Defining Reasonable Care for the Protection of Personal Data

Indeed, in a cybersecurity world of zero-day exploits and state-sponsored hackers, it would be unreasonable to conclude that the mere happening of a breach means the defendant was negligent under the circumstances. And so the court remanded the Dittman case to the Allegheny County (Pa.) Court of Common Pleas, where further litigation continues, and might someday establish a factual record from which a factfinder will evaluate the reasonableness of UPMC's protective measures.

But the notion that data breach litigation must proceed to a factual determination of the reasonableness of cybersecurity measures should be of little comfort to defendants. At common law, a defendant to a negligence claim must establish that, in light of the knowledge at hand, the defendant employed all of the reasonable care and judgment that ordinarily would have been exercised under the circumstances to protect the plaintiff from knowable threats or unsafe circumstances. See, Martino v. Great Atlantic & Pacific Tea, 213 A.2d 608, 610 (Pa. 1965).

Litigation of data breach cases under Dittman therefore may require lengthy factual discovery, probing both the adequacy of the defendant's security measures as well as past cyber incidents that might have put the defendant on notice of weaknesses in its defenses, and also costly expert discovery, focused on establishing the reasonableness (or unreasonableness) of those measures in light of emerging risks and available technology.

Accepting that data breach cases are likely to proceed to discovery, potential defendants then are left to wonder how they might prove that they exercised reasonable care in their efforts to protect personal information collected from customers, employees, students, and other individuals. Assuming they may need to rely upon testimony from a cybersecurity expert as to the reasonableness of the measures employed under the circumstances, how can a business seek proactively to undergird such testimony?

Post-Dittman, legal guidance has largely emphasized the importance of the client's adoption of a written information security program; a policy (or set of policies) suitable to the client's size, industry and risk that prescribes internal cybersecurity practices. Such policies certainly are a necessity. I compare the adoption of data security policies to the adoption of workplace harassment policies; as each serves (at least) two purposes. First, the policies inform the workforce of the importance, on one hand, of decorum and respect for coworkers, and, on the other hand, of the importance of protecting personal or otherwise confidential data (such as trade secrets) collected and held by the business. Infractions of both types of policies, as incorporated into an employee handbook, should be subject to discipline up to and including termination. These policies have a second purpose, as well: workplace harassment policies potentially provide an affirmative defense to civil claims; data security policies likewise establish the foundation of a showing of reasonable care by the business in the protection of personally identifiable information.

But advice that a business should establish a written information security program may often be so generalized to be meaningless. Worse, such advice may encourage businesses to merely copy a template policy found online, rather than conduct meaningful risk assessments and tailor the scope and details of such policies to fit. But advising clients to follow a more complex set of guidelines (such as the U.S. National Institute of Standards and Technology (NIST) framework or international ISO 27000 series) suffers in that these standards are confounding to everyone but auditors and cybersecurity professionals (for what it's worth, Wikipedia informs me that "Annex A" of ISO 27001 consists of 114 controls in 14 clauses and 35 control categories).

In routine negligence cases, lawyers are able to rely on precedent to suggest the "best practices" that go furthest toward establishing the exercise of reasonable care (I think here of the "hills and ridges doctrine" — burned into my brain as the subject of the 2003 Pennsylvania bar exam essay section — guiding property owners as to what constitutes an unreasonable accumulation of snow and ice in a parking lot).

It would be similarly useful if lawyers could guide their clients on sensible and understandable best practices for protection of personally identifiable information. But in this emerging area of the law, we are lacking in precedent; courts have not issued rulings to point us to the facts establishing whether a defendant's data security measures are sufficient or lacking.

In the absence of adequate precedent, attorneys must look for other resources to help a client to establish an exercise of reasonable care. These resources need to be practicable and sufficiently grounded as to be understood by business leaders, not just by CISOs. Perhaps such resources could even be digestible enough for lawyers and law firms themselves to adopt adequate measures to protect client information!

