Information Security News mailing list archives

RE: Italian Police Nab Hacker Group


From: InfoSec News <isn () c4i org>
Date: Mon, 21 Jan 2002 02:28:46 -0600 (CST)

Forwarded from: Marjorie Simmons <lawyer () carpereslegalis com>

[This is the last posting on this topic. - WK]


The "qualitative damages that are hard to put a dollar figure on" is
called, in legal-damages parlance, "business good will."  It is
ascertainable and quantifiable, and has been for a long, long time.

In law there are the concepts of assumption of the risk, comparative
negligence, apportionment of damages, and, of course, proof of damages
in order to (as a prerequisite to) recovery of damages.  I've been
interested for a while now that there hasn't been more press skepticism
nor general business understanding that the assessment of damages from
defacements subjects itself nicely to such timeworn tests and really
is little different from other business losses assessments.

What needs attention is the quite deliberate obfuscation of these
concepts (by wannabe profiteers as well as by some clueless press
people) going on at a pretty constant pace.  Folks need to
disentangle, conceptually, the defacement act and motive from the
assessment of damages in order to sort out the issues, which are
multiple.  The relationship(s)  between an act and the consequences
flowing from that act is (are) not so Byzantine as Windows security.

I write letters, at times, and in response to the following letter, I
was met by silence (surprise, surprise): 

____
From:   Marjorie Simmons 
Sent:   Thursday, June 08, 2000 10:52 pm
To:     'Ms Patrice Rapalus'
Subject:        5th Computer Crime & Security Survey

Dear Ms Rapalus,

With regard to your most recent survey:  
http://www.gocsi.com/prelea_000321.htm

I am curious as to whether your survey asked the respondents 

1)  whether they reported their losses to 
    their shareholders and investors?
2)  if not why not?
3)  if so then why was this not reported on in the survey?

This information is relevant and important, and it seems to me that your
survey is seriously flawed for the lack of this data.  Many a lawsuit
could be avoided or settled more quickly if companies did not attempt
to, with impunity, report quite staggering financial losses to the
press from security breaches and then somehow forget those losses when
it comes time to communicate with investors and shareholders, not to
mention with the IRS.

If this was somehow simply overlooked, I hope you will soon work to
correct it.  Perhaps in the meantime your staff could query a sampling
of the survey respondents for this information and post the results on
your site as a survey supplement.

Sincerely,

Marjorie Simmons
____

Lots of other questions I *could* have asked her, but, I knew not to
waste too much of my time.

The concepts of assumption of the risk, comparative negligence,
apportionment of damages, and proof of damages are all rooted in
common sense and a sense of fair play, but only rarely are they
considered when some members of the press, driven by whatever impulse,
run to the people with their Gee Look At This sensationalist
pontifications. Such behavior is certainly not limited to things
technical; axiomatically, the more complex the subject matter, the
more this happens. However, this is but history as usual.

Luckily, most of the judiciary is a lot smarter than that and lacks
the agendas of the players in the press and those who pay for the
dissemination of certain 'news' items. So when defacement cases go to
court, if they go to court, damages must be proven within a reasonable
degree of certainty, negligence IS compared, and the assumed risks ARE
considered (all assuming, of course, that the lawyers involved bring
these arguments before the court.)

So while we can try the cases in the Court of Email in order to be
clearer on the issues and to educate our contemporaries, we should be
mindful that the concepts are ancient and not difficult to apply, no
matter the venue.  What is needed is to call the agenda-minded on
their errors in the more public forum.

DO try this at home:  give some little gratis presentations to your
community Rotary club, or other such groups.  (Do it for free in the
spirit of Open Source -- a public affirmation of no agenda on your own
part.)  Talk about where a company can expect to face losses and how
to account for them in real terms, and why. Use real-life examples.  
Make them ask questions, even those you cannot answer, and suggest for
those they seek the advice of their accountants and lawyers.  If you
think yourself (1) too important for this, or (2) not known enough,
you're (1) not, (2) not giving yourself enough credit.

Was (is) anyone here a Scout?  or an intelligence officer?  (never
...!  ; ) ), a veteran?  Does 'Be Prepared' sound familiar? It will
get muddier before it becomes Old Hat.

Marjorie

Marjorie Simmons, Esq.
lawyer () carpereslegalis com
http://www.carpereslegalis.com


~~~~~~~~~~~~~

On Thursday, January 17, 2002 11:15 pm, InfoSec News [SMTP:isn () c4i org] wrote:
| Forwarded from: mezzanine <mezzanine () brokenhalo org>
| 
| > I would like to say that anytime a website gets defaced there are
| > always monetary damages.
| 
| Very true. I agree.
| 
| > There are always qualitative damages that are hard to put a dollar
| > figure on.
| 

[...]




-
ISN is currently hosted by Attrition.org
