Lawsuits for Security Blunders
Saw this over at SNN
Security lapses can lead to compromised systems, lost data, and unhappy customers. In the near future they are also likely to lead to more lawsuits, at least according to a recent article in Computerworld. This is not surprising -- lawsuits can be an effective way to recover damages, whether real or imagined. Such predictions may be viewed as a bit of scare-mongering from the legal and security communities, but the threat of legal repercussions for lax security should certainly be considered in any security posture.
Companies that don't have consistent and verifiably appropriate security practices for protecting their IT assets are opening themselves up to liability lawsuits, warn security experts.
Although none have been filed yet, such suits would force companies to take responsibility for their roles, however unwitting, in security breaches that involve their computers. These might include distributed denial-of-service attacks, the spread of computer viruses, public disclosure of confidential information or financial loss to business partners and customers.
"You can expect to see major liability lawsuits in the next 18 months" or so, said Randy Marchany, a member of the Virginia Tech Computing Center's systems management group and the coordinator of its Computer Incident Response Team, speaking at the SANS 2001 technical conference in Baltimore last week.
Increasingly, companies that fail to show due diligence in minimizing their exposure to such threats will become targets for lawsuits, agreed Margaret Jane Radin, a professor of law, science and technology at Stanford University Law School.
Legal liability in such cases is likely to depend on what prevention technologies and practices are available and on whether these technologies and practices are reasonably cost-effective to implement, she said.
As a result, showing due diligence will mean everything from implementing technologies such as firewalls, intrusion-detection tools, content filters, traffic analyzers and virtual private networks to having best practices for continuous risk assessment and vulnerability testing. It will also mean having corporate policies and procedures backing up all of this, analysts said.
"There are a lot of dimensions to the issue," most of which are outside the purview of IT departments, said David Krauthamer, MIS manager at Advanced Fibre Communications Inc., a manufacturer of telecommunications equipment in Petaluma, Calif. What IT managers need to do is to "be very aggressive about controlling and monitoring security," Krauthamer added.
The issue of who bears responsibility for DDOS attacks, for instance, is a question that is likely to be legally tested in the very near future, agreed most analysts.
DDOS attacks use a multitude of hacked systems, known as slaves or zombies, to inundate a Web site or Internet-connected server with a flood of useless traffic.
"The legal aspects [of such attacks] are a big, wide-open issue," said Tony Gauvin, a vice president of software and operations at ElephantX Online Securities LLC, a New York-based financial start-up.
The attacks are hard to pinpoint, since they involve multiple sources, including service and network providers, hosting companies, portal operators, corporate sites and universities.
It's possible that not only will service providers be held legally liable for such attacks, but victim sites - those co-opted by perpetrators to take part in the attack and sites crippled by attacks - could be as well, said Joseph A. Cooper, president of Digital Defense Inc., a San Antonio-based Web security company that specializes in financial services firms.
For instance, an online trading site taken down by a DDOS attack could be found negligent if it lacks adequate measures to assess the security readiness of its Internet service provider, Cooper said.
"From a liability standpoint, it is a good defense to be able to say that the [security technologies] you have are state of the art and adequate and that you have done everything you can," said Tom Beach, senior vice president of risk management solutions at Zurich North America Financial Enterprises, a Baltimore-based financial services company that provides insurance for third-party liability. Zurich, like the growing list of insurance companies scrambling to provide third-party liability insurance, offers security assessment services through third parties and also has recommended best practices for its clients.
Emerging privacy and security regulations, such as the Health Insurance Portability and Accountability Act and the Gramm-Leach-Bliley Act governing financial institutions, mandate specific requirements for firms in these industries.
Companies outside of these industries would also do well to adopt a similar continuous cycle of identifying and eliminating risk mandated by these regulations, analysts said.
Ultimately, "the point to remember is that where there are no specific laws, they will be built in the courtroom," warned Marc Enger, a former director of security operations for a branch of the U.S. Air Force and now a director at Digital Defense.