The previously amorphous world of information security law is quickly taking on a solid form, Cook says in a paper called "The Legal Mandate for Information Protection."

William Cook, a partner in the intellectual property practice at Wildman, Harrold, Allen & Dixon, sees information security changing right before his eyes. Once a difficult realm to litigate in, it now finds judges and plaintiffs suddenly eager to jump in and try cases against the allegedly negligent who don’t apply patches and who don’t take security best practices seriously. CSO spoke with Cook about the trend and what it means.

CSO: What does “downstream liability” mean in the context of information security?

William Cook: There’s no one definition, but in general, it means the negligent handling of one computer system that causes damage to others. When this is between parties that have an a priori relationship (employees, partners), the cases are handled by contract and employment law. But with the superviruses, there’s a new wrinkle in the law, not around liability but around negligence. It springs from the idea that we all have an obligation to maintain a certain amount of security on the Internet, and we can be found negligent if we don’t maintain that security and something unknowingly happens to someone else out there.

How significant is this change?

Historically, the law has been clear. You can’t foresee or assume you’d be the victim of criminal activity. For the first time in the history of the law we have an area, cyberspace, where judges are saying that the criminal acts of others are foreseeable. The publicity around viruses and the known limitations of the software’s quality make it so. In Maine Public Utilities Commission v. Verizon Maine, Verizon wanted a prorated fee refunded when Slammer took its network down for several days. Maine said no, because Verizon hadn’t applied the Slammer patch, and the judge agreed, saying the outage was foreseeable, and Verizon shouldn’t get its money back. And the chief witnesses against Verizon were its competitors, who basically said, “We foresaw the problem and applied the patch.”

So even if ISPs aren’t protected, vendors are because they offer patches?

Yes. Though, we have a potential class-action lawsuit against Microsoft in which the plaintiff is saying the patching system is too complicated, and that Microsoft needs to do better. This will be an interesting suit to follow. It will answer the question of whether software quality is a public-policy issue.

What else are you seeing in terms of lawsuits and information security?

Judges and regulatory agencies, such as the FTC, are taking a harder-line stance now. They’re not afraid to push back and back up regulations with action.