News Feature

INFORMATION SECURITY - See You in Court

By Sarah D. Scalet

November 01, 2001 — CIO — Just before 8 a.m. on feb. 1, 2001, C.I. Host, a Web-hosting company with 90,000 customers, was hit with a crippling denial-of-service attack. By the end of the day, after outage complaints from what CEO Christopher Faulkner described as "countless" customers, the Fort Worth, Texas-based company got its lawyers involved.

Faulkner’s company aimed its legal wrath not at any hacker but at another business, Exodus Communications, and five of its customers. As the nation’s largest Web-hosting company, Santa Clara, Calif.-based Exodus (which at press time filed for Chapter 11 bankruptcy protection) has served up the websites of such household names as American Airlines, eBay and General Electric. In an injunction filed in a Texas district court and later moved to a U.S. district court, C.I. Host alleged that the defendants committed or allowed a third party to commit a denial-of-service attack on C.I. Host’s systems. The defendants insisted that they were victims of a hacker themselves, not the perpetrators of a crime.

The case never made it to trial, but C.I. Host’s lawyers did convince a Texas judge to issue a temporary restraining order shutting down three of the Web servers involved in the attack until the companies could prove the vulnerabilities had been fixed. This messy and confusing case pitted not just rival against rival but victim versus victim. Although the attacks lasted only a couple of days, it took seven month’s worth of legal fees, not to mention time and energy, to close the case.

This scenario and other similar ones are likely to play out with increasing frequency as more companies suffer public outages and thefts as a result of security breaches. And it raises a crucial question that the courts have yet to decide: When information security fails, who’s to blame?

The hacker is at fault, to be sure, but experts say it’s only a matter of time before judges and juries have to decide whether companies that are victims of a security breach can be held liable for having inadequate security. Only CIOs who understand this legal minefield will have the answers their company needs to hear?and know how to protect their business not only from hackers but also from legal actions that may follow in the hackers’ destructive wake.

The Next Asbestos?

To hear some people tell it, corporate liability for failed information security is the coming apocalypse. Several experts predict a flurry of personal injury lawsuits filed by customers whose personal information has been disclosed, corporate lawsuits based on damage caused by security breaches at business partners and class-action lawsuits filed on behalf of irate stockholders.

1 | 2 | 3 | 4 | 5 |next page »

Comments

Share [+]

TOOLS

Comments

Digg This

SlashDot

CENTER OF EXCELLENCE

Security

» Prudential Financial Protects its Brand with Symantec Data Loss Prevention Solutions
FORTUNE 100 insurance leaders rely on the Symantec Data Loss Prevention solution to protect sensitive customer data.

» Information Security: Data Drains and How to Prevent Loss
Do you know where your confidential data is, where it is going, and how to prevent it from leaving your organization.

» Data Loss Prevention: Keeping Sensitive Data Out of the Wrong Hands
Learn what the thought-leaders at PricewaterhouseCoopers have to say on the risks associated with data security.

» 7 Requirements of Data Loss Prevention
Incorporate best practices from many companies using DLP solutions as you establish your organization's requirements and safeguard confidential data.

» Ponemon Study: How Much Does a Data Breach "Cost"?
35 U.S. organizations that lost confidential information and had a regulatory requirement to publicly notify affected individuals are studied in this report.

Center sponsored by