
This is Wendy Knox Everette. She is a hacker lawyer. She really doesn't need much of an introduction because she's pretty impressive, but I do have a few announcements: if you guys could please silence your phones, just so Wendy here cannot get distracted and can keep right on pace with the talk. Yeah. Without further ado, here's Wendy.

All right, so you guys can hear me. I'm going to be talking about regulatory nets versus the fishing hooks of litigation, or one of my favorite topics ever: software product liability and the regulations that are out there. So this is a Bruce Schneier quote. He has been talking a lot recently about maybe there should be some regulations that will make us safe and prevent things like the Mirai botnet. I think this quote is fairly naive: there are threats posed by computers, we do have regulation now, and they're not, you know, perfect. The alternative to regulation, a lot of people say, is to have like warranties or software product liability, which we don't also have. So we have headlines like "should software companies be legally liable for software breaches?" or "should I be able to sue if some software that I acquire breaks?" So I am a lawyer, this is not legal advice, and I'm not your attorney. We are gonna be talking about mostly some policy things, a little bit of some econ tools, and so forth.

So who am I? I was a software developer and then I went to George Mason Law School. I just finished up a fellowship at ZwillGen, where we did a lot of privacy and computer security law. And we are going to hop right in and look at what we have now, which is regulation in the U.S. Really it is mostly along the lines of verticals, so we have things like HIPAA, the Security Rule, which talks about applying the Privacy Rule; we have some SEC regulations; there's FERPA. These are all pretty much across various industries and verticals. And then we do have some liability in the U.S. for software; it's really mostly gone through contract law, and we're going to touch a little bit on the difference between contract law and product liability law, but really here it's kind of a patchwork. We're going to look a little bit at the GDPR, which is a new European regulation that's going to be taking effect in May 2018, which will actually affect a lot of U.S. companies because of its extraterritoriality. It says that any company that has data of EU citizens is subject to the GDPR, and so for some U.S. companies it might really be the most stringent regulation they are subject to.

So liability in the U.S. is basically a civil law concept. There's tort and there is contract liability. There are things like, if you buy a hot cup of coffee and it's too hot and it spills upon you and you get three million dollars from the jury, this is like a civil tort lawsuit. And tort liability is based either on negligence, wherein you behaved unreasonably, like if you caused a car accident and someone sues you, or it's based on strict liability for product liability. So I'm not going to go into this in too much detail; you can check out my BSides talk from last summer where I went into a whole bunch more of this. Product liability really is more liability without fault: you might have behaved entirely reasonably and a widget came off the factory line and it was defective and someone was harmed. It really developed to sort of act as an insurance function in the market, so if someone is injured by a product we want them to be able to recover. We also want to incentivize manufacturers to take good care, so even though they don't have to have acted negligently, we want to incentivize them to, like, make extra sure that they are not sending defective widgets off of the manufacturing line.

So contract liability is a little bit different. For software this is really what we have right now: people negotiate contracts like master service agreements and so forth, and they can build into these contracts some provisions such that if there are breaches of the contracts they can get damages. Regulation, on the other hand, as opposed to liability, is the imposition of rules by a government body. In the United States usually there are agencies that promulgate these; states can also have regulations that people are subjected to. So these are actually very distinct regimes. You can obviously have both. A lot of times, though, when we're talking about how should we make software safer, there can be debate between, like, "software product liability would fix everything" or "oh, we'll just, you know, create like an agency to cover robots," like Ryan Calo likes to talk about, and then that will take care of everything for us.

So we're gonna talk a little bit about, like, why you might want to prefer one over the other, and we're going to talk a lot about uncertainty and risk. Like, pretty much this entire talk is uncertainty and risk. So I'm going to introduce you to this term: ex ante versus ex post. Ex ante, basically, it's a fancy Latin legal term for, you know, this going in; ex post is imposed later, but another fancy Latin term. So we usually say regulations are ex ante and liability schemes are ex post, and in terms of incentivizing security we might want to think, like, you know, should we get software product liability, will that make consumers safer, or would it be better to have more stringent regulations? And we're going to talk about which one of these might be better. Um, very complicated. I am actually not going to give you an answer; I don't know. I'm going to talk about some things we should think about. Mostly this is me getting annoyed at people on Twitter and being like, you're not thinking about the things you should.

