INFORMATION SECURITY - See You in Court

Just before 8 a.m. on feb. 1, 2001, C.I. Host, a Web-hosting company with 90,000 customers, was hit with a crippling denial-of-service attack. By the end of the day, after outage complaints from what CEO Christopher Faulkner described as "countless" customers, the Fort Worth, Texas-based company got its lawyers involved.

Faulkner’s company aimed its legal wrath not at any hacker but at another business, Exodus Communications, and five of its customers. As the nation’s largest Web-hosting company, Santa Clara, Calif.-based Exodus (which at press time filed for Chapter 11 bankruptcy protection) has served up the websites of such household names as American Airlines, eBay and General Electric. In an injunction filed in a Texas district court and later moved to a U.S. district court, C.I. Host alleged that the defendants committed or allowed a third party to commit a denial-of-service attack on C.I. Host’s systems. The defendants insisted that they were victims of a hacker themselves, not the perpetrators of a crime.

The case never made it to trial, but C.I. Host’s lawyers did convince a Texas judge to issue a temporary restraining order shutting down three of the Web servers involved in the attack until the companies could prove the vulnerabilities had been fixed. This messy and confusing case pitted not just rival against rival but victim versus victim. Although the attacks lasted only a couple of days, it took seven month’s worth of legal fees, not to mention time and energy, to close the case.

This scenario and other similar ones are likely to play out with increasing frequency as more companies suffer public outages and thefts as a result of security breaches. And it raises a crucial question that the courts have yet to decide: When information security fails, who’s to blame?

The hacker is at fault, to be sure, but experts say it’s only a matter of time before judges and juries have to decide whether companies that are victims of a security breach can be held liable for having inadequate security. Only CIOs who understand this legal minefield will have the answers their company needs to hear?and know how to protect their business not only from hackers but also from legal actions that may follow in the hackers’ destructive wake.

The Next Asbestos?

To hear some people tell it, corporate liability for failed information security is the coming apocalypse. Several experts predict a flurry of personal injury lawsuits filed by customers whose personal information has been disclosed, corporate lawsuits based on damage caused by security breaches at business partners and class-action lawsuits filed on behalf of irate stockholders.

"It’s going to be the next asbestos," Ed M. McPherson III, Atlanta-based director of PricewaterhouseCoopers, recently told a group assembled in New York City to learn about cybercrime’s impact on shareholder value.

Security vendors are banking on it. For instance, Redwood, Calif.-based Recourse Technologies worked with Daniel Langin, a defense attorney for several early Internet cases, to explore whether corporate officers could be held personally liable for information security breaches. His conclusion? You bet. "It takes one clear bellwether case to say you have this liability, before officers and directors wake up," he says.

"It’s not a ’sky is falling’ issue," says one CIO when asked about the likelihood of such lawsuits. Like many organizations, his large hospitality company forbids him from discussing the terms legal and security in the same breath, at least for attribution. "This is what the intelligent, forward-thinking company is thinking about. We believe that we’ve taken every possible precaution, and we’re looking for every possible thing on the horizon," he says.

Lawmakers are taking precautions as well. Members of Congress, most prominently Sen. Robert Bennett (R-Utah), think liability lawsuits are a real enough risk that they’re drafting legislation to mitigate the threat. Along with Sen. Jon Kyl (R-Ariz.), Bennett drafted a bill that would exempt businesses from Freedom of Information Act disclosures, antitrust prosecution and lawsuits resulting from the disclosure of cybersecurity information. In the House of Representatives, Tom Davis (R-Va.) and James Moran (D-Va.) have introduced similar legislation that would prevent voluntarily submitted information on security problems from being used in lawsuits.

Although critics have argued that such legislation would grant too broad a scope of immunity to businesses, the tenor of the discussion has changed in the wake of the Sept. 11 terrorist attacks in New York City and Washington, D.C. The argument for protecting the nation’s IT infrastructure gives more weight to the views of those who advocate companies’ sharing information with the government. Realizing that a security problem at one organization could be just the first domino, they hope to address mounting concerns about how a successful attack on an electric company, for example, could cause downstream outages to telephone systems, banks and many other services upon which citizens rely.

