground early and winning it late (with the risk of losing) after a lengthy trial in court.
Because of that litigation uncertainty, as we would expect, a settlement soon materialized. As Wired’s Kim Zetter reports, the bank paid out a judgment ($345,000) to Patco, whose account had been hacked. While it is difficult to prove the counter-factual, this appears to be the first time that a financial institution (or any other commercial entity, for that matter) had been obliged to settle a claim premised on its own “commercially unreasonable” cybersecurity failures. In addition to the amount lost, People’s United Bank agreed to pay Patco roughly $45,000 in interest.
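The security lesson the First Circuit drew from the Patco facts is that an automated flag on an out-of-norm transfer is only as good as the verification step that follows it, and that knowledge-based factors (a password, answers to challenge questions) cannot clear the flag when those are exactly what the intruders had already stolen. The following Python is an added illustration, not code from the opinion, from People’s United or from any bank’s actual risk system: it builds a baseline from a constructed transaction history for a Patco-like business, scores a new transfer on amount, payee and destination, and applies a clearance policy under which a flagged transfer is held unless an out-of-band factor the customer physically controls is presented. The thresholds, factor names and scoring weights are assumptions chosen for the example.

```python
"""Transaction anomaly flagging plus a step-up verification policy.

Added illustration of the controls discussed in the Patco case; the scoring
weights, thresholds and factor names are assumptions, not any bank's system.
"""
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Transfer:
    amount: float
    payee: str
    country: str  # destination country code (constructed values below)


# Constructed history: a mid-size business with regular payroll and vendor payments.
HISTORY = [
    Transfer(24_000, "payroll-processor", "US"),
    Transfer(23_500, "payroll-processor", "US"),
    Transfer(1_800, "lumber-supply", "US"),
    Transfer(2_200, "equipment-rental", "US"),
    Transfer(24_200, "payroll-processor", "US"),
    Transfer(1_950, "lumber-supply", "US"),
    Transfer(3_100, "fuel-card", "US"),
    Transfer(23_800, "payroll-processor", "US"),
]


@dataclass(frozen=True)
class Baseline:
    mean_amount: float
    stdev_amount: float
    known_payees: frozenset
    home_country: str


def build_baseline(history):
    """Summarise an account's normal pattern of activity."""
    amounts = [t.amount for t in history]
    countries = [t.country for t in history]
    return Baseline(
        mean_amount=mean(amounts),
        stdev_amount=pstdev(amounts) or 1.0,  # avoid division by zero on flat histories
        known_payees=frozenset(t.payee for t in history),
        home_country=max(set(countries), key=countries.count),
    )


FLAG_THRESHOLD = 4  # assumed: at or above this score the transfer goes to human review


def score_transfer(baseline, tx):
    """Return (score, reasons); score >= FLAG_THRESHOLD means 'refer for review'."""
    reasons = []
    score = 0
    z = (tx.amount - baseline.mean_amount) / baseline.stdev_amount
    if z > 3:
        score += 3
        reasons.append(f"amount {z:.1f} standard deviations above the account norm")
    if tx.payee not in baseline.known_payees:
        score += 2
        reasons.append("first payment to this payee")
    if tx.country != baseline.home_country:
        score += 2
        reasons.append("destination outside the account's home country")
    return score, reasons


# Factors a credential thief who has the customer's login and challenge answers also has.
KNOWLEDGE_FACTORS = frozenset({"password", "challenge_answers"})
# Factors that reach the legitimate customer through a channel the thief does not control.
OUT_OF_BAND_FACTORS = frozenset({"callback_to_registered_phone", "hardware_token"})


def clearance_decision(score, factors_presented):
    """Decide whether a transfer proceeds, given its risk score and the factors verified."""
    if score < FLAG_THRESHOLD:
        return "approve"
    if OUT_OF_BAND_FACTORS & set(factors_presented):
        return "approve-after-step-up"
    # Knowledge factors alone never clear a flagged transfer: on the Patco facts the
    # manager accepted exactly those factors, which the intruders had already stolen.
    return "hold"


if __name__ == "__main__":
    baseline = build_baseline(HISTORY)
    suspect = Transfer(588_000, "unknown-offshore-account", "XX")  # constructed
    score, reasons = score_transfer(baseline, suspect)
    print(score, reasons)
    print(clearance_decision(score, ["password", "challenge_answers"]))
    print(clearance_decision(score, ["password", "callback_to_registered_phone"]))
```

The point of separating `score_transfer` from `clearance_decision` is that the review step has a fixed rule about which factors count: a reviewer confronted with a flagged transfer and a correct password plus correct challenge answers gets `hold`, not discretion, because those factors are precisely what the malware exfiltrated in the first place.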
Lone Star Bank — When Patco was first decided, some saw it as a sign of things to come; others thought it might just be a “one-off” decision that did not signal the start of a trend. While predicting the future course of legal developments is a hazardous enterprise at best, we can at least now say that Patco was not unique. Just last month the Fifth Circuit in Texas issued a very similar ruling in Lone Star Bank, et al. v. Heartland Payment Systems (5th Cir. September 2013). This time, however, the banks won.
Heartland Payment Systems had a contract with a number of banks to provide credit card processing services. These banks, known as acquiring banks, were the ones who had contracts with the merchants making the sales. Heartland, in turn, cleared the transactions with the upstream banks (known as issuer banks) who, in turn, eventually received payment from the consumers to whom they had issued the credit cards.
Heartland was hacked in 2009 and lost the data from more than 160 million credit card accounts. Because of the interlocking web of financial relationships, they were not the only ones affected by the hack. The issuing banks incurred significant costs as well. These included losses from the fraudulent use of the stolen data, the cost of replacing credit cards and the cost of providing their consumers with credit monitoring services.
When the banks sued Heartland to recover these losses their suit was initially dismissed. The district court concluded that under New Jersey tort law, the banks could not get a recovery for purely economic losses. On appeal, the Fifth Circuit reversed. It said that the issuing banks had a valid negligence claim against Heartland for its cybersecurity failures and that, if proven, they could recover their consequential damages from Heartland.
Despite their limited scope, these two cases are significant for two reasons.
First, of course, the doctrine of tort liability, if it becomes common, will cause a significant change in current business models and practices. Today, most suppliers (like banks or energy companies) are comfortable with the assumption that if they suffer a cybersecurity breach the losses experienced by their customers will be borne by their customers, not them. This is a classic economic externality that, in the long run, causes providers to underinvest in cybersecurity. Development of a tort doctrine will reduce that underinvestment, though at some obvious costs to innovation and consumer pricing. If these cases are a sign of things to come we will see more cybersecurity at greater cost to consumers but with fewer vulnerabilities.
Second, the viability of a doctrine of tort liability will cast in stark relief some of the provisions in the proposed cybersecurity bills under consideration in the Senate. These bills sometimes suggest the need for the development of a Federal regulatory system to identify cybersecurity best practices and require them to be adopted by critical infrastructure service providers. One reason some oppose such a regulatory system is their belief that in the long run, a civil tort/contract liability system will develop that will work more effectively and flexibly—imposing costs on those who stint their cybersecurity efforts in an unreasonable manner, without the costs that come from a hierarchical regulatory system.
It is still too early to tell how this all may shake out. But for now, it looks like we stand at the dawn of a new era of cybersecurity tort liability. That would be a significant change, if it comes to pass.