INFORMATION SECURITY - See You in Court
Faulkner’s company aimed its legal wrath not at any hacker but at another business, Exodus Communications, and five of its customers. As the nation’s largest Web-hosting company, Santa Clara, Calif.-based Exodus (which at press time filed for Chapter 11 bankruptcy protection) has served up the websites of such household names as American Airlines, eBay and General Electric. In an injunction filed in a Texas district court and later moved to a U.S. district court, C.I. Host alleged that the defendants committed or allowed a third party to commit a denial-of-service attack on C.I. Host’s systems. The defendants insisted that they were victims of a hacker themselves, not the perpetrators of a crime.
The case never made it to trial, but C.I. Host’s lawyers did convince a Texas judge to issue a temporary restraining order shutting down three of the Web servers involved in the attack until the companies could prove the vulnerabilities had been fixed. This messy and confusing case pitted not just rival against rival but victim versus victim. Although the attacks lasted only a couple of days, it took seven months’ worth of legal fees, not to mention time and energy, to close the case.
This scenario and other similar ones are likely to play out with increasing frequency as more companies suffer public outages and thefts as a result of security breaches. And it raises a crucial question that the courts have yet to decide: When information security fails, who’s to blame?
The hacker is at fault, to be sure, but experts say it’s only a matter of time before judges and juries have to decide whether companies that are victims of a security breach can be held liable for having inadequate security. Only CIOs who understand this legal minefield will have the answers their company needs to hear, and know how to protect their business not only from hackers but also from legal actions that may follow in the hackers’ destructive wake.
The Next Asbestos?
To hear some people tell it, corporate liability for failed information security is the coming apocalypse. Several experts predict a flurry of personal injury lawsuits filed by customers whose personal information has been disclosed, corporate lawsuits based on damage caused by security breaches at business partners and class-action lawsuits filed on behalf of irate stockholders.