Network Security
New legal storm on Net horizon
- From: Paul Howell
- Date: Thu Jul 06 07:14:46 2000
At http://dailynews.yahoo.com/h/zd/20000704/tc/new_legal_storm_on_net_horizon_1.html
Tuesday July 04 04:15 PM EDT
New legal storm on Net horizon
By David Raikow, Special to ZDNet
Could you be sued for allowing yourself to be
hacked?
Amid the nearly constant stream of news coverage about
Internet security problems over the past six months, most
people probably didn't even register the recent attack on
Nike Inc.'s (NYSE:NKE - news) Web site.
After all, Web sites are attacked every day; Nike may be a
high-profile company, but there was nothing particularly
unusual about the incident itself.
One of the victims is preparing an extremely unusual
response, however, that could change the way we think of
online security. Scottish ISP FirstNet Online is preparing
to sue the shoe maker -- for "allowing" itself to be hacked.
Caught in the middle
Sometime on or before June 21,
unknown intruders penetrated
FirstNet's servers and used them as
part of an attack that redirected Web and e-mail traffic
bound for "nike.com" to an anti-Nike activist site in
Australia.
According to FirstNet owner Greg Lloyd Smith, Nike
requested that the ISP redirect traffic back to its servers as
an emergency measure while Nike attempted to regain
control over the "nike.com" domain name. After the incident
was resolved, FirstNet submitted an invoice to Nike for its
services, and Nike refused to pay.
FirstNet is now preparing to file suit against Nike in the
Scottish courts. The primary focus of the complaint is a fairly
simple question of contract law: FirstNet says it provided a
service and deserves to be paid.
In addition to its normal fees, however, FirstNet's bill
includes a claim for compensation for the disruption caused
by the enormous amount of traffic generated by "nike.com."
Smith claims Nike's lax security is responsible for the
incident, and that the company should therefore be
financially responsible for the resulting disruption.
A new wave of litigation?
The validity of FirstNet's suit under Scottish law aside, the
precedent set by this type of claim could trigger a whole new
type of litigation.
As far as I have been able to determine, no court has ever
squarely addressed the notion that a company could be
liable for failing to secure its own servers adequately. The
concept does have some support in U.S. law -- landlords
have been sued by their tenants for providing insufficient
building security, for example -- but the application of these
precedents to the Internet raises a host of complex
questions.
What should be considered "adequate" security? Does this
standard vary from business to business? What about
individuals who maintain servers? What about questions of
jurisdiction: Will dotcoms in Omaha face lawsuits from Sri
Lanka and Cameroon?
If the courts do address these issues, however, the
compelling business logic behind "negligent Internet
security" claims could make them the next big thing in
litigation.
Who's liable?
Computer crime is a major problem and imposes significant
costs on online companies. When faced with financial loss,
most businesses look for someone to sue, and bringing
computer criminals into civil court is not often an option.
Most attacks involve multiple networks owned by many
different companies, presenting a wide array of potential
defendants, some of whom are bound to have deep
pockets.
The potential effect of "negligent security" lawsuits is difficult
to overstate. Enormous ISP liability and litigation costs, for
example, could dramatically raise Internet access fees. The
threat of liability could create a significant barrier to entry,
hampering small businesses and startups while offering an
additional advantage to established companies with
substantial legal resources.
Moreover, the technical issues raised by these cases would
make the MS-DOJ trial look simple in comparison and
could impose a large burden on already-overtaxed courts.
On the other hand, the threat of security lawsuits could also
do a lot of good. PR claims aside, most businesses don't
consider network security a major concern; potential
lawsuits, however, have a way of making CEOs sit up and
pay attention. The legal arguments could bleed over into
questions of software development, forcing developers to
take more responsibility for securing their products.
Most important, the notion could force us all to realize that
Internet security is the responsibility of the entire Internet
community, and that we all have to play our part.
San Francisco-based security consultant and columnist
David Raikow holds a law degree from U.C. Berkeley's
Boalt Hall School of Law.