
CyBOK. Chapter 3. Laws and regulations. Part 6
24.12.2025

Ruslan Rakhmetov, Security Vision


We continue the series of publications devoted to the Cybersecurity Body of Knowledge (CyBOK). Chapter 3 of this body of knowledge describes the main regulatory norms and principles of international law that are relevant to cybersecurity and can be applied when assessing cyber risks, managing information security, and investigating cyber incidents. Today we publish the sixth part of the review of Chapter 3 of CyBOK, which describes the civil offenses that are considered when assessing the risk of being held liable for harm in the field of cybersecurity.


3.7. Civil offense (tort)


A tort is any civil offense other than a breach of contract, and tort liability means civil liability for causing harm. Unlike liability for failing to fulfill the terms of a contract, liability for a civil offense (tort) is not necessarily based on a conscious and voluntary relationship between the person committing the tort (the "tortfeasor") and the person who suffered from it (the "victim"). In this section, the authors of CyBOK describe several common tort doctrines that cybersecurity professionals need to take into account.


3.7.1. Negligence


Most legal systems have a concept of public responsibility of individuals when performing certain actions. If a person fails to fulfill this duty and the failure harms a victim, the victim has the right to file a lawsuit against the offender for financial compensation.


3.7.1.1. The limits of due care


Legal systems indirectly recognize that a person is not accountable to everyone, and that some limits on the scope of responsibility are normal. For example, in the British judicial system, Alice is considered to owe a duty of care to Bob if three conditions are met:

  · Alice and Bob somehow interact with each other in time and space;

  · Alice can foresee that her actions or omissions may cause harm to Bob;

  · Taking into account Alice's actions or omissions, her responsibility to Bob can be considered fair and reasonable in advance.


The foreseeability of damage is often used as a mechanism to limit liability in negligence cases and is usually assessed on the basis of whether the person could have foreseen the damage. At the same time, the offender is not exempt from liability merely because he was unable to assess the consequences of his actions, had no intention of committing an offense, or was unable to predict the damage to potential victims. The duty of care does not depend on the existence of a commercial or contractual relationship between the offender and the victim: for example, motorists must pay due attention to other drivers, motorcyclists, cyclists and pedestrians. Similarly, manufacturers of non-commercial software, for example suppliers of Open Source solutions, must also pay due attention to users who foreseeably rely on the correct operation of this software.


In the context of cybersecurity, the consequences of mistakes are becoming more foreseeable, and when considering such cases, courts are increasingly awarding damages to larger groups of victims. For example:

  · A store that accepts bank cards for payment owes a duty of care to the cardholder, the issuing bank and the acquiring bank when its terminal processes payment data;

  · An e-mail service provider, when ensuring the information security of its mail servers, owes a duty of care to its users and to the recipients of mail sent from this provider;

  · A commercial company that ensures the cybersecurity of its IT and OT infrastructure owes a duty of care to its employees, contractors and suppliers, as well as to any third parties that may be attacked using the compromised infrastructure of this company;

  · When implementing cryptographic protection of network communication protocols, the developer of web server software owes a duty of care to those who will use this software (for example, visitors to online stores, website owners, and cloud providers that run this software);

  · When generating encryption keys and certificates, a certification authority owes a duty of care to the buyers (users) of the issued certificates and to the companies that rely on the trustworthiness of the issued certificates and the cryptographic strength of the keys;

  · A web browser developer, when choosing the root certificates embedded in the browser, owes a duty of care to everyone who uses this browser.


3.7.1.2. Breach of obligations: assessment of validity and reasonableness of behavior


If Alice owes a duty of care to Bob when conducting certain activities, at what point does Alice become a wrongdoer (behaving unreasonably and unjustifiably, i.e. negligently)? As a rule, to answer this question, Alice's actions are evaluated in terms of whether her behavior was objectively justified and reasonable. To assess the validity and reasonableness of a behavior or decision, a cost-benefit test can be used: if the cost of implementing precautionary measures is less than the product of the probability of damage in their absence and the amount of possible damage, then it is a reasonable and justified decision to take these precautions.
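The cost-benefit test described above can be applied to a list of candidate security controls. The following Python script is an added example, not code from the original article or from CyBOK: it encodes the test as stated (a precaution is reasonable when its cost B is less than P × L, the probability of damage in its absence times the amount of possible damage) and ranks several controls by the expected loss they avoid net of their cost. All control names, costs, probabilities and loss figures are constructed sample values, not figures from the article.

```python
"""Cost-benefit test for the reasonableness of a precaution.

Added example, not part of the original article or of CyBOK. A precaution
is treated as reasonable when its cost B is lower than the expected loss it
prevents, P * L, where P is the probability of damage if the precaution is
absent and L is the amount of possible damage. All names and numbers below
are constructed sample values.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Precaution:
    name: str
    cost: float          # B: cost of implementing the precaution
    probability: float   # P: probability of damage if the precaution is absent
    loss: float          # L: amount of possible damage


def expected_loss(p: Precaution) -> float:
    """P * L: the expected damage if the precaution is not taken."""
    if not 0.0 <= p.probability <= 1.0:
        raise ValueError(f"probability out of range for {p.name}: {p.probability}")
    if p.loss < 0 or p.cost < 0:
        raise ValueError(f"cost and loss must be non-negative for {p.name}")
    return p.probability * p.loss


def is_reasonable(p: Precaution) -> bool:
    """The test as stated in the text: taking the precaution is reasonable when B < P * L."""
    return p.cost < expected_loss(p)


def net_benefit(p: Precaution) -> float:
    """Expected loss avoided minus cost; positive exactly when is_reasonable() is True."""
    return expected_loss(p) - p.cost


def rank_precautions(precautions):
    """Return (name, reasonable, net_benefit) rows, most beneficial first."""
    rows = [(p.name, is_reasonable(p), net_benefit(p)) for p in precautions]
    return sorted(rows, key=lambda r: r[2], reverse=True)


# Constructed sample values (hypothetical controls), not figures from the article.
SAMPLE_PRECAUTIONS = [
    Precaution("MFA for remote access", cost=20_000, probability=0.25, loss=600_000),
    Precaution("Offline backups", cost=15_000, probability=0.125, loss=320_000),
    Precaution("Premium WAF tier", cost=90_000, probability=0.03125, loss=320_000),
]

if __name__ == "__main__":
    for name, ok, nb in rank_precautions(SAMPLE_PRECAUTIONS):
        print(f"{name:24s} reasonable={str(ok):5s} net_benefit={nb:>12,.0f}")
```

With the sample values, multi-factor authentication and offline backups pass the test (their cost is well below the expected loss they prevent), while the expensive WAF tier does not: spending 90,000 to avoid an expected loss of 10,000 would not be regarded as a required precaution under this test, although a court may of course weigh other factors as well.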


The concept of reasonable and justified behavior can also be used when evaluating actions or omissions in cybersecurity. The victim can accuse the offender of unreasonable and unjustified behavior (negligence) in the form of a violation of legislation or a failure to comply with technical standards. For example, if Alice gained unauthorized access to Bob's computer and caused damage to it, Bob can claim that Alice was negligent, and the adoption and dissemination of various information security standards can help substantiate this position in court. In addition, the court may take into account obvious evidence of negligence, for example, when a developer who created malware for research purposes allows the resulting virus to spread.


3.7.1.3. The interpretation of "guilt" varies over time and depends on jurisdiction


The concepts of negligence and of reasonable and justified behavior are applied differently in different countries, depend on society, and change over time and with the development of technology. Thus, actions in cyberspace are becoming potentially more dangerous, while mistakes in cyber defense are becoming more foreseeable, better understood, and more accurately provable as computer forensics practices develop.


3.7.2. Strict liability for defective products


In the second half of the 20th century, countries with advanced industrial economies developed rules on strict liability for defective products, where a defect refers to the architecture and design of the product rather than to a specific unit, which may fail because of a production error. Victims of defective products, i.e. those who have suffered damage to health or property, are granted the right to compensation and to legal action against the infringer if his product is not as safe as could be expected in the circumstances. A defect in software or firmware may cause a device to operate unsafely (for example, a cyber-physical system such as wearable electronics, a car, or smart home elements), so these standards of protection for the user of the device may also apply here.


3.7.3. Limitation of liability


If the victim can prove a causal relationship between his damage and the actions of the alleged offender, he will be able to take legal action against him. At the same time, people may behave negligently, irresponsibly and unreasonably, but if such behavior does not harm anyone, no legal liability arises. The offender will be able to avoid liability if he manages to prove that the damage would have occurred regardless of his actions (i.e. there is no actual causal relationship between the actions and the damage). Difficulties arise when there is no direct connection between the actions of the alleged offender and the damage to the victim, for example when there are several intermediate links between the primary action and the final damage, i.e. a chain of consequences (results) of the offender's initial action.


In cybersecurity, it can be quite difficult to prove a direct causal relationship between a cyber incident and the damage caused by it. For example, in the case of a data leak, it will be difficult for a citizen to prove that his personal data, which was later used by fraudsters to harm him, was obtained from this particular leak and not from some other source. A requirement to notify citizens of leaks of their data can help people protect their rights, but even then the victim will still have to prove a direct causal relationship between the leak and the subsequent fraud committed with the data from this leak. At the same time, it may be easier to prove financial damage due to a leak of payment card data, since the leak and an attempt to debit funds from the card without authorization follow each other and are usually close in time.


3.7.4. Scope of responsibility


When considering civil offenses, the scope of responsibility should also be taken into account: different countries have their own approaches to determining what exactly constitutes legally recognized harm caused to the victim, who will have to prove the fairness of the financial assessment of his damage from the actions of the offender. For example, in the case of injury to health, the financial assessment of the damage may include the salary lost during temporary disability, as well as the victim's costs of treatment and rehabilitation, the cost of hospital care and necessary medical equipment, etc. In addition, in some countries a citizen may demand compensation for suffering, pain, stress, moral damage, etc. In the case of a cyber incident, the victim may demand compensation not only for damage to health and private property, but also for economic losses.


It can be difficult for victims to prove legally significant damage. For example, in the case of a violation of privacy (confidentiality of personal data), it will be difficult to assess the financial damage caused to a citizen if the data leak did not directly affect his economic or business interests. For example, if the bank compensated the client for the funds stolen as a result of a payment data leak and also reissued the card free of charge, it will be difficult for the victim of such a leak to prove that any other losses were incurred. In addition, in certain countries the victim may demand a fixed financial compensation for a certain type of damage, even without calculating the losses incurred. In some US states, courts apply the mechanism of "punitive" or "exemplary" damages, in which compensation is collected from the offender in an amount disproportionately greater than the loss suffered by the victims; this practice is used to punish violators who have repeatedly shown negligence or made decisions without taking into account their potentially negative impact on the well-being or health of citizens.


3.7.5. Attribution, allocation and reduction of liability for civil offenses

3.7.5.1. Subsidiary liability


In some cases, the responsibility of the offender may be assigned to another person; in this case the mechanism of subsidiary liability applies. For example, civil liability for an employee's actions may be assigned to the employer, while the employer's arguments that it took precautions, trained the employee, applied candidate screening procedures when hiring, or applied strict labor standards are usually not taken into account by the court.


3.7.5.2. Joint and several liability


If several offenders have caused damage to the victim together, then by court decision they will be jointly and severally liable, i.e. each of the offenders will be obliged to compensate the victim for 100% of the damage. At the same time, the offender who has paid compensation may demand a contribution from the other offenders with whom he is jointly and severally liable; however, if those companies are bankrupt or located in different countries, this may have no effective solution. This feature should be taken into account when choosing partners, contractors and suppliers, especially if they are small companies or are located in foreign jurisdictions.


3.7.5.3. Affirmative defense


Offenders often use an affirmative defense, in which they admit their mistake but claim that the victim's own actions also contributed to the damage; this is called "contributory negligence" or "comparative fault." This approach allows the offender to reduce his level of responsibility or even avoid it completely. In cybersecurity, an affirmative defense such as "consent" or "assumption of risk" can also be used, in which the offender proves that the victim knew about the risks in advance and was aware of the likely negative consequences. Such a mechanism can be used in the provision of information security services that can potentially harm customers; for example, a similar assumption of risk by the customer may be written into a contract for conducting penetration testing. In many countries, it is permitted to refer in court to the level of technological development, which at the time the defects or errors in the software appeared did not allow the developer to anticipate or eliminate them. In addition, it can be argued in court that a defect, error, or vulnerability in the software was caused by the need to comply with legal requirements that affected the architecture, design, and implementation of the product (for example, if the developer was forced to use weak encryption algorithms or was forced to add user data collection functionality).


3.7.6. Conflicts in legislation when considering civil offenses


In the judicial review of civil offenses that affect several jurisdictions, the court decides which country's laws will be applied. For example, in the EU the choice-of-law rules are prescribed in the "Rome II" regulation (Regulation 864/2007), while in the USA each state adopts its own choice-of-law rules. As a rule, courts are guided by one of two principles: either the law of the place where the offense was committed is applied, or the law of the place where the loss was suffered. EU courts may apply the laws of the country in which the damage was caused, in which the victim resides, or in which the defective product was purchased.
