A Foreseeable Future
For liability purposes, the courts have declared terrorism to be a predictable security threat. CSOs need to adapt if they want to survive.
By William Cook
May 01, 2004 — CSO — The conventional wisdom in the weeks and months after Sept. 11th was that no one could have predicted the events of that day. The use of airplanes as weapons was roundly declared an asymmetrical threat. However, two recent court cases have altered the legal definition of a "foreseeable event."
In the class-action litigation brought by families of Sept. 11th victims against the airlines, airport security companies, airplane manufacturers and the owners and operators of the World Trade Center, the court examined two main elements: (1) whether the various defendants owed a duty of care to the people in the World Trade Center and on the planes that crashed; and (2) whether the terrorist act was foreseeable. In finding that the case should go to a jury, the court stated that we impose a duty on a company when the relationship between the company and user requires the company to protect the user from the conduct of others. The court noted that we already depend on others to protect the quality of our water and the air we breathe. This duty of care extends to private companies.
But the court also made a revolutionary declaration with respect to foreseeability. The court stated that, typically, a criminal act (such as terrorism or hacking) severs the liability of the defendant, but that doctrine has no application when the terrorism or hacking is reasonably foreseeable. The court went on to note that the danger of a plane crashing if unauthorized individuals invaded the cockpit was a risk that the defendant plane manufacturer should reasonably have foreseen.
The second case involved Verizon and the Maine Public Utilities Commission. The case dealt with whether Verizon could get a waiver for certain performance failure penalties that it was required to pay. Verizon argued that it should not have to pay, since its website went down due to the Slammer worm. The commission found that viruses and worms are foreseeable events, as evidenced by the regular security bulletins issued by software companies. The commission found that Verizon had not taken the reasonable steps available to it; steps that competitors AT&T and WorldCom did take (installing patches to ward against Slammer). Ultimately, the commission found that Verizon should be held accountable for its failure, indicating that virus attacks are also completely foreseeable events.
So now that threats to technology and other systems are no longer considered unforeseeable, what is a conscientious CSO to do?