Directors' Digital Fiduciary Duties - IEEE Xplore

Digital Protection Editors: Michael Lesk, [email protected] Martin R. Stytz, [email protected] Roland L. Trope, [email protected]

Directors’ Digital Fiduciary Duties

Roland L. Trope, Trope and Schramm LLP

In this inaugural article of the Digital Protection department, we will explore the potential legal and technical risks inherent in attempts to implement digital protection. Specifically, we will consider how liability might arise for those who have fiduciary responsibility for sensitive information assets, including the emerging trend toward imposing liability where digital protections are severely deficient or digital security has been breached. We also will focus on obstacles created by disparities in the knowledge and expertise of professionals who are responsible for corporate assets and who risk legal liability if their efforts are insufficient or ineffective. We address these disparities to bridge the gap between executive personnel responsible for corporate governance and technical personnel responsible for corporate digital security.

Entrusted data must be safeguarded

Corporate directors must rely on technical personnel to guarantee the integrity of sensitive data on company computers. However, evolving case law suggests that persons entrusted with fiduciary duties must meet high standards regarding an organization’s digital protection systems and the extent to which those systems can reliably protect the integrity of sensitive information assets. The logic of this case law suggests that corporate officers’ and directors’ supervisory responsibilities will extend from safeguarding corporate financial data accuracy to safeguarding the integrity of all stored data. To protect entrusted assets now requires the protection of the computer systems that store records of those assets and provide internal controls for their reporting. The recent cases involved government officials as fiduciaries who failed to remediate discernible deficiencies in digital protection and security of computer systems. Corporate directors, being fiduciaries, should expect to be held to the same standard for their companies’ digital security.

PUBLISHED BY THE IEEE COMPUTER SOCIETY

Accounts the US government cannot balance or reconcile

During the second half of the 19th century, the US government seized land from Native American tribes and allotted it to individual tribal members (to extinguish tribal sovereignty). The Dawes Act of 1887 vested beneficial title of the remaining allotted lands in the federal government as trustee for individual Native Americans.1 Between 1887 and 1934, the government removed approximately 90 million acres from Native American ownership. Subsequent legislation terminated allotment of tribal lands, extended indefinitely the federal government’s trusteeship of such lands, and authorized the US Department of the Interior (hereafter Interior) to manage the lands and related revenues, which would be held and invested for Native American beneficiaries in Individual Indian Money (IIM) accounts.2 The entrusted funds reportedly exceed US$3 billion, and the government pays the beneficiaries over US$500 million annually.3

On 10 June 1996, IIM accounts beneficiaries filed a class action suit against Interior Secretary Gale Norton and other federal officials serving as IIM trustees, alleging multiple breaches of fiduciary duty.1 In 1999, the US District Court found the federal government and its officials derelict in their duties, observing that Interior did not know the precise number of IIM accounts and their proper balances and lacked sufficient records to determine such values.1 The court held that the government owed statutory trust obligations to the IIM beneficiaries (including a duty to account), that Interior had failed to “retrieve and retain all information concerning the IIM trust … necessary to render an accurate accounting”1 and that government performance of its fiduciary duties had been unlawfully withheld and unreasonably delayed. On appeal, the US Circuit Court of Appeals affirmed, noting: “The records upon which the government must rely to fulfill its trust duties are woefully deficient. … Interior … does not have complete or accurate information on the identities or whereabouts of all trust beneficiaries, nor … complete land title records,”2 and “Interior … does not have computer systems in place capable of tracking trust resources and relevant data.”2 The US District Court of Appeals interpreted Interior’s fiduciary duty to require a fair and accurate accounting of all funds held in trust by the US for the benefit of a tribe or an individual Native American and a duty to “maintain and complete existing records … and … to ensure that all aspects of the accounting process are carried out. … [T]his may well include an obligation to develop or obtain computer software capable of tracking and reconciling fund data.”2 The government’s failure to implement a computer system did not breach its fiduciary duty, but evidenced the government’s failure to discharge its fiduciary obligations in a reasonably prompt manner, which did constitute such a breach.

