A recent Capital One breach conviction exposes the scale of cloud entitlement risk. This conviction could set a precedent for many other companies in the future. The failure of a party to protect its data can give rise to an unjust enrichment claim. In this article, we examine this area of law and consider the potential liability of a party to a data breach.
Defendants have not explained how such a limitation on negligence liability could apply to the data breach alleged in this case
One hundred million people – well over a half billion, in fact – have had their data exposed in one way or another. And while some companies are taking the necessary steps to ensure that their customers’ information is safe, others aren’t. According to a recent report, some organizations are still not adopting the same vigor that they used to in the good old days.
Thankfully, a few bad apples have been brought to light. For example, the Department of Justice has charged a Seattle woman with computer fraud in connection with an alleged breach of her employer’s computer system. In the process, the e-mails have been revealed, accompanied by an incriminating Twitter post. On top of that, there have been numerous articles about the phishing attempts and a plethora of lawsuits. Until the dust settles, however, there are few answers to the question of who was responsible for the hulk.
The same news reports have attributed the “worst” incident to a misconfigured web application firewall. A rogue employee gained unfettered access to the company’s cloud environment – in particular, its Amazon Web Services S3 servers. Using the credentials, Thompson was able to enumerate folders, extract data and even exfiltrate a small subset of the company’s data in the process. As a result, the e-mails were not only revealed but viewed by hundreds of nefarious types. Fortunately for the victims, their e-mails and personal information were deemed to be of little value to the perpetrators.
Likewise, while there have been no pending motions to dismiss the e-mails, a lawsuit has been filed against Capital One for failing to impose a security breach notification process. Regardless of who was responsible for this nefarious act, the consequences were clear: a massive leak of highly personal data, a slew of bogus legal claims, and a whole slew of ostensibly innocent consumers. Indeed, the plaintiffs have slapped a $1 million check against the credit card provider, and have been spending considerable amounts of time and money trying to mitigate the damage.
Unauthorized individuals could gain access to a credential in the AWS cloud environment
If your organization uses the AWS cloud, there is a risk that unauthorized individuals could have gained access to your credential. Fortunately, there are tools and best practices that you can use to reduce the risk of your credentials being compromised.
The best way to avoid having your credentials stolen is to monitor your cloud services. To do this, you need to have a policy in place. This policy must include an operational safety policy that requires independently auditable credentials. You should also implement event monitoring and other mechanisms to track activity in your cloud environment.
One of the first and most important steps you should take is to remove your root user access keys. You can do this by logging into your Management Console and clicking on My Account. There, you’ll see the number of access keys you have.
When you remove an access key, you are no longer able to use it. However, you can reactivate it and create a new one. Once you have created your new access key, you can push it to all your AWS services. Make sure that the new credential is compatible with the restrictions on your previous API key.
One common security issue is that a service account may store its keys in a public S3 bucket. Because of this, you should not store your credentials in a public S3 bucket.
Another way to secure your AWS accounts is to create and store your access keys in a secure location. For example, a secure storage system like HashiCorp’s Vault is a good option.
You should ensure that your organization is following cloud best practices. One example is using individual IAM users, not root key pairs, in your AWS account. Using a CA to sign your requests for temporary credentials is recommended.
These are just some of the tools you can use to help protect your AWS credentials. In addition, you should use cloud-native tools to manage your AWS workloads.
To monitor your AWS accounts, you can use AWS CloudTrail. You can also search for user activity on the CloudTrail console.
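The credential hygiene steps above (no root access keys, individual IAM users, rotated keys) can be checked offline against an IAM credential report. The following Python sketch is an added example, not code from the article; the sample report rows, the account ID and the 90-day rotation threshold are constructed assumptions.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed sample in the column layout of an IAM credential report
# (trimmed to the columns this audit reads; a real report has more).
SAMPLE_REPORT = """\
user,arn,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,arn:aws:iam::111122223333:root,true,2019-01-10T08:00:00+00:00,false,N/A
ci-deploy,arn:aws:iam::111122223333:user/ci-deploy,true,2023-02-01T12:00:00+00:00,true,2024-05-20T09:30:00+00:00
alice,arn:aws:iam::111122223333:user/alice,true,2024-05-01T10:00:00+00:00,false,N/A
bob,arn:aws:iam::111122223333:user/bob,false,N/A,false,N/A
"""

MAX_KEY_AGE_DAYS = 90  # assumed rotation policy, not a value from the article


def audit_credential_report(report_csv, now, max_age_days=MAX_KEY_AGE_DAYS):
    """Return sorted (user, finding) tuples for risky long-lived access keys."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        active = []
        for slot in ("1", "2"):
            if row.get(f"access_key_{slot}_active", "false").lower() != "true":
                continue
            active.append(slot)
            # The root user should hold no access keys at all.
            if user == "<root_account>":
                findings.append((user, f"root access key {slot} is active"))
            rotated = row.get(f"access_key_{slot}_last_rotated", "N/A")
            if rotated in ("N/A", "", "not_supported"):
                continue
            age = (now - datetime.fromisoformat(rotated)).days
            if age > max_age_days:
                findings.append((user, f"access key {slot} is {age} days old"))
        # Two active keys usually means a rotation was started and never finished.
        if len(active) == 2:
            findings.append((user, "two active access keys (finish rotation)"))
    return sorted(findings)


if __name__ == "__main__":
    fixed_now = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed for repeatable output
    for user, finding in audit_credential_report(SAMPLE_REPORT, fixed_now):
        print(f"{user}: {finding}")
```
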
Failure to secure a party’s data can give rise to an unjust enrichment claim
The Capital One Data Breach was a security lapse that allowed unauthorized individuals to steal the personal information of 100 million customers. As a result, these customers are still exposed to ongoing data misuse.
Aside from the potential for identity theft, these individuals also had to contend with increased fraud risk and diminished value of their PII. Ultimately, this may have made them unwilling to use Capital One’s credit card services.
Capital One’s failure to provide adequate data security measures is the basis for several lawsuits against the company. Plaintiffs allege that Capital One breached the Federal Trade Commission Act (“FTC Act”) and the Gramm-Leach-Bliley Act Safeguards Rule, as well as the FTC’s most basic duty to protect the public’s personal information. They also claim that Capital One breached the state laws in their jurisdictions.
As a result, Plaintiffs have alleged seven causes of action on behalf of a proposed class of consumers. These include an unjust enrichment claim, an implied contract claim, an express contract claim, a statutory claim under multiple states, and a declaratory judgment claim.
In the past, the FTC has enumerated the most notable consumer protection statutes, which are the Capital One Data Breach and the Cloud Custodian. However, Defendants argue that the federal standard of care has no bearing on their actions.
Despite their best efforts, Capital One’s data security system failed. In fact, the company failed to implement any of the best practices or industry standards for security. Rather than remediating the system, Capital One relied on a third-party cloud service, Amazon Web Services, to manage its files.
Several states have enacted a data breach notification statute, which requires entities to inform their customers of any computerized data breach. Several companies have opted to assert that the corresponding law does not exist in their jurisdictions. Nonetheless, the court is required to consider these claims in its discretion.
Lastly, the court is faced with a unique situation: the defendants are seeking to dismiss each claim. To be relevant, the claim must be a minimum of the following: (a) an actual assertion of liability, (b) enough economic damage, and (c) the fact that the requisite notice was provided in a time-sensitive manner.
Conclusion
The conclusion of the Capital One breach conviction is a reminder of the fragility of work product privilege. It is a reminder of how important it is to listen to security tools.
Capital One was the victim of a significant insider hacking incident in March. The breach exposed personal information about 100 million customers. It included Social Security numbers, bank account numbers, dates of birth, and transaction data. It also revealed millions of credit card applications. In addition, 80,000 Social Security numbers were linked to the accounts of secured credit card customers.
When the breach was discovered, Capital One notified customers through its responsible disclosure program. It also began a rapid remediation process. After a couple of days, the compromised data was restored.
Although the data compromise was quickly remediated, the event created an opportunity for a lawsuit. Capital One customers filed a lawsuit against the company and its cloud vendor, AWS. They allege that the breach was caused by a misconfiguration of the Web Application Firewall, which enabled the attack. An ethical hacker discovered the exploits and reported them to Capital One.
Mandiant investigated the incident. It provided information to Capital One directly and through its forensics firm, Debevoise. Initially, the scope of the investigation was limited to the discovery of the data compromise. However, after the prospect of litigation became greater, Mandiant changed its scope to a more extensive investigation.
According to court documents, the Mandiant report was provided to fifty Capital One employees and four regulators. It was also distributed to the company’s Board of Directors.
During the prosecution of the case, Capital One argued that the Mandiant report was privileged under the work product doctrine. They also argued that the Mandiant report was prepared in a substantially different manner than it would have been without the prospect of litigation. This argument was rejected by the Magistrate Judge.
In his Order, the Magistrate Judge determined that the Mandiant report was not privileged. He found that the work product protection applied to the forensics investigation report only because the document was prepared for litigation that expected to occur in the future.
