I've been hearing a lot of about the rising threat of downstream liability. But, to date I haven't heard about any lawsuits. Do I really need to be concerned about the potential threat of downstream liability?
Downstream liability means that one company would be liable to another for damage caused by a criminal hacker. It is possible that we will see companies held responsible for downstream liability, but to date the judicial decisions have been few. One such decision is described below, in a quote from Benjamin Wright, Business Law and Computer Security, published 1993 by SANS Institute.
"In AT&T v. Jiffy Lube International, 4 CCH Computer Cases para. 46,845 (U.S. Dist. Ct. Md. 1993), a corporate telecommunications customer, Jiffy Lube International, was held liable for the long distance telephone charges run up by hackers. Using PCs, the hackers dialed into Jiffy Lube's PBX system, broke the password that granted access to long distance telephone service, and placed a flood of long distance calls, running up almost $56,000 in charges. Jiffy Lube argued the long distance carrier, AT&T, should be responsible for the damage, but Jiffy Lube lost its argument. The court reasoned: Jiffy Lube 'created the vehicle and mechanism by which those long distance calls became possible. But for Jiffy Lube's installation of a telephone system with a remote access feature, the disputed calls could not have been made.' "
For more info on this topic, visit these SearchSecurity.com resources: