Companies that do not have adequate security in place to protect
their IT assets are opening themselves up to lawsuits, warn
security experts.
Such litigation would force companies to take responsibility for
their roles, however unwitting, in security breaches involving
their computers. These might include distributed denial-of-service
(DDOS) attacks, the spread of computer viruses, public disclosure
of confidential information or financial loss to business partners
and customers.
"You can expect to see major liability lawsuits in the next 18
months," said Randy Marchany, a member of the Virginia Tech
Computing Center's systems management group and the co-ordinator of
its Computer Incident Response Team.
Increasingly, companies that fail to show due diligence in
minimising their exposure to such threats will become targets for
lawsuits, agreed Margaret Jane Radin, a professor of law, science
and technology at Stanford University Law School.
Legal liability in such cases is likely to depend on what
prevention technologies and practices are available and on whether
these technologies and practices are reasonably cost-effective to
implement, she said.
As a result, showing due diligence will mean everything from
implementing technologies such as firewalls, intrusion-detection
tools, content filters, traffic analysers and virtual private
networks to having best practices for continuous risk assessment
and vulnerability testing. It will also mean having corporate
policies and procedures backing up all of this, analysts
said.
There are a lot of dimensions to the issue, most of which are
outside the purview of IT departments, according to David
Krauthamer, MIS manager at telecoms equipment manufacturer Advanced
Fibre Communications. IT managers need to "be very aggressive about
controlling and monitoring security", he said.
The issue of who bears responsibility for DDOS attacks, for
instance, is a question that is likely to be legally tested in the
very near future, agreed most analysts.
DDOS attacks use a multitude of hacked systems, known as slaves or
zombies, to inundate a Web site or Internet-connected server with a
flood of useless traffic.
"The legal aspects of such attacks are a big, wide-open issue,"
said Tony Gauvin, a vice-president of software and operations at
New York-based financial start-up ElephantX Online Securities
LLC.
The attacks are hard to pinpoint, since they involve multiple
sources, including service and network providers, hosting
companies, portal operators, corporate sites and
universities.
It is possible that not only will service providers be held legally
liable for such attacks, but victim sites - those co-opted by
perpetrators to take part in the attack and sites crippled by
attacks - could be as well, said Joseph Cooper, president of Web
security company Digital Defense.
For instance, an online trading site taken down by a DDOS attack
could be found negligent if it lacks adequate measures to assess
the security readiness of its Internet service provider, Cooper
said.
"From a liability standpoint, it is a good defence to be able to
say that the security technologies you have are state of the art
and adequate; and that you have done everything you can," said Tom
Beach, senior vice president of risk management solutions at Zurich
North America Financial Enterprises. Zurich, like the growing list
of insurance companies scrambling to provide third-party liability
insurance, offers security assessment services through third
parties and also has recommended best practices for its
clients.
Emerging privacy and security regulations - such as the US Health
Insurance Portability and Accountability Act and the
Gramm-Leach-Bliley Act, which governs financial institutions -
mandate specific requirements for firms in these industries.
Companies in other industries would also do well to adopt a
continuous cycle of identifying and eliminating risk in accordance
with these regulations, analysts said.
Ultimately "the point to remember is that where there are no
specific laws, they will be built in the courtroom," warned Marc
Enger, a director at Digital Defense.