Last week, Equifax announced one of the biggest data breaches of all time, affecting 143 million Americans. And we’re not just talking leaked email addresses – the breach includes social security numbers, address history, even driver’s license details. Matters are made worse because it took nearly 6 weeks for the breach to be announced – and worse still, because Equifax is a credit reporting agency. It doesn’t just hold data about its own users, but also the customers of other companies who have never dealt with Equifax directly.
The lawsuits were inevitable, of course. But the speed they hit was impressive – it was less than 24 hours from announcement of the breach to the first class action hitting the courts, with the second following in just one more day.
They may have been prepared in mere hours, but these lawsuits could be seriously important. If you’re running an online service, you’d be smart to keep an eye on how they develop, because they could affect cloud businesses for years, or even decades to come.
To get the case off the ground, the court will decide whether Equifax can be sued in the first place – it’s tricky, because different federal circuits disagree about when this can happen. So, courts in Delaware, Illinois and Washington DC (for example) would allow the plaintiffs to proceed merely because their data is at risk after a hack. This is pretty easy to show. On the other hand though, New York, Conneticut and North Carolina would need to see not just a leak, but that the leaked data has actually been misused afterwards. Equifax HQ is in Atlanta, the 11th circuit. Although those courts have a history of recognising that difficulty (and so supporting data victim lawsuits), it hasn’t yet come down firmly on the question of risk vs misuse.
The big impact
After that the real fight starts. The court will have to decide what duty Equifax had to keep things secure. You might think that since there was a hack Equifax obviously breached its duty. But it’s not that simple: the court is going to look at the facts and decide what a reasonable company should have done, before deciding whether Equifax lived up to those requirements.
That decision will be very wide-reaching, because setting the bar for what a reasonable company should have done will not just apply to Equifax alone, but will lay the foundations for the tech and cloud computing industries generally. Any decision in this case could set the stage for companies across the USA to determine the steps they ought to be taking to protect user data.
In order to come to a proper conclusion about this case, it’s going to be necessary to understand the realities of the industry properly. The court’s technical understanding is going to depend heavily on the evidence the parties put forward, and the stories they tell. But cybersecurity is complicated. Usually in this context tech is often explained to the court using analogies with ordinary things, to make understanding easier. Unfortunately, the obvious analogy here is home security, but that just isn’t up to scratch.
The security arms race
Here’s the thing: Data security isn’t the same as ordinary security. In real life, we think of property as being either secure or not secure: if you lock your valuables in a safe at home, they’ll be protected the day you do it and they will stay that way until you take them out. In a year’s time, the safe will be just as hard to crack as it ever was. But cybersecurity is the opposite. It isn’t a lock.
Cybersecurity is an arms race.
Let’s say you create a web service today, and invest some money in getting your systems secure. You use state of the art software and protocols to ensure proper encryption, detect intrusions, and make sure you have automatic alert-and-response procedures in place. Since it’s set up secure, you might think it stays secure. Before long, though, a hacker will discover a hole in those state-of-the-art systems.
Overnight, that state-of-the-art setup changes from being completely secure to being woefully vulnerable. Until the hole is publicly announced, the company has no idea it’s been found. This gives the hacker a choice. If they are ethical (known as white hat), they will alert the software owners to the bug, giving them an opportunity to patch it. Otherwise, a black hat hacker may keep it secret, and exploit it for their own gain. This is what’s known as a Zero-Day exploit: one where you had zero days to react to and fix the problem. Can companies be expected to plan for that?
For Equifax, those are the billion-dollar questions. Early reports suggest that the hack happened through just such an exploit, in a popular open-source framework called Apache Struts. It’s been used for years, and there have only been two recently discovered flaws: one announced in March, and one just days ago on September 4, 2017. We don’t know which of these was used in the Equifax attack in July, but it’s vitally important: is this a case of a server left unpatched, or are we dealing with a zero-day exploit?
Emotions run high
As well as having to understand the technical issues, the court will need to deal the emotional issues unavoidable in cases where so much private personal data is stolen. And the international reaction has certainly been emotional: I mentioned at the top of this article that 143 million people are potentially compromised by the attack. To put those figures in context this breach hits about 45% – nearly half – of the entire US population. Pick a group of 12 normal people (say, an ordinary jury) and half of them are likely to have been hit by the attack personally.
So, there’s a real risk that the stories will be told, and understood, with a mix of technology and emotion. Explaining tech with analogies can be misleading, but emotion makes it much harder to come to a reasoned conclusion.
You be the judge
In this situation, what would be a reasonable obligations? Sure, a server should be patched soon after it comes out. But how soon is reasonable – days, or weeks perhaps? And what if there’s no patch – should a company be liable for a secret, zero-day exploit?