Businesses, non-profit organizations and government agencies regularly compile and maintain electronic databases of information about individuals who interact with these institutions. This article presents an analysis of civil liability for failure to safeguard confidential information. It focuses on the situation where a database owner failed to patch a computer security vulnerability which facilitated compromise of sensitive information. In a civil action against a database owner, foreseeability of exploitation of the vulnerability at issue is a key element of the liability analysis. The article provides judicial decision makers with the theoretical basis and a practical methodology to make an informed and rational decision about foreseeability. The main contributions of the article are as follows: (1) A forensic analysis of the law and technology of information security breaches identifies features that make exploitation of a security vulnerability foreseeable; (2) the article proposes a numerical metric of the foreseeability of exploitation of a specific vulnerability. The metric is a function of quantitative proxies of the features identified in (1); and (3) a numerical example illustrates application of the metric to vulnerabilities that have actually been exploited in cyber attacks. The proposed metric is not intended to provide a conclusive resolution of the issue of reasonable foreseeability, but it brings a measure of objectivity to an issue that is often clouded by distortions such as hindsight bias.
Meiring de Villiers,
Reasonable Foreseeability in Information Security Law: A Forensic Analysis,
30 Hastings Comm. & Ent.L.J. 419
Available at: https://repository.uchastings.edu/hastings_comm_ent_law_journal/vol30/iss3/2