Senator Urges Privacy Oversight Board Nominations

According to BNA’s Privacy Law Watch, on March 8, 2010, Senator Patrick Leahy asked President Obama to nominate members for the dormant Privacy and Civil Liberties Oversight Board.  The Board, which was created in 2004 upon the recommendation of the 9/11 Commission, focuses on ensuring that privacy and civil liberties concerns are incorporated into anti-terrorism laws and regulations.  Although President Obama had pledged in May 2009 to reconstitute the board, which has had no members since January 2008, privacy advocates say that his focus on cybersecurity issues has delayed the nomination process.

Liability for Data Security Auditors

A lawsuit that will soon commence in Arizona has the potential to alter the data breach liability landscape by making data security auditors liable for data breaches experienced by the companies they audit.  The case, Merrick Bank Corp. v. Savvis Inc., has its origins in events that began in 2003, when Merrick Bank (“Merrick”) offered to hire CardSystems Solutions (“CardSystems”) to process credit card transactions for its merchant customers.  The offer was contingent upon CardSystems achieving certification under VISA’s Cardholder Information Security Program (“CISP”), which is the predecessor to the Payment Card Industry Data Security Standard (“PCI DSS”).  Savvis audited CardSystems in 2004 and found that it had “implemented sufficient security solutions” and followed “industry best practices.”  VISA certified CardSystems shortly after receiving Savvis’ audit report.  In 2005, CardSystems revealed that it had experienced an information security breach that compromised forty million payment cards.

Claiming $16 million in fraud losses, legal fees and penalties related to the breach, Merrick sued Savvis under theories of negligence and negligent misrepresentation.  After originally being filed in federal court in Missouri (where Savvis is headquartered), the case was transferred to Arizona (where CardSystems operated and eventually filed for bankruptcy due to fallout from the data breach).  If the Arizona court rules in favor of Merrick, data security auditors could for the first time be held professionally liable for their audits of a company’s information security in the same way accountants can incur liability for negligent audits of a company’s financial statements.  Data security auditors would likely increase the price of audits to account for the increased risk.

The filing of Merrick Bank v. Savvis coincides with increased scrutiny of security auditors and of self-regulation of the payment card industry.  Critics have noted that other payment card processors that suffered significant data breaches, such as Heartland Payment Systems, were also listed by VISA as service providers that were compliant with PCI DSS, which is the consolidated industry standard developed by the major payment card companies.  As a result of those breaches, the PCI Security Council announced late last year that it would strengthen oversight of auditors to “make sure no one is rubber-stamping something.”  Some experts believe regulation is possible, pointing to the recent proposed guidance on data encryption standards for personal health information as an example of how the federal government has imposed requirements on information security in a manner previously thought unlikely.

White House Releases 60-day Cybersecurity Review Detailing Threats

The White House today released the report from the 60-day cybersecurity review the President ordered in February. Speaking to a packed audience in the East Room, President Obama outlined the broad range of threats facing the digital infrastructure, focusing not only on national security and organized crime attacks, but also on identity theft and incursions into individual privacy.

He promised a “new comprehensive approach to securing our nation’s infrastructure,” including appointment of a White House cybersecurity coordinator reporting to both the National Security Council and the National Economic Council. The coordinator would have broad responsibilities, but little direct authority, although the President did promise that the coordinator would have access to him.

The President also indicated that he would be appointing a privacy and civil liberties official reporting to the new cybersecurity coordinator.

The President cautioned, however, that dealing with cybersecurity issues would take time. “Protecting our prosperity and security in this globalized world is going to be a long, difficult struggle demanding patience and persistence over many years. But we need to remember: We’re only at the beginning. The epochs of history are long—the Agricultural Revolution; the Industrial Revolution. By comparison, our Information Age is still in its infancy.”

The President did not say who would be the new coordinator, nor did he provide a timeline for naming the new officials.

Today’s announcement is obviously a significant step towards a broader, higher priority approach from the federal government towards the growing problem of securing information and the systems that process it. While the President stressed that the new approach would include the private sector, he said that the government would not be telling the private industry how to go about securing their infrastructure, nor would the government engage in information monitoring.

