Failure to implement adequate information protection not only exposes your business to the risk of unwanted network intruders; it also exposes you to the risk that courts will make your business decisions for you. In the absence of a national security standard, courts have been willing to step in and make decisions for businesses that have delayed in establishing aggressive security measures, and they have done so based on several theories: privacy of personal information; protection of trade secret information; and concern about the impact of hostile technology on the U.S. economy's critical infrastructure. The cases described below show courts' willingness to bite back when network security systems lack the necessary teeth.
Security Standards and the Courts
In the absence of a clear security standard for each industry, courts will likely establish their own security standard using 20/20 hindsight. In Cyber Promotions v. Apex Global Information Services, 1997 WL 634384 (E.D. Pa. 1997), Apex Global contracted to provide ISP services for Cyber. At the time of the contract, Apex Global knew that Cyber regularly sent unsolicited commercial email ("spam"), and it imposed a 30-day without-cause termination provision in the contract. In September 1997, only 6 months after the contract was signed, Apex Global suffered a massive flood attack directed at Cyber that completely consumed Apex Global's bandwidth. Apex Global responded by immediately terminating Cyber's use of its service.
Cyber then applied for a temporary restraining order (TRO) and a preliminary injunction. In granting the TRO against Apex Global, the court noted that security requirements evolve, and that Apex Global had not taken significant steps to deal with ping attacks. The only security step Apex Global had taken was to remove Cyber from its network; it had not hired a security expert or attempted to install a router to control potentially hostile ping attacks. The court's basic approach to Apex Global was this: "Other ISPs are able to mitigate retaliatory actions by pingers, why not you?" The TRO was granted and Apex Global was directed to reinstate service to Cyber. This result appears to have been substantially influenced by the court's observation that Apex Global had not taken the same measures that other reputable Internet service providers had taken to mitigate similar attacks; besides attempting to use a screening program and removing Cyber from its system, Apex Global had done little to deal with pings.
Did you know that virus attacks and the damage they cause are completely foreseeable, and that you have a due diligence obligation to secure your systems against such attacks? Probably not. Neither did the sophisticated telecommunications giant, Verizon. In re Verizon Related Reduction Claim, 2003 Me. PUC Lexis 181 (Maine Public Utilities Comm. April 30, 2003). Verizon made a substantial monthly payment to the Competitive Local Exchange Carriers in Maine for use of the system, unless a waiver was granted by the Utility Commission due to events beyond Verizon's control. On January 23, 2003, the Verizon operating system was attacked by the Slammer Worm. In order to quarantine the rapidly spreading virus – and ensure the safety of its network and systems – the company shut down its network on January 25 or 26. Verizon claimed that it had exercised reasonable, prudent judgment, consistent with industry practices, in operating its cyber facilities. Verizon acknowledged that at the time of the attack it had not applied the Slammer software patch, but argued that the particular attack that occurred was beyond its control. On that basis, Verizon asked the Utility Commission to waive a substantial portion of its monthly payment because it had been forced to shut down its system due to the attack.
As in the Apex Global case, Verizon's competitors AT&T and WorldCom inserted themselves into the dispute and objected to the Verizon waiver request, noting that Microsoft had warned the carriers three months earlier that applying the Slammer Worm patch was critical; that Verizon was negligent in not applying and testing the patch; that AT&T had applied the patch in two days and as a result had not suffered system damage; that the Slammer Worm attack was foreseeable; and that Verizon should reasonably be expected to keep abreast of critical vulnerabilities to its network. The Commission noted that AT&T and WorldCom had cited and recorded damage.
The Commission agreed with the argument of AT&T and WorldCom, holding that sophisticated worm attacks are foreseeable, that the company did not take all reasonable and prudent steps to avoid the potential damages, that the company had not adequately documented the steps it was taking to test, evaluate and eventually install various software patches, and that it had not provided specific evidence of its knowledge and analysis of the vulnerabilities of its system.
The significant aspect of this decision and the Apex Global decision is, of course, that courts and administrative organizations are, in the absence of a clearly defined security standard properly applied, taking matters into their own hands and deciding what is appropriate information security conduct for a company to follow. Perhaps equally significant, the courts and administrative bodies are relying heavily on input from the company's competitors regarding what the company should have done and how it failed.