Meanwhile, judges have started assigning dollar values to security breaches. In courtrooms across the country, criminals have been ordered to pay hundreds of thousands of dollars, in addition to serving time. The problem is, hackers often have empty pockets, and the damage they do often far exceeds their own financial gain, if any. Enter the banana peel theory?you slip, and someone else should pay.

"Some lawyer is going to figure out where the deep pockets are and is going to chase them," says Attorney Mark Grossman, chairman of the computer and e-commerce law group of Becker & Poliakoff in Miami and the TechLaw columnist for The Miami Herald. "My own profession can make me lose yesterday’s lunch. Sometimes we earn our reputation. It’s the American psyche: Something goes wrong, someone else should pay for it. It’s one of our failings. Juries like to give deep-pocket money away when some small third party gets hurt."

Lawsuits Looming

To date, CIO has not found any such liability lawsuits. However, several sources indicated that third-party damages are being quietly settled out of court. As a rule, it’s cheaper for companies to make confidential settlements than to defend themselves. It also helps avoid publicity that might give stockholders and customers pause.

American International Group (AIG) has paid out millions of dollars for Internet risk-related claims, most as third-party damages. "Third-party liability insurance is by far our most popular option," says Ty R. Sagalow, executive vice president and COO of AIG E-Business Risk Solutions in New York City, which has sold more than 1,200 cyberinsurance policies since it started offering the coverage in early 2000. He’s mum on the details, but says the first concern companies have when purchasing insurance is often that they’ll get sued if something goes wrong.

Related issues have started to make headlines. In September, the world’s largest financial services company found out the hard way that putting customer information into the wrong hands could lead to a lawsuit. Citibank and its New York City-based parent company, Citigroup, were served with a class-action privacy lawsuit alleging that the companies illegally disclosed private financial information to telemarketers and vendors. Citigroup was not available for comment. (For information on other privacy lawsuits, see "Miller’s Privacy Warning," Page 72. To understand the overlap, see "Security Versus Privacy," Page 64.)

In August, the Washington state attorney general’s office asked Qwest Communications to refund DSL customers affected by Qwest’s outages while it fought the Code Red worm. The Denver-based company insisted that the Code Red problems were not its fault. (See "Code Red: Phase Two," Page 68.)

Also, the Federal Trade Commission is investigating an internal security bungle in which drug manufacturer Eli Lilly accidentally revealed the e-mail addresses of 700 Prozac users. At least one customer complained to the American Civil Liberties Union that the security breach violated his privacy. In a letter to the FTC requesting the investigation, ACLU Associate Director Barry Steinhardt quoted Eli Lilly’s security and privacy statement, and asserted that the Indianapolis-based company had violated its own promise of confidentiality. The FTC won’t release details until its investigation is complete.

C. Lee Jones, chairman and CEO of AmericasDoctor in Gurnee, Ill., and former vice president of IT of global pharmaceutical business at Abbott Laboratories, is one of many CIO-types watching with concerned skepticism. Jones says he would be shocked if the Eli Lilly incident didn’t result in legal action. "The lawyers follow the blood trail," he says. "They’re like sharks out there. When you have ill-defined laws, you’re going to have attorneys try to set precedent."

Security Safeguards

CIOs looking for a sure way to avoid the coming deluge of legal action aren’t going to find one. "Anybody can sue anybody for any reason at any time," says Bruce L. Dean of Karger, Key, Barnes & Springer in Dallas, one of the defense attorneys in the C.I. Host case. "All it takes is money and convincing a lawyer to file the case."

Dean got the June 2002 trial date scratched from the court’s calendar by arguing that his client, the Santa Clara, Calif.-based Web-hosting company Wintelcom, didn’t have any business ties in Texas. Future cases may require more than that. Attorneys agree that CIOs should follow the "prudent man rule"?a legal term that Attorney Langin explains as, "the duty to do what a prudent person would do to protect information assets."

To keep lawsuits from sticking, Langin and others offer these tips.

Related:
1 2 Page 1
Page 1 of 2
Survey says! Share your insights in our 19th annual State of the CIO study