Liability and the “Commercially Reasonable” Standard

When new technology introduces new legal questions, it can take a long time for courts to sort matters out, and cybersecurity is no exception to the rule. Cyberattacks that produced major breaches at financial companies in 2008 and 2009 have spawned a series of lawsuits that aim to determine who is liable for losses caused by weak security. Experienced security professionals are watching with interest to see how the courts handle the basic fact that no networked system is "secure". It is particularly interesting when the parties involved rely on compliance with standards as the evidence that systems were reasonably secured, and more interesting still to consider the debate over who determines whether the standards were met.
A case profiled in a recent article in Infosecurity magazine is one of several disputes over whether a financial institution's compliance with the authentication guidance of a standards body such as the Federal Financial Institutions Examination Council (FFIEC) amounts to "commercially reasonable" security. The FFIEC guidance recommends separation of duties across password-protected accounts, along with other layered authentication procedures, to protect large monetary transfers. In spite of those measures, the Zeus trojan and similar attacks have drained accounts at several institutions that claimed to be compliant, and the banks that were breached argue that if they met the commercially reasonable standard, they are not liable for their customers' losses.
The customers who lost their deposits disagree. In a Missouri case, the victim of a cyberheist challenged the value of the FFIEC separation of duties recommendation, since it required nothing stronger than password authentication, and capturing passwords is exactly what the Zeus trojan (among others) is designed to do: a second password-protected account adds no protection once the malware sits on the customer's machine and records both sets of credentials. The bank in that case did not argue that the FFIEC guidance it followed was secure, only that it was "commercially reasonable" and that it therefore had no liability.

For those of us in the US federal IT community, this and other recent court cases are of particular interest because they reflect the broader challenge that the National Institute of Standards and Technology (NIST) Risk Management Framework calls "trust-based authorization" of IT systems. Just as businesses depend on and trust the procedures of the financial institutions that handle their funds, federal agencies that migrate sensitive applications to multi-tenant cloud environments must trust the procedures and processes of the hosting entity and of their neighbors in the cloud. Control becomes indirect, and no standard, whether promulgated by NIST, the FFIEC, or the US Congress, can guarantee that compliance will prevent adverse events. This raises the question: what happens when a "commercially reasonable" standard does not reach the level of "acceptable"?
