Subscribe
About

Cyber security liability seen increasing

By Reuters
Washington, 29 Mar 2004

Hackers, viruses and other online threats do not only create headaches for Internet users, they could also create prison sentences for corporate executives, experts say.

Though business groups have lobbied successfully against laws focused on cyber security, companies that do not make efforts to secure their networks could face civil and criminal penalties under an array of existing laws and court decisions, according to security and legal experts.

"Computer security is not solely a technology issue," said Dan Burton, a VP at computer-security firm Entrust who serves on a private-sector board to boost accountability.

Though healthcare, banking and deceptive-business laws all create security obligations, a new accounting-reform law now being phased in is likely to have the biggest impact.

The 2002 Sarbanes-Oxley Act holds executives liable for computer security by requiring them to pledge that companies` "internal controls" are adequate, and auditors are starting to include cyber security in that category, said Shannon Kellogg, director of government affairs at RSA Security.

Violating that provision could lead to criminal charges by the Justice Department and jail, said David Becker, a partner at the law firm of Cleary Gottlieb in Washington and former general counsel at the Securities and Exchange Commission.

"Any egregious intentional violation of federal securities law could be criminal," Becker said.

Companies that can prove they have taken concerted steps to improve their networks stand a much better chance of success in court, experts say.

Online viruses and worms like SoBig and Slammer have clogged computer networks and knocked vital Web sites offline, costing businesses some $55 billion in productivity last year, according to anti-virus company Trend Micro.

Other online risks, from identity theft to espionage, are harder to quantify.

The US government released a plan to increase online security last year, but it contained few hard-and-fast requirements for the businesses that control roughly 85% of the nation`s Internet infrastructure.

Another proposal to require public companies to disclose cybersecurity efforts was shelved last fall after business groups objected.

But many of the experts who advocate a hands-off approach say businesses will have to upgrade their online defences, thanks to Sarbanes-Oxley and other laws.

Healthcare companies will have to ensure by April 2005 that electronic patient data is stored in a confidential and secure manner, under the Health Insurance Portability and Accountability Act of 1996.

Banks and other financial-services groups face similar obligations under the Gramm-Leach-Bliley Act of 1999.

Companies that do not live up to their security promises have faced action by the Federal Trade Commission. Drug maker Eli Lilly and Co agreed to beef up its internal security after it inadvertently revealed the e-mail addresses of customers who used its Prozac anti-depressant medication.

Some courts have held businesses accountable as well. A Maine state panel ruled last year that Verizon Communications should have foreseen that its network would be vulnerable to Internet attacks like the Slammer virus, and thus should be forced to make infrastructure payments to the state even when its network was down.

In Washington, a judge has several times ordered the US Interior Department to unplug its computers from the Internet until it can guarantee that trust-fund payments to American Indians are secure against hackers.

"In the realm of terrorism and cyber terrorism, courts are more willing to find negligence than they did before," said Bill Cook, a partner at Wildman Harrold in Chicago.

Others are less convinced that a courtroom precedent is emerging, though they say that is no excuse not to improve computer defences.

"There are some court cases, but I do not know that there is really enough to pull together," said Bruce Heiman, a partner with Preston Gates & Ellis in Washington.

(Additional reporting by Kevin Drawbaugh)

Share