Two months later, in April 2001, the Chief Information Officer of Interior’s Bureau of Indian Affairs (BIA) admitted: “For all practical purposes, we have no security, we have no infrastructure. … Our entire network has no firewalls on it. I don’t like running a network that can be breached by a high school kid.”4

1540-7993/05/$20.00 © 2005 IEEE

IEEE SECURITY & PRIVACY

Judicial scrutiny of digital security

On 14 November 2001, a Special Master (whom the court had appointed in 1999) submitted a report to the court regarding his investigation of the integrity of Interior’s systems, which chronicled Interior’s failure to safeguard and secure IIM trust data. (A Special Master is an official of the US District Court appointed for assigned duties who has authority to regulate proceedings and take appropriate measures to perform those duties fairly and efficiently.)5 The Special Master found “no firewalls, … no … solution for monitoring network activity including … hacking, virus and worm notification …,”6 and recommended “the Court intervene and assume direct oversight of those systems housing Indian trust data … [otherwise] the threat to records crucial to the welfare of hundreds of thousands of IIM beneficiaries will continue unchecked.”6 On 5 December 2001, the court entered a temporary restraining order mandating that Interior “immediately disconnect from the Internet all information technology systems that house or provide access to individual Indian trust data.”7 In response, the government agreed to enter into a consent decree that included a mandate that “Interior shall not reconnect any information technology system to the Internet without the concurrence of the Special Master as herein provided.”8 The draconian nature of this court-ordered remedy makes abundantly plain the gravity of judicial concern for digital protection (as a process) and digital security (as an objective) where assets cannot be adequately safeguarded without safeguarding data.

The Special Master ultimately allowed Interior to reconnect 95 percent of its computers. However, his continuing concern for data protection led him, between March 2002 and July 2003, to direct a security assistance group (SAG) to test Interior’s reconnected computers. SAG’s investigations “identified numerous vulnerabilities exposing individual Indian trust data to uninvited review and manipulation.”9 When SAG conducted penetration tests, Interior’s system administrators made no effort to “restrict, block, or deny access from the source of the attacks,”10 implying that SAG’s penetration activities went undetected. When SAG conducted a Nessus security scanning test (www.nessus.org) on an Interior server, it identified a vulnerability that would “allow remote unauthorized users to grab copies of files from … the server.”11 In response to such disclosures, the government effectively hampered the Special Master’s further efforts to verify the security status of Interior’s computers. In May 2003, the government asked the court to disqualify the Special Master after he learned that an Interior official had “appraised oil and gas easements running across Indian lands for amounts considerably less than the appraised value of identical interests held by non-Indians” and then “destroyed the evidence of his 20-year practice of doing so.”12 Government pressure eventually caused the Special Master to resign, thereby removing from the litigation the person who probably had the best technical (and objective) understanding of Interior’s digital security deficiencies and its efforts to trivialize those it could not disguise.

New department’s mission

This issue of IEEE Security & Privacy inaugurates a new department: Digital Protection. Its mission is to provide an open and responsive forum for discussing the technological, commercial, and legal aspects of protecting valuable digitized property. In the 21st century, we’ll increasingly measure wealth in bits, not bullion. As a result, topics such as digital rights management, software piracy, reverse engineering, intellectual property law, liability management, and trusted computing platforms are increasingly becoming relevant to the general computing profession. This department’s goal is to keep readers abreast of the latest technical developments and informed about the corresponding legal, policy, social, and commercial issues. We welcome reader involvement through contributions and critical feedback.

www.computer.org/security/

The plaintiffs seek digital protections

In response to such developments, plaintiffs filed a motion seeking a preliminary injunction to compel protection of individual Native American trust data. After a hearing, the court issued an opinion, observing that Interior had adopted a “restrictive interpretation of the Consent Decree, namely, that once the Interior Department computer systems have been reconnected to the Internet, no further testing of those systems is either necessary or permissible.”11 This was not the understanding of the Special Master or of the court, which noted that, “It would certainly seem to be irrational to interpret the Consent Order to … mean that, once the computer systems had been reconnected, no procedure would be in place to verify … that the reconnected systems … continue to be secure from unauthorized Internet access.”11 The court placed the highest priority on safeguarding data and ensuring accurate and reliable accounting. (Directors seeking to comply with the Sarbanes–Oxley Act will find the court’s concern instructive, because they and their companies’ officers have legal obligations—under Section 404 of that act—to assess their companies’ internal controls for financial reporting and, therefore, the digital protection that is now an integral part of such controls.) The court made clear the increasing inseparability of assets and the data that represents those assets, and found it essential, in protecting the former: “[to prevent] undetectable unauthorized persons to access, alter, or destroy individual Indian trust data via an Internet connection. The alteration or destruction of any of the trust data would further prevent the beneficiaries of the individual Indian money … from receiving the payments to which they are entitled, in the correct amount. … [and] would … render any accounting of the individual Indian trust inaccurate and imprecise, and therefore inadequate.”11 Plaintiffs proved irreparable harm that justified issuance of a preliminary injunction to prevent the continued operation of Interior’s computer systems that “… have not been demonstrated to be secure from Internet access by unauthorized persons. … Without any evidence that the systems are secure, it would be an act of folly for this Court simply to permit” [such computers] “to remain connected” to the Internet.11 The court concluded that Interior’s system could not guarantee the security of the data in question, and made clear that such integrity must be guaranteed. But such a guarantee might be infeasible, particularly with any computer connected to the Internet. We know of no digital protection that can guarantee invulnerability in software that is inherently vulnerable to hacking or malicious code.

