Firewall Wizards mailing list archives
Re:
From: Rick Smith <rick_smith () securecomputing com>
Date: Thu, 26 Aug 1999 11:12:05 -0500
Mellon, Ty wrote:
Hello, everyone. I am looking for information on regulation, statutes, etc., that address a company's liability when providing a service without adequate security.
I just finished reading Donn Parker's latest book, "Fighting Computer Crime," and he talks a good deal about the notion of due diligence with respect to information security. The bottom line seems to be that the safeguards must be widely available and widely used. It doesn't matter that there are identifiable vulnerabilities (one can identify vulnerabilities in almost any bank's physical security if one takes the time to look). What matters is that the measures are consistent with reasonable and prudent practice in the associated industry. This is, of course, a pretty low bar in practice.

One can, of course, spell out security measures in a contract, or put in liability disclaimers. From what I understand as a non-lawyer, such things simply give the defendant some leverage in convincing a plaintiff not to sue or to settle for a reasonable amount when a disaster occurs.

Rick.
smith () securecomputing com
"Internet Cryptography" at http://www.visi.com/crypto/