Chapter 3. The Role Of Law And Government Policy Vis-a-vis The Private Sector
Traditional Legal Responsibilities Translated to Cyberspace
Businesses have an incentive to maintain the security of their information systems because their profitability depends on it. In a variety of ways, if a company does not protect itself against cyber failures, it could suffer losses that directly affect its profitability. Cyber-security breaches can result in substantial interruption of a company's business and tarnish its reputation. An attack on a corporation’s computer network may shut down operations or result in damage to or loss of information such as customer data or trade secrets. Any company that fails to provide security may lose customers to competitors that do take security seriously. If makers of computers and software build insecure products, they risk losing customers.
In addition to pure market forces, many legal principles can create incentives for cyber-security.146 Corporations are subject to a web of legal responsibilities arising from traditional concepts of corporation or company law, contracts, and civil liability for intentional or negligent infliction of loss, to name a few. Corporations are also subject to relatively more modern regulatory obligations, for example those related to the registration and sale of securities on public exchanges and to unfair and deceptive trade practices. Increasingly, attention is being given to how these traditional legal responsibilities might apply to cyber-security issues. Regulatory agencies are already determining, by rulemaking or case-by-case adjudication, that regulatory systems of fair trade or public disclosure apply to computer security issues as well as to traditional misconduct or vulnerabilities. In legal systems where judges have authority to extend general legal concepts to new situations, judges could resolve lawsuits involving cyber-security by deciding that a traditional legal concept (such as negligence or the duties of contractual performance) applies to computer failures.
While this area of the law is barely emerging even in developed countries, part of the legal and policy debate in any nation concerning cyber-security should include consideration of how traditional legal concepts apply to the risks and responsibilities of computer security.
In this section, we discuss the ways in which legal policies of general applicability are being extended to cyber-security. In Chapter 4, we discuss governmental policies that are specifically designed to promote cyber-security in the private sector.
Laws Regarding Corporate Governance, the Registration and Sale of Corporate Securities, and Accounting
Under company/corporate law, an entity’s officers and directors may have a fiduciary obligation to the corporation and its shareholders to use reasonable care in overseeing the corporation’s business operations. Increasingly, it is being recognized that this duty extends to matters of computer security. Some writers have noted that where corporate officers and directors are negligent in failing to take appropriate steps to assess the threat of cyber-security breaches and to insist that management protect the corporation accordingly, the directors may be liable for damages in lawsuits brought by shareholders.147
In the United States, this kind of legal obligation, arising from general rules of corporate law (promulgated at the state level), has been strengthened by federal statutory obligations. The Sarbanes-Oxley Act of 2002 imposes a number of new requirements on the sale of corporate securities, prompted in large part by accounting scandals. Congress determined that cyber-security had become vital to the soundness of a corporation’s financial data. Therefore, Congress included a requirement that a corporation’s auditors publicly attest to the security of the corporation’s information systems.148
146 See the excellent article by Thomas J. Smedinghoff, “The Developing U.S. Legal Standard for Cyber-security,” Baker & McKenzie, Chicago (May 3, 2003), http://www.bmck.com/ecommerce/us%20cyber-security%20standards.pdf
147 Benjamin Wright, “The Legal Risks of Computer Pests and Hacker Tools,” Password (the ISSA Magazine), Feb. 2002, http://www.tecmetrics.com/legal_risks.htm.
148 Sarbanes-Oxley Act of 2002, Pub. Law 107-204.
Also, under the law in various countries, publicly traded corporations must undergo annual financial audits by independent accountants. As accountants recognize that cyber-vulnerabilities may threaten the financial viability of a company, they are increasingly including cyber-security in the scope of their audits. A number of organizations have developed standards or guidelines for use by auditors.149
Contract Law
Businesses may also have a responsibility under contract law to protect the data of their customers from unauthorized access or destruction resulting from a cyber-security breach. Applying basic contract law principles in the cyber context, a company that represents that its system is secure, whether in a service contract or a privacy and security promise appearing on its website, could arguably be deemed to have entered into an agreement with a customer who has agreed to the contract or has proceeded to interact with the company in reliance on those assurances.150 This company may be subject to claims for breach of contract if the security of customer information is compromised in a cyber attack. Companies that offer web-based services may also have contractual responsibilities to consumers to maintain the availability of these services. If a site is rendered inoperable by a denial of service attack, the company may be subject to customer claims for breach of contract.151
Tort Law
Theoretically, the legal doctrine of torts (civil liability for the intentional or negligent causing of injury) could have application to various kinds of computer security failures.152 For example, applying traditional tort theory to the cyber context, if a company fails to take reasonable measures to protect a customer’s information from unauthorized disclosure as a result of a cyber-attack, the company could be subject to a claim for negligence. Where a company’s computers are used to launch a cyber attack against a third party, there may be potential for tort liability if the company failed to take widely-accepted measures to prevent its computers from being hijacked. Where an attack is launched by a company employee, victims may be able to obtain relief by showing that the defendant company engaged in negligent hiring or supervisory practices.153
For now, this is an area of the law that remains undeveloped, even in the United States, where tort lawsuits are common for a wide range of injuries. So far, courts have not held that there is a general legal duty to keep one’s network secure. However, it may be just a matter of time before traditional theories of liability are applied to the field of computer security. At such time, courts could find the standard of care for computer security in industry “best practices,” guides and manuals issued by regulators or trade associations, and standards adopted by self-regulatory bodies.154
149 See, e.g., the Information Systems Audit and Control Association, http://www.isaca.org.
150 See, e.g., Michael Nugent, “It Can’t Happen Here,” Wall Street Technology Association, Ticker, A Technology Magazine For Industry Profession (2003) (Nugent), http://www.wsta.org/publications/articles/0402_article03.html.
151 Id.
152 Margaret Jane Radin, “Distributed Denial of Service Attacks: Who Pays?,” http://www.mazunetworks.com/white_papers/radin-print.html; Sarah Scalet, “See You in Court,” CIO Magazine, Nov. 1, 2001, http://www.cio.com/archive/110101/court_content.html.
153 Id.; Michael Nugent, “It Can’t Happen Here,” Wall Street Technology Association, Ticker, A Technology Magazine For Industry Profession (2003), http://www.wsta.org/publications/articles/0402_article03.html.
154 As is made clear throughout this handbook, there is a growing body of widely accepted computer security standards, ranging from the Organization for Economic Cooperation and Development (OECD) Guidelines for the Security of Information Systems to the information security standards adopted by nongovernmental standards bodies. See, e.g., Nugent, supra note ____(43).