Lawsuits for Security Blunders

posted onMay 23, 2001
by hitbsecnews

Saw this over at SNN

Security lapses can lead to compromised systems, lost data, and unhappy customers. Apparently, in the near future they are likely to lead to more lawsuits as well, at least according to a recent article in Computerworld. This is not surprising -- lawsuits can be an effective way to recover damages, whether real or imagined. No doubt such predictions can be viewed as being perhaps a bit of scare-mongering from the legal and security communities, but the threat of legal repercussions for lax security should certainly be considered in any security posture.

Companies that don't have consistent and verifiably appropriate security practices for protecting their IT assets are opening themselves up to liability lawsuits, warn security experts.

Although none have been filed yet, such suits would force companies to take responsibility for their roles, however unwitting, in security breaches that involve their computers. These might include distributed denial-of-service attacks, the spread of computer viruses, public disclosure of confidential information or financial loss to business partners and customers.

"You can expect to see major liability lawsuits in the next 18 months" or so, said Randy Marchany, a member of the Virginia Tech Computing Center's systems management group and the coordinator of its Computer Incident Response Team, speaking at the SANS 2001 technical conference in Baltimore last week.

Increasingly, companies that fail to show due diligence in minimizing their exposure to such threats will become targets for lawsuits, agreed Margaret Jane Radin, a professor of law, science and technology at Stanford University Law School.

Legal liability in such cases is likely to depend on what prevention technologies and practices are available and on whether these technologies and practices are reasonably cost-effective to implement, she said.

As a result, showing due diligence will mean everything from implementing technologies such as firewalls, intrusion-detection tools, content filters, traffic analyzers and virtual private networks to having best practices for continuous risk assessment and vulnerability testing. It will also mean having corporate policies and procedures backing up all of this, analysts said.

"There are a lot of dimensions to the issue," most of which are outside the purview of IT departments, said David Krauthamer, MIS manager at Advanced Fibre Communications Inc., a manufacturer of telecommunications equipment in Petaluma, Calif. What IT managers need to do is to "be very aggressive about controlling and monitoring security," Krauthamer added.

The issue of who bears responsibility for DDOS attacks, for instance, is a question that is likely to be legally tested in the very near future, agreed most analysts.

DDOS attacks use a multitude of hacked systems, known as slaves or zombies, to inundate a Web site or Internet-connected server with a flood of useless traffic.

"The legal aspects [of such attacks] are a big, wide-open issue," said Tony Gauvin, a vice president of software and operations at ElephantX Online Securities LLC, a New York-based financial start-up.

The attacks are hard to pinpoint, since they involve multiple sources, including service and network providers, hosting companies, portal operators, corporate sites and universities.

It's possible that not only will service providers be held legally liable for such attacks, but victim sites - those co-opted by perpetrators to take part in the attack and sites crippled by attacks- could be as well, said Joseph A. Cooper, president of Digital Defense Inc., a San Antonio-based Web security company that specializes in financial services firms.

For instance, an online trading site taken down by a DDOS attack could be found negligent if it lacks adequate measures to assess the security readiness of its Internet service provider, Cooper said.

"From a liability standpoint, it is a good defense to be able to say that the [security technologies] you have are state of the art and adequate and that you have done everything you can," said Tom Beach, senior vice president of risk management solutions at Zurich North America Financial Enterprises, a Baltimore-based financial services company that provides insurance for third-party liability. Zurich, like the growing list of insurance companies scrambling to provide third-party liability insurance, offers security assessment services through third parties and also has recommended best practices for its clients.

Emerging privacy and security regulations, such as the Health Insurance Portability and Accountability Act and the Gramm Leach-Bliley Act governing financial institutions, mandate specific requirements for firms in these industries.

Companies outside of these industries would also do well to adopt a similar continuous cycle of identifying and eliminating risk mandated by these regulations, analysts said.

Ultimately, "the point to remember is that where there are no specific laws, they will be built in the courtroom," warned Marc Enger, a former director of security operations for a branch of the U.S. Air Force and now a director at Digital Defense.

Computerworld

Source

Tags

Networking

You May Also Like

Other Articles In This Section

Recent News

Tuesday, July 9th

China's APT40 gang is ready to attack vulns within hours or days of public release
AI-Powered Super Soldiers Are More Than Just a Pipe Dream
The president ordered a board to probe a massive Russian cyberattack. It never did.
Massive car dealer ransom attack is mostly over after 2 weeks of work-arounds

Wednesday, July 3rd

“RegreSSHion” vulnerability in OpenSSH gives attackers root on Linux
Two of the German military’s new spy satellites appear to have failed in orbit

Friday, June 28th

Indonesian Airports, Data Centres Hit By Worst Cyberattack in Years
Cisco Talos warns of wider security implications following Snowflake breach

Thursday, June 27th

I Wore Meta Ray-Bans in Montreal to Test Their AI Translation Skills. It Did Not Go Well
Researchers upend AI status quo by eliminating matrix multiplication in LLMs
YouTube tries convincing record labels to license music for AI song generator
Critical MOVEit vulnerability puts huge swaths of the Internet at severe risk
Julian Assange to plead guilty but is going home after long extradition fight

Thursday, June 13th

Hackers show off jailbroken checkm8-vulnerable iPad and Apple TV running iPadOS 18 & tvOS 18 respectively
One of the major sellers of detailed driver behavioral data is shutting down
Turkish student creates custom AI device for cheating university exam, gets arrested

Wednesday, June 12th

Chinese-Made Biometric Access System Has 24 Vulnerabilities
Apple and OpenAI currently have the most misunderstood partnership in tech
Adobe to update vague AI terms after users threaten to cancel subscriptions
China state hackers infected 20,000 Fortinet VPNs

Tuesday, June 11th

Russia Is Targeting Germany With Fake Information as Europe Votes
Apple announces macOS 15 Sequoia with window tiling, iPhone mirroring, and more
Apple integrates ChatGPT into Siri, iOS, and macOS
British police to scan 480,000 Formula 1 fans’ faces at Silverstone
Hackers steal “significant volume” of data from hundreds of Snowflake customers

Friday, June 7th

7,000 LockBit decryption keys now in the hands of the FBI, offering victims hope
FCC pushes ISPs to fix security flaws in Internet routing
Can a technology called RAG keep AI models from making stuff up?
How to Lead an Army of Digital Sleuths in the Age of AI

Thursday, June 6th

Mystery object waits nearly an hour between radio bursts
Apple refused to pay bug bounty to Russian cybersecurity firm Kaspersky Lab
Ex-Microsoft security expert torches Windows' new 'Recall' feature
The Age of the Drone Police Is Here

Wednesday, June 5th

Ukrainian Systems Hit by Cobalt Strike Via a Malicious Excel File
TikTok Hack Targets ‘High-Profile’ Users via DMs