Companies could face litigation over IT security breaches


Companies that do not have adequate security in place to protect their IT assets are opening themselves up to lawsuits, warn security experts.

Such litigation would force companies to take responsibility for their roles, however unwitting, in security breaches involving their computers. These might include distributed denial-of-service (DDoS) attacks, the spread of computer viruses, public disclosure of confidential information or financial loss to business partners and customers.

"You can expect to see major liability lawsuits in the next 18 months", said Randy Marchany, a member of the Virginia Tech Computing Center's systems management group and the co-ordinator of its Computer Incident Response Team.

Increasingly, companies that fail to show due diligence in minimising their exposure to such threats will become targets for lawsuits, agreed Margaret Jane Radin, a professor of law, science and technology at Stanford University Law School.

Legal liability in such cases is likely to depend on what prevention technologies and practices are available and on whether these technologies and practices are reasonably cost-effective to implement, she said.

As a result, showing due diligence will mean everything from implementing technologies such as firewalls, intrusion-detection tools, content filters, traffic analysers and virtual private networks to having best practices for continuous risk assessment and vulnerability testing. It will also mean having corporate policies and procedures backing up all of this, analysts said.

There are a lot of dimensions to the issue, most of which are outside the purview of IT departments, according to David Krauthamer, MIS manager at telecoms equipment manufacturer Advanced Fibre Communications. IT managers need to "be very aggressive about controlling and monitoring security", he said.

The issue of who bears responsibility for DDoS attacks, for instance, is a question that is likely to be legally tested in the very near future, most analysts agreed.

DDoS attacks use a multitude of compromised systems, known as slaves or zombies, to inundate a Web site or Internet-connected server with a flood of useless traffic.

"The legal aspects of such attacks are a big, wide-open issue," said Tony Gauvin, a vice-president of software and operations at New York-based financial start-up ElephantX Online Securities LLC.

The attacks are hard to pinpoint, since they involve multiple sources, including service and network providers, hosting companies, portal operators, corporate sites and universities.

It is possible that not only will service providers be held legally liable for such attacks, but victim sites - those co-opted by perpetrators to take part in the attack and sites crippled by attacks - could be as well, said Joseph Cooper, president of Web security company Digital Defense.

For instance, an online trading site taken down by a DDOS attack could be found negligent if it lacks adequate measures to assess the security readiness of its Internet service provider, Cooper said.

"From a liability standpoint, it is a good defence to be able to say that the security technologies you have are state of the art and adequate; and that you have done everything you can," said Tom Beach, senior vice president of risk management solutions at Zurich North America Financial Enterprises. Zurich, like the growing list of insurance companies scrambling to provide third-party liability insurance, offers security assessment services through third parties and also has recommended best practices for its clients.

Emerging privacy and security regulations - such as the US Health Insurance Portability and Accountability Act (HIPAA) for healthcare and the Gramm-Leach-Bliley Act (GLBA) for financial institutions - mandate specific requirements for firms in those industries.

Companies in other industries would also do well to adopt a continuous cycle of identifying and eliminating risk in accordance with these regulations, analysts said.

Ultimately "the point to remember is that where there are no specific laws, they will be built in the courtroom," warned Marc Enger, a director at Digital Defense.