According to published press reports, release of the cybersecurity report was delayed six weeks over disagreements within the administration over how the new cybersecurity position would be managed. That delay, the decision not to name the new coordinator, the tone of the President’s announcement, and the tools for fighting cyberattacks that he appeared to rule out suggest that while the administration’s response is serious, it is not necessarily as urgent as some experts have sought.

The Cyberspace Policy Review is available at http://www.whitehouse.gov/assets/documents/Cyberspace_Policy_Review_final.pdf.

The President’s announcement is available at http://www.whitehouse.gov/the_press_office/Remarks-by-the-President-on-Securing-Our-Nations-Cyber-Infrastructure/.

And the unclassified documents on which the review relied are available at: http://www.whitehouse.gov/cyberreview/documents/.


U.S. Cyber Security Draws the Attention of the White House and Congress

News last week that Chinese and Russian hackers had infiltrated the U.S. electrical power grid gave practical significance to an already high-profile issue in Washington: how better to secure the nation’s cyber-infrastructure.  Late in 2008, the Center for Strategic and International Studies Commission on Cyber Security for the 44th Presidency (the Commission) released a report citing the U.S.’s failure to protect cyberspace as “one of the most urgent national security problems” facing the Obama administration.  The failure threatens the safety and well-being of the United States and its allies and raises immediate risks for the economy.  In a global economy, where economic strength and technological leadership are as important to national power as military force, failing to secure cyberspace puts the U.S. at a disadvantage.  When Chinese and Russian intruders apparently left software on networks supporting the U.S. power grid that could be used to compromise electric and water systems, the Commission’s warnings were borne out in a concrete, real-world way.

The Obama Administration has taken these threats seriously.  On February 10 it initiated a 60-day review of federal cybersecurity efforts to protect vital U.S. computer networks (the Review).  The Review staff has engaged in significant and broad outreach to the government, the private sector and non-governmental organizations.  As the work of the Review draws to a close, its director, Melissa Hathaway, has intimated that it will not result in the naming of a cybersecurity advisor at the White House level.  This is an important, if controversial, signal.  However, on April 2, 2009, Senator Jay Rockefeller (D-WV) and Senator Olympia Snowe (R-ME) proposed legislation that would establish just such a position, invested with sweeping powers.  The legislation would empower the government to set and enforce security standards for industry, and broaden the focus of the government’s cybersecurity efforts to include not only military networks but also private systems that control critical infrastructure, such as electricity and water distribution.  Such new powers raise serious questions for industry and civil liberties.

The Centre for Information Policy Leadership has played a prominent role in these efforts.  Centre Senior Policy Advisor Professor Fred H. Cate has consulted on several occasions with the Review committee, and Paula Bruening served on the Commission.  On April 5, Paula was featured as a guest on National Public Radio’s Diane Rehm show, along with Jim Lewis, director of the Commission’s study, and Paul Kurtz, a cybersecurity consultant and former senior director, Office of Cyberspace Security at the National Security Council.  During the hour-long discussion, the guests explained the nature of these cybersecurity threats, considered the challenges faced by government and industry, the consumer’s role, and issues of civil liberties, and proposed possible ways to move forward.  To view the discussion, click here.

Director of United States National Cybersecurity Center Resigns, Citing Obstacles

Former Silicon Valley entrepreneur Rod Beckstrom has tendered his resignation from the post of Director of United States National Cybersecurity Center, effective March 13, 2009.  In his resignation letter to Secretary of Homeland Security Janet Napolitano, Mr. Beckstrom complained of inadequate funding and criticized the National Security Agency’s dominant role in “most national cyber efforts.”  He characterized this arrangement as “bad strategy” because “intelligence culture is very different than a network operations or security culture,” and he argued that the centralization within one organization of all top-level government network security and monitoring constituted a significant threat to the democratic process.  Mr. Beckstrom’s resignation letter is available here.