It's nerve-racking enough that network hacking and cyberattacks are on the rise, but thanks to recent trends in liability law, enterprises and their CIOs could also be facing a new security headache: They could be held accountable for data compromised by cyberintruders.
Legal pundits call it "vicarious liability," and it means that organizations may be vulnerable to lawsuits and damage claims, even if security measures are in place and no one inside the company committed a wrongful act. Essentially, if a hacker commandeers a computer and uses it in a distributed denial of service (DDoS) attack, the corporate organization owning the hijacked computer could be liable for damages resulting from the malicious break-in.
No clear legal lines drawn yet
But, then again, a company may not be liable. The trouble CIOs face is that the law is not definitive at this point. But it does not appear to be leaning in an organization’s favor.
“There’s a trend toward holding [companies] responsible for what takes place on their systems,” said Benjamin Wright, a Dallas-based attorney and founding author of the book The Law of Electronic Commerce.
When it comes to cyberliability, the legal system takes its cue from traditional property-liability laws. For example, if a building's chimney is in such poor condition that it is nearing collapse, it is considered to pose a threat to nearby buildings and community residents, and the property owner is held accountable.
“If the chimney falls, you are still responsible for any damages, even if you didn’t know there is a problem with the chimney,” said Wright. “This is the type of liability creeping into the law of the Internet today.”
Adequate protection undefined
The challenge for CIOs is figuring out how to protect their enterprises from such liability problems, say experts. Unfortunately, there is no simple way to ensure that a company is 100 percent liability-free, because the law is still unclear.
In legal situations outside of cyberlaw, there are specific examples that can guide a company. “Someone can slip and fall on your property, and you could be considered negligent,” said Steve Haase, CEO of INSUREtrust.com LLC, a risk-management solution provider headquartered in Atlanta. However, he explained, if precautions were taken, like removing ice from a sidewalk, and the person who slipped is just clumsy, the property owner might get off the hook.
Unfortunately, there isn’t a comparable distinction when it comes to computer and Internet liability problems. In the event that a hijacked system caused damage, one might expect that a company could be relieved of liability if it could demonstrate that proper steps had been taken to safeguard its systems. But the problem, said Haase, is that “no one knows what adequate protection is yet."
"Someone can hack your system, and you may be liable for problems, such as blocked access to data or having private information compromised, that arise from this hacking," he explained.
Cyberattacks are on the rise
Up until the recent rash of threats, a company was likely protected from liability if it demonstrated that it had followed common security procedures like installing firewalls and scanning for viruses. But thanks to the ever-evolving attack tools, that’s not the case any longer.
New threats like worms, spyware, password cracking tools, and hacker tools that exploit known holes in operating systems and applications are not blocked by most of today’s security systems.
The current threats are stirring up a lot of trouble. Early this year, the Code Red worm, which launched a DDoS attack, disrupted government Web sites during the week of July 23 and infected approximately 300,000 computers.
And unfortunately, the threats continue to grow due to the availability of easy-to-use hacking weapons.
“Before, you had to be fairly technically astute to develop and use the hacker tools,” explained Robert Bales, CEO and founder of security-software vendor SaferSite Inc., based in Carlisle, PA. “Now we’re seeing hacker tools with GUIs.”
To put this in perspective, 1,090 vulnerability alerts were issued last year, according to CERT, the main reporting center for Internet security problems. This year, there have been 1,820 alerts in the first three quarters alone. The number of known denial of service (DoS) vulnerability and attack tools has more than doubled as well, from about 275 last year to over 600 so far this year, according to SaferSite.
Most have not addressed liability issue
According to a recent TechRepublic survey, 61 percent of CIOs report that they haven't reviewed the possible liability threat to their organization associated with cyberattacks.
With such new threats and weapons on the rise, legal experts believe it’s an issue CIOs need to pay attention to. They advise IT leaders to do whatever possible to protect systems from malicious software.
That means vigilantly monitoring for and installing patches for both known and newly discovered operating system and application holes. Every patch not only reduces your risk level but could also thwart tomorrow’s liability lawsuits.
Are you stepping up system protection?
In light of growing cyberattacks and the liability issues that loom ahead, what is your enterprise doing to insulate itself against intruders and lawsuits? Write and tell us.