This ruling seems like common sense, something that is sadly rare. And it provides some important takeaways. It means that if you detect a breach and close it before data is actually seen by anyone, you should avoid FTC penalties. And given the respect federal judges tend to give to the opinions of other federal judges, this could have consequences far beyond FTC rulings.
It won’t help with civil lawsuits, though, where anything that a party can allege is fair game so long as a judge doesn’t throw it out. But it will help with administrative headaches.
We need to split security holes into three categories, with their own rules and implications. First are holes that are deliberately opened by a cyberthief, to be used now or at some point in the future. Second are holes that are unintentionally opened by authorized employees or contractors, as in the LabMD case. Third are holes that exist because of an intentional but non-malicious vendor effort (such as creating a back door for maintenance or the use of a default password by a sloppy IT administrator).
Under scenario one (hole opened by bad guy), it’s almost impossible to make a strong argument that data was never at risk. Cyberthieves are good at hiding their tracks and planting misleading clues in activity logs. If you believe a cyberthief has been in your system, you need to assume bad things happened. You can’t successfully argue hypothetical damage in those cases.
Under scenario two (employee accident), a quick response can save the day, as LabMD just discovered.
Under scenario three (vendor’s non-malicious hole), things get complicated. If the FTC or some similar agency wants to argue hypothetical damage, duration and knowledge become key factors. How long did the back door exist on your system? And how long was it there after your team learned of it?
This gets complicated because you could still be in trouble even if these answers are all in your favor. Let’s say that your vendor never told you about this back door and your people didn’t learn of it until bad guys broke in and did serious damage. It feels like you’re blameless, but your people did retain that vendor and install that company’s software. You can — and certainly should — sue that vendor, but that won’t stop your team from getting blamed and sued, too.
But at least Judge Chappell has left you in a better position than you were in before.