RIMS - Magazines, Vol. 49, July 01, 2002

The Perils of Web Site Liability

by Mark Greisiger

You have read about the cyberdangers of hacking, privacy breaches, ISP/ASP instability, unprotected wireless networks and server flood attacks that cause business outages, but have you considered the full extent of the liability that results from these events as well as from expanding legislation regulating online activities and Web site maintenance? 

Losses caused by e-risks can lead directly to corporate liability and lawsuits. Companies that collect and store, but do not protect, personal information risk being sued by angry customers. Companies that breach their privacy policies face potential litigation and negative publicity. And federal law that treats government (.gov) Web sites like government-owned buildings under the Americans with Disabilities Act (ADA) (and thus mandates equal access to Web sites for physically disabled people) could eventually be extended to private business Web sites, expanding the potential for liability even further.

Even solid security—firewalls, intrusion detection software, anti-virus software, back-ups, passwords and encryption—does not provide total protection from these types of liability (or even protection from the intruders and errors they are designed to intercept). Although strong security, solid network loss-control practices and good old-fashioned human vigilance can mitigate cyberperils and keep them at a manageable level, the human errors that inevitably occur within a company’s decision-making process cannot be protected by such technological security solutions. 

Privacy Policy Breaches and Data Mismanagement
Most companies have some type of privacy policy posted on their Web site. But how many actually adhere to the promises their privacy policy makes, and what happens if a business breaches that policy? The exposure resulting from breached privacy policies is potentially large. As more privacy policies are created and online transactions increase, customer awareness of privacy issues develops, and federal and state enforcement of privacy policies swells along with the chances of class action lawsuits.

The potential liability businesses face is not abstract. To date, violations of privacy and data security practices have led to actions by the Federal Trade Commission (FTC) and numerous states, as well as to various multimillion dollar class action lawsuits. Actions have been brought on claims including breach of contract and personal injury due to the release of personally identifiable information:

Alexa/Amazon: Five different class-action lawsuits were filed against Amazon.com’s Internet subsidiary Alexa (Supnick v. Amazon.com and Alexa Internet (2000) in the U.S. District Court for the Western District of Washington). 

It was alleged that Alexa silently collected personal data from Web surfers and sent the data to Amazon without first obtaining users’ consent, in violation of Alexa’s privacy policy. The class-action cases were settled on April 20, 2001, when Alexa agreed to remove personal data from its database and pay up to $1.9 million to its customers ($40 per individual whose information was found in the Alexa database).

Eli Lilly: The FTC brought charges against Eli Lilly when an employee of the pharmaceutical company unintentionally disclosed the personal medical information of various customers to each other. Eli Lilly has not, to date, been sued by consumers regarding this mistake.

Instead, the FTC issued a complaint regarding Eli Lilly’s unauthorized disclosure of its consumers’ sensitive personal information. The complaint resulted in a January 2002 Consent Agreement between Eli Lilly and the FTC, whereby Eli Lilly must employ proper safeguards to protect customers’ personal information from any reasonably anticipated threats to its security and confidentiality.

Toys R Us: There are two facets to the Toys R Us case: 

1. New Jersey’s Division of Consumer Affairs investigated and brought charges against Toys R Us for violating its own privacy policy by sharing customers’ personal information with another firm, Coremetrics. Toysrus.com used cookies to track the personal information of its customers and then shared that information with third parties, without alerting customers and giving them a chance to opt out of the practice. The charges resulted in a December 2001 settlement between Toys R Us and New Jersey, which required Toys R Us to pay a fine of $50,000 and revamp its protection of personal information by providing a “complete and accurate summary” regarding the disclosure of personal information and cookie use.

2. A class action suit was brought against Toys R Us in the U.S. District Court for the Northern District of California that charged Toys R Us with violating its privacy policy by giving marketers access to customer data without customers’ consent. The suit is still pending. 

Maintaining Customer Trust
The end goal for business is to make money. One of the best ways to make money is to customize products, services and technology to directly address individual customers’ wants and needs. To do this, businesses must collect personal information. The challenge for makers of Web-based services is to use customer information while maintaining customer trust. To do so, businesses need to construct a privacy strategy that brings together risk management, legal, information technology, customer service and human resources to comprehensively manage the customer data they collect. This strategy should go hand-in-hand with the business’s security program. Privacy practices should include assessments of current data protection practices, analysis and incorporation of relevant privacy and security laws, employee training and periodic monitoring.

After the privacy practices have been developed and agreed upon, the risk manager should help the business write a privacy policy that accurately reflects those practices. Once the privacy policy is published, it absolutely must be adhered to. Otherwise, a business faces legal liability (from both the FTC and class-action suits), loss of customer trust, diminished brand recognition and, ultimately, falling revenue. Monitoring the day-to-day compliance with privacy practices and conducting third-party audits can verify that the business is protecting personal information as its privacy policy says it does.

Web Site Discrimination Liability
One area of liability that is not discussed quite as commonly relates to Web site accessibility. If a person’s disability precludes his or her ability to access information on a Web site, that organization is discriminating against disabled persons under the ADA—at least for government sites. The federal Workforce Investment Act, Section 508, requires federal (.gov) Web sites to provide equal access to disabled individuals, analogous to the requirements for physical buildings under the ADA. While this law may not create a traditional e-risk (i.e., no malicious attack is involved), noncompliance creates very real liability for the federal government because it concerns the management of online activity along with Web site design and maintenance. This signals a potential future liability trend for corporations and other organizations.

Under Section 508, the access granted to disabled individuals must be comparable to that offered to the general public. The law requires the federal government to restructure Web site content, design and functionality, so that disabled individuals will have access to, and use of, Web site information. Reconfigurations include text-to-speech screen-reading techniques used by the blind, larger text fonts for those with partial visual impairment, video images that have captions for the hard-of-hearing, and joysticks or voice-recognition software for those who cannot use their limbs. The need for this law is clear when considering how important Internet activities—shopping, banking, research, filing taxes—have become.

While it is true that Section 508 currently applies only to federal government Web sites, private businesses should be aware and concerned for two reasons. First, there are upward of 50 million disabled Americans. By not making Web sites universally accessible, businesses are denying themselves 20 percent of the United States population as potential customers.

Additionally, Section 508, like all federal laws, may eventually be extended to private businesses. Should this occur, and should the private business application of Section 508 mirror the ADA, potential liability costs and e-risks for businesses will grow exponentially. Simply attempting to visit a Web site to use the services of a business can result in brick-and-mortar types of ADA violations in many jurisdictions, resulting in an individual seeking and recovering attorneys’ fees, costs and damages. Moreover, plaintiffs filing ADA claims usually do not need to show any discriminatory intent on the part of the defendant, nor do they need to prove that the defendant had any knowledge of the alleged violation. If Section 508 is extended to private businesses, non-compliance could lead to costly litigation, negative publicity and loss of customer trust. Accommodations implemented now allow businesses to gain a new customer base and avoid future potential liability.

Creating Standards
In light of increasing Web-based liability, companies are examining not only network security measures but also diligent business practices. What complicates matters is the current lack of industry definitions for acceptable standards of due care. Because technology is advancing so quickly and changes occur so rapidly, businesses often face the ambiguous question: How much security is enough? 

Clearly, standards need to be developed for network security. Network security standards need to clarify widely accepted principles, practices and guidelines that a business can implement to help avoid legal liability. To date, there are no hard standards in place that comprehensively cover network security risks, but certain frameworks, such as ISO 17799 (an internationally recognized network security methodology), lay the groundwork for creating standards, and the FTC is developing processes for businesses to follow as well.

