Firewall Wizards mailing list archives
Re:
From: "Paul D. Robertson" <proberts () clark net>
Date: Thu, 26 Aug 1999 19:40:26 -0400 (EDT)
On Thu, 26 Aug 1999, Rick Smith wrote:
> almost any bank's physical security if one takes the time to look). What matters is that the measures are consistent with reasonable and prudent practice in the associated industry. This is, of course, a pretty low bar
[Warning: US-centric content] I don't think this test necessarily applies to current caselaw. While "best current practice" and "in the associated industry" come up constantly, the citations I've heard say that a case (Forgive me for not having a direct citation, I'm not sure where I stored the original comments anymore) in the early 1900's that applied to commercial shipping organizations and not providing lifevests to crewmembers applies and that "best common practice" isn't a high-enough standard no matter what an industry may think (at the time, few to no Great Lakes commercial fishing vessels issued lifejackets to crewmembers.)

If there's conflicting caselaw, I'd like to know, and I'll dig up the exact citation for the above example; making lawyers nervous is almost as fun as grilling "technical sales support" people.

I think "reasonable and prudent" is possibly a more accurate standard if you remove the industry association, but my information may be off or superseded by more extensive caselaw. IANAL and I don't play one on the 'Net, it's just my interpretation of what I've been told. I do think the distinction potentially important and worth a mention.
> in practice. One can, of course, spell out security measures in a contract, or put in liability disclaimers. From what I understand as a non-lawyer, such things simply give the defendant some leverage in convincing a plaintiff not to sue or to settle for a reasonable amount when a disaster occurs.
I wonder though if they'd provide more interesting fodder for shareholder lawsuits? Especially for a security company whose marketing drivel could be misconstrued by an investor... "The Web site says it's secure, management represented it as a secure solution, yet obviously by the verbiage on this contract there wasn't a plan to do sufficient diligence..."

More interesting, I think, would be a contributory negligence suit - either won or lost, it would make interesting precedent. Especially by a 3rd party who isn't enjoined in a contract or license agreement.

I'm still convinced sysadmin insurance will boom once the ambulance-chasers become packet-chasers.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
proberts () clark net which may have no basis whatsoever in fact."
PSB#9280