Okay, so liability regimes. People say they're really good for innovation because if there is no harm there is no foul. You can put something out on the market, people adopt it and they use it and it's awesome, like, fabulous. But if there is a problem it could go before a jury, and juries bring in a ton of uncertainty. We don't tend to have that many jury trials these days anymore; there's a lot more arbitration and settlements. That can still be a lot of uncertainty for a company because you don't know what the upper limit of your damages could be, and it could drive people to be a little bit more risk-averse and avoid implementing something really cool because they're concerned about what could happen. There's not really, as I mentioned, software product liability in the U.S. right now. Consumers cannot go, like, sue because their word processing software broke and something happened, like you didn't get to do something that's a big deal or something that they wanted to, and the reason really is pure economic loss. I'm going to point you to my talk last year; basically this means if you're not bleeding, the courts are gonna be like, well, that's horrible for you, but like, you're not physically hurt, you've merely suffered money damages, and like, we're sorry, but you have no standing to bring your suit right now.

When we think about regulatory regimes, a lot of times they say, like, oh well, you know what the rules are going in, so you don't have this uncertainty of, like, what would a jury do; you know, it's a lot more settled, it's much more of an idea of what could happen. And we're starting to see much more detailed security regulations, like the New York State Department of Financial Services just passed some highly detailed regulations that cover New York State financial companies, like you have to report to them within 72 hours if you think you might have suffered a data breach, you must use two-factor, you must have a CISO. So like, they're getting much more down into the weeds, and we've seen this in a lot of places. So a lot of times people say, oh, you know, these regulations are like really burdensome requirements, like a 72-hour notification in the New York DFS or GDPR, like this is a really big thing for companies; like, they're gonna have to really be on top of their incident response game, start detecting these things, and so forth. And if you get more detailed regulations they can be out of date much more quickly as technology changes, and so we have some tension there.

This is just a sampling of some of the different regulations that govern U.S. companies. We have FTC Section 5, which a lot of people say is much more like a sort of liability scheme because they look at reasonableness and unfairness, and they're sort of judging after something has happened if there's been some consumer harm. HIPAA protects health information, and when we're implementing the Security Rule we have all these, like, addressable requirements and so forth. The New York State DFS ones are up here. I'll tweet out these; these are all links, you can sort of click there and read them. And so I just wanted to call out the HIPAA Security Rule. It's one that a lot of people talk about when you think about what would a cybersecurity regulation look like, and this is detailed, but it's actually kind of vague too, where it's saying we want to ensure the confidentiality, integrity and availability, but like, what's the SLA on availability? Like, is this a five nines availability? Like, what do you mean? We're talking about this and there are, you know, other pieces of this that are a little bit more detailed, but there's still, like, a lot of wiggle room essentially.

So the GDPR, as I mentioned, is going to start actually affecting U.S. companies, and they require things like pseudonymization, encryption of personal data, the 72-hour data breach notification, the ability to correct personal data: people come to you and say, okay, you have my email address incorrect, you have to fix it, you have to tell all your business partners, and so forth. This is actually a quote from Harold Feld, who's at Public Knowledge, talking about net neutrality, but I thought it kind of nicely captured the problem that happens with regulations: they're either so detailed that they're gonna stifle innovation, or they are so vague that nobody knows how to comply, and so therefore we have the uncertainty problem. Like, hey, you know, like, am I complying, am I not, what's a regulator gonna come and tell me in three years, are they gonna say I was unreasonable and impose a fine on me? But if it's so detailed that that question is not there, I think it's out of date really quickly, and so it's kind of leaky in some ways. You lose either way.