In July 2001, the FTC proposed “Standards for Safeguarding Customer Information,” which is required to be promulgated under the Gramm-Leach-Bliley Act. The objectives of the proposed rule are “to ensure the security and confidentiality of customer records and information; protect against any anticipated threats or hazards to the security or integrity of such records; and protect against unauthorized access to, or use of, such records or information that could result in substantial harm or inconvenience to any customer.” The proposed safeguard rule applies only to Gramm-Leach-Bliley and is expected to be finalized soon. Additionally, the FTC held a security workshop this past May to investigate information security issues affecting consumers, including emerging standards for business security.

Any standards that are created for network security should cover what businesses must do to satisfy a minimal level of due care for protecting against network-based security risks. Typically, industry best practices tend to form the parameters of due care standards. Some current examples include: firewalls, intrusion detection systems (IDS), anti-virus (AV) software, encryption of data in transit and in storage, data protection mechanisms (e.g., privacy protection, including self-assessments, personnel training and privacy monitoring), logging, back-ups, strong access control procedures (e.g., layered password protection), and appointment of a network-security point-person to be held accountable for network breaches.

At the very least, businesses faced with an absence of standards should analyze their network-based activities by asking what a reasonable person would do in the given circumstances. The “reasonable person standard” will also likely be included in the eventual development of overall security standards. It is the negligence standard under tort law and, if satisfied, will help mitigate liability for businesses involved in network security breaches. The reasonable person standard finds its origins in the English Common Law and asks how a reasonable person, or business, would act given the same circumstances and foreseeable consequences. For our purposes, the reasonable person standard would translate into an objective and ideal business that always takes the necessary steps to protect against potential network security risks. Under tort law, if the reasonable person standard is satisfied, then a business has a good chance of not being held legally liable for network breaches and problems. A court will probably find a business “reasonable” if it follows the aforementioned network security best practices.

One persistent problem with creating standards for network security is the evolving nature of technology. Because technology is continually advancing, businesses are better able to protect their networks, but outside parties are also figuring out new ways to penetrate business networks. Standards, therefore, need to be flexible and should be based on structure, organization and accountability, rather than on technical issues that can quickly become dated.

The preeminent way for risk managers to become involved with standard setting is by quickly implementing and following the industry best practices mentioned herein. In this way, risk managers will be able to protect their networks while insulating themselves from legal liability. 

Protecting Risk for Competitive Advantage
The mosaic of cyberrisks for any company with an online presence constantly changes and grows more complex. Just as the risk manager may feel a confident grip on the now-common hacker attacks, new liabilities arise that can be triggered regardless of cybersecurity confidence. 

In the effort to protect information technology, legal and senior management must work together to address the increasingly intertwined risks that risk managers contend with. Competitive pressure mandates not only an online presence today, but also the successful recognition and treatment of the inherent risks in such a venture. Businesses that rise to this challenge will find that they have gained the ultimate advantage by increasing customer trust, repeat business, market reputation and, ultimately, financial profit.

Forms of Direct or Vicarious Network Liability

• Bulletin board or e-mail-based defamation

• Web site-based intellectual property (copyright, trademark) infringement suits such as: copying and pasting articles and publishing them as original content; deep-linking into third-party Web sites; framing third-party content; using trademarked meta-tags for search terms; and URL name ownership disputes

• Holes in corporate Web sites (especially the ever-increasing plug-and-play wireless networks, or WLANs) that allow hackers to “zombie” a server and then use the system as a launch pad for traceable cyberattacks against third parties

• Potential employer liability when an employee authors and disperses harassing e-mails

• Third-party monetary damages due to an inaccessible ASP system

• Shareholders’ damages when an investor loses money due to decline in stock value because the business’s reputation was tarnished by a hacker breach

• Property damage when a third party’s system or data is corrupted due to employee-infected e-mail

Risk and Insurance Management Society (RIMS) · 1065 Avenue of the Americas · 13th Floor · New York, NY 10018 · Phone:(212)286-9292

© Copyright 2010 Risk and Insurance Management Society, Inc.