In the latest legal turn in computer security, you may be held liable for failing to protect your network. Attorney Eric Begun, a partner at Blank Rome LLP in Philadelphia, points to two recent examples. In April, the Maine Public Utilities Commission (MPUC) fined Verizon Wireless $62,000 for service disruption following an SQL Slammer worm attack in January, due to a vulnerability in Microsoft's SQL Server 2000. Also this year, Guess? Inc. agreed to a legal settlement after the FTC found that customer information on the Guess? Web site was vulnerable to hacking (though no one hacked the site). In both cases, the companies failed to take the security steps that others in the industry had taken.
The virulent Slammer worm attacked networks, bringing them to a virtual standstill as it sent out hundreds of clones per second. Verizon took its data processing network offline for 30 hours to prevent further disruption and to fix the problem. When MPUC fined the company for the disruption under its service-level agreement, Verizon claimed it was not responsible for "situations beyond its control." MPUC rejected that argument, noting Microsoft had recognized the possibility of a worm the previous July and had posted a security patch twice since then, which competitors in the industry had used. Meanwhile, Guess? was collecting detailed personal information from its online customers, promising to store all personal information "in an unreadable, encrypted format." But an FTC investigation showed that for two years, the Guess? Web site was actually vulnerable to reasonably foreseeable hacker attacks, despite warnings in the industry and readily available security measures. Guess? agreed to a settlement, under which, for the next 20 years, it will maintain a comprehensive information security program, submit to audits of the program, and report on compliance.
Begun advises business owners to get up to speed on security issues so they can negotiate intelligently with their Web host. Most data processing services and Web hosts offer a service-level agreement that includes a refund or credit if a given level of service isn't maintained. Such agreements may have an exception for events outside the host's control. But you can inform them you don't consider hackers and worms to be beyond their control.
Jane Easter Bahls is a writer in Rock Island, Illinois, specializing in business and legal topics.