JANUARY/FEBRUARY 2005

On reviewing evidence of Interior’s digital protection system, in March 2004, the court concluded that it could not “conceive of any means by which Interior could be allowed to monitor itself and be solely responsible, without external monitoring, for the security of individual Indian trust data.”5 Without a hearing, the court issued a preliminary injunction that again required disconnection.

Judicial misconceptions of digital security

Interior appealed, asserting the injunction lacked “any legal foundation or factual predicate.”13 On 3 December 2004, the US Circuit Court of Appeals found both contentions “unpersuasive,” recalled “Interior’s past gross computer security failures,” insisted its actions must be judged by “the most exacting fiduciary standards,” and found its officials as trustees had “egregiously breached their fiduciary duties.” However, the court vacated the injunction for procedural reasons, including failure “to hold an evidentiary hearing prior to entering the injunction” and that the US District Court had erroneously relieved the plaintiffs of their burden to demonstrate the “necessity of the IT injunction to safeguard against imminent and irreparable harm.”13 Such a holding clearly misunderstands the Internet and its threats. “Imminent” injury should be provable by showing a severe vulnerability to the Internet, as evidenced by daily security incidents or deficient defenses against Internet threats. The US Circuit Court of Appeals apparently required plaintiffs to demonstrate that a specified malicious code posed an imminent threat to Interior’s computers. Because any such threat could inflict its damage in a matter of minutes, it is unrealistic to require plaintiffs to postpone seeking injunctive relief until such threat materializes. The US Circuit Court of Appeals based its holding on the fact that “there was no evidence that anyone other than the Special Master’s contractor had ‘hacked’ into any Interior computer system housing or accessing IITD [individual Indian trust data].”13 Its logic overlooks the obvious: by the time a hacker made such an attack, it would be too late to protect any data. Moreover, because its intrusion detection systems had failed to detect any of the SAG penetration tests, Interior could not confirm or disconfirm any hacker attack. On remand, the US District Court will be hard pressed to address the misconceptions in the technological expertise reflected in the US Circuit Court of Appeals’ opinion.

Emerging duty for digital security

Significantly, the US Circuit Court of Appeals also held that the US District Court’s “jurisdiction properly extends to security of Interior’s information technology systems … housing or accessing [trust data], because [Interior] … as a fiduciary, is required to maintain and preserve”13 such data. The court further acknowledged that Interior “has current and prospective trust management duties that necessitate maintaining secure IT systems in order to render accurate accountings now and in the future,”13 implying a fiduciary duty for digital protection and security. The US District Court of Appeals thereby suggested a judicial willingness to hold executive personnel responsible for highly technical knowledge where those with fiduciary duties also oversee the implementation and maintenance of digital security. By relying on a deficient digital protection system, such personnel could be at increasing risk of incurring legal liability for breaching a fiduciary duty of care in safeguarding information assets whose digital integrity is essential to safeguarding financial assets. In the case of Interior’s fiduciary duties, safeguarding funds entrusted to its care was impossible without adequate safeguards on the integrity of the account data on which distribution of such funds depended. Thus, the digital asset has become inseparable from the physical asset. And fiduciary law has always imposed a high duty of care on those responsible for safeguarding third-party assets.

For the foreseeable future, malicious code releases will be sufficiently frequent and far-reaching that courts must consider recalibrating requirements for injunctive relief: an imminent security breach should be a rebuttable presumption when digital protections are insufficient or ineffective. As US Federal Trade Commission Commissioner Orson Swindle recently cautioned, “There can be law violations without a known breach of security. … Particularly when explicit promises are made, companies have a legal obligation to take reasonable steps to guard against threats before a compromise occurs.”14 Directors are arguably obligated to take such steps as part of their fiduciary duty to their company, particularly where failure to remediate could cause irreparable damage to financial or other sensitive records that are integral to the protection of the assets they represent. Deficient digital protection requires immediate remediation (arguably the responsibility of those who have a fiduciary duty for protection of the underlying assets). You do not have to see rabbit tracks in your garden to know that you should find and fix the holes in the fence. If a company’s intrusion detection system fails to detect hostile probes, there will not even be any rabbit tracks to find.

