Firewall Wizards mailing list archives

Re:


From: Rick Smith <rick_smith () securecomputing com>
Date: Thu, 26 Aug 1999 11:12:05 -0500

Mellon, Ty wrote:

> Hello, everyone. I am looking for information on regulation, statutes,
> etc., that address a company's liability when providing a service
> without adequate security.

I just finished reading Donn Parker's latest book, "Fighting Computer
Crime," and he talks a good deal about the notion of due diligence with
respect to information security. The bottom line seems to be that the
safeguards must be widely available and widely used. It doesn't matter that
there are identifiable vulnerabilities (one can identify vulnerabilities in
almost any bank's physical security if one takes the time to look). What
matters is that the measures are consistent with reasonable and prudent
practice in the associated industry. This is, of course, a pretty low bar
in practice.

One can, of course, spell out security measures in a contract, or put in
liability disclaimers. From what I understand as a non-lawyer, such things
simply give the defendant some leverage in convincing a plaintiff not to
sue or to settle for a reasonable amount when a disaster occurs. 


Rick.
smith () securecomputing com
"Internet Cryptography" at http://www.visi.com/crypto/
