Suppose, Margaret Jane Radin of Stanford Law School wrote recently, that a Web site operated by a securities brokerage suffers a crippling attack by hackers. The ability of its customers to conduct trades is hampered for several hours, or even blocked entirely. Imagine, too, that on the day of the attack the stock market is volatile, and that many customers are trying unsuccessfully to buy or sell stocks in a flash.
Of course, hackers are easy to blame. But what about the companies that investors rely on to make trades? Are the brokerage firms and their network providers -- which failed to prevent the attack that harmed the site -- vulnerable to a second onslaught a nasty lawsuit from unhappy clients who lost money as a result of the shutdown?
Professor Radin isn't the only legal thinker posing this question. Another paper co-authored by two partners and a legal assistant at a major law firm, also considers whether companies that fail to take reasonable steps to protect their computer systems from malicious attacks or internal malfunctions are sitting ducks for lawsuits.
So far, lawyers say, the answer is unclear. There have been no reported court decisions discussing the issue of a company's liability for a hacker attack, according to Radin, an authority on intellectual property, electronic commerce and Internet law. But lawsuits in the near future are highly likely, she said.
In her paper, professor Radin examined the possible legal fallout from a "distributed denial of service" attack. This is a particularly troublesome form of digital mischief whereby hackers gain control of unsuspecting users' computers and use those distributed machines to flood a targeted site or service with junk messages, overwhelming the site and causing it to be inaccessible to legitimate customers. (Her study, "Distributed Denial of Service Attacks: Who Pays?" commissioned by Mazu Networks, Inc., a Cambridge, Mass.-based security company, is available on the company's site.)
Radin concluded that there is a "significant risk" that in the near future targeted Web sites will be held liable to their customers for harm arising from distributed denial of service attacks. In addition, she reckoned that there is another "significant risk" that the computer network companies that carry the hackers' attack messages -- such as ISPs and backbone network providers -- will be held accountable to the targeted Web sites, and perhaps to the sites' customers.
In the second paper, members of the cyberlaw practice group of Sidley Austin Brown & Wood, a national law firm, considered the growing legal danger faced by online service providers who suffer security breaches or the internal glitches that can compromise their customer's information.
The study, "Liability for Computer Glitches and Online Security Lapses," by Alan Charles Raul and Frank R. Volpe, partners at the firm, and Gabriel S. Meyer a summer associate and J.D. candidate at Cornell University, was published earlier this month in a Bureau of National Affairs newsletter on electronic-commerce and will be available shortly on the firm's Web site. It concludes that e-commerce players must "demonstrate [a] willingness and ability to implement aggressive security measures" if they wish to stave off security breaches, avoid government intervention and escape, or at least limit, damages in a lawsuit.
Professor Radin, director of Stanford's Program on Law, Science and Technology, said in a telephone interview that companies need to begin taking seriously their potential legal liability for computer hacks. The vulnerability of businesses to distributed denial of service assaults is staggering, she said, citing a survey which found that more than one-third of respondents had experienced denial of service attacks. That figure, from the 2001 Computer Crime and Security Survey, conducted by the San Francisco-based Computer Security Institute, may be the tip of the iceberg because companies, fearful of bad publicity, often under-report attacks. Direct losses from denial of service attacks on Yahoo, eBay and others in February of last year have been estimated at $1.2 billion by the Yankee Group, a consulting company.
"E-commerce is not going to take off if customers fear it won't work in a pinch," Radin said.
Moreover, said Radin, federal and state laws aimed at individual hackers have shortcomings: Hackers are hard to trace and even when detected, are unlikely to have the deep pockets coveted by victims and their lawyers.
In the brokerage Web site attack scenario, a customer or a class of customers that suffered financial losses would sue the brokerage firm for damages, according to Radin. The firm, in its defense, might point to a section of its Terms of Service agreement with its customers. That fine print, no doubt, would have a clause clearing itself of liability.
But whether that defense would prevail is not clear, said Radin, particularly if a court finds the contract's terms to be oppressive or overly weighted toward the company, or if the contract's validity is in question due to questions over proper customer consent.
Also vulnerable to a negligence claim would be the network service providers and hosting companies, said Radin. There would be no contract defense for these companies to fall back on with respect to the broker's individual customers for the simple reason that there is no contract between them. On the other hand, the potential legal warfare between the brokerage and the network providers would likely proceed under the terms of their business contracts.
To determine whether the corporate defendants are negligent, courts will look at how any losses could have been prevented. "A court is going to say it is negligent of you not to implement preventative measures if they are reasonably effective and affordable," said Radin.
A jury will have to decide, in fact, if the company could have taken preventative measures, said Radin. Trials will, therefore, be a battle of expert witnesses, she predicted. But, she added: "I think as technology increases-- as easy fixes become available -- it's more likely that courts will be unsympathetic" to companies that have not done their utmost to block hacker invasions. That is particularly true with respect to the Internet service providers which are in the best position to take system-wide precautions, she said.
Meanwhile, Raul of Sidley Austin, which represents major communication companies and firms doing business online, said that his clients "either are, or ought to be" worried about their legal liability for malicious hacks or inadvertent glitches.
In his firm's paper, Raul and his colleagues said that companies can seek to manage their legal risks by adopting state-of-the-art security measures suggested by industry groups and supporting federal laws aimed at strengthening data security in the health and financial fields.
"Does a company have controls in place to prevent unauthorized access and careless release of data," asked Raul. "Is the company training employees in information security?" Is it constantly assessing its vulnerability to intrusions or glitches? The answers are important because an aggressive plaintiff's lawyer is sure to ask who was the person or unit responsible for data security? If the defendant offers a weak response, said Raul, it will look "really bad."