Lawyers see security suit-riddled future

SAN FRANCISCO--Harry the Hacker could leave a long trail of lawsuits in his wake. At the RSA Conference 2003 here on Tuesday, lawyers outlined a hypothetical scenario, in which Harry the Hacker, angry because he's been fired, decides to put his computing skills to work for nefarious purposes. During his cracking spree, Harry's escapades include using the insecure system of We Care Hospital to launch an attack against a bank, stealing the credit card numbers of customers of an online porn company, discovering the medical records of his former boss, which indicate he has just tested positive for HIV, and posting those records on the Web.

Harry then absconds with millions and flees the country, leaving a path strewn with victims of identity theft, privacy breaches, and of course, staggering financial losses. Soon after, the finger-pointing ensues.

Many lawyers think that security could be the next big area of cyber law, especially as attacks become more prevalent and companies and their customers suffer growing financial losses. What's more, hackers who breach the systems to steal and use credit card addresses are often difficult to find, meaning victims must find new targets to blame.

"There are all kinds of theories of liability that could be alleged, and they're really only limited by the creativity of the attorneys involved," Rebecca Grassi Bradley, an attorney with Whyte Hirschboeck said of the Harry the Hacker scenario, prompting a chuckle from the crowd.

In this case, the list of potential parties for lawsuits is as varied as pairings at a square dance. The hospital could sue its privacy consultant, which could also be sued by the bank and Harry's boss. The bank could sue its security company. And the porn company could sue its Web host and the company it hired to develop its site. Some of those parties could then sue their insurers. And don't forget about the customers of the online porn company and bank, which could file class action suits against both entities. What's more, Harry's boss, who happens to be British, could sue the British company that provided his records to We Care Hospital, alleging that it violated EU privacy policies, which might require that company to make sure that the records would remain secure once they're transferred.

The lawyers warned that privacy contracts don't necessarily protect companies from liability, and privacy regulations in certain countries could result in jail time for those who allow the unauthorized release of private information, such as the medical records of Harry's boss.

Lawyers said companies need to plan for security and privacy risks of all stripes and bring in security experts and attorneys long before a breach happens. "We're probably the last to get called in," Jeffrey Aiken, an attorney with Whyte Hirschboeck Dudek, told the crowd of lawyers and security consultants. "You need to get everyone involved in this process."

Aiken said e-commerce sites could watch the work of the construction industry, another sector that has to deal with a variety of partners and is subject to heavy security and safety regulations.

Aiken suggested that e-commerce companies limit liability by developing a plan that includes a designated project team, a project office and a written plan to deal with breaches.

He said even the largest companies are surprisingly ignorant of security threats. For example, he recently attended a board meeting of a major company in the financial services sector, which plans to launch a new Web application soon. After a marketing presentation about the project, Aiken said he asked if the new system had been tested for security, and the room went silent. Executives then said they would get right on it. "This is a sophisticated company, and they weren't doing it right," he said.