This Means War

Put up your best fight to protect your network, or you could be held liable for damages to customers.
Magazine Contributor
3 min read

This story appears in the November 2003 issue of Entrepreneur. Subscribe »

In the latest legal turn in computer security, you may be held liable for failing to protect your network. Attorney Eric Begun, a partner at Blank Rome LLP in Philadelphia, points to two recent examples. In April, the Maine Public Utilities Commission (MPUC) fined Verizon Wireless $62,000 for service disruption following an SQL Slammer worm attack in January, due to a vulnerability in Microsoft's SQL Server 2000. Also this year, Guess? Inc. agreed to a legal settlement after the FTC found that customer information on the Guess? Web site was vulnerable to hacking (though no one hacked the site). In both cases, the companies failed to take the security steps that others in the industry had taken.

The virulent Slammer worm attacked networks, bringing them to a virtual standstill as it sent out hundreds of clones per second. Verizon took its data processing network offline for 30 hours to prevent further disruption and to fix the problem. When MPUC fined the company for the disruption under its service-level agreement, Verizon claimed it was not responsible for "situations beyond its control." MPUC rejected that argument, noting Microsoft had recognized the possibility of a worm the previous July and had posted a security patch twice since then, which competitors in the industry had used. Meanwhile, Guess? was collecting detailed personal information from its online customers, promising to store all personal information "in an unreadable, encrypted format." But an FTC investigation showed that for two years, the Guess? Web site was actually vulnerable to reasonably foreseeable hacker attacks, despite warnings in the industry and readily available security measures. Guess? agreed to a settlement, under which, for the next 20 years, it will maintain a comprehensive information security program, submit to audits of the program, and report on compliance.

"This is a hint about where the law may very well end up- serves as a heads-up," Begun says. Indeed, California just enacted a law requiring companies to report to their customers cases of unauthorized access to customer data. Take a lesson from Guess?, and make sure your privacy policy is accurate. Don't just copy another company's privacy policy without understanding it (copyright issues aside), or write one so reader-friendly that it misrepresents reality.

Begun advises business owners to get up to speed on security issues so they can negotiate intelligently with their Web host. Most data processing services and Web hosts offer a service-level agreement that includes a refund or credit if a given level of service isn't maintained. Such agreements may have an exception for events outside the host's control. But you can inform them you don't consider hackers and worms to be beyond their control.

Jane Easter Bahls is a writer in Rock Island, Illinois, specializing in business and legal topics.


More from Entrepreneur

Get heaping discounts to books you love delivered straight to your inbox. We’ll feature a different book each week and share exclusive deals you won’t find anywhere else.
Jumpstart Your Business. Entrepreneur Insider is your all-access pass to the skills, experts, and network you need to get your business off the ground—or take it to the next level.
Discover a better way to hire freelancers. From business to marketing, sales, finance, design, technology, and more, we have the freelancers you need to tackle your most important work and projects, on-demand.

Latest on Entrepreneur