One avenue to explore is a review of the allegations made by the plaintiffs in recent, post-Dittman, data breach cases. For example, an alleged hack of convenience store chain Wawa that purportedly exposed payment card information of the store's customers has resulted in the filing of several class action lawsuits. These cases, filed on behalf of customers and the financial institutions that issued those payment cards, include claims of negligence. The averments in those complaints focus on the defendant's alleged: failure to respond timely to warnings from Visa regarding cyber threats to gas stations; failure to adopt the latest chip-and-pin technology to replace magnetic stripe card readers; and, failure to follow guidelines from the Federal Trade Commission and NIST to "adopt appropriate safeguards" and "develop a sound data security plan." But these allegations (like those set forth in the complaints in other data breach cases) seem either too specific to the nature of the particular alleged breach, or, like the concepts discussed above, too general to guide a business toward concrete solutions.

More concrete guidance was issued in January by the federal Office of Compliance Inspections and Examinations, part of the U.S. Securities and Exchange Commission. OCIE based its 13-page report on thousands of examinations of financial sector participants and highlighted the following key elements of an effective governance and risk-management program to address cybersecurity risks:

• Risk assessments to identify, analyze and prioritize cybersecurity risks to the organization;
• Written cybersecurity policies and procedures to address these risks; and
• Effective implementation and enforcement of those policies and procedures.

While these are useful high-level touchstones, more specific "best practices" are identified in the report, such as the following:

• Board-level (or senior leadership-level) engagement that internalizes responsibility to oversee cybersecurity programs at the top of the enterprise;
• Access-management programs to: limit user access to systems based on job duties; limit access during onboarding, transfers and termination; require strong and periodically changed passwords; utilize multifactor authentication using a key fob or mobile application to supplement passwords; revoking system access immediately for individuals no longer employed, including former contractors; and, monitoring access, including failed login attempts and requests for username or password changes;
• Data loss prevention measures, including vulnerability scans and perimeter security (such as firewalls, intrusion detection systems, and blocking access to removable media such as USB thumb drives);
• "Detective" security measures to detect incoming fraudulent communications and prevent computer viruses from running, and to capture and retain system logs for aggregation and analysis;
• Patch management programs that automatically install available updates of all software, including anti-virus and anti-malware solutions;
• Encryption of data in motion (e., being sent by email) both internally and externally, and also as in rest (i.e., saved) on all systems including servers, laptops, and mobile devices;
• Network segmentation, so that access to one part of a system does not allow access to all parts of all systems;
• Vendor management programs to conduct due diligence and impose contractual terms on service providers;
• Insider threat monitoring to identify suspicious behavior, conduct penetration tests, and block transmission of sensitive data (such as Social Security numbers or account numbers) out of the organization;
• Breach response plans, and tabletop exercises to test and assess those plans; and
• Cybersecurity training and awareness programs for the organization's workforce.

Additional guidance can be found in the full report, OCIE Cybersecurity and Resilience Observations, available at https://www.sec.gov. For another great resource featuring specific and accessible action steps for businesses, I recommend the nonprofit Center for Internet Security's Top 20 Controls and Resources, available at https://www.cisecurity.org.

Ultimately, an expert witness testifying for the defense in a data breach case might exhaustively survey and apply the NIST framework to the facts at issue. Even then, adherence to industry-standard practices will not insulate a defendant entirely from potential liability. Quoting Justice Oliver Wendell Holmes, the Pennsylvania Supreme Court has said that adherence to the norm does not preclude a finding of negligence: "What usually is done may be evidence of what ought to be done, but what ought to be done is fixed by a standard of reasonable prudence, whether it is usually complied with or not." See, Incollingo v. Ewing, 282 A.2d 206, 217 (Pa. 1971) (citing Texas & Pacific Railway v. Behymer, 189 U.S. 468, 470 (1903)).

While large companies may have sufficient resources to wholly adopt complex industry guidelines from the outset, many clients instead need more practicable (and understandable) advice on how they might start to try to avoid liability for a data security incident.

I hope that the resources provided here will be useful to attorneys advising such clients. Someday, courts may find that these measures demonstrate reasonable care in the collection and protection of personal information.

*****

Devin Chwastyk is a member of and chair of the privacy and data security group at McNees Wallace & Nurick. For more than 15 years, he has represented parties in data breach litigation, counseled businesses on compliance with emerging privacy laws, and helped clients respond to data security incidents.