So as I said, uncertainty is really the key to a lot of this. Businesses try to reduce uncertainty because they want to sort of bound their risk, and we are really concerned about risk avoidance of something that might depress innovation. We have a really great software industry in the U.S.; at the same time, security is kind of a dumpster fire. I love innovation; I worked as a software engineer at a startup for a long time, like, I am all for it, but things like the Mirai botnet are, like, not sustainable. You need to start figuring out how to incentivize people to not have these problems. And one thing that we also might want to think about in terms of regulations, and you can kind of see this in the GDPR: if a regulation says, oh, you know, if you don't follow this rule we're going to impose a $10,000 fine on you, and the company looks at it and goes, okay, well, we violate that rule, we might not get caught, if we get caught it's $9,000, but we could get like a 5 million dollar profit from this, like we're gonna take the risk that we might not get caught, and if we get caught, okay, it's ten thousand dollars. It's like a tax on doing this particular thing. GDPR has said that their fines go up to 4% of, I can't remember the exact terminology, but like 4% of the money that you make in a year, which is starting to get into serious money and making a lot of companies pay attention. They cap them at like 20 million, which for startups is like a big deal. So they're sort of aware that companies might be like, oh well, whatever, if we get caught we'll pay the fine.

And so what we want to think about, as we're thinking about whether we should have an ex ante or ex post sort of regime, is we sort of want to balance the innovation and encourage people to go create really cool new things, like go create, you know, home robot vacuums or connected coffee makers and so forth, because they're kind of cool, I love that technology, but in ways that will not, you know, create new Mirais and so forth. Like, can we have both? So far we're not doing a great job in having both. And what happens a lot, when we want to lean on software product liability, is you're kind of assuming that consumers are good at gauging their risk. But you go into product liability, you start talking a lot about people's risk-utility curves. Like, Tracy was asking me before, like, is this talk going to have lawn darts, because lawn darts versus knives is like the really good product liability example. Think: they're both sharp, they can both injure you. Lawn darts are no longer sold in the U.S. because they're dangerous and they're not really useful. Knives are equally dangerous, but you can buy them because they're really incredibly useful things, and we say it's worth the risk because the utility is so high. You sort of balance that. There are also things like consumer expectations and so forth, but a lot of this is sort of thinking about, like, measuring that risk.

So when we start thinking about the regulations, a lot of times people will do the law and economics stuff. They love citing the Coase theorem. It's basically an economics theorem that says that if we reduce transaction costs, it doesn't matter who has initial property rights; people will trade amongst themselves to get to the most efficient sort of assignment of rights. But Coase himself is actually not, like, the world's biggest fan of this. Like, people make jokes about spherical cows. Like, the Coase theorem is really helpful for us to start thinking about how reducing transaction costs, such as trying to figure out if you are in compliance with something or not, but like, the real world is not a spherical cow, so you have to recognize that this is a tool to help you think about things. Coase also was kind of a fan of regulations. Sometimes there's a collective action problem in safety, like, will everybody go out and band together and get something to happen, you know, to improve the public safety? You have, you know, like the tragedy of the commons problems and so forth, and Coase recognized that a lot of times government regulation can actually be a way to do that. Like, we have fairly strong child safety rules that govern toys, which sometimes are silly, like, you know, they ban like the little super-strong magnet toys, um, you can't get real Kinder eggs in the U.S. We've decided that this is a trade-off because we put children's safety so high.

So when we're talking about product liability, a lot of times I want to think about who's the least-cost risk avoider. And tort law and computer hacking, there can actually be problems here, because tort law thinks a lot about proximate cause and who actually caused the problem, and we have hackers and insecure software. I would say, like, okay, who is really the person who created this problem? So say we have a software developer who, you know, basically does a very poor job of their security; they're not doing their encryption correctly; they're using defaults. Then someone who installs the software doesn't change a default password that's easily guessed. We have an administrator who never updates the software; a patch comes out. And then we have a computer hacker who, in terms of making these hard to prosecute, a lot of times is not in the U.S., so U.S. laws can't reach them, and they go in and write a botnet that takes advantage of the default password and the software that was never updated. Like, who is at fault here? Like, who is the person who most easily could have avoided the problem? Is it the software developer for creating the problem in the first place? Is it, you know, the company that never applied the patch? But they might have had business reasons for not applying the patch, like there might be incompatibility issues, they can't take the downtime. Is it the computer hacker? But in terms of thinking about U.S. law and, like, who you want to incentivize, it's not really that useful for us to think about the computer hacker, because it's very hard for us to, like, reach him and change his behavior. You can't really incentivize him as easily because he's outside the long arm of the law, but you know, like, he is really kind of, you'd say, like the last link in the chain.