Acknowledgment

The views expressed here are solely the author’s and do not reflect official policy or position of the US Department of the Army, US Department of Defense, or US government.

References

1. Cobell v. Babbitt, Fed. Supp. 2d, vol. 91, p. 1, Wash. DC, District Ct., 1999; www.indiantrust.com/_pdfs/99.12.21-memorandum_opinion.pdf.
2. Cobell v. Norton, Fed. Supp. 3d, vol. 240, p. 1081, Wash. DC, Circuit Ct., 2001; http://caselaw.lp.findlaw.com/scripts/getcase.pl?court=dc&navby=case&no=005081A.
3. J. Files, “No. 2 at Interior Dept. Resigns,” New York Times, 8 Dec. 2004, Sec. A, p. 28.
4. K.M. Peters, “Trail of Troubles,” GovExec.com, 1 Apr. 2001, p. 100; www.govexec.com/fpp/fpp01/bureau_of_indian_affairs.htm.
5. US Code, Title 28, Federal Rules of Civil Procedure, Rule 53 (Masters).
6. Report and Recommendation of the Special Master Regarding the Security of Trust Data at the Department of the Interior, 14 Nov. 2001, p. 141, quoted in Cobell v. Norton, Fed. Supp. 2d, vol. 310, p. 77, Wash. DC, District Ct., 2004; www.indiantrust.com/_pdfs/20040315DisconnectITSystems.pdf.
7. Order of US District Court Judge Royce C. Lamberth, Cobell v. Norton, Civil Action Case No. 1:96CV01285, 5 Dec. 2001; www.indiantrust.com/_pdfs/2001.12.05_TRO.pdf.
8. Consent Order Regarding Information Technology Security, 17 Dec. 2001, quoted in Cobell v. Norton, Fed. Supp. 2d, vol. 310, p. 77, Wash. DC, District Ct., 2004; www.indiantrust.com/_pdfs/20040315DisconnectITSystems.pdf.
9. Cobell v. Norton, Fed. Supp. 2d, vol. 310, p. 77, Wash. DC, District Ct., 2004; www.indiantrust.com/_pdfs/20040315DisconnectITSystems.pdf.
10. Security Assistance Group, Internet Assessment of Department of Interior, Bureau of Land Management, 27 Mar. 2003, p. 1, quoted in Cobell v. Norton, Fed. Supp. 2d, vol. 310, p. 77, Wash. DC, District Ct., 2004; www.indiantrust.com/_pdfs/20040315DisconnectITSystems.pdf.
11. Cobell v. Norton, Civil Action Case No. 1:96CV01285, Wash. DC, District Ct., 2003; www.indiantrust.com/_pdfs/20030728MemorandumOpinion.pdf.
12. A.L. Balaran, Special Master’s Letter of Resignation to Judge Royce C. Lamberth, 5 Apr. 2004, p. 2.
13. Cobell v. Norton, Slip Opinion, Wash. DC, Circuit Ct., 2004; www.indiantrust.com/_pdfs/20041203ITSecPIDenied.pdf.
14. O. Swindle, “Cybersecurity and Consumer Data: What’s at Risk for the Consumer?,” prepared statement, US Federal Trade Commission before Commerce, Trade, & Consumer Protection Subcommittee, Committee on Energy and Commerce, US House of Representatives; www.ftc.gov/os/2003/11/031119swindletest.htm.

Roland L. Trope is a partner in the law firm of Trope and Schramm LLP, and an adjunct professor in the Department of Law, US Military Academy. His research interests are cyberlaw, cross-border transactions, defense procurements, export controls, intellectual property, privacy, and management of information security. Trope has a JD from Yale Law School, a BA and an MA in English language and literature from Oxford University, and a BA in political science from the University of Southern California. He is a member of the American Bar Association’s Cyberspace Law Committee, the Association of the Bar of the City of New York’s Information Technology Committee, and coauthor of the treatise Checkpoints in Cyberspace (to be published by the ABA in 2005). Contact him at roland.[email protected].
