Legal liabilities: A new dimension to information security

How the Trade Practices Act could bring down a TJX

Readers will be familiar with the explosive global growth in data theft and data leakage incidents. But they may be less familiar with the corresponding increase in multi-million-dollar lawsuits flowing from such incidents, as those who are burned in the fall-out from security breaches seek compensation from the courts to cover their losses.

This brings a significant additional dimension to the risks associated with information security breaches and provides a new imperative for the effective management of risk.

Addressing these legal risks will require an increased level of engagement between the CIO and corporate legal advisers. Bridges between the disciplines of law and IT will need to be built, and lawyers and CIOs will need to break out of their respective silos of expertise to develop a coordinated response.

This will not be easy. Close collaboration between the CIO and the lawyer tends to be the exception rather than the norm because they often have little or no understanding of the core concepts that underpin each other’s respective disciplines. However, if increased levels of shared understanding are not achieved, then the response of corporate Australia to a whole new landscape of legal risk will be substantially underdone or misdirected.

The TJX case should be regarded as an indicator of things to come.

The TJX case

The TJX case is a good place to start to develop an understanding of the types of legal actions that are now flowing from information security breaches. This litigation resulted in American retailer TJX paying around $US80 million in compensation following a hack in which 45 million credit cards were lost.

Before looking at the TJX case in more detail, let’s briefly deal with one furphy that might otherwise confuse the newcomer to this field. The TJX case occurred in the USA, and Massachusetts state law applied – isn’t Australian law different? The short answer is: not much, particularly in the areas of law that fell to be considered in TJX. If the facts of TJX were transposed to an Australian court, the applicable laws would be very similar. Both the Australian and the USA legal systems developed originally from British common law. While there are some local differences, there is a high level of commonality across the laws of all nations with an ‘Anglo’ legal heritage.

The proceedings against TJX were brought by a group of ‘issuing’ banks — ones that issue credit cards to their customers. In essence, the banks’ case ran as follows:

  1. TJX had failed to maintain an appropriate level of information security;
  2. As a result, hackers were able to break into TJX’s systems and steal millions of credit and debit card records belonging to TJX’s customers;
  3. The hackers then sold those records on the internet, where they were purchased by fraudsters around the world;
  4. The fraudsters used the stolen records to commit numerous online transactions;
  5. The issuing banks were obliged to cover those fraudulent transactions on behalf of the innocent cardholders and were massively out of pocket as a result;
  6. The issuing banks were entitled to reimbursement of their losses from TJX, since those losses flowed from TJX’s inadequate security regime.

In legal terms, this translated into the following claims against TJX:

  1. Negligence
  2. Breach of contract
  3. Breach of the Massachusetts equivalent of section 52 of the Australian Trade Practices Act (the two pieces of legislation are very similar for practical purposes)
  4. Negligent misrepresentation — for all intents and purposes the same as breach of section 52.

Other subsequent cases where organisations are being sued for operating inadequate information security regimes, discussed below, were built on the same legal foundations.
