It’s time to create a TJ Hooper for information security

Ben Rothke
Sep 1, 2021
https://online.norwich.edu/academic-programs/resources/cyber-law-definition

T.J. Hooper was a precedent-setting tort case in 1932. While I’m not a lawyer, I have a good friend, Ron Coleman, Esq., who blogs about law issues, so a bit of jurisprudence has rubbed off on me. In Hooper, Judge Learned Hand described what is now called the calculus of negligence or the Hand Test.

The case’s specifics are that two tugboats, one of which was the T.J. Hooper, were towing barges. During a storm, the barges sank, and their cargoes were lost. The owners of the cargo sued the barge owners, who in turn sued the tugboat owners. They claimed that the tug operators were negligent because they failed to equip their tugs with radios that would have warned them of the bad weather.

The tugboat companies were defended under the prevailing practice theory. They claimed that because no other tugboat operators in the area were using radios, this constituted the standard of care for the industry. Judge Hand found the tugboat companies liable because they did not use readily available technology, the radio receivers, to listen for broadcast weather reports, even though the use of radios was not yet standard industry practice.

Hand astutely observed that “in most cases, reasonable prudence is, in fact, common prudence, but strictly it is never its measure. A whole calling may have unduly lagged in the adoption of new and available devices. Courts must, in the end, say what is required. There are precautions so imperative that even their universal disregard will not excuse their omission.”

As an information security professional, I have tried, along with others in the field, to get clients to be more serious about the need for security and privacy controls. In large part, we have succeeded. But there are still far too many weak links in the security chain. Many companies have a prevailing practice regarding information security — that they need to do only the bare minimum to get by. They do that while millions of consumer records are breached weekly.

Despite the number of security solutions available, companies often fail to devote the requisite staff and budget to information security and privacy needs. This is becoming an even more critical issue as websites focus on personalizing the user’s digital…


Written by Ben Rothke

I work in information security at Tapad, write book reviews for the RSA blog, and am a founding member of the Cloud Security Alliance and Cybersecurity Canon.
