by Scott Berinato

I.T. Litigation: Courts Make Users Liable for Security Glitches

Feb 01, 20044 mins

It used to be that the rules of the game made suing a vendor for a security breach a losing proposition. It was easier to settle a dispute for less, or to take an insurance payout and move on.

No more. Because of changes in the insurance business and some recent court decisions, it looks like this is going to be the year to watch for computer security lawsuits.

The tipping point came in October 2001. That was when, looking at huge payouts post-9/11 and no end to the super-viruses (such as I Love You and Nimda), the Hartford Insurance Co. removed computer damages from its commercial general liability plans. Other insurers followed suit. In 2002, as computer damages from major viruses intensified, agencies such as the National Institute of Standards and Technology were establishing rules and standards for software security?and security breach victims started to view the problem as one of negligence instead of liability.

“This is really a wave-of-the-future-type trend,” notes Bill Cook, a partner at Wildman, Harrold, Allen & Dixon in Chicago. (For more about how CIOs can avoid costly litigation, see “You Sue, You Lose?The High Cost of Litigation,” Page 40.)

The decisions in this new wave of cases are sure to create new legal precedents that will go a long way to directing the security and quality of software for the future. In an essay on the topic, Cook highlights several recent cases he expects to shape future software security rulings. Here are three big ones:

n Worm attacks and similar misdeeds are predictable when it comes to computer systems attacks. That’s the reading from the Maine Public Utilities Commission v. Verizon case.

After the Slammer virus a year ago, Verizon asked for a refund from the money it pays Maine’s utility commission for using its infrastructure. The refund would cover the time Verizon was unexpectedly down due to Slammer, and hence not using the network. Maine pushed back, saying that since Verizon hadn’t implemented the Slammer patch, and the company didn’t deserve a waiver. (Maine also noted AT&T and WorldCom had no problems with Slammer.)

In April 2003, the judge sided with Maine, saying that sophisticated worm attacks are foreseeable even if you can’t control them. Verizon didn’t get its refund.

n The courts can step in to determine security procedures. That’s what a government agency learned in Cobell v. Norton. In this case against the Department of the Interior over unpaid benefits to American Indians, the department’s computer security (and resulting website outage) became a major issue.

The judge in the case was so miffed at the Interior Department’s conduct related to information security audits that he commenced contempt proceedings.

n You can’t blame a vendor for your mistake. That’s the lesson from the contretemps between the state of New York and the American Civil Liberties Union.

When the ACLU accidentally published information about its donors (something the group had recently lambasted drugmaker Eli Lilly for doing), New York Attorney General Eliot Spitzer was ready to pounce. The ACLU, Cook says, wanted to beg off by noting its security was outsourced to a vendor. But, Cook says, that defense wasn’t going to work. “It was clear that the ACLU was going to be held responsible for the failure of its vendor,” he says. The sides ended up settling.

It is into this environment that a 50-year-old victim of identity theft steps in with her own lawsuit?against Microsoft. The woman is arguing that, while Microsoft claims it patches its systems, that’s not good enough. The suit contends that the “eclipsing dominance in desktop software has created a global security risk,” says attorney Dana Taschner, who filed the suit and wants to see Windows PC users made part of a class-action lawsuit.

“This will be a very interesting suit to follow,” Cook says. “It will answer the question of whether this is a matter of public policy?whether all software vendors have a more affirmative obligation to secure their environments.”