[ISN] Can Hacking Victims Be Held Legally Liable?

From: InfoSec News (isnat_private)
Date: Sun Aug 26 2001 - 02:54:27 PDT

  • Next message: InfoSec News: "[ISN] Updated release"

    http://www.nytimes.com/2001/08/24/technology/24CYBERLAW.html
    
    By CARL S. KAPLAN
    August 24, 2001
    
    Suppose, Margaret Jane Radin of Stanford Law School wrote recently,
    that a Web site operated by a securities brokerage suffers a crippling
    attack by hackers. The ability of its customers to conduct trades is
    hampered for several hours, or even blocked entirely. Imagine, too,
    that on the day of the attack the stock market is volatile, and that
    many customers are trying unsuccessfully to buy or sell stocks in a
    flash.
    
    Of course, hackers are easy to blame. But what about the companies
    that investors rely on to make trades? Are the brokerage firms and
    their network providers -- which failed to prevent the attack that
    harmed the site -- vulnerable to a second onslaught a nasty lawsuit
    from unhappy clients who lost money as a result of the shutdown?
    
    Professor Radin isn't the only legal thinker posing this question.
    Another paper co-authored by two partners and a legal assistant at a
    major law firm, also considers whether companies that fail to take
    reasonable steps to protect their computer systems from malicious
    attacks or internal malfunctions are sitting ducks for lawsuits.
    
    So far, lawyers say, the answer is unclear. There have been no
    reported court decisions discussing the issue of a company's liability
    for a hacker attack, according to Radin, an authority on intellectual
    property, electronic commerce and Internet law. But lawsuits in the
    near future are highly likely, she said.
    
    In her paper, professor Radin examined the possible legal fallout from
    a "distributed denial of service" attack. This is a particularly
    troublesome form of digital mischief whereby hackers gain control of
    unsuspecting users' computers and use those distributed machines to
    flood a targeted site or service with junk messages, overwhelming the
    site and causing it to be inaccessible to legitimate customers. (Her
    study, "Distributed Denial of Service Attacks: Who Pays?" commissioned
    by Mazu Networks, Inc., a Cambridge, Mass.-based security company, is
    available on the company's site.)
    
    Radin concluded that there is a "significant risk" that in the near
    future targeted Web sites will be held liable to their customers for
    harm arising from distributed denial of service attacks. In addition,
    she reckoned that there is another "significant risk" that the
    computer network companies that carry the hackers' attack messages --
    such as ISPs and backbone network providers -- will be held
    accountable to the targeted Web sites, and perhaps to the sites'
    customers.
    
    In the second paper, members of the cyberlaw practice group of Sidley
    Austin Brown & Wood, a national law firm, considered the growing legal
    danger faced by online service providers who suffer security breaches
    or the internal glitches that can compromise their customer's
    information.
    
    The study, "Liability for Computer Glitches and Online Security
    Lapses," by Alan Charles Raul and Frank R. Volpe, partners at the
    firm, and Gabriel S. Meyer a summer associate and J.D. candidate at
    Cornell University, was published earlier this month in a Bureau of
    National Affairs newsletter on electronic-commerce and will be
    available shortly on the firm's Web site. It concludes that e-commerce
    players must "demonstrate [a] willingness and ability to implement
    aggressive security measures" if they wish to stave off security
    breaches, avoid government intervention and escape, or at least limit,
    damages in a lawsuit.
    
    Professor Radin, director of Stanford's Program on Law, Science and
    Technology, said in a telephone interview that companies need to begin
    taking seriously their potential legal liability for computer hacks.
    The vulnerability of businesses to distributed denial of service
    assaults is staggering, she said, citing a survey which found that
    more than one-third of respondents had experienced denial of service
    attacks. That figure, from the 2001 Computer Crime and Security
    Survey, conducted by the San Francisco-based Computer Security
    Institute, may be the tip of the iceberg because companies, fearful of
    bad publicity, often under-report attacks. Direct losses from denial
    of service attacks on Yahoo, eBay and others in February of last year
    have been estimated at $1.2 billion by the Yankee Group, a consulting
    company.
    
    "E-commerce is not going to take off if customers fear it won't work
    in a pinch," Radin said.
    
    Moreover, said Radin, federal and state laws aimed at individual
    hackers have shortcomings: Hackers are hard to trace and even when
    detected, are unlikely to have the deep pockets coveted by victims and
    their lawyers.
    
    In the brokerage Web site attack scenario, a customer or a class of
    customers that suffered financial losses would sue the brokerage firm
    for damages, according to Radin. The firm, in its defense, might point
    to a section of its Terms of Service agreement with its customers.
    That fine print, no doubt, would have a clause clearing itself of
    liability.
    
    But whether that defense would prevail is not clear, said Radin,
    particularly if a court finds the contract's terms to be oppressive or
    overly weighted toward the company, or if the contract's validity is
    in question due to questions over proper customer consent.
    
    Also vulnerable to a negligence claim would be the network service
    providers and hosting companies, said Radin. There would be no
    contract defense for these companies to fall back on with respect to
    the broker's individual customers for the simple reason that there is
    no contract between them. On the other hand, the potential legal
    warfare between the brokerage and the network providers would likely
    proceed under the terms of their business contracts.
    
    To determine whether the corporate defendants are negligent, courts
    will look at how any losses could have been prevented. "A court is
    going to say it is negligent of you not to implement preventative
    measures if they are reasonably effective and affordable," said Radin.
    
    A jury will have to decide, in fact, if the company could have taken
    preventative measures, said Radin. Trials will, therefore, be a battle
    of expert witnesses, she predicted. But, she added: "I think as
    technology increases-- as easy fixes become available -- it's more
    likely that courts will be unsympathetic" to companies that have not
    done their utmost to block hacker invasions. That is particularly true
    with respect to the Internet service providers which are in the best
    position to take system-wide precautions, she said.
    
    Meanwhile, Raul of Sidley Austin, which represents major communication
    companies and firms doing business online, said that his clients
    "either are, or ought to be" worried about their legal liability for
    malicious hacks or inadvertent glitches.
    
    In his firm's paper, Raul and his colleagues said that companies can
    seek to manage their legal risks by adopting state-of-the-art security
    measures suggested by industry groups and supporting federal laws
    aimed at strengthening data security in the health and financial
    fields.
    
    "Does a company have controls in place to prevent unauthorized access
    and careless release of data," asked Raul. "Is the company training
    employees in information security?" Is it constantly assessing its
    vulnerability to intrusions or glitches? The answers are important
    because an aggressive plaintiff's lawyer is sure to ask who was the
    person or unit responsible for data security? If the defendant offers
    a weak response, said Raul, it will look "really bad."
    
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
    of the mail.
    



    This archive was generated by hypermail 2b30 : Sun Aug 26 2001 - 05:26:04 PDT