
Security, Compliance & Awareness

Hacking Horror of the Month - Hacking Victims Sued?

Two hacking horrors this month – both illustrating the legal strife that organizations can land in if they are unfortunate enough to be the victims of hacking or similar incidents.

One might think that being hacked is bad enough – but to then be sued by an aggrieved third party because you “allowed” yourself to be hacked – well, that would fall into the category of a very bad day at the office...

At the outset, let’s deal with one issue.  These cases are both happening in the USA.  But, the underlying principles being applied are as much a part of the Australian legal system as of the US system.  So there is no reason to believe that it would not happen here – particularly as Australian society is routinely described as becoming more litigious by the day.

The first case relates to the theft of a laptop that belonged to a financial analyst who worked for a financial services company specialising in providing loans to students.  Not surprisingly given the nature of the analyst’s work, the stolen laptop contained a database with personal information about the loan company’s customers.  It came to light that the data on the stolen laptop was not encrypted, and that therefore any hacker with basic skills could break the logon credentials (using password cracking tools) and access the unencrypted data on the machine.

The laptop was never recovered, but the loan company did the right thing and notified all its customers and advised them to place an alert on their credit bureau files.

One customer decided that they were sufficiently unhappy about the prospect of their personal financial information falling into the wrong hands that they would sue the loan provider.  The essence of their claim was that the loan provider had been negligent in failing to ensure, as a matter of policy, that sensitive data on mobile devices such as laptops should be encrypted.  (Obviously, if encryption had been used, the risk of identity theft and fraud flowing from the theft of the laptop would have been reduced almost to zero).

The judge found in favour of the loan company, saying that whilst the company had a legal obligation to take reasonable measures to protect the security and confidentiality of personal information, this did not extend to having in place a policy requiring encryption of data on mobile computing devices.  The judge acknowledged that the loan provider did have a written security policy in place (albeit the policy did not cover encryption) and had taken other safeguards to protect against unauthorised accessing of its data – and that these steps meant that the company had satisfied the test of taking reasonable care.  (If the company had not had a written set of policies and been able to produce evidence that it had taken a number of measures to make itself reasonably secure, it is fairly clear that the case would have gone against the company).

Many commentators in the information security field have expressed some surprise at the way the verdict went, arguing that encrypting data on mobile computing devices is such a basic step that it is difficult to see how a failure to do so could not amount to negligence.

However, the point the case does illustrate well is that most applicable law in this field (whether it is statute law or common law) involves a test of “reasonableness”: provided you took reasonable care then you will be OK – you do not have to take “Fort Knox” levels of care.  What is “reasonable”?  Well, that’s a question for another day – but having a written set of policies in place is clearly a good start.

The second case is (at this time) still unresolved, so we do not know which way it will pan out.  But briefly, what happened was this.  A small not-for-profit organisation called HealthInsight was the victim of hackers who managed to take over its telecommunications infrastructure and make US$25,500 of unauthorised calls.

The telephone service provider AT&T is demanding that HealthInsight pay for all these calls made by the hackers (AT&T fully accept that they were unauthorised calls made by a person or persons unknown who had wrongfully broken into HealthInsight’s systems).  HealthInsight are basically saying “no – we are not responsible for calls made by hackers who broke into our systems”.

AT&T decided to go to court in an attempt to get HealthInsight to pay up.  Their argument is that HealthInsight were negligent in failing to take reasonable safeguards to prevent hackers from breaking in.  HealthInsight maintain that they did take reasonable safeguards, but that the hackers got in anyway.

Again, it looks like the case will turn on the question of whether HealthInsight took reasonable care.  We’ll watch this story unfold with interest...

InfoAware

InfoAware is our training solution for User Awareness, IT Staff Awareness and Information Governance.  Covering all the relevant topics required by international standards such as ISO 17799, it comprises a multimedia Video/DVD and Learning Management System. 

InfoAware is easy to deploy over the Intranet and can be used for induction and refresher training courses.  InfoAware takes users through a multiple-choice question and answer session on each topic and allows organisations to deploy additional training material and policy documents to all staff.

More details can be found at www.infoaware.com

Contact

Safecoms has operations in the UK and Australia, with representatives in the USA, Asia and the West of Scotland.

If you would like someone from Safecoms to contact you please email us at info@safecoms.co.uk