This article can also be found in the Premium Editorial Download "Information Security magazine: Closing the gap: How to decide when (and if) to patch vulnerabilities."
You've seen it often enough. Some hacker creates an army of zombies to launch a DDoS attack against a high-profile corporate target. Maybe he hijacks your networks as a platform for his attack. In addition to being an unwitting accomplice, you're hit with something brand new -- a liability suit by the company devastated by the attack.
"Why me?" you ask. Going after the original attacker -- if you can catch him -- seems to be the obvious course of action, but it's unlikely that a script-kiddie living in his parents' basement will have much liquidity. Stricken companies are going to follow the money to recoup their losses.
Legal experts think it's only a matter of time before hacker victims start suing the owners of systems and networks used as launchpads in attacks. Their clients are asking now how they can strengthen their security posture against such suits. Infosecurity's first downstream liability lawsuit, experts say, will likely be born from catastrophe. For example, an online retailer will be hit by a devastating DoS attack that disrupts its business.
"They would have nothing to lose at that point," says Stephen Wu, president and CEO of the Mountain View, Calif.-based InfoSec Law Group.
So far, companies have resisted suing others, in part because they are reluctant to admit in public filings that they have been compromised, Wu says. "Also, if you are complaining about another's security, then your security will be scrutinized."
Downstream liability may smack of punishing a victim twice. First, your company's systems get hacked, then you get sued for the damage caused by the attacker. Life is unfair, and being a victim won't help you in court.
"The law would look at you and say, 'So what?' Look upstream for someone to sue yourself," says William Cook, a partner with Chicago-based law firm Wildman Harrold.
If a major attack is the spark for downstream liability lawsuits, regulations are the kindling. Regulations help determine whether a company met its responsibility and, therefore, wasn't negligent. Say a HIPAA-regulated hospital is sued; it could argue its security was reasonable, because it complied with the regulation.
The Legal Case
A downstream liability lawsuit would put the compromised company's security on trial. Under tort law, the plaintiff would have to prove the offending company had a duty to keep its computers secure, as measured against generally accepted standards and practices.
In other words, the company has "a duty to be a nice guy to everybody else on the Web," says Mark Rasch, a former head of the Department of Justice's computer crime unit and now senior VP and chief security counsel of MSSP Solutionary.
Should there be a requirement that all systems connecting to the Internet have a certain minimum level of security? So far, no court or legislature has said companies or individuals have a duty to be responsible 'Netizens.
"At some point, all of us will have a minimal amount of things we have to do when operating a computer on the Internet," says Gary Saidman, an attorney specializing in infosecurity matters with Atlanta-based law firm Kilpatrick Stockton.
The models are already out there. Regulation establishes duties and standards. HIPAA requires organizations to secure confidential patient data. The Gramm-Leach-Bliley Act requires protection of financial services data. A future downstream liability case against a health care provider or financial services company might create precedent based on these and other regulations by ruling their security/privacy provisions constitute a reasonable security standard.
Contractual security obligations -- particularly service level agreements (SLAs) -- which spell out very specific requirements, might also help establish a security standard. Courts or legislatures could cite typical SLA terms, such as maintaining up-to-date AV signatures and patches or maintaining firewalls, in crafting minimum security responsibilities.
Given the growing body of security regulations, legal experts say it's not much of a leap to see a general duty to maintain a certain level of security imposed by a legislature extending protection beyond industry-specific controls or by a court, probably through precedent-setting liability cases.
Let's Be Reasonable
Cook says his clients are concerned about the possibility of downstream liability lawsuits and how to gird their companies against that possible day in court. Cook tells them the best defense is being able to show you understand your risks and have taken steps to address them.
But determining whether a company did enough is subjective. "Negligence is what the 12 people of the jury think it is," Saidman says.
A company being sued for downstream liability will have to convince a judge or jury its security measures were reasonable. But what is reasonable?
"Describe what you did to an average person and see if he or she thinks it's reasonable," says Curtis Karnow, an attorney with law firm Sonnenschein, Nath & Rosenthal.
For example, a victim of a downstream attack might argue it's reasonable to require a company to patch its systems within two weeks of a patch release. The compromised company would have to show it followed a well-established patch testing and rollout strategy, says Michael Overly, an attorney with Los Angeles-based law firm Foley and Lardner. Taking time to methodically test patches is a reasonable thing to do, even if it isn't enough to prevent a security breach.
"It's not unheard of that applying patches creates new security holes," Overly says. "Jumping too quickly into patching may be negligent in itself."
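The defense described above rests on being able to produce a record: when each patch was released, when testing began, what the test found, and when (or why not) it was rolled out. As an added illustration that is not from the article or from any vendor's tooling, the Python script below keeps that kind of patch-lifecycle evidence and reports where the record is thin. It uses the two-week window from the article's example as the policy threshold; the patch identifiers, dates and the deferral reason are constructed for the demonstration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class PatchRecord:
    """One patch as tracked through a test-then-rollout process."""
    patch_id: str
    released: date
    test_started: Optional[date] = None
    test_passed: Optional[bool] = None   # None means testing has not concluded
    deployed: Optional[date] = None
    deferral_reason: str = ""            # written rationale when a patch is held back


# Constructed sample log: hypothetical patch ids and dates, not real advisories.
AS_OF = date(2004, 2, 20)
SAMPLE_RECORDS = [
    PatchRecord("PATCH-001", date(2004, 2, 1), date(2004, 2, 2), True, date(2004, 2, 9)),
    PatchRecord("PATCH-002", date(2004, 1, 10), date(2004, 1, 12), True, date(2004, 2, 2)),
    PatchRecord("PATCH-003", date(2004, 2, 3), date(2004, 2, 4), False, None,
                "Test build crashed the billing service; vendor reissue awaited"),
    PatchRecord("PATCH-004", date(2004, 2, 5), date(2004, 2, 6), False, None),
    PatchRecord("PATCH-005", date(2004, 2, 12), date(2004, 2, 13), None, None),
    PatchRecord("PATCH-006", date(2004, 1, 25)),
]


def assess(record: PatchRecord, as_of: date, window_days: int = 14) -> dict:
    """Evidence for one patch: where it stands, how many days have elapsed since
    release (to deployment, or to as_of if not yet deployed), whether that is
    inside the policy window, and whether the record has an evidence gap that
    would be hard to explain later (no tracking at all, or a patch held back
    with no written rationale)."""
    if record.deployed is not None:
        elapsed = (record.deployed - record.released).days
        status, gap = "deployed", False
        note = ("deployed after test pass" if elapsed <= window_days
                else "deployed after window; the test log must explain the delay")
    elif record.test_passed is False:
        elapsed = (as_of - record.released).days
        if record.deferral_reason:
            status, gap, note = "deferred_documented", False, record.deferral_reason
        else:
            status, gap = "deferred_undocumented", True
            note = "test failed but no written rationale for holding the patch"
    elif record.test_passed is True:
        elapsed = (as_of - record.released).days
        status, gap, note = "awaiting_rollout", False, "test passed; rollout pending"
    elif record.test_started is not None:
        elapsed = (as_of - record.released).days
        status, gap, note = "testing", False, "testing in progress"
    else:
        elapsed = (as_of - record.released).days
        status, gap, note = "untracked", True, "no test or rollout activity recorded"
    return {
        "patch_id": record.patch_id,
        "status": status,
        "days_elapsed": elapsed,
        "within_window": elapsed <= window_days,
        "evidence_gap": gap,
        "note": note,
    }


def summarize(records, as_of: date, window_days: int = 14) -> dict:
    """Roll the per-patch assessments up into status counts and the list of
    patches whose record would not stand up to scrutiny."""
    results = [assess(r, as_of, window_days) for r in records]
    counts: dict = {}
    for r in results:
        counts[r["status"]] = counts.get(r["status"], 0) + 1
    gaps = [r["patch_id"] for r in results if r["evidence_gap"]]
    return {"counts": counts, "gaps": gaps, "results": results}


if __name__ == "__main__":
    report = summarize(SAMPLE_RECORDS, AS_OF)
    for r in report["results"]:
        print(f'{r["patch_id"]}: {r["status"]:22} day {r["days_elapsed"]:>2} '
              f'in_window={r["within_window"]} gap={r["evidence_gap"]}  {r["note"]}')
    print("evidence gaps to close:", report["gaps"])
```

The point of the two "gap" states is the one the attorneys make: a patch that was deliberately held back after testing broke something is defensible if the reason was written down at the time, while a patch with no record at all, or a hold with no rationale, is what a plaintiff's expert will ask about first.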
What counts as reasonable can also be defined, in part, by what your competitors are doing, which in turn defines best practices.
"You do tend to have competitors in cases come forward and say the company being sued does not conform to the industry," says Cook. "That is the best bang for your marketing buck."
Verizon learned this the hard way in April 2003, when the Maine Public Utilities Commission rejected its request for relief from $62,000 in fees owed to local carriers after the SQL Slammer worm shut down its networks. Verizon had applied for a steep break on the fees owed under its service agreement, arguing the worm "was an event that was beyond its control" -- like a lightning strike. The commission's rejection rested in part on comments submitted by competitors WorldCom (now MCI) and AT&T. They handled Slammer with minimal interruption, they said, because they did a better job patching their systems than Verizon. Why should Verizon get a break?
Get Ready Now
Companies weigh the costs of security against the risks to their systems -- it's how we do business. They simply don't have the budgets to address all potential threats, and courts will realize that. The important thing isn't trying to plug all security holes, but addressing the most critical ones.
"I have a lot of clients who are afraid to admit they couldn't afford to install something, but that's OK if they did the proper analysis," Cook says.
Perhaps the best place to start is to make sure you comply with the regulations affecting your business.
In addition to avoiding possible compliance penalties, you'll establish a demonstrable security standard.
Hire industry-savvy consultants to look at what competitors are doing. They will have a good sense of what is reasonable in your industry sector.
Consultants also give you expertise that you may not have in-house. For example, a white hat hacker or a professional pen tester could "look at your company as the bad guys would, so you can see what someone would want to steal," Cook says.
Consider specialized liability insurance. Insurance companies that offer infosecurity coverage expect your company to adhere to their requirements for best practices, following ISO 17799 or some other standard, and will conduct a formal risk assessment before they sell you a policy. That's no guarantee against compromise, but you'll demonstrate you're already adhering to a de facto standard if your security program satisfies an insurance company.
"It's like offering life insurance to middle-aged men. I only want to sell it to nonsmokers who exercise and eat right," says Robert Parisi, Jr., senior VP at AIG eBusiness Risk Solutions, which sells infosecurity insurance. "But there is still a lot of risk out there. The insured guy could be hit by a truck."
It's important to remember that different companies will face different risks -- and different levels of liability exposure. Tailor your liability mitigation strategy to your situation. A multinational telecommunications company will have more risks than, say, a small manufacturer. Courts will understand "most companies aren't in the security industry," Karnow says. "Their business is making widgets, not security."
About the author:
Edward Hurley is a news writer for SearchSecurity.com, Information Security's sister site.
This was first published in February 2004