Security Laboratory

Leadership Lab: Information Technology and the Law

This series of essays explores the many aspects of technology law relating to computer and information security.

Other Related Articles in Leadership Lab: Information Technology and the Law


Mock Trial as Security Education Exercise


Benjamin Wright, JD

Increasingly, good information security requires good legal techniques. Wise application of legal tools such as contracts can promote security and intelligently allocate risks among enterprise trading partners.

Hence, more than ever before, IT security professionals need to understand how to use and interpret contracts. Although most security professionals are not lawyers, they need to understand how lawyers are taught to think. They need training.

A time-honored exercise for teaching students to think like lawyers is mock trial. A mock trial posits a set of facts that lead to a lawsuit between two parties. Students participating in a mock trial divide into two teams, each assigned to represent one of the parties, i.e., its client. Each team then develops and presents arguments for why its client should win the lawsuit.

Following is the fact pattern for a mock trial in a professional education course that teaches how to use contracts for advancing data security. From this fact pattern, it is not clear which of the two clients should win the lawsuit. But the mock trial process helps students learn to analyze contract language and to think critically about how that language could have been improved at the outset of the relationship between the parties.

Mock Trial Fact Pattern
Big American Hospital signed a data processing agreement with MidEast Service Provider in Israel. Under the agreement, MidEast agreed to process and store healthcare data for Big American. The agreement included these clauses, with Big American being the "Customer" and MidEast being the "Service Provider":

Service Provider warrants that its data processing system (the "System"), when used in accordance with the requirements and procedures specified in the System user documentation, will perform substantially as stated therein. Service Provider does not warrant that the System will meet Customer's requirements or that the operation of the System will be uninterrupted or error-free.

Service Provider will use reasonable precautions, including but not limited to, physical, software and network security measures, employee screening, training and supervision and appropriate agreements with employees, to

a. Prevent anyone other than Customer or its authorized employees from monitoring, using, gaining access to or learning the import of Customer Data; and,
b. Protect appropriate copies of Customer Data from loss, corruption or unauthorized alteration.

THE WARRANTIES AND STANDARDS OF PERFORMANCE SET FORTH ABOVE ARE IN LIEU OF ALL OTHER WARRANTIES, EXPRESS OR IMPLIED. NO IMPLIED WARRANTY OF MERCHANTABILITY OR FITNESS FOR USE FOR A PARTICULAR PURPOSE WILL APPLY.

IN NO EVENT WILL SERVICE PROVIDER BE LIABLE FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES EVEN IF SERVICE PROVIDER CAN FORESEE THE POSSIBILITY OF SUCH DAMAGES.

Neither party will be liable for, or will be considered to be in breach of this agreement on account of, any delay or failure to perform as a result of any causes or conditions that are beyond such party's reasonable control and that such party is unable to overcome through the exercise of commercially reasonable diligence.

It shall be presumed that the consequences of a virus, worm, Trojan, hacker intrusion or similar network security breach are not beyond the control of Service Provider.

During the course of work under the agreement, MidEast suffered a data security breach. Subsequent investigation revealed that the source of the breach was the Iranian military. The Iranians had, at great expense, developed a cyber-warfare capability. Using this capability, the Iranians discovered and exploited a zero-day vulnerability in the operating system of one of MidEast’s servers connected to the Internet. The Iranians stole medical data pertaining to Big American patients and posted it on numerous web sites for public view.

The security breach at MidEast was just one of a multitude of similar, successful incidents perpetrated by Iran in a 24-hour period. Iran's objective was to discredit Israeli businesses and thereby cripple Israel's economy.

In response to this security breach, patients in the US sued Big American and won a $10 million judgment against the hospital for failing to protect their patient data. The hospital sued MidEast seeking reimbursement for the $10 million. Is Big American entitled to reimbursement?

==

Benjamin Wright is an attorney based in Dallas, Texas, and instructor for a series of courses[1] on IT security law, promoted by the SANS Institute.[2] He is the author of numerous books on technology law. http://www.benjaminwright.us

==

[1] http://www.sans.org/training/description.php?tid=862
[2] http://www.sans.org