When you consider the risks of not properly securing your company's computer system, you think of hackers damaging files, viruses running rampant, and the downtime involved. Just in case you needed something else to worry about, let me add that you risk somebody suing you if a hacker hacks your system. While this type of lawsuit has yet to appear, this isn't a veiled threat, it's a promise.
Computer security is something that too many companies don't take seriously. While you risk damage to your own systems if you're hacked, your carelessness also risks my system.
The problem is that when you don't take commercially reasonable steps to properly secure your system, such as using firewall and anti-virus software, you're more likely to act as an unwitting conduit and facilitator for things like viruses, Trojan horses and denial-of-service attacks. While the virus writer and original distributor may be a 16-year-old in the Ukraine, and not an attractive target for a lawsuit, you may just be sitting there looking like a deep pocket waiting to get picked because of your own stupidity.
Moreover, "stupidity," or, more eloquently, "negligence," is actionable. If you think that's unfair because the kid in the Ukraine is the ultimate culprit, I don't agree.
Often the law has to allocate loss as between two innocent parties. It makes for tough policymaking, but it's done all the time.
In Florida, if you stupidly leave a gun accessible to a child, you could find yourself criminally responsible for the harm the child caused. If you don't properly secure your parking lot and I'm the third robbery victim in your lot that year, you just may find that the law holds you responsible for providing negligent security. The hypothetical scenarios are endless.
What they have in common is that the law holds you responsible for the actions of somebody else. You didn't pull the trigger. You didn't rob me in the parking lot. Still, as between the two innocent parties in that parking lot, me the victim and you the property owner, the law will sometimes choose to shift the loss to the more negligent "innocent" party.
Moreover, your computer system is no different in that your negligent failure to properly secure your system can cause harm to me. A look at the statistics seems to show that security for a company's own sake isn't a good enough motivator to implement excellent security.
According to the FBI's 2003 Computer Crime and Security Survey, overall financial losses reported by 530 survey respondents totaled over $200 million. Theft of proprietary information caused the greatest financial loss. The total was over $70 million for all respondents with an average reported loss pegged at $2.7 million.
Virus incidents (82%) and insider abuse (80%) were the most cited forms of attack. Most respondents (78%) cited their Internet connection as a frequent point of attack.
With all these attacks, only 30% reported the incidents to law enforcement and only 21% reported them to legal counsel.
We're starting to see Congress lobbied in an effort to get some protections from liability lawsuits and exemptions under antitrust laws so that companies can share information about attacks amongst competitors. While I agree that information sharing is important, I don't think protection from liability lawsuits is a good thing.
Why should a company without a firewall and anti-virus software be protected when its system is hijacked and causes harm to others? I'm sorry, but I'm not sympathetic to that. One innocent party is going to ultimately take the loss and I think the negligent one should.
If you're feeling picked on because you feel that others should be responsible too, I'll agree with you there. Microsoft, Sun and other hardware and software manufacturers should start bearing some of the responsibility for the flawed products that they rush to market.
Microsoft products in particular are legendary for poor security. From Microsoft's email products to its word processor to its operating systems, security has historically been an afterthought and it's only now beginning to change a bit.
The law should begin to see computer products as it sees other products. If Ford delivers cars prone to igniting after a rear-end collision, the law has no problem saying Ford should pay. I don't understand why Microsoft (with its legendary pathetic security) shouldn't begin to pay if the security built into its products is deemed negligent.
The threat of liability to companies that don't secure their systems and software companies like Microsoft that build flawed products may just be the impetus it will take to start getting a handle on the problem.