Forwarded from: Marjorie Simmons <lawyerat_private> [This is the last posting on this topic. - WK] The "qualitative damages that are hard to put a dollar figure on" is called, in legal-damages parlance, "business good will." It is ascertainable and quantifiable, and has been for a long, long time. In law there are the concepts of assumption of the risk, comparative negligence, apportionment of damages, and, of course, proof of damages in order to (as a prerequisite to) recovery of damages. I've been interested for awhile now that there hasn't been more press skepticism nor general business understanding that the assessment of damages from defacements subjects itself nicely to such timeworn tests and really is little different from other business losses assessments. What needs attention is the quite deliberate obfuscation of these concepts (by wannabe profiteers as well as by some clueless press people) going on at a pretty constant pace. Folks need to disentangle, conceptually, the defacement act and motive from the assessment of damages in order to sort out the issues, which are multiple. The relationship(s) between an act and the consequences flowing from that act is (are) not so Byzantine as Windows security. I write letters, at times, and in response to the following letter, I was met by silence (surprise, surprise): ____ From: Marjorie Simmons Sent: Thursday, June 08, 2000 10:52 pm To: 'Ms Patrice Rapalus' Subject: 5th Computer Crime & Security Survey Dear Ms Rapalus, With regard to your most recent survey: http://www.gocsi.com/prelea_000321.htm I am curious as to whether your survey asked the respondents 1) whether they reported their losses to their shareholders and investors? 2) if not why not? 3) if so then why was this not reported on in the survey? This information is relevant, important, and, it seems to me that your survey is seriously flawed for the lack of this data. Many a lawsuit could be avoided or settled more quickly if companies did not attempt to, with impunity, report quite staggering financial losses to the press from security breaches and then somehow forget those losses when it comes time to communicate with investors and shareholders, not to mention with the IRS. If this was somehow simply overlooked, I hope you will soon work to correct it. Perhaps in the meantime your staff could query a sampling of the survey respondents for this information and post the results on your site as a survey supplement. Sincerely, Marjorie Simmons ____ Lots of other questions I *could* have asked her, but, I knew not to waste too much of my time. The concepts of assumption of the risk, comparative negligence, apportionment of damages, and proof of damages are all rooted in common sense and a sense of fair play, but only rarely are they considered when some members of the press, driven by whatever impulse, run to the people with their Gee Look At This sensationalist pontifications. Such behavior is certainly not limited to things technical; axiomatically, the more complex the subject matter, the more this happens. However, this is but history as usual. Luckily, most of the judiciary is a lot smarter than that and lacks the agendas of the players in the press and those who pay for the dissemination of certain 'news' items. So when defacement cases go to court, if they go to court, damages must be proven within a reasonable degree of certainty, negligence IS compared, and the assumed risks ARE considered (all assuming, of course, that the lawyers involved bring these arguments before the court.) So while we can try the cases in the Court of Email in order to be clearer on the issues and to educate our contemporaries, we should be mindful that the concepts are ancient and not difficult to apply, no matter the venue. What is needed is to call the agenda-minded on their errors in the more public forum. DO try this at home: give some little gratis presentations to your community Rotary club, or other such groups. (Do it for free in the spirit of Open Source -- a public affirmation of no agenda on your own part.) Talk about where a company can expect to face losses and how to account for them in real terms, and why. Use real-life examples. Make them ask questions, even those you cannot answer, and suggest for those they seek the advice of their accountants and lawyers. If you think yourself (1) too important for this, or (2) not known enough, you're (1) not, (2) not giving yourself enough credit. Was (is) anyone here a Scout? or an intelligence officer? (never ...! ; ) ), a veteran? Does 'Be Prepared' sound familiar? It will get muddier before it becomes Old Hat. Marjorie Marjorie Simmons, Esq. lawyerat_private http://www.carpereslegalis.com ~~~~~~~~~~~~~ On Thursday, January 17, 2002 11:15 pm, InfoSec News [SMTP:isnat_private] wrote: | Forwarded from: mezzanine <mezzanineat_private> | | > I would like to say that anytime a website gets defaced there are | > always monetary damages. | | Very true. I agree. | | > There are always qualitative damages that are hard to put a dollar | > figure on. | [...] - ISN is currently hosted by Attrition.org To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY of the mail.
This archive was generated by hypermail 2b30 : Mon Jan 21 2002 - 03:47:41 PST