It’s happened again: there has been another major breach of IT security systems. 230 million people have had to change their eBay passwords – and they’re not happy.
Apart from wondering where to levy the blame and how to overcome this PR disaster, is there more that eBay needs to consider, and are there wider implications for the wider e-commerce and IT industries? In a word: yes.
Data Protection ‘Remedies’ and Limitations
Data protection law, as we all know, says that anyone with data about living individuals is deemed to be the ‘controller of that data’ and must have proper safeguards of that data and deal with it in particular ways. The regulator charged with policing data protection law is supposed to clamp down hard on breaches of the law. In the UK the Information Commissioner’s Office is the independent regulator supposed to uphold data rights in the public interest and supposed to handle complaints and take any necessary enforcement action.
European data law contains eight principles that a data controller must abide by. The seventh data protection principle requires organisations to have in place ‘appropriate technical and organisational measures’ to guard against hacking and other unauthorised or unlawful processing of personal data. Being a piece of legislation of a very ‘European style’ this is never black and white; and whether or not security is appropriate will always depend on the nature of the data being controlled and the nature and extent of harm that might result from its improper use or failure to safeguard it.
However, given the amount of personal data controlled by eBay and given the vast size, resources and pedigree of eBay, it would be extremely surprising if the ICO, after an investigation, did not conclude that eBay has fallen foul of an obligation to be using the latest-greatest-fastest-best data security systems available for the commercial world.
There are several restrictions on an individual using the existing law against a breaching organisation. The first restriction is that the individual has no real route to redress when something happens, as in the eBay case. It is for the ICO to decide to do (or not to do) something about it. In the eBay case, the Information Commissioner announced shortly after the theft became public that he would co-ordinate with other jurisdictions when considering a global internet company like eBay. He announced that, as eBay is a US company, the US Federal Trade Commission will launch an investigation there; and in Europe, the Luxembourg data protection authority will take the lead in an investigation (because eBay’s European headquarters are in Luxembourg). This does not necessarily help any of the 14 million UK customers affected, although the Information Commissioner could still take action here if he chooses to do so.
The second restriction is that the powers of sanction given by law to the Information Commissioner are relatively puny (although a lot stronger than they used to be). He can issue fines of up to £500,000 if the law is found to have been breached – although the costs of such a fine will inevitably get passed back to the customers who use the online service. In any case, though a fortune to an individual, a £500,000 fine is relatively insignificant to a multi-million dollar operation. The better disincentive is always going to be the reputational damage to an offending organisation; although even this can be blunted by a good PR campaign, and by the harsh reality that (taking the eBay case as an example) if a consumer wants to buy goods cheaply at online auction, where else is there to go? Many online services have no real competitors. There is the additional practical issue that fines of that maximum magnitude (ie £500,000) are rare to the point of non-existence. By way of example, even when a data theft happened at Sony last year, Sony was fined only £250,000 for not installing up-to-date security software which was found to have led to the hacking of personal data of millions of customers (including passwords and card details).
The third restriction is that although the eBay hack happened several months ago, it only became public in May 2014. Although the ICO’s guidance says that, in cases of serious data breach, the organisation affected should contact the ICO, the law itself imposes no duty to do so. And so everyone can be (and frequently is) kept in the dark and, if something comes to light, it is often very late, and sometimes considerably after any compromise of security.
Recent Failures and Real People
Organisations holding data, even huge behemoths able to weather reputational storms and large fines, should not be eased into a false sense of security. Service users are getting increasingly frustrated with their information being compromised, and not unreasonably.
Not long ago there was the Heartbleed bug. Websites which used the prevalent – but compromised – open source OpenSSL software, including many popular web sites such as Facebook, Instagram and Pinterest, told everyone to change their passwords – which they all did. Then very recently, there was the report of theft from eBay, where it came out that a few months ago, an internal corporate account at eBay was used to get access to personal details such as dates of birth, phone numbers and addresses – and encrypted passwords. Despite having happened several months earlier, this only came out in late May; and so everyone was told to change their passwords (again).
Given that the average web user now uses over 20 web services, access to which is protected by passwords – such as LinkedIn, Twitter, banking online services, PayPal, Facebook, and so on – this means that many people are ever more frequently being put to major inconvenience and risk when passwords are compromised.
Due to the number of online services that most people use, despite all the exhortations of best practice to the contrary, people are people and they adopt behaviours which make their lives easier and more manageable. Increasingly, many people use the same password for all their services, despite the fact that everyone knows this should not be done. They do this because it makes for an easier life. However, for these people, a compromise in the security of any one service means all services used are compromised.