The Evolving Computer Security Requirements for Trade Secret Protection
Computer security has been a fact of life for trade secret cases since computers were invented. The security measures taken by the owner of a trade secret need not be absolute, but they must be reasonable under the circumstances, depending on the facts of the specific case. Each trade secret owner must assess the value of the protected material and the risk of its theft when devising reasonable security measures. Under this principle, courts must be able to establish that the security measures used by the victim to protect the trade secret were reasonably commensurate with the value of the trade secret. If the information reaches the public domain, all claims that it is proprietary in nature and entitled to trade secret protection die.
While this sounds like a relatively low bar, the bar has been moving up – rapidly. In Weigh Systems South, Inc. v. Mark's Scales & Equipment, Inc., 68 S.W.3d 299 (Ark. Sup. Ct. 2002), the problem of relative computer security was addressed. A former employee of Weigh Systems left and began working for its chief competitor, Scales & Equipment. Weigh Systems sued, alleging that its former employee had stolen proprietary information from its computers and given it to Scales. Weigh asserted that its customer lists, vendor list, pricing information, computer software, service agreement inventory checklist and marketing plans constituted trade secrets.
The court identified several factors material to its determination of whether information is a trade secret, including the extent of the measures taken by the company to guard the secrecy of the information. The court also agreed with the chancellor's finding that the secrecy of Weigh's computer software had been compromised. Among the court's observations was the fact that although Weigh technicians were supposed to change the default password to one known only by Weigh when the software was installed, this procedure was not always followed. The testimony further established that it was not uncommon for Weigh employees to give customers the Weigh password. There was also testimony that a "bug" existed in Weigh's software that allowed a customer to gain access to the program without using a Weigh password, and that Weigh did not act swiftly to correct the "bug."
After reviewing the facts in the case, the court concluded that the information Weigh sought to protect was not a trade secret. It held that Weigh did not take adequate steps to protect the information from being acquired or duplicated by others. Because the information was not a trade secret, the court concluded that the former employee did not misappropriate the information from Weigh, and it affirmed the chancellor's ruling.
Web Page Security
The courts are now starting to weigh in on privacy lost due to weak computer security. The most dramatic and far-reaching example took place in December 2001, when a federal judge in Washington, D.C. shut down the Department of the Interior's website due to poor computer security. Cobell v. Norton, No. 1:96CV01285 (D.D.C. 2001).
The setting of the Cobell case is a class action in which American Indian trust beneficiaries seek restitution of funds lost or stolen due to Interior mismanagement – possibly billions of dollars. The plaintiffs questioned the security of the BIA Trust Fund website, and the federal judge on the case ordered computer forensics experts to attempt to break into the system. It took them less than 15 minutes to find two ways to get into the system and alter Trust Fund records. The federal judge first ordered Interior to sever its Internet connections in December 2001 because consultants retained by the court determined that the trust accounts were vulnerable to hacking. The Bureau of Indian Affairs portion of the website was closed for two years. Imagine a federal judge shutting down your Internet connections, including your e-commerce site, for two years.
While the Department of the Interior progressively implemented security upgrades approved by the court, the Bureau of Indian Affairs, which is the central repository of the trust records, has not met the court's security requirements and has remained offline. Frustrated by the Bureau's delays, on June 27, 2003, the court again ordered the Interior Department to disconnect from the Internet all systems that house or provide access to American Indian trust data. Interior will be allowed to reconnect the systems when the court "has determined that all individual Indian trust data is properly secured." The court's ruling to cut off Interior's Internet connections again came at the request of the plaintiffs in the case, who had sought a preliminary injunction to that effect to protect American Indian trust data. A spokesman for the Indian plaintiffs said the plaintiffs sought to have Interior's systems taken offline because "they wanted to make certain that the systems could be tested and the trust beneficiaries could be assured that their monies were safe." The American Indian trust lawsuits have taken seven years so far.
Conclusion
To think too long about doing a thing often becomes its undoing. Companies that delay necessary security infrastructure planning and spending for hostile intrusions risk having courts decide their destiny. This may include letting your competitors set the industry standards against which a court measures your actions. Better to act aggressively now and set the standards high than to wait and leave your security decisions to someone else.