Information Security News mailing list archives

Lawyers see security suit-riddled future


From: InfoSec News <isn () c4i org>
Date: Wed, 16 Apr 2003 02:59:03 -0500 (CDT)

Forwarded from: William Knowles <wk () c4i org>

http://news.com.com/2100-1009-996935.html

By Lisa M. Bowman
Staff Writer, CNET News.com
April 15, 2003

SAN FRANCISCO -- Harry the Hacker could leave a long trail of lawsuits
in his wake.

At the RSA Conference 2003 here on Tuesday, lawyers outlined a
hypothetical scenario, in which Harry the Hacker, angry because he's
been fired, decides to put his computing skills to work for nefarious
purposes. During his cracking spree, Harry's escapades include using
the insecure system of We Care Hospital to launch an attack against a
bank, stealing the credit card numbers of customers of an online porn
company, discovering the medical records of his former boss, which
indicate he has just tested positive for HIV, and posting those
records on the Web.

Harry then absconds with millions and flees the country, leaving a
path strewn with victims of identity theft, privacy breaches, and of
course, staggering financial losses. Soon after, the finger pointing
ensues.

Many lawyers think security could be the next big area of cyber law,
especially as attacks become more prevalent and companies and their
customers suffer growing financial losses. What's more, hackers who
breach the systems to steal and use credit card addresses are often
difficult to find, meaning victims must find new targets for blame.

"There are all kinds of theories of liability that could be alleged,
and they're really only limited by the creativity of the attorneys
involved," Rebecca Grassi Bradley, an attorney with Whyte Hirschboeck
said about the Harry the Hacker scenario, prompting a chuckle from the
crowd.

In this case, the list of potential parties to lawsuits is as varied
as pairings at a square dance. The hospital could sue its privacy
consultant, which could also be sued by the bank and Harry's boss. The
bank could sue its security company. And the porn company could sue
its Web host and the company it hired to develop its site. Some of
those parties could then sue their insurers. And don't forget about
the customers of the online porn company and bank, which could file
class action suits against both entities. What's more, Harry's boss,
who happens to be British, could sue the British company that provided
his records to We Care Hospital, alleging it violated EU privacy
policies, which might require that company check to make sure the
records would remain secure once they're transferred.

The lawyers warned that privacy contracts don't necessarily protect
companies from liability, and privacy regulations in certain countries
could result in jail time for those who allow the unauthorized release
of private information, such as the medical records of Harry's boss.

Lawyers said companies need to plan for security and privacy risks of
all stripes and bring in security experts and attorneys long before a
breach happens. "We're probably the last to get called in," Jeffrey
Aiken, an attorney with Whyte Hirschboeck Dudek, told the crowd of
lawyers and security consultants. "You need to get everyone involved
in this process."

Aiken said e-commerce sites could take a page from the construction
industry, another sector that has to deal with a variety of partners
and is subject to heavy security and safety regulations.

Aiken suggested e-commerce companies limit liability by developing a
plan that includes a designated project team, a project office and a
written plan to deal with breaches.

He said even the largest companies are surprisingly ignorant of
security threats. For example, he recently attended a board meeting of
a major company in the financial services sector, which plans to
launch a new Web application soon. After a marketing presentation
about the project, Aiken said he asked if the new system had been
tested for security, and the room went silent. Executives then said
they would get right on it. "This is a sophisticated company, and they
weren't doing it right," he said.

*==============================================================*
"Communications without intelligence is noise; Intelligence
without communications is irrelevant." Gen Alfred M. Gray, USMC
================================================================
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.