Firewall Wizards mailing list archives
Re: The New Security Threat: Lawyers?
From: Paul Robertson <proberts () patriot net>
Date: Wed, 29 Jan 2003 18:28:04 -0500 (EST)
On Wed, 29 Jan 2003, Alan Rudd wrote:
Ok group, just thought I would toss this one into your capable hands for some fun dialog. Although when you dig thru this it's scary.

Alan Rudd
Bytex Corp
508.422.9422

"A number of security experts seem to believe that lawsuits resulting from lax, or simply ineffective, computer security are on the horizon. It's not
That's been said for most of the last 10 or so years, it hasn't proven to be true yet. We'll be _worse_ off if it proves ever to happen[1].
hard to picture. John Doe buys US$300 worth of stereo equipment online using a credit card; two days later, someone manages to crack the server holding the customer information database, and John Doe becomes a victim of identity theft. After establishing which company is responsible for leaking his information, John Doe gets a lawyer and sues the company. Within a couple of months, it snowballs into a class-action suit after hundreds of other customers realize that their information was pilfered as well.
Sure it's hard to picture, I can't picture the same thing happening if someone breaks into the local mall and steals credit card receipts.
"How about a scenario in which a company is struck by another Outlook virus that e-mails random files from a user's hard drive? All it takes is one confidential document landing in the wrong hands, and your company or organization could be facing a lawsuit from one of your partners or customers.
We've had viruses that did that, no lawsuits yet.
"Software vendors, too, may find themselves liable for vulnerabilities in their products. "The language in End User License Agreements (EULAs) and so-called shrinkwrap licenses has protected companies against damages for products with security holes -- or at least that was the intent. "However, a recent ruling against Network Associates (NYSE: NET) proves that clauses in a EULA may be unenforceable -- allowing customers to sue a software or hardware vendor for damages if that vendor's products are not secure. I've never understood how companies could get away with such onerous license agreements, and the answer may be -- they can't.
I think it's a pretty large step to get from "can't publish reviews of a product isn't valid" to "liability limitation clause isn't valid." I don't think the NY court explained its reasoning behind making that part of the EULA unenforceable well (it's also a state court, so there aren't widespread issues here for the industry as a whole- other than in doing business in the state of New York.)

Part of that case seems to hinge on misleading statements, and part on selective enforcement of the terms. Also, there seems to have been some splitting of the restrictive clause from the rest of the license agreement.

EFF has the opinion up at:
http://www.eff.org/IP/UCITA_UCC2B/spitzer-v-network-assic.pdf

I doubt this is really going to open any major legal ground. Though I'm not a lawyer and don't play one on mailing lists.

Paul

[1] For real positive change, have the SEC mandate reporting of security incidents and infections in a quarterly report.

-----------------------------------------------------------------------------
Paul D. Robertson
proberts () patriot net
probertson () trusecure com
Director of Risk Assessment
TruSecure Corporation
"My statements in this message are personal opinions which may have no basis whatsoever in fact."