[ISN] Lawyers see security suit-riddled future

From: InfoSec News (isnat_private)
Date: Wed Apr 16 2003 - 00:59:03 PDT

    Forwarded from: William Knowles <wkat_private>
    
    http://news.com.com/2100-1009-996935.html
    
    By Lisa M. Bowman 
    Staff Writer, CNET News.com
    April 15, 2003
    
    SAN FRANCISCO -- Harry the Hacker could leave a long trail of lawsuits
    in his wake.
    
    At the RSA Conference 2003 here on Tuesday, lawyers outlined a
    hypothetical scenario, in which Harry the Hacker, angry because he's
    been fired, decides to put his computing skills to work for nefarious
    purposes. During his cracking spree, Harry's escapades include using
    the insecure system of We Care Hospital to launch an attack against a
    bank, stealing the credit card numbers of customers of an online porn
    company, discovering the medical records of his former boss, which
    indicate he has just tested positive for HIV, and posting those
    records on the Web.
    
    Harry then absconds with millions and flees the country, leaving a
    path strewn with victims of identity theft, privacy breaches, and of
    course, staggering financial losses. Soon after, the finger pointing
    ensues.
    
    Many lawyers think security could be the next big area of cyber law,
    especially as attacks become more prevalent and companies and their
    customers suffer growing financial losses. What's more, hackers who
    breach the systems to steal and use credit card addresses are often
    difficult to find, meaning victims must find new targets for blame.
    
    "There are all kinds of theories of liability that could be alleged,
    and they're really only limited by the creativity of the attorneys
    involved," Rebecca Grassi Bradley, an attorney with Whyte Hirschboeck,
    said about the Harry the Hacker scenario, prompting a chuckle from the
    crowd.
    
    In this case, the list of potential parties to lawsuits is as varied
    as pairings at a square dance. The hospital could sue its privacy
    consultant, which could also be sued by the bank and Harry's boss. The
    bank could sue its security company. And the porn company could sue
    its Web host and the company it hired to develop its site. Some of
    those parties could then sue their insurers. And don't forget about
    the customers of the online porn company and bank, which could file
    class action suits against both entities. What's more, Harry's boss,
    who happens to be British, could sue the British company that provided
    his records to We Care Hospital, alleging it violated EU privacy
    policies, which might require that company check to make sure the
    records would remain secure once they're transferred.
    
    The lawyers warned that privacy contracts don't necessarily protect
    companies from liability, and privacy regulations in certain countries
    could result in jail time for those who allow the unauthorized release
    of private information, such as the medical records of Harry's boss.
    
    Lawyers said companies need to plan for security and privacy risks of
    all stripes and bring in security experts and attorneys long before a
    breach happens. "We're probably the last to get called in," Jeffrey
    Aiken, an attorney with Whyte Hirschboeck Dudek, told the crowd of
    lawyers and security consultants. "You need to get everyone involved
    in this process."
    
    Aiken said e-commerce sites could take a page from the construction
    industry, another sector that has to deal with a variety of partners
    and is subject to heavy security and safety regulations.
    
    Aiken suggested e-commerce companies limit liability by developing a
    plan that includes a designated project team, a project office and a
    written plan to deal with breaches.
    
    He said even the largest companies are surprisingly ignorant of
    security threats. For example, he recently attended a board meeting of
    a major company in the financial services sector, which plans to
    launch a new Web application soon. After a marketing presentation
    about the project, Aiken said he asked if the new system had been
    tested for security, and the room went silent. Executives then said
    they would get right on it. "This is a sophisticated company, and they
    weren't doing it right," he said.
    
    
     
    *==============================================================*
    "Communications without intelligence is noise;  Intelligence 
    without communications is irrelevant." Gen Alfred. M. Gray, USMC
    ================================================================
    C4I.org - Computer Security, & Intelligence - http://www.c4i.org
    *==============================================================*
    
    
    
    -
    ISN is currently hosted by Attrition.org
    