Legal Issues in Data Breaches and Confidentiality Violations


The content covers various scenarios related to breach of confidence, liability of businesses in safeguarding data, and legal causes of action in case of data breaches. It discusses real-life analogies and legal principles concerning the mishandling of confidential information, including a case study involving Capital One’s vulnerability to hackers. The importance of maintaining trust and confidentiality in customer relations is emphasized throughout the content.


Uploaded on Nov 21, 2024 | 1 Views



Presentation Transcript


  1. Breach of Confidence Richard Warner, Professor, Chicago-Kent College of Law

  2. Analogy After the breakup with Raquel, Jacob gets engaged to Alice. He gives the love letters he received from Raquel to his best friend Roger for safekeeping, with the understanding that he trusts Roger to make sure Alice will never find them. Unfortunately, Roger carelessly leaves the letters where it is highly likely that Alice will find them, which she does. Jacob complains, "I trusted you, but you might as well have handed the letters to her!" Do you agree with Jacob? (a) Yes (b) No

  3. A Cause of Action? Suppose you allow a business to collect and store data about you on the understanding that it will safeguard the data. But it stores the data in a way that makes it easy for hackers to access it, which they do. Do you, or should you, have a legal cause of action against the business based on their breach of your trust? (a) Yes (b) No

  4. Capital One's Vulnerability Capital One on AWS: the server can copy information from and to a URL. Data ends up on the hackers' website. Hackers gain access through a misconfigured firewall. Hackers tell the server to send data to a URL the hackers control; this is the SSRF (server-side request forgery).

  5. Liable? Should Capital One be liable? (a) Yes, all I need to know is that they left the door open. (b) Only if they were negligent in leaving the door open. (c) Not sure.

  6. California Breach of Confidence (1) Customers conveyed confidential information to Capital One; (2) Capital One knew the information was disclosed in confidence; (3) there was an understanding between Capital One and the customers that the confidence would be maintained; and (4) there was a disclosure or use violating the understanding.

  7. Conditions (1)-(3) Was the information collected as part of a relationship of trust? Privacy policy landing page: "We're in the business of keeping your money and information safe. As a business that relies on trust, protecting your information is just as important to us as protecting your finances." https://www.capitalone.com/privacy/privacy.

  8. Conditions (1)-(3) The privacy policy: "We have an information security program that includes administrative, technical, and physical measures that are designed to protect information within our company." https://www.capitalone.com/privacy/online-privacy-policy/online-privacy-policy. Is this enough to satisfy the confidentiality requirements?

  9. A Disclosure Violating the Understanding? Capital One on AWS: the server can copy information from and to a URL. Data ends up on the hackers' website. Hackers gain access through a misconfigured firewall, which means Capital One left the door open. Hackers tell the server to send data to a URL the hackers control; this is the SSRF.
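Slides 4 and 9 describe a server feature that copies data from and to a caller-supplied URL, which the hackers pointed at a URL they controlled. The check below is an added example, not code from the presentation or from Capital One: it shows the kind of destination validation such a feature needs before it fetches or sends anything. The hostnames, allowlist and DNS answers are constructed so the example runs offline.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed: the only hosts the "copy from/to a URL" feature may contact.
ALLOWED_HOSTS = {"files.example.com", "backup.example.com"}

# Address ranges that must never be the destination of a server-side fetch:
# RFC 1918 private, loopback, link-local (where cloud instance metadata
# endpoints live), carrier-grade NAT, and their IPv6 counterparts.
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "100.64.0.0/10", "0.0.0.0/8",
    "::1/128", "fc00::/7", "fe80::/10",
)]

# Constructed DNS answers so the example runs offline; a real deployment
# would resolve with socket.getaddrinfo and check every returned address.
FAKE_DNS = {
    "files.example.com": "203.0.113.10",
    "backup.example.com": "198.51.100.20",
    "attacker.example.net": "192.0.2.99",
    "internal.example.com": "10.0.0.5",
}

def resolve(host: str) -> str:
    """Hypothetical resolver: map known names, pass literal IPs through."""
    return FAKE_DNS.get(host, host)

def is_safe_destination(url, allowed=ALLOWED_HOSTS, resolver=resolve):
    """Return (ok, reason) for a URL the server has been asked to copy
    data from or to. The allowlist alone stops exfiltration to a
    hacker-controlled URL; the address-range check stops the same feature
    from being turned against internal hosts even via an allowlisted name."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return False, "no host in URL"
    if host not in allowed:
        return False, f"host {host!r} not on allowlist"
    try:
        ip = ipaddress.ip_address(resolver(host))
    except ValueError:
        return False, f"could not resolve {host!r}"
    if any(ip in net for net in BLOCKED_NETS):
        return False, f"{host!r} resolves to blocked address {ip}"
    return True, "ok"
```

A real fetcher must repeat this check on every redirect target, since a permitted host can redirect to a forbidden one.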

  10. Is It A Disclosure? Compare this: Suppose Capital One gave information to a political party in violation of the understanding to keep it confidential. This is a positive act of disclosure. In the actual case, Capital One misconfigured a firewall in a way that hackers could exploit to gain unauthorized access. Is this enough for a positive act of disclosure?

  11. An Argument Against Breach of confidence is a form of strict liability. Strict liability = if you breach confidence, then you are liable. Think of it as "You break it, you bought it": there is no "I acted reasonably" defense. No "I broke it but am not liable because I was acting reasonably." Classic examples: wild animals and explosives. Also: reservoirs. A good idea in data breach cases?

  12. A Massive Amount of Liability One likely result is that many businesses and organizations would face breach of confidence liability. The Identity Theft Resource Center reports that in 2022 there were 1806 incidents of unauthorized access to information involving 422,143,312 victims. To the extent those incidents involve trusting relationships and inadequate security, the breached businesses would arguably be liable for breach of confidence.

  13. Would We Get What We Want? [Chart: cost of defense plotted against expected loss with defense. Regions labelled: overinvestment (wastes time, effort, money), adequate security, underinvestment (inadequate security).]

  14. Overinvestment Likely A business will be liable even if it takes all reasonable steps to secure its network. So, it is likely to spend more than it would if it just took the reasonable steps.

  15. Liable? Should Capital One be liable? (a) Yes, all I need to know is that they left the door open. (b) Only if they were negligent in leaving the door open. (c) Not sure.

  16. Narrow Application The tort of breach of confidence has had a more robust development in the United Kingdom than in the United States. Neil M. Richards and Daniel J. Solove, "Privacy's Other Path: Recovering the Law of Confidentiality," Georgetown Law Journal 96, no. 1 (2007-2008): 123-82. In the United States, the tort applies only to a limited set of relationships, with most cases involving the patient-physician relationship. Richards and Solove, 158. Warren v. DSG is a King's Bench case that limits the application of the tort.

  17. Warren v. DSG (2021) Attackers infiltrated DSG's systems and installed malware which was running on 5,930 point-of-sale terminals at the stores. In the course of the attack, the attackers accessed the personal data of many of DSG's customers. Warren claimed his data was compromised: his name, address, phone number, date of birth and email address.

  18. The Breach of Confidence Claim When Roger negligently left the letters where Alice would likely find them, we imagined Jacob complaining, "I trusted you, but you might as well have handed the letters to her!" Warren makes a similar claim: namely, that DSG's failure to implement basic security measures to protect his information meant that there was in effect publication to the third-party hacker. Can a failure to secure information be tantamount to disclosing it?

  19. How Many Wrongs? Are there two wrongs? A negligent failure to adequately secure information, and a disclosure to third parties that amounts to a violation of trust? The court finds only a failure to secure information.

  20. The Court's Position There is a distinction between (1) an equitable duty of confidentiality and (2) a duty to take care to prevent confidential information or documents from falling into the hands of someone else. (1) is an obligation of conscience, which requires not misusing the information. It is violated only by an affirmative act of misuse. (2) is breached by a failure to take reasonable steps to prevent unauthorized access, the failure alleged here.

  21. Is the court right? Or is there both a legally actionable failure to secure data and a legally actionable violation of trust?

  22. The Love Letters Recall Jacob's complaint to Roger: "I trusted you, but you might as well have handed the letters to her!" That complaint makes sense as long as one imagines Roger stored the letters negligently, but imagine he took every reasonable precaution to hide the letters well. Then Jacob cannot plausibly complain that Roger might as well have handed the letters to Alice. Is the same true in Warren?

  23. DSG Assume DSG took every reasonable step to secure the information. There would appear to be no ground for claiming that DSG breached its customers' trust. So why not say, as the Warren court does, that the legally actionable wrong DSG commits is just inadequately securing the data? And that a breach of confidence requires something different, namely, an affirmative act of disclosure or misuse?
