"Some lawyer is going to figure out where the deep pockets are and is going to chase them," says Attorney Mark Grossman, chairman of the computer and e-commerce law group of Becker & Poliakoff in Miami and the TechLaw columnist for The Miami Herald. "My own profession can make me lose yesterday’s lunch. Sometimes we earn our reputation. It’s the American psyche: Something goes wrong, someone else should pay for it. It’s one of our failings. Juries like to give deep-pocket money away when some small third party gets hurt."

Lawsuits Looming

To date, CIO has not found any such liability lawsuits. However, several sources indicated that third-party damages are being quietly settled out of court. As a rule, it’s cheaper for companies to make confidential settlements than to defend themselves. It also helps avoid publicity that might give stockholders and customers pause.

American International Group (AIG) has paid out millions of dollars for Internet risk-related claims, most as third-party damages. "Third-party liability insurance is by far our most popular option," says Ty R. Sagalow, executive vice president and COO of AIG E-Business Risk Solutions in New York City, which has sold more than 1,200 cyberinsurance policies since it started offering the coverage in early 2000. He’s mum on the details, but says the first concern companies have when purchasing insurance is often that they’ll get sued if something goes wrong.

Related issues have started to make headlines. In September, the world’s largest financial services company found out the hard way that putting customer information into the wrong hands could lead to a lawsuit. Citibank and its New York City-based parent company, Citigroup, were served with a class-action privacy lawsuit alleging that the companies illegally disclosed private financial information to telemarketers and vendors. Citigroup was not available for comment. (For information on other privacy lawsuits, see "Miller’s Privacy Warning," Page 72. To understand the overlap, see "Security Versus Privacy," Page 64.)

In August, the Washington state attorney general’s office asked Qwest Communications to refund DSL customers affected by Qwest’s outages while it fought the Code Red worm. The Denver-based company insisted that the Code Red problems were not its fault. (See "Code Red: Phase Two," Page 68.)

Also, the Federal Trade Commission is investigating an internal security bungle in which drug manufacturer Eli Lilly accidentally revealed the e-mail addresses of 700 Prozac users. At least one customer complained to the American Civil Liberties Union that the security breach violated his privacy. In a letter to the FTC requesting the investigation, ACLU Associate Director Barry Steinhardt quoted Eli Lilly’s security and privacy statement, and asserted that the Indianapolis-based company had violated its own promise of confidentiality. The FTC won’t release details until its investigation is complete.