Others resort to remembering only one password to a password ‘vault’ or ‘aggregator’ which is a piece of software or a service which keeps lists of all the other passwords for online services used. Often, this breaches the terms of use of many services because the particular password for a service is then recorded somewhere other than in one’s head. Also, if the vault password is compromised, again, all the passwords within it are compromised.
Finally, there are the geeky shmos, such as the writer of this article, who take the time and trouble to come up with strong, individual and different passwords for every online service used (and also tend to read the terms and conditions of each online service used). Being told to change a password because someone – not the user of the service – has compromised the user’s password and having to re-remember a new string of letters and numbers, caps and lower case for a particular service, is something most users do not relish doing. These users are punished for adopting correct security protocols.
Not only that, people should be (and increasingly are) leaving digital instructions in their wills, so that when they die, their list of passwords to online services is available to next of kin, to sort out online banks, Facebook accounts and generally, a life lived increasingly online. Having to change a password means having to update such instructions each time that that security is compromised by a service provider. Yet more inconvenience.
Remedies for Aggrieved Users
That inconvenience is being foisted on more and more customers with increasing frequency – which is not good business.
So if the Information Commissioner does nothing (or even if he does something) what could be done by an aggrieved user of an online service? Leaving data protection aside, which would appear to offer no meaningful individual right of redress, there seem to be two main possible civil causes of action.
The first cause of action is for breach of contract. Anyone using an online service will have a contract with the service provider. Contrary to what most of the population seem to believe, we all know that a contract does not have to be written down to be valid, although in the case of the majority of ‘free’ web services (and almost always for paid services), they are written down. This is the ‘Terms of Use’ that everybody scrolls through and very few bother to read when signing up to use a new online service. However, chances are that those Terms of Use will, if properly drafted, contain a clause about the user’s responsibility to keep the password secure – but nothing about the service provider’s obligations to keep the service secure.
Secondly, even if it can be argued by the aggrieved user that the service provider has an implied duty under the contract to keep the user’s password secure (and it may be argued through the use of legal mechanisms such as the law of implied terms), generally the exclusions and limitations of liability carve out, again, whatever responsibility a good lawyer is able to argue was implied into the contract in the first place. This is particularly the case with US-based services which typically offer their services ‘as is’.
Thirdly, at least in the case of the Heartbleed bug, most online services will argue that the existence of a defect in the open source code used to protect their services was something out of their reasonable control – and therefore excluded from the ambit of the service provider’s responsibility by the usual ‘force majeure’ clause in the Terms of Use. However, this may still allow a breach of contract claim for not taking enough care to protect data which has been stolen (as in the eBay case) or left on a train (as in the case of a certain health authority).
Fourthly, and most fatally for the aggrieved user’s case, even if one could sue for breach of contract, such an exercise is costly in terms of time and money. And to recover anything, anybody suing has to show an actual quantifiable loss linked to the breach and the inconvenience of changing a password is usually not worth very much. While it may be possible to argue that there is some loss in updating documentation annexed to a will (particularly if that annexed paperwork is lodged with a lawyer), this is always likely to be much, much lower than the costs involved in bringing a legal action in the first place. Unless it can be demonstrated that a stolen password has led to a greater loss, it is just not cost-effective or worthwhile for a user to take a service provider to court.
So, in practice, nobody sues for breach of contract.
The second possible cause of action is the tort of negligence – breach of a duty of care (here, owed by a service provider) to those sufficiently proximate to it (here, the users of its online service). However, even if a duty of care could be shown to exist, the second, third and fourth points set out above for breach of contract also apply here. In other words the Terms of Use probably exclude all liability for suing for the tort of negligence and/or that liability is excluded as a force majeure and, anyway, the costs of bringing a legal action in the first place are likely to be far higher than any loss. Also, if claiming purely economic loss, rather than physical loss (as here), the obstacles to a legal claim are even higher.
So, in practice, nobody sues for commission of the tort of negligence by the service provider.
Does that mean all organisations are off the hook? I wouldn’t be so sure. Only very few organisations can weather any reputational damage and can afford to pay huge fines – although fines of a really stinging magnitude are rarely levied. However, this may be about to change. The status of the law and the ambit of the responsibilities of service providers is currently being debated at a European level, with many proposals to strengthen them, particularly in the areas of responsibility for data. The European institutions view the Internet and data very differently to our American cousins. Is the law currently good enough, with respect to liability for ‘making everyone change their passwords – again’? Send in any answers in a passworded document, please. Just don’t count on that password staying safe.
Mark Weston is a Partner at Matthew Arnold & Baldwin and Head of the Commercial/IP/IT Department there.