So problems people think about: botnets. All the time you think about externalities, like the person who owns the camera does not really necessarily care that there's a botnet running on it; the people who create the cameras to put them on the market do not really care that there is a botnet on there. Like, none of these people are really actually incentivized to take care of the problem, because there's not really any market pressure right now. If you talk about consumers and their risk-utility curves and their consumer expectations and so forth, the consumer wants a camera that they bring home and they plug in and it works. They care a lot about usability; they care a lot about the camera working as a camera; they care a lot less about, is this camera, you know, easily hackable, and does it have a default password? And so when you think about why we would want a regulation or why we would want to impose some kind of software product liability, I want to think about forcing these people to internalize these externalities. And software product liability in the case of, like, a camera botnet is not necessarily a great fix, because there's been no physical harm, and the person who is harmed, if we're looking at a non-physical harm, is not really the camera owner, who would be in a good position to bring suit; it's the public at large. And that's the sort of collective action kind of problem where regulation might start making a little bit more sense. But then we get into, like, okay, like, how do we regulate safe cameras?

So what we've seen sort of happen a lot in the software industry, and I think that this is something interesting to start looking at about, like, how can we actually address this kind of thing going forward, is there's a lot of compliance and auditing and vendor reviews of things that are starting to happen in this industry. And they are not regulations, they are not product liability, but it is companies negotiating with each other, saying, you know, I need you to be safe and have these particular requirements, and let's talk about SLAs, let's talk about indemnification, and so forth. So we see, like, tons of risk management frameworks out there. Like, I use, like, NIST SP 800-53 all the time, CIS Controls all the time. I have spreadsheets that map these to other things, and you really can start thinking this is companies trying to figure out how can we talk amongst ourselves about how to start getting a handle on this sort of risk. A lot of times these are very closely tied to regulations. Like, if we look at, under HIPAA, the BAA, business associate agreements: this is kind of, the business has a regulatory requirement to have their business associates also comply, and the way that this gets enforced is with a contract, and the contract says, you know, you must be secure in these ways. Yeah, so it's really kind of an ex ante scheme as they go in and sort of think about this, but a lot of this contract negotiation is also in a lot of ways an ex post scheme. If we think about companies indemnifying each other, that's kind of an ex post scheme, because they say, you know, if you have a data breach and if you lose my data that I have you processing, you're going to, you know, reimburse me certain amounts, you will cover my legal costs, you will cover whatever fines and so forth that I have. And so these auditing and compliance standards are sort of, in a way, filling a gap. They are helping companies address a lot of the uncertainty that exists in this marketplace.

And so if we're going to start thinking about, you know, talking about, like, commercially reasonable security measures that we would want to put into regulations, there may be something here that we would want to look at. If we want to start thinking about, like, well, what would software product liability actually look like, we could go look at how companies are negotiating between themselves, the master services agreements and SLAs and so forth, and start seeing the language that they are using to bound these, because these contracts, although they do not necessarily need to live quite as long as regulations, which used to be on the books, because it takes us forever to change a lot of these, they are meant to be in place for a fairly long period of time, so they can be something that can help us.

And as we mentioned, the way that regulations are done in the U.S. is that agencies have to be granted authority to do something by a statute passed by Congress, and then they need to go and sort of do an expert review of the area and they write out rules. The rules get published in the Federal Register. The public has usually 30 to 90 days to comment on them. Not a lot of people comment. I wish that more software people would go in and comment on some of these. The DHS rules that talk about the threat intelligence information sharing had, I want to say, like 70 comments, and they were almost entirely from lobbyists. There were basically no people who worked in our industry who went and commented. In a way this is a problem because people are not aware of it, and there's, you know, information overload is a thing, but yeah, I really do wish that people would go and get a little more involved in commenting on some of these regulations and saying, like, this is going to be a problem for my small business in this particular way. Yeah, because the agencies are actually required to take that feedback into consideration, and they get promulgated into final rules, where they will usually sit pretty much forever, which is why they get very concerned about making these a little bit too tech-specific. But again, we're into: the more specific it is, the more dated they can get; the bigger it is, the more concerned companies are about the uncertainty, and they have this very unbounded risk because they don't know if it applies. It could end up shifting into this ex post scheme.

So that is my talk. A lot of, I don't know what the answer is, but here are some tools for you to think about, sort of a framework here. So thank you very much. [Applause]