William Cook: Who Is Liable for Information Security?

Mar 01, 2004 (3 min read)

The previously amorphous world of information security law is quickly taking on a solid form, Cook says in a paper called "The Legal Mandate for Information Protection."

William Cook, a partner in the intellectual property practice at Wildman, Harrold, Allen & Dixon, sees information security changing right before his eyes. Once a difficult realm to litigate in, judges and plaintiffs are suddenly eager to jump in and try cases against the allegedly negligent who don’t apply patches and who don’t take security best practices seriously. The previously amorphous world of information security law is quickly taking on a solid form, Cook says in a paper called “The Legal Mandate for Information Protection.” CSO spoke with Cook about the trend and what it means.

CSO: What does “downstream liability” mean in the context of information security?

William Cook: There’s no one definition, but in general, it means the negligent handling of one computer system that causes damage to others. When this is between parties that have an a priori relationship (employees, partners), the cases are handled by contract and employment law. But with the superviruses, there’s a new wrinkle in the law, not around liability but around negligence. It springs from the idea that we all have an obligation to maintain a certain amount of security on the Internet, and we can be found negligent if we don’t maintain that security and something unknowingly happens to someone else out there.

How significant is this change?

Historically, the law has been clear. You can’t foresee or assume you’d be the victim of criminal activity. For the first time in the history of the law we have an area, cyberspace, where judges are saying that the criminal acts of others are foreseeable. The publicity around viruses and the known limitations of the software’s quality make it so. In Maine Public Utilities Commission v. Verizon Maine, Verizon wanted a prorated fee refunded when Slammer took its network down for several days. Maine said no, because Verizon hadn’t applied the Slammer patch, and the judge agreed, saying the outage was foreseeable, and Verizon shouldn’t get its money back. And the chief witnesses against Verizon were its competitors, who basically said, “We foresaw the problem and applied the patch.”

So even if ISPs aren’t protected, vendors are because they offer patches?

Yes, though we have a potential class-action lawsuit against Microsoft in which the plaintiff is saying the patching system is too complicated, and that Microsoft needs to do better. This will be an interesting suit to follow. It will answer the question of whether software quality is a public-policy issue.

What else are you seeing in terms of lawsuits and information security?

Judges and regulatory agencies, such as the FTC, are taking a harder-line stance now. They’re not afraid to push back and back up regulations with action.