Firewall Wizards mailing list archives

Re: The New Security Threat: Lawyers?


From: Paul Robertson <proberts () patriot net>
Date: Wed, 29 Jan 2003 18:28:04 -0500 (EST)

On Wed, 29 Jan 2003, Alan Rudd wrote:

> Ok group, just thought I would toss this one into your capable hands for
> some fun dialog.  Although when you dig thru this it's scary.
>
> Alan Rudd
> Bytex Corp
> 508.422.9422
>
> "A number of security experts seem to believe that lawsuits resulting from
> lax, or simply ineffective, computer security are on the horizon. It's not
That's been said for most of the last 10 or so years, it hasn't proven to 
be true yet.  We'll be _worse_ off if it proves ever to happen[1].

> hard to picture. John Doe buys US$300 worth of stereo equipment online using
> a credit card; two days later, someone manages to crack the server holding
> the customer information database, and John Doe becomes a victim of identity
> theft. After establishing which company is responsible for leaking his
> information, John Doe gets a lawyer and sues the company. Within a couple of
> months, it snowballs into a class-action suit after hundreds of other
> customers realize that their information was pilfered as well.

Sure it's hard to picture, I can't picture the same thing happening if 
someone breaks into the local mall and steals credit card receipts.

> "How about a scenario in which a company is struck by another Outlook virus
> that e-mails random files from a user's hard drive? All it takes is one
> confidential document landing in the wrong hands, and your company or
> organization could be facing a lawsuit from one of your partners or
> customers.

We've had viruses that did that, no lawsuits yet.

> "Software vendors, too, may find themselves liable for vulnerabilities in
> their products.
>
> "The language in End User License Agreements (EULAs) and so-called
> shrinkwrap licenses has protected companies against damages for products
> with security holes -- or at least that was the intent.
>
> "However, a recent ruling against Network Associates (NYSE: NET) proves that
> clauses in a EULA may be unenforceable -- allowing customers to sue a
> software or hardware vendor for damages if that vendor's products are not
> secure. I've never understood how companies could get away with such onerous
> license agreements, and the answer may be -- they can't.

I think it's a pretty large step to get from "can't publish reviews of a 
product isn't valid" to "liability limitation clause isn't valid."

I don't think the NY court explained its reasoning behind making that part 
of the EULA unenforceable well (it's also a state court, so there aren't 
widespread issues here for the industry as a whole, other than in doing 
business in the state of New York.)

Part of that case seems to hinge on misleading statements, and part on 
selective enforcement of the terms.  Also, there seems to have been some 
splitting of the restrictive clause from the rest of the license 
agreement.

EFF has the opinion up at:

http://www.eff.org/IP/UCITA_UCC2B/spitzer-v-network-assic.pdf

I doubt this is really going to open any major legal ground.  Though I'm 
not a lawyer and don't play one on mailing lists.

Paul 
[1] For real positive change, have the SEC mandate reporting of security 
incidents and infections in a quarterly report.
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () patriot net      which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment TruSecure Corporation
