"It’s going to be the next asbestos," Ed M. McPherson III, Atlanta-based director of PricewaterhouseCoopers, recently told a group assembled in New York City to learn about cybercrime’s impact on shareholder value.

Security vendors are banking on it. For instance, Redwood, Calif.-based Recourse Technologies worked with Daniel Langin, a defense attorney for several early Internet cases, to explore whether corporate officers could be held personally liable for information security breaches. His conclusion? You bet. "It takes one clear bellwether case to say you have this liability, before officers and directors wake up," he says.

"It’s not a ’sky is falling’ issue," says one CIO when asked about the likelihood of such lawsuits. Like many organizations, his large hospitality company forbids him from discussing the terms legal and security in the same breath, at least for attribution. "This is what the intelligent, forward-thinking company is thinking about. We believe that we’ve taken every possible precaution, and we’re looking for every possible thing on the horizon," he says.

Lawmakers are taking precautions as well. Members of Congress, most prominently Sen. Robert Bennett (R-Utah), think liability lawsuits are a real enough risk that they’re drafting legislation to mitigate the threat. Along with Sen. Jon Kyl (R-Ariz.), Bennett drafted a bill that would exempt businesses from Freedom of Information Act disclosures, antitrust prosecution and lawsuits resulting from the disclosure of cybersecurity information. In the House of Representatives, Tom Davis (R-Va.) and James Moran (D-Va.) have introduced similar legislation that would prevent voluntarily submitted information on security problems from being used in lawsuits.

Although critics have argued that such legislation would grant too broad a scope of immunity to businesses, the tenor of the discussion has changed in the wake of the Sept. 11 terrorist attacks in New York City and Washington, D.C. The argument for protecting the nation’s IT infrastructure gives more weight to the views of those who advocate companies’ sharing information with the government. Realizing that a security problem at one organization could be just the first domino, they hope to address mounting concerns about how a successful attack on an electric company, for example, could cause downstream outages to telephone systems, banks and many other services upon which citizens rely.

Meanwhile, judges have started assigning dollar values to security breaches. In courtrooms across the country, criminals have been ordered to pay hundreds of thousands of dollars, in addition to serving time. The problem is, hackers often have empty pockets, and the damage they do often far exceeds their own financial gain, if any. Enter the banana peel theory?you slip, and someone else should pay.