Court Rules that LifeLock Violates California’s Unfair Competition Laws

A federal district court in California has granted partial summary judgment in Experian Information Services, Inc. v. Lifelock, Inc., holding that LifeLock violates the state’s Unfair Competition Law.

LifeLock—infamous for its TV ads in which the founder puts his Social Security Number on the side of trucks—exploits an opportunity in fraud protection law. 15 U.S.C. § 1681c-1 allows “a consumer, or an individual acting on behalf of or as a personal representative of a consumer” to put a free ninety-day fraud alert on her credit file. This “initial” fraud alert requires the consumer to claim “a suspicion that [she] has been or is about to become a victim of fraud or related crime.” The law also allows for an “extended” alert, which lasts for seven years, but requires that the consumer have suffered actual fraud. What LifeLock does is place and renew initial fraud alerts every ninety days on behalf of customers, creating a sort of permanent initial fraud alert.

Experian doesn’t like that, partly because it has to expend resources processing all those repeating fraud alerts. So it sued LifeLock, claiming unfair competition, among a host of other complaints. The court agreed.

Its reasoning, in a nutshell, was this: the credit freeze law only allows fraud alerts to be placed by the consumer or an individual acting on her behalf. According to the legislative history of § 1681c-1, the word “individual” was specifically chosen over “person” so that individuals such as family members, attorneys, and guardians could place fraud alerts, but not companies (which are legally considered to be “people”). The court found that language to show a public policy against companies placing fraud alerts. Because the “unfair” business practices prohibited by California’s Unfair Competition Law include not only illegal practices, but also those contrary to public policy, the court found LifeLock’s placement of initial fraud alerts on behalf of individuals to be an unfair business practice, and thus illegal.

What’s interesting about this ruling—other than its implications for LifeLock—is that it reached its result without ever considering whether permanent initial fraud alerts themselves are contrary to the statute. It only says that organizations cannot place fraud alerts. But what about the practice of continually renewing an “initial” fraud alert so that it’s essentially permanent? The statute seems to contemplate specific remedies under specific situations: if you think you might be at risk of fraud, you get a ninety-day alert that puts some restrictions on anyone who pulls your credit report. If you have been the victim of fraud, you get a seven-year alert with stricter restrictions. Arguably, if Congress had intended to allow for a permanent fraud alert, it would have provided for one. This ruling doesn’t address that issue.

This doesn’t seem to slam the door on all permanent initial fraud alerts. An individual consumer could always call all three credit reporting agencies every ninety days to place the fraud alert herself. She could also have an attorney, acting as her personal representative, do it for her. What this ruling says is that organizations can’t place fraud alerts: only individuals. It also effectively outlaws LifeLock’s business in California—or will, once the appeals are exhausted.

Published on May 30, 2009 at 11:22 pm

IT Consulting Firm Sued for Certifying CardSystems as CISP Compliant

There’s a new variety of post-breach lawsuit. We’ve seen consumers sue merchants, banks sue merchants, and banks sue banks. Now, a bank has sued an IT consulting firm for certifying CardSystems as CISP compliant. Professional malpractice suits are nothing new in medicine or law practice, but we have not yet seen many security consultants sued for malpractice. That may change as standards and certification become more important.

CardSystems was a payment processor that experienced a massive security breach in 2005. Intruders compromised tens of millions of credit card numbers, leading to millions of dollars in fraudulent charges. In the wake of the breach, banks canceled and re-issued thousands of credit cards. Mastercard and Visa terminated their contracts with CardSystems, and CardSystems eventually filed for bankruptcy. It was the first example of a data breach killing a major company.

Merrick Bank is an acquiring bank, which means that it contracts with merchants to handle their credit card sales. Merrick used CardSystems to process those payments. Because the card association operating agreements make acquiring banks reimburse losses created by card processors, Merrick paid about $16 million to the associations after the CardSystems breach.

But Merrick does not just blame CardSystems for the breach. It also blames Savvis, the IT consulting firm that certified CardSystems’s compliance with Visa’s Cardholder Information Security Program (CISP). In May 2008, Merrick sued Savvis for negligence and negligent misrepresentation in certifying CardSystems as CISP compliant. Last week, the federal district court in Missouri transferred the case to Arizona and joined it with some similar cases, which is why a year-old case is being reported as if it were new.

New or not, the lawsuit is another example of an unfortunate tendency to equate compliance with security. I blogged before about a PCI DSS trainer who said that no one who was PCI DSS compliant had ever been breached—implying, if not directly stating, that PCI DSS compliance creates perfect security. Unfortunately, that seems to be the official line: Robert Russo, Director of the Payment Card Industry Data Security Standards Council, said much the same thing in Congressional testimony in March (p. 8: “[No] entity that has been subject to a data breach . . . was also in full compliance with the PCI DSS at the time of the breach”). Calling something a magic cure-all is a sure sign of snake oil; the PCI Council would do well to stop selling PCI DSS as a magic elixir.

Security assessment malpractice suits could have a long-term effect on the way assessments are conducted. Version 1.1 of PCI DSS started allowing compensating controls that permit compliance even when some requirements are not met. An assessor that requires strict adherence to PCI DSS requirements, with no allowance for compensating controls, can always point to those requirements when faced with a negligence claim. But when an assessor certifies compliance using compensating controls, it exercises more independent judgment, creating room for a negligence claim. The result could be less use of compensating controls.

There could also be some positive effects. Compliance requirements without liability for assessors make it too tempting for both parties to rush through the process. Sloppy consultants will assess as quickly as possible then hop to the next paying assessment. Some clients, more interested in the certification than security, will shop for the lowest-priced certification they can find. Not all assessments are like that, but security certifications make them more likely. Malpractice liability gives the consultant something to think about other than how quickly he can get paid for calling someone secure. But even security consultants who do things right need to be careful about how they structure engagement contracts, because these lawsuits will probably become more common.

One lesson for security consultants, and especially PCI assessors, is to be careful with engagement contracts. Savvis is not being sued by a client, but by a customer of a client—someone with whom Savvis had no contractual relationship. A limitation of liability and disclaimer of warranty have no force against someone who is not a party to the contract. A consulting firm would therefore want an indemnification clause in its contract, which would require the client to protect the consultant against anyone else in a claim arising from the engagement. But indemnification clauses aren’t always possible, and the client probably wants the assessor to indemnify it.

Of course, the risks are lower if the negligence claims fail. Negligence cases against processors and merchants have not fared well overall; it would seem even harder to recover against an assessor who certified a breached organization. The assessor could always raise the “Richard Russo defense” by blaming the breached organization for post-assessment changes. The basic negligence case is also harder: the plaintiff would have to show not only that the breached organization was negligent, but that the assessor knew or should have known that the breached organization was non-compliant at the time of the assessment, and that certification of the organization rose to the level of negligence. Proximate cause is probably harder to show, because the causality chain is the breached organization’s chain plus whatever was wrong with the assessment. Apportionment of fault could also be an issue: how much fault lies with the assessor for certifying compliance, and how much lies with the company for being non-compliant? The answer would be fact-specific, but the issues suggest that a case against an assessor would not be an easy win.

Issues like these are probably why PCI DSS assessors must carry cyber-risk and privacy liability insurance (QSA Validation Requirements v.1.1a, p. 40). The more people think that certification is all there is to security, the more the firms who provide those certifications will have to deal with lawsuits like these.

Published on May 27, 2009 at 7:07 pm

Minnesota and Online Gambling

Minnesota’s Department of Public Safety has sent letters to eleven large ISPs, instructing them to block about 200 online gambling sites. The DPS’s requests are problematic on a number of fronts.

First, the DPS relies on 18 U.S.C. § 1084(d) for its authority. That section gives law enforcement the ability to have phone companies disconnect services used for illegal gambling. The actual language is more complicated than that, of course: there’s a notice requirement before take-down, the alleged gambling operation can still fight the order in court, and it applies not just to phone companies but to any common carrier. And there’s the first problem: ISPs aren’t common carriers. Things might be simpler if they were—the whole “net neutrality” debate would be mostly moot, for starters. But they aren’t. By its plain language, § 1084(d) doesn’t apply to them.

Even if it did apply, there’s another textual problem. The statute says the common carrier must “discontinue or refuse, the leasing, furnishing, or maintaining” of the facility it provides. In short, the common carrier can disconnect its customer. But none of the 200 online gambling sites are likely to be located in the U.S., much less on the ISPs’ networks, so they can’t just disconnect them. That’s why the DPS wants the ISPs to block the sites. But the statute the DPS relies on doesn’t authorize blocking, only disconnection.

One could argue that blocking is merely a less disruptive form of disconnection, but I think that argument should fail. A disconnection order presents straightforward questions of jurisdiction (i.e., is the customer someone the state can tell the common carrier to disconnect?), but those questions are more complicated when blocking sites that aren’t in the country. Because blocking is done by IP address, it’s likely to harm innocent web sites that share the same infrastructure; that’s less of a risk with disconnection. Finally, blocking, unlike disconnection, does not require any relationship between the ISPs and the blocked addresses. A disconnected customer knows he’s been disconnected (even without the notice requirement), and knows who to complain to (and, if necessary, sue for reconnection). If eleven ISPs block a website, the website owner would have to persuade or sue all eleven of them to get them to stop. In short, the mechanics and impact of blocking are quite different from disconnection, and shouldn’t be covered under the same term.
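The collateral-damage point above (an IP-address block hits every site that shares the address, where a disconnection hits only the carrier’s own customer) can be checked before an order is carried out. The script below is an added example, not part of the original post and not anything the Minnesota DPS or the ISPs published; the hostnames and addresses are constructed (`.test` names, documentation address ranges) and stand in for a resolver lookup. It takes a list of target hostnames, finds the addresses an IP-level block would have to cover, and lists every other hostname that resolves into the blocked range, optionally widened to a route prefix the way a router-level block often is.

```python
"""Estimate the collateral damage of an IP-address block order.

Added example. DNS_RECORDS is a constructed stand-in for resolver output:
a shared-hosting layout in which unrelated sites sit on the same addresses.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed records (hostname -> resolved addresses); none of these are real sites.
DNS_RECORDS = {
    "casino-example.test":  ["203.0.113.10", "203.0.113.11"],
    "poker-example.test":   ["203.0.113.10"],
    "bakery-example.test":  ["203.0.113.10"],   # innocent site on a shared address
    "school-example.test":  ["203.0.113.11"],   # innocent site on a shared address
    "news-example.test":    ["198.51.100.5"],
    "dentist-example.test": ["198.51.100.6"],
}


def reverse_index(records):
    """Map each address to the set of hostnames that resolve to it."""
    index = defaultdict(set)
    for host, addrs in records.items():
        for addr in addrs:
            index[ip_address(addr)].add(host)
    return index


def addresses_for(records, targets):
    """Addresses an IP-level block of `targets` would have to cover."""
    return {ip_address(a) for host in targets for a in records[host]}


def collateral(records, targets, prefix_len=32):
    """Hostnames outside `targets` that the block would also cut off.

    prefix_len=32 models an exact-address block; a smaller value models a
    block applied to the whole route (e.g. /24) that contains the address.
    Returns {blocked_network_str: sorted list of non-target hostnames}.
    """
    index = reverse_index(records)
    target_set = set(targets)
    nets = {
        ip_network(f"{addr}/{prefix_len}", strict=False)
        for addr in addresses_for(records, targets)
    }
    damage = {}
    for net in sorted(nets):
        victims = set()
        for addr, hosts in index.items():
            if addr in net:
                victims |= hosts - target_set
        if victims:
            damage[str(net)] = sorted(victims)
    return damage


def report(records, targets, prefix_len=32):
    """Human-readable summary of what a block order would take down."""
    lines = [f"Block of {len(targets)} target(s) at /{prefix_len}:"]
    damage = collateral(records, targets, prefix_len)
    if not damage:
        lines.append("  no collateral hostnames")
    for net, hosts in damage.items():
        lines.append(f"  {net}: also blocks {', '.join(hosts)}")
    return "\n".join(lines)


if __name__ == "__main__":
    targets = ["casino-example.test", "poker-example.test"]
    print(report(DNS_RECORDS, targets))             # exact-address block
    print(report(DNS_RECORDS, targets, prefix_len=24))  # route-level block
```

With the constructed data, an exact-address block of the two target sites also takes down the bakery and school sites; widening the block to the /24 route merges those into a single blocked range. Run against real resolver output, the same check gives an ISP a concrete list of third parties a block order would affect, which is the information a disconnection order never needs because the customer being disconnected is known in advance.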

The Minnesota request looks clumsy compared to the New York Attorney General’s similar efforts to have ISPs block child pornography sites. The New York AG wisely tried to avoid problems with state restriction of speech by asking ISPs to block sites voluntarily, with only the subtlest hint that things would not be so pleasant if ISPs refused. But Minnesota came right out and said it: “we are the state, and we’re telling you to do this.” So there’s no question that it’s state action; now the only question is whether it’s unconstitutional. Why would the state do that, when some ISPs have shown that they’re willing to block sites voluntarily?

New York’s AG also made another smart choice: it picked on child pornography, not online gambling. You won’t find many people to defend child pornography, but online gambling has lots of proponents, including the Interactive Media Entertainment & Gaming Association, who just got a new pet cause, and Congressman Barney Frank, who will be introducing legislation to repeal the current three-year ban on online gambling. By targeting gambling, Minnesota ensured that the blocking won’t happen without a fight.

Minnesota seems to be rushing into a battlefield already strewn with the bodies of other would-be blockers. Kentucky’s attempt to take over online gambling domain names was blocked (it’s appealing the decision). In 2002, Pennsylvania tried to force ISPs to block sites with child porn, but that law was struck down as unconstitutional. Interestingly, a remnant of an early failed attempt to regulate Internet speech—the Communications Decency Act—shields ISPs from being held liable for content carried over their networks. With so many failed attempts in the past, it’s no wonder Minnesota had to look to a novel theory of law.

Still, I think the state would have had much less trouble—and as much or more success—if it had followed New York’s lead and just asked nicely.

Update, 5/5/09: I got confused on my voluntary ISP agreements. Qwest’s agreement was with the National Center on Missing and Exploited Children; New York’s Attorney General doesn’t seem to have been involved. New York convinced several ISPs to voluntarily remove some Usenet newsgroup hierarchies, which is a different matter entirely.

Published on May 1, 2009 at 11:38 am