Tuesday, May 31, 2005

Information Security Liability

Over the last decade we have seen tremendous growth in the use of computer networks, most notably the Internet, to serve nearly every need from commercial activities to very personal communications. As with so many other technologies, our burgeoning electronic world has spawned a less desirable element. Whether the perpetrators are out for an easy profit or choose simply to be malicious, computer-related crime has also grown significantly, causing billions of dollars in losses. As in the physical world, the strategy for mitigating these losses has been to implement management, operational, and technical controls to keep the bad guys out, and to devise a series of civil and criminal penalties to punish offenders, extract compensation from them, and deter others.

Unfortunately, where substantial ill-gotten gains are possible with a small chance of apprehension, the incentive to commit computer crime will remain. That leaves us with trying to keep the bad guys out through improvements in information security. While technology companies are constantly offering new information security products and services, would-be buyers must actually implement these controls, and they need sufficient incentive to spend limited resources on information security, a cost of dubious value to many. Some may choose to bolster information security controls on the premise that doing so will prevent successful attacks, but many need additional incentive. That incentive is increasingly coming in the form of government regulation and contract obligations. However, the law has always offered protection to victims of intentional and unintentional wrongdoing through the common law provisions of tort law. Organizations and individuals have always faced potential accountability for their negligent behavior.

Unfortunately, defining what constitutes negligent behavior, and holding the right people and organizations responsible, has presented challenges in the fast-changing world of information technology. Moreover, information security has the added challenge that damages from one party's negligence tend to arise only as a result of the intentional wrongdoing of a third party. It is the equivalent of being hit over the head with a baseball bat and then suing Louisville Slugger for splinters. Nevertheless, we are all responsible for our behavior and should be held accountable for our mistakes. In information security, that means those who build, install, and maintain information systems should be held to the same standard of care as the people who build our cars or serve us lunch.

Under common law tort principles, to recover for another's negligent behavior a plaintiff must show that the defendant owed a duty to follow a standard of care, that the standard of care was breached, that the breach caused the resulting harm, and that actual damages resulted. Successfully demonstrating negligence in information security is difficult under each of these elements. As we see below, the difficulties arise from both logistical challenges and unsettled legal theory.

Duty
[Disclaimers, foreseeability of harm, duty to whom?]

Breach
[Standard of care, Carroll Towing, T.J. Hooper, product liability standards for manufacturing and design defects]

Causation
[Multiple tortfeasors (e.g., hackers, ISP, software publishers, IT services vendor, end user, etc.)]

Damages
[Economic loss doctrine, applicability of consequential damages, tangible/intangible product]
