HACKING & COMPUTER SECURITY...
ICT security related blog
››› Nihil timendum est

Imposing Tort Liability on the Software Industry
Some commentators argue that the software industry is mature enough to be held strictly liable in tort for damages caused by defects in its products. The likely response from the computer industry would be to market devices with very limited functionality. This strict liability approach is appropriate for specialized devices combining both hardware and software components and intended for very specific purposes, such as medical monitoring devices, power plant control systems, or network security appliances. In such cases, imposing liability on the manufacturers of these devices for injuries and damage caused by their failure is certainly justified by the need to compensate victims and to ensure the reliability of the device's software and hardware components.
A strict liability approach, however, is not appropriate for today's general-purpose computers and the software designed to run on them. Imposing such liability would make software prohibitively costly or significantly reduce the wide variety of features offered by today's software products, and it would impede the flexibility computer owners enjoy in picking and choosing software for their computers. At this time, neither consumers, legislators, nor the software industry itself seem ready for the imposition of across-the-board liability for defects in software products.
3. Private Actions as a Means of Improving Information Security Practices at Government Agencies
Attempts to use private actions to improve information security in government agencies have not brought much success either. For example, in Cobell v. Kempthorne, beneficiaries of Individual Indian Money trust accounts held by the United States government brought an action under the Administrative Procedure Act and the common law of trusts against the federal government trustee, seeking, inter alia, injunctive relief to force the Department of the Interior to disconnect from the network the computer systems holding Indian trust data, in order to protect its integrity and confidentiality. Despite the shameful state of information system security at the Department of the Interior, the D.C. Circuit overturned the preliminary injunction granted by the district court, citing the lack of an imminent threat or any specific reason to believe that the trust data stored in the Department's computers was a target. Unfortunately, the Cobell court did not understand that any personal or financial information stored in any computer system connected to the Internet is a target for malicious hackers, who constantly probe computer systems for vulnerabilities in an attempt to gain unauthorized access to information and exploit it for illegal financial gain.
4. Civil Remedies Under the Computer Fraud and Abuse Act
Overall, given the global nature of the Internet, state civil remedies that vary from state to state cannot serve as a way of enforcing and promoting consistent information security measures aimed at prevention of online fraud.
Federal civil remedies provided by the CFAA, however, are more closely aligned with the cross-jurisdictional nature of the Internet. But in many cases the perpetrators of cybercrimes are either judgment proof or impossible to locate, or the total cost of litigation far exceeds the value of the remedy the court provides.
For example, in Tyco International (U.S.) Inc. v. John Does, 1-3, the plaintiff, an ISP, sued a spammer for overloading the ISP's e-mail servers, alleging trespass to chattels and violation of the CFAA. The ISP sought to enjoin the spammer from accessing its computer systems under the CFAA and to recover damages, attorney's fees, and costs. The court granted the injunction, awarded $10,621 in damages and costs, and denied recovery of attorney's fees. The ISP, however, had spent $136,000 just to track down the spammer. As the Tyco case shows, the ex post compensatory damages and injunctive relief that the CFAA provides are unlikely to make most victims of cybercrimes whole, since the perpetrators are usually either judgment proof or very difficult, if not impossible, to locate and bring to justice. Therefore, suggestions to focus legislative effort on the new means used to perpetrate cybercrimes, or on the consequences of such crimes, rather than on the inadequate security measures that made those crimes possible, will not yield effective means for combating and preventing cybercrimes.
Written by James M. Sheehan, Special Agent in Charge, Criminal Division, FBI Los Angeles.