Credit: Davidlohr Bueso, CC BY 2.0, via Wikimedia Commons
Enterprise security is a frustrating game, because IT winning 99.9% of the time isn’t enough. One lucky cyberthief or one careless employee — something completely beyond your control — can cause a data breach, a failure that will stay on your résumé forever. But a small dose of sanity emerged on Nov. 13 when a federal judge ruled that a data breach needs to have actual victims, not merely hypothetical ones.
The ruling, by D. Michael Chappell, the chief administrative law judge for the U.S. Federal Trade Commission (FTC), threw out an FTC complaint against a cancer research lab called LabMD. The matter involved a LabMD employee who violated company policies and downloaded P2P software, inadvertently exposing sensitive patient information on a file-sharing network. The breach, however, was detected and shut down before anyone on the outside saw that information, and no one ever accessed the sensitive data.
This case gets as close as any to the famed philosophy question, “If a tree falls in the forest and no one is around to hear it, does it make a sound?” Is it really a data breach if no unauthorized person ever sees or accesses the protected data?
It’s not that easy a question. Let’s say you’re in charge of building operations/facilities management and one of your security guards is supposed to make sure that every door in the building is locked as of a certain time at night. You check one night and find the door to your CEO’s office unlocked. You then establish that the security guard simply forgot. Should the guard be disciplined, perhaps even fired? Does it make a difference if no one actually entered the CEO’s office during the breach? For many people, the fact that someone could have strolled into the CEO’s office quite easily is reason enough to come down hard on the security guard.
“The burden was on Complaint Counsel to prove, initially, that Respondent’s alleged failure to employ ‘reasonable and appropriate’ data security ‘caused, or is likely to cause, substantial injury to consumers,’ as alleged in the Complaint,” the judge wrote in his decision. “The evidence presented in this case fails to prove these allegations. There is no evidence that any consumer has suffered any substantial injury as a result of Respondent’s alleged conduct, and both the quality and quantity of Complaint Counsel’s evidence submitted to prove that such injury is, nevertheless, ‘likely’ is unpersuasive.”
The judge also knocked down an FTC argument that the employee’s P2P mishap meant that a future data breach was likely. “The theory that there is a likelihood of substantial injury for all consumers whose information is maintained on Respondent’s computer networks because there is a ‘risk’ of a future data breach is without merit because the evidence presented fails to demonstrate a likelihood that Respondent’s computer network will be breached in the future and cause substantial consumer injury. While there may be proof of possible consumer harm, the evidence fails to demonstrate probable, i.e., likely, substantial consumer injury.”