Firewall Wizards mailing list archives

Re:


From: "Paul D. Robertson" <proberts () clark net>
Date: Thu, 26 Aug 1999 19:40:26 -0400 (EDT)

On Thu, 26 Aug 1999, Rick Smith wrote:

almost any bank's physical security if one takes the time to look). What
matters is that the measures are consistent with reasonable and prudent
practice in the associated industry. This is, of course, a pretty low bar

[Warning: US-centric content]

I don't think this test necessarily applies to current caselaw.  While 
"best current practice" and "in the associated industry" come up 
constantly, the citations I've heard say that a case (Forgive me for not 
having a direct citation, I'm not sure where I stored the original 
comments anymore) in the early 1900's that applied to commercial shipping 
organizations and not providing lifevests to crewmembers applies and that 
"best common practice" isn't a high-enough standard no matter what an 
industry may think (at the time, few to no Great Lakes commercial fishing 
vessels issued lifejackets to crewmembers.)  If there's conflicting 
caselaw, I'd like to know, and I'll dig up the exact citation for the 
above example; making lawyers nervous is almost as fun as grilling 
"technical sales support" people.

I think "reasonable and prudent" is possibly a more accurate standard if 
you remove the industry association, but my information may be off or 
superseded by more extensive caselaw. 

IANAL and I don't play one on the 'Net, it's just my interpretation of 
what I've been told.  I do think the distinction potentially important 
and worth a mention.

in practice.

One can, of course, spell out security measures in a contract, or put in
liability disclaimers. From what I understand as a non-lawyer, such things
simply give the defendant some leverage in convincing a plaintiff not to
sue or to settle for a reasonable amount when a disaster occurs.

I wonder though if they'd provide more interesting fodder for shareholder 
lawsuits?  Especially for a security company whose marketing drivel could 
be misconstrued by an investor...  "The Web site says it's secure, 
management represented it as a secure solution, yet obviously by the 
verbiage on this contract there wasn't a plan to do sufficient diligence..."

More interesting, I think, would be a contributory negligence suit - 
either won or lost, it would make interesting precedent.  Especially by a 
3rd party who isn't enjoined in a contract or license agreement.

I'm still convinced sysadmin insurance will boom once the 
ambulance-chasers become packet-chasers.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () clark net      which may have no basis whatsoever in fact."
                                                                     PSB#9280
