Firewall Wizards mailing list archives

Re: Response to door knocking


From: JohnLNick () aol com
Date: Sun, 7 Feb 1999 21:24:05 EST

As far as US law is concerned, most criminal statutes require you to intend
for the criminal action to happen (called mens rea). There are a very few
crimes where intent is not required (statutory rape, for example), but I
sincerely doubt that leaving a hole on your server which allows someone to
launch an attack on another machine could be grounds for criminal prosecution.

As far as civil liability is concerned, I see a possibility there under an
action for negligence. If you knew about the hole and your decision not to
patch it was not "reasonable" (as defined by a court), then your company
could, theoretically, be held liable by the attacked company, since they could
argue that your negligence in not patching the hole allowed them to be
attacked. However, I wouldn't really want to be the lawyer to try to assert
that negligence claim, and defending against it would be a lot more fun. 

But, I do have to say that this analysis is only based on generalities and
there might be some state-specific laws that I don't know about that could
change this. In general, as long as you have a security policy with policies
that make business sense and are not totally out of line with the industry and
you follow it fairly consistently, you shouldn't be in trouble.

John Nicholson
