Hackers have to be found before they can be sued. Disgruntled shareholders may find it easier to sue the companies that allow their systems to be invaded.

Despite the rising incidence of 'hacktivity' and recent computer virus epidemics, some companies and organizations continue to minimize the issue of Internet security. Analysts are now predicting that those who have been lax in their security practices will begin to find themselves on the losing end of civil suits for negligence.

The extent of the problem was demonstrated by the Code Red worm debacle. Although patches for Code Red were available a month before the virus became active, only a minority of businesses bothered to install the patch. As a result, Code Red infected over 250,000 servers within the first nine hours of its activation.

Michael Rasmussen, a senior industry analyst for Giga Information Group, told NewsFactor Network that he believes the first of