EECS 298 McGeveran-THE DUTY OF DATA SECURITY

103 Minn. L. Rev. 1135
Minnesota Law Review
February, 2019

Article
Data Security

William McGeveran d1

Copyright © 2019 by William McGeveran

THE DUTY OF DATA SECURITY

Introduction 1136
I. Sources of the Duty of Data Security 1141
   A. Traditional Legal Frameworks 1143
      1. Federal Sectoral Regulation 1146
      2. Consumer Protection Law 1148
      3. Data Breach Notification Laws 1152
      4. State Data Security Regulation 1153
   B. Private Ordering Frameworks 1158
      1. Industry Standards 1159
      2. Financial Industry Controls 1164
      3. Professional Certifications 1168
      4. Contractual Duties 1170
II. Content of the Duty of Data Security 1175
   A. Reasonableness and Risk 1176
   B. Systems of Compliance 1180
   C. Architectural Requirements 1188
   D. Worst Practices 1193
III. Assessing the Duty of Data Security 1195
   A. Rooted in Flexible Standards 1195
   B. Adapted from Industry Practices 1200
   C. Calibrated to Risk and Resources 1204
Conclusion 1208

*1136 INTRODUCTION

When Equifax, the credit reporting agency and data broker, revealed that it had suffered a massive breach compromising personal information of 143 million people, the public reaction was understandable outrage. 1 Subsequent news about Equifax's apparent lapse in competence--failure to install a simple software patch that had been available for two months--quite justifiably increased that anger. 2 The question naturally arose: what precautions does the law require of firms like Equifax, who hold personal data about ordinary Americans that can be highly vulnerable to hacking, theft, leaking, or other misuse? What was Equifax's duty of data security?

Some observers suggest that there is no valid answer to such questions. According to them, the law is insufficiently specific, concrete, or uniform, creating "uncertainty among businesses regarding the appropriate standards for data security." 3 Lawyers fighting against Federal Trade Commission (FTC) enforcement actions in data security cases have been particularly vociferous, arguing that there is no way to understand the meaning of "reasonable" data security measures under consumer protection law. *1137 One defendant claimed the FTC could "hold virtually any business in the land liable for violating an unknown (and unknowable) standard." 4 The Chamber of Commerce submitted an amicus curiae brief in another case protesting that the law "gives no advance notice to businesses of what they should do in a rapidly changing technological environment." 5 A major 2018 decision by the Eleventh Circuit in LabMD, Inc. v. FTC partially accepted such contentions. 6

These claims are balderdash. In fact, the numerous sources of a duty of data security sound together in harmony, not cacophony. Both public law and the private sector have converged on a clear understanding of the duty of data security owed by companies like Equifax when they store personal data. Regulated parties are already shaping their data security measures in response. Like most businesses, they try to do so with common sense: they weigh costs and benefits, assess risk, and invest accordingly. 7 For their part, federal and state regulators (including but not limited to the FTC) have endorsed this set of foundational expectations for reasonable and appropriate security precautions. 8 Experts involved in the daily labor of data security certainly recognize these contours of responsible data security, and may even regard them as somewhat obvious. 9 This is the *1138 modern duty of data security. It is every bit as clear as many other legal duties concerning complex topics.

Of course, there are serious issues concerning the enforcement of data security law. The LabMD decision brings to a head a simmering debate about the appropriate scope of the FTC's authority over data security. 10 The law still struggles with the measurement of harm and damages from security failures. 11 Companies systematically underinvest in security, many regulators lack adequate resources to effectively oversee giant corporations' deployment of fast-moving technologies, and there may be a need for more vigorous ongoing monitoring of compliance rather than a reliance on investigations triggered by security failures. 12 Some scholars have even proposed a strict liability standard for data breaches. 13 This Article stands apart from all these important issues, because it focuses on the content of the duty of data security, not the means by which it might be enforced.

*1139 Instead, this Article defines the duty of data security. It examines fourteen different "frameworks" that impose data security obligations on private companies. It demonstrates how these frameworks are clearly converging on a common set of standards for data security in the United States. 14 And finally, it explains why that outcome is both highly familiar in the law and also desirable, notwithstanding objections that law should present cookbook-recipe rules instead of reasonableness