Gaming Strategy
Featured Stories
Legal News Financial News Casino Opening and Remodeling News Gaming Industry Executives Author Home Author Archives Search Articles Subscribe
Newsletter Signup
Stay informed with the
NEW Casino City Times newsletter!
Recent Articles
Mark Grossman

Liability for You if You're Hacked

30 June 2000

Any computer that's connected to the Internet with a high-speed connection has the potential to be used as a weapon of mass destruction or disruption by terrorists, hackers, criminals and pranksters. If your computer is used that way, you may find yourself being sued for the ensuing damage.

About a month ago, in a column that I wrote about the infamous Love Bug, I wrote, "Prediction-it's just a matter of time before computer crime becomes an instrument for killing or injuring people." I still don't know of that happening, however if you don't believe it will, let's look at two of the most recent news stories of the last few weeks. Things are "progressing."

Cell Phone Attack

Reuters reported that the worm-type virus, called Timofonica, had hit customers of Spain's Movistar service, sending text messages scrolling across the screens of their cellular phones.

It was the first virus known to target cell phones. It's significance is that copycat virus writers will take the cue and now start targeting cell phone and other hand-held smart devices like Palms and Microsoft's Pocket PC computers.

Security is always measure, countermeasure, counter-counter measure and so on. So, one response was that Symantec announced the development of the first anti-virus software for the Palm OS platform. This, just days after the discovery of the first cell phone virus, proved that viruses can move swiftly to the world of hand-held smart devices. Isn't capitalism amazing?

Your Home Computer May Be a Zombie

Next, we have reports that investigators had unraveled a possible future attack on major websites. Its method was insidiously simple. The hackers planted a rogue program on unprotected home computers connected to high speed Internet connections. If you have a cable modem or DSL connection, you're vulnerable. Your computer could become somebody else's zombie foisting an attack on other computers.

Two thousand computers are known to be compromised. At any point, the hackers could order this army of zombie computers to launch crippling attacks on other computers.

Don't underestimate the computing power of your home Pentium III. Part of an army of 2000 zombie computers, it's tremendous computing power.

Potential Liability

Can you be "sued" if a hacker uses your computer as a weapon in an attack against other computers? Usually, framing the question in terms of "sued" is the wrong way to do it because the answer is always "yes." After all, anyone can sue anybody for anything.

Generally, the question should be framed as can you be held "liable" or in other words, will you lose if you're sued. The short answer to this question is that my research has failed to find a case where that was the result.

Generally, the law is reluctant to hold a person or corporation responsible for the wrongful acts of another. Having said that, there are many examples of situations where a court may hold you responsible for the criminal or civil wrong of another. Two examples would include lending your car to somebody you know is drunk who then has an "accident" and leaving a gun readily available to a child who then kills or injures somebody with it.

If you have a computer connected to the Internet, whether it's your home or office system, the question that should concern you is "can you be sued?" It should concern you because you can be if your computer is used by a hacker to inflict harm on other computers.

Computer law is simply not a well-developed area of the law. It's all too new and since law always develops behind new technology, the right answer to the question, "can you be held responsible" is "yes" you can be although you might be the first case where it happened.

You shouldn't take comfort in my statement that I couldn't find a case finding liability. The threat is too new and it will take 50 states a bit of time to develop case law and statutes to cope with this new type of threat.

My prediction is that courts will find liability against computer owners who negligently allow their computers to be a launching pad for attacks by hackers, terrorists and others. It's an area that's ripe for new law and you should be responsible for acting like a responsible computer owner.

You can't leave a weapon of mass destruction lying around available to the first taker and defend with "but I didn't do it, he did." Every computer has the ability to become part of a weapon of mass destruction. Moreover, if you don't think a computer can be a part of a weapon of mass destruction, then think about the billions of dollars of damage caused by the Love Bug.

I think that courts will begin to find computer owners responsible for their insecure systems connected to the Net. The legal standard will be "negligence" and that's the key to this being a reasonable doctrine.

It's unfortunate, but sometimes it seems that our legal system and Americans have forgotten about the concept of negligence. All too often, I would summarize the attitude of many as "if something bad happens, somebody else should pay."

That's wrong, but it's so darn American. People slip on perfectly clean floors in a supermarket and they're calling their lawyer on their cell phone before they hit the ground. Sometimes bad things happen and nobody should pay.

In law school, I remember going through a series of slip and fall cases involving banana peals. The point the cases made was that you needed to consider the color of the banana peal.

If it was perfectly yellow at the time of the fall, the store owner shouldn't be held responsible because a "reasonably prudent store owner" cannot be expected to clean up banana peals immediately after they hit the ground. On the other hand, if the peal was dark and dry, that would be evidence that the peal had been there a long time. In that case, a store owner could be held responsible because a "reasonably prudent store owner" could be expected to periodically clean the floors to prevent accidents.

The point that I'm trying to make is that "negligence" is the key concept.

I'm not suggesting that courts will or should find liability every time a computer is hijacked and turned into a zombie. Rather, I'm suggesting that if you don't act like a "reasonably prudent computer owner," you may find yourself at the wrong end of a losing lawsuit.

Law usually develops from a needed public policy. As a burgeoning Internet dependent society, we need people to quickly learn good computing habits. The law can foster the development of these habits by holding people responsible for the misuse of their computers if they act negligently.

What that means is that if your business controls computers tied to the Net through a high speed connection, and you have a firewall in place, and take other reasonable measures to insure security, you will not be liable if your computer is misused.

The flip side is that if you choose to ignore the obvious threat, you will pay for your shear stupidity.

The company with the firewall that was breached is a sympathetic figure and as much a victim as the company attacked. The company without any security or an insufficient or "negligent" security scheme in place is begging for a court to make it pay for its stupidity and carelessness.

The answer is to be a responsible computer owner. The law will never expect you to have perfect security in place. It's not possible. Reasonable security is the key. Consult your technical experts on how you get that in place-immediately.

Liability for You if You're Hacked is republished from
Mark Grossman
Mark Grossman