Information Security News mailing list archives

Can Hacking Victims Be Held Legally Liable?


From: InfoSec News <isn () c4i org>
Date: Sun, 26 Aug 2001 04:54:27 -0500 (CDT)

http://www.nytimes.com/2001/08/24/technology/24CYBERLAW.html

By CARL S. KAPLAN
August 24, 2001

Suppose, Margaret Jane Radin of Stanford Law School wrote recently,
that a Web site operated by a securities brokerage suffers a crippling
attack by hackers. The ability of its customers to conduct trades is
hampered for several hours, or even blocked entirely. Imagine, too,
that on the day of the attack the stock market is volatile, and that
many customers are trying unsuccessfully to buy or sell stocks in a
flash.

Of course, hackers are easy to blame. But what about the companies
that investors rely on to make trades? Are the brokerage firms and
their network providers -- which failed to prevent the attack that
harmed the site -- vulnerable to a second onslaught: a nasty lawsuit
from unhappy clients who lost money as a result of the shutdown?

Professor Radin isn't the only legal thinker posing this question.
Another paper co-authored by two partners and a legal assistant at a
major law firm, also considers whether companies that fail to take
reasonable steps to protect their computer systems from malicious
attacks or internal malfunctions are sitting ducks for lawsuits.

So far, lawyers say, the answer is unclear. There have been no
reported court decisions discussing the issue of a company's liability
for a hacker attack, according to Radin, an authority on intellectual
property, electronic commerce and Internet law. But lawsuits in the
near future are highly likely, she said.

In her paper, professor Radin examined the possible legal fallout from
a "distributed denial of service" attack. This is a particularly
troublesome form of digital mischief whereby hackers gain control of
unsuspecting users' computers and use those distributed machines to
flood a targeted site or service with junk messages, overwhelming the
site and causing it to be inaccessible to legitimate customers. (Her
study, "Distributed Denial of Service Attacks: Who Pays?" commissioned
by Mazu Networks, Inc., a Cambridge, Mass.-based security company, is
available on the company's site.)

Radin concluded that there is a "significant risk" that in the near
future targeted Web sites will be held liable to their customers for
harm arising from distributed denial of service attacks. In addition,
she reckoned that there is another "significant risk" that the
computer network companies that carry the hackers' attack messages --
such as ISPs and backbone network providers -- will be held
accountable to the targeted Web sites, and perhaps to the sites'
customers.

In the second paper, members of the cyberlaw practice group of Sidley
Austin Brown & Wood, a national law firm, considered the growing legal
danger faced by online service providers who suffer security breaches
or the internal glitches that can compromise their customers'
information.

The study, "Liability for Computer Glitches and Online Security
Lapses," by Alan Charles Raul and Frank R. Volpe, partners at the
firm, and Gabriel S. Meyer, a summer associate and J.D. candidate at
Cornell University, was published earlier this month in a Bureau of
National Affairs newsletter on electronic-commerce and will be
available shortly on the firm's Web site. It concludes that e-commerce
players must "demonstrate [a] willingness and ability to implement
aggressive security measures" if they wish to stave off security
breaches, avoid government intervention and escape, or at least limit,
damages in a lawsuit.

Professor Radin, director of Stanford's Program on Law, Science and
Technology, said in a telephone interview that companies need to begin
taking seriously their potential legal liability for computer hacks.
The vulnerability of businesses to distributed denial of service
assaults is staggering, she said, citing a survey which found that
more than one-third of respondents had experienced denial of service
attacks. That figure, from the 2001 Computer Crime and Security
Survey, conducted by the San Francisco-based Computer Security
Institute, may be the tip of the iceberg because companies, fearful of
bad publicity, often under-report attacks. Direct losses from denial
of service attacks on Yahoo, eBay and others in February of last year
have been estimated at $1.2 billion by the Yankee Group, a consulting
company.

"E-commerce is not going to take off if customers fear it won't work
in a pinch," Radin said.

Moreover, said Radin, federal and state laws aimed at individual
hackers have shortcomings: Hackers are hard to trace and even when
detected, are unlikely to have the deep pockets coveted by victims and
their lawyers.

In the brokerage Web site attack scenario, a customer or a class of
customers that suffered financial losses would sue the brokerage firm
for damages, according to Radin. The firm, in its defense, might point
to a section of its Terms of Service agreement with its customers.
That fine print, no doubt, would have a clause clearing itself of
liability.

But whether that defense would prevail is not clear, said Radin,
particularly if a court finds the contract's terms to be oppressive or
overly weighted toward the company, or if the contract's validity is
in question due to questions over proper customer consent.

Also vulnerable to a negligence claim would be the network service
providers and hosting companies, said Radin. There would be no
contract defense for these companies to fall back on with respect to
the broker's individual customers for the simple reason that there is
no contract between them. On the other hand, the potential legal
warfare between the brokerage and the network providers would likely
proceed under the terms of their business contracts.

To determine whether the corporate defendants are negligent, courts
will look at how any losses could have been prevented. "A court is
going to say it is negligent of you not to implement preventative
measures if they are reasonably effective and affordable," said Radin.

A jury will have to decide, in fact, if the company could have taken
preventative measures, said Radin. Trials will, therefore, be a battle
of expert witnesses, she predicted. But, she added: "I think as
technology increases -- as easy fixes become available -- it's more
likely that courts will be unsympathetic" to companies that have not
done their utmost to block hacker invasions. That is particularly true
with respect to the Internet service providers which are in the best
position to take system-wide precautions, she said.

Meanwhile, Raul of Sidley Austin, which represents major communication
companies and firms doing business online, said that his clients
"either are, or ought to be" worried about their legal liability for
malicious hacks or inadvertent glitches.

In his firm's paper, Raul and his colleagues said that companies can
seek to manage their legal risks by adopting state-of-the-art security
measures suggested by industry groups and supporting federal laws
aimed at strengthening data security in the health and financial
fields.

"Does a company have controls in place to prevent unauthorized access
and careless release of data?" asked Raul. "Is the company training
employees in information security?" Is it constantly assessing its
vulnerability to intrusions or glitches? The answers are important
because an aggressive plaintiff's lawyer is sure to ask who the
person or unit responsible for data security was. If the defendant
offers a weak response, said Raul, it will look "really bad."




-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn' in the BODY
of the mail.