INFORMATION SECURITY – See You in Court

Just before 8 a.m. on feb. 1, 2001, C.I. Host, a Web-hosting company with 90,000 customers, was hit with a crippling denial-of-service attack. By the end of the day, after outage complaints from what CEO Christopher Faulkner described as “countless” customers, the Fort Worth, Texas-based company got its lawyers involved.

Faulkner’s company aimed its legal wrath not at any hacker but at another business, Exodus Communications, and five of its customers. As the nation’s largest Web-hosting company, Santa Clara, Calif.-based Exodus (which at press time filed for Chapter 11 bankruptcy protection) has served up the websites of such household names as American Airlines, eBay and General Electric. In an injunction filed in a Texas district court and later moved to a U.S. district court, C.I. Host alleged that the defendants committed or allowed a third party to commit a denial-of-service attack on C.I. Host’s systems. The defendants insisted that they were victims of a hacker themselves, not the perpetrators of a crime.

The case never made it to trial, but C.I. Host’s lawyers did convince a Texas judge to issue a temporary restraining order shutting down three of the Web servers involved in the attack until the companies could prove the vulnerabilities had been fixed. This messy and confusing case pitted not just rival against rival but victim versus victim. Although the attacks lasted only a couple of days, it took seven month’s worth of legal fees, not to mention time and energy, to close the case.

This scenario and other similar ones are likely to play out with increasing frequency as more companies suffer public outages and thefts as a result of security breaches. And it raises a crucial question that the courts have yet to decide: When information security fails, who’s to blame?

The hacker is at fault, to be sure, but experts say it’s only a matter of time before judges and juries have to decide whether companies that are victims of a security breach can be held liable for having inadequate security. Only CIOs who understand this legal minefield will have the answers their company needs to hear?and know how to protect their business not only from hackers but also from legal actions that may follow in the hackers’ destructive wake.

The Next Asbestos?

To hear some people tell it, corporate liability for failed information security is the coming apocalypse. Several experts predict a flurry of personal injury lawsuits filed by customers whose personal information has been disclosed, corporate lawsuits based on damage caused by security breaches at business partners and class-action lawsuits filed on behalf of irate stockholders.

“It’s going to be the next asbestos,” Ed M. McPherson III, Atlanta-based director of PricewaterhouseCoopers, recently told a group assembled in New York City to learn about cybercrime’s impact on shareholder value.

Security vendors are banking on it. For instance, Redwood, Calif.-based Recourse Technologies worked with Daniel Langin, a defense attorney for several early Internet cases, to explore whether corporate officers could be held personally liable for information security breaches. His conclusion? You bet. “It takes one clear bellwether case to say you have this liability, before officers and directors wake up,” he says.

“It’s not a ’sky is falling’ issue,” says one CIO when asked about the likelihood of such lawsuits. Like many organizations, his large hospitality company forbids him from discussing the terms legal and security in the same breath, at least for attribution. “This is what the intelligent, forward-thinking company is thinking about. We believe that we’ve taken every possible precaution, and we’re looking for every possible thing on the horizon,” he says.

Lawmakers are taking precautions as well. Members of Congress, most prominently Sen. Robert Bennett (R-Utah), think liability lawsuits are a real enough risk that they’re drafting legislation to mitigate the threat. Along with Sen. Jon Kyl (R-Ariz.), Bennett drafted a bill that would exempt businesses from Freedom of Information Act disclosures, antitrust prosecution and lawsuits resulting from the disclosure of cybersecurity information. In the House of Representatives, Tom Davis (R-Va.) and James Moran (D-Va.) have introduced similar legislation that would prevent voluntarily submitted information on security problems from being used in lawsuits.

Although critics have argued that such legislation would grant too broad a scope of immunity to businesses, the tenor of the discussion has changed in the wake of the Sept. 11 terrorist attacks in New York City and Washington, D.C. The argument for protecting the nation’s IT infrastructure gives more weight to the views of those who advocate companies’ sharing information with the government. Realizing that a security problem at one organization could be just the first domino, they hope to address mounting concerns about how a successful attack on an electric company, for example, could cause downstream outages to telephone systems, banks and many other services upon which citizens rely.

Meanwhile, judges have started assigning dollar values to security breaches. In courtrooms across the country, criminals have been ordered to pay hundreds of thousands of dollars, in addition to serving time. The problem is, hackers often have empty pockets, and the damage they do often far exceeds their own financial gain, if any. Enter the banana peel theory?you slip, and someone else should pay.

“Some lawyer is going to figure out where the deep pockets are and is going to chase them,” says Attorney Mark Grossman, chairman of the computer and e-commerce law group of Becker & Poliakoff in Miami and the TechLaw columnist for The Miami Herald. “My own profession can make me lose yesterday’s lunch. Sometimes we earn our reputation. It’s the American psyche: Something goes wrong, someone else should pay for it. It’s one of our failings. Juries like to give deep-pocket money away when some small third party gets hurt.”

Lawsuits Looming

To date, CIO has not found any such liability lawsuits. However, several sources indicated that third-party damages are being quietly settled out of court. As a rule, it’s cheaper for companies to make confidential settlements than to defend themselves. It also helps avoid publicity that might give stockholders and customers pause.

American International Group (AIG) has paid out millions of dollars for Internet risk-related claims, most as third-party damages. “Third-party liability insurance is by far our most popular option,” says Ty R. Sagalow, executive vice president and COO of AIG E-Business Risk Solutions in New York City, which has sold more than 1,200 cyberinsurance policies since it started offering the coverage in early 2000. He’s mum on the details, but says the first concern companies have when purchasing insurance is often that they’ll get sued if something goes wrong.

Related issues have started to make headlines. In September, the world’s largest financial services company found out the hard way that putting customer information into the wrong hands could lead to a lawsuit. Citibank and its New York City-based parent company, Citigroup, were served with a class-action privacy lawsuit alleging that the companies illegally disclosed private financial information to telemarketers and vendors. Citigroup was not available for comment. (For information on other privacy lawsuits, see “Miller’s Privacy Warning,” Page 72. To understand the overlap, see “Security Versus Privacy,” Page 64.)

In August, the Washington state attorney general’s office asked Qwest Communications to refund DSL customers affected by Qwest’s outages while it fought the Code Red worm. The Denver-based company insisted that the Code Red problems were not its fault. (See “Code Red: Phase Two,” Page 68.)

Also, the Federal Trade Commission is investigating an internal security bungle in which drug manufacturer Eli Lilly accidentally revealed the e-mail addresses of 700 Prozac users. At least one customer complained to the American Civil Liberties Union that the security breach violated his privacy. In a letter to the FTC requesting the investigation, ACLU Associate Director Barry Steinhardt quoted Eli Lilly’s security and privacy statement, and asserted that the Indianapolis-based company had violated its own promise of confidentiality. The FTC won’t release details until its investigation is complete.

C. Lee Jones, chairman and CEO of AmericasDoctor in Gurnee, Ill., and former vice president of IT of global pharmaceutical business at Abbott Laboratories, is one of many CIO-types watching with concerned skepticism. Jones says he would be shocked if the Eli Lilly incident didn’t result in legal action. “The lawyers follow the blood trail,” he says. “They’re like sharks out there. When you have ill-defined laws, you’re going to have attorneys try to set precedent.”

Security Safeguards

CIOs looking for a sure way to avoid the coming deluge of legal action aren’t going to find one. “Anybody can sue anybody for any reason at any time,” says Bruce L. Dean of Karger, Key, Barnes & Springer in Dallas, one of the defense attorneys in the C.I. Host case. “All it takes is money and convincing a lawyer to file the case.”

Dean got the June 2002 trial date scratched from the court’s calendar by arguing that his client, the Santa Clara, Calif.-based Web-hosting company Wintelcom, didn’t have any business ties in Texas. Future cases may require more than that. Attorneys agree that CIOs should follow the “prudent man rule”?a legal term that Attorney Langin explains as, “the duty to do what a prudent person would do to protect information assets.”

To keep lawsuits from sticking, Langin and others offer these tips.

• Establish and implement an in-house security policy. This number-one security best practice involves setting and communicating rules for how your company protects and handles data. Milwaukee-based FBI Agent Mark Bowling points out that if a company has a security policy, “then you can demonstrate that you have standards you adhere to. We’ve certainly found instances where you have [victims damaged by an attack on someone else], where the primary victim’s security was not as sophisticated or as well-documented as it otherwise could be.”
• Have a security audit done. Once a company has a policy, officers should make sure it’s being followed. Security firms, corporate auditing companies and even insurers can conduct independent tests of a company’s security measures?from physical weaknesses to the configuration of firewalls to how vigilant employees are about protecting information assets. “If you have a third party come in and review [your information security], then it helps prove your case,” explains Theodore Claypoole, an attorney for Womble, Carlyle, Sandridge and Rice’s technology transaction group in Winston-Salem, N.C., and former in-house legal counsel for Bank of America and CompuServe. “You can say, ’Look, we spent money to have a reputable company review our procedures; we took those suggestions, and we made those changes.’”
• Remember security in contracts. Legal counsel and information security specialists should work together on putting security parameters into contracts with business partners and outsourced service providers. Then they should do their homework. “Clearly you have much less control over an outside party than you do over your own employees, and it’s vitally important for a company entering into an outsourcing operation to actually check the security of the contractor’s computers rather than just leaving it as a matter of agreement,” Claypoole says.
• Don’t make promises you can’t keep. Companies shouldn’t set themselves up for a breach-of-contract lawsuit with overzealous marketing or sloppy promises. “I think if you look at privacy policies [on websites], you’ll see that,” says Fred H. Cate, professor of law at Indiana University and senior policy adviser to the Center for Information Policy Leadership. He points out that wise companies say they use “appropriate security measures” rather than promising perfect information security.
• Pay attention to regulations affecting your industry. The Gramm-Leach-Bliley Act for the financial services industry and the Health Insurance Portability and Accountability Act for health-care companies dictate how customer information should be protected. Companies that do business overseas may have to follow rules established in other countries, such as the European Union’s strict guidelines. Companies that don’t meet those requirements will face penalties or lawsuits.
• Consider purchasing e-commerce insurance. Basic business insurance policies typically do not cover the risks associated with doing business online. Cyberinsurance, which is offered by established insurance groups such as AIG and newer, e-centric groups like Insuretrust, fill the gap by covering liability and direct damages from information security breaches. The cost of cyberinsurance varies, based on the size and scope of an organization’s computer systems and how thoroughly the company has addressed security. Many security experts predict that in the future, these policies and the standards they impose will shape how companies protect their systems.
• Pay attention to what similar companies are doing. Because so many companies are bungling security, it may be simple to prove you’re doing as much as anyone else. “Everybody has bad security today,” says Steve Hunt, a Chicago-based analyst with Giga Information Group. “There’s simply not an awareness or an understanding of what is good security.” The best you can do is prove you’re trying?that you’re doing as much as the company next door.

So that’s it, folks. The best defense for this impending legal hassle is a much-advised, often-ignored list of best practices. The question is whether the gathering clouds will have the proverbial silver lining and generate an incentive for companies to act on security best practices. In the process of doing so, they just might prevent hackers from doing damage in the first place.

“There’s always going to be that rare group of people who want to take advantage of the system,” says Bette Walker, CIO of Energy and Chassis Systems for Delphi Automotive Systems in Flint, Mich. “Security can become a legal problem. I think of it first as preventing a problem from occurring. Then the next step, I don’t have to worry about.”