>Subject: Liable for security
>Date: 09 May 1995 15:42
>We are analyzing the potential costs of a security breach. One of the
>questions we are considering is the liability that may be incurred with
>various types of unauthorized behavior.
>What legal problems could a company incur if:
> 1. An employee posts offensive material?
> 2. A cracker hid a trojan horse in materials the company
> 3. A cracker distributes copyrighted software from the company's
>There are many different angles, but the basic question is whether or
>not there is a real risk of being held liable for damage done by illicit
>changes to the company's computer system.
> Does anyone know of relevant cases?
> Can anyone refer me to useful reference material?
The legal issues are largely pioneering and will vary from country to
country. It may also depend on the nature/size/reputation of the
corporations involved. Courts may consider relative levels of knowledge and
the burden of proof is usually greater in criminal than in civil cases.
Therefore a court may take the view that a company which has already
considered, or adopted, technology such as a firewall already admits
knowledge of all potential risks and has accepted responsibility for
preventing them. The result could then be that in two actions which are
functionally similar, the company which did not take any risk management
actions suffers less than the company which spent a fortune on risk
reduction technology that did not prevent the incident. I believe that
someone has already observed that 'the law is a ass'.
In a recent situation, Microsoft issued CD-ROMs to developers. Several
developers claimed that the material was contaminated by hostile code.
Microsoft appears to have admitted that the claims were correct, but blamed
a third party which produced the CD-ROM copies. From a public statement I
read, it seems that Microsoft just said that they would not use the third
party again. There may have been a public statement or two which I did not
see and this/these may have contained further information. However, it looks
like Microsoft just brushed off this highly sensitive issue and no one took
any further action. If that is the case, it may be that the affected
developers (probably small companies) did not relish taking a large
corporation through the courts. Equally, some covert compensation may have
been paid on the condition that the recipient never talks about it to
There is a growing number of BBS groups which discuss legal and competence
issues. These public discussions suggest that the incidence of risks of this
nature is quite widespread. Generally, the impression is that most folk still
prefer to avoid using the courts and this may be wise because the legal
systems in different countries are still struggling to deal with post 'quill
There is also the question of corporate sensitivity/business reputation.
Most corporations still seem to believe that even a successful court action
can result in collateral damage.
The real winners of any court action tend to be the lawyers. During the long
(often very very long) period from starting an action to final victory, the
corporation bringing the action has to commit valuable resources to support
the action. In civil actions there is always the danger that the plaintiff
has to accept a discounted sum hours before the trial and this may be less
than 20% of the total costs and damage. If the action does go to trial, the
final settlement is unlikely to recognise this considerable expense. Victory
is therefore rarely complete, however culpable the defendant.
There is also the matter of reputations. The corporation damaged by the
actions or inactions of another corporation may eventually win in court but,
during the period to the victory, the corporate reputation may be severely
damaged. You only have to look back through some of the reactions on this
list to stories of organisations which have suffered some form of damage.
Many people will take the view that however negligent or criminal the
organisation found at fault, the victim is ridiculed by his peers for
allowing himself to be in the position. That's not unlike rape cases, where
the court verdict has little benefit to the reputation of the victim. We all
know that the victim asked to be hit unless that victim happens to be us. If
human nature was different there would be a lot of news programmes and
tabloid papers going out of business.
It is therefore not entirely surprising that victims are reluctant to step
forward and warn the rest of us of particular risks or take legal action to
recover damages or stop a repeat incident.
As the law in most, probably all, countries has not caught up with
technology, the courts are even more of a lottery than usual. However, every
corporation is open to legal attack in the areas detailed by the questions
above. That risk is in at least two categories.
Firstly, most civil and criminal legal systems would allow one party to take
action against another where it is claimed that negligence made damage by a
third party possible. How successful such an action would be is open to
question and will depend on the specific circumstances, the national legal
system being used, and probably heavily on the court personalities involved
in a specific case.
Secondly, any organisation may risk a legal attack which is never intended
to achieve a victory in court. I am aware (having been engaged as an expert
witness by one party) of incidents where the objective of one party in a
court action was to blackmail the other party into agreeing to an
'out-of-court' settlement which was unusually favourable and unlikely to be
the result in continuing through trial. In this situation, the largest
corporation may win because it believes that PR damage is not going to be a
major factor to them and the other smaller corporation cannot fund an
effective legal defence/attack. Sometimes a small corporation may win this
way because it has little reputation to hazard but the other party could
suffer considerable damage to reputation. An additional factor may be that
the senior officers of some corporations consider it 'macho' to have a long
list of legal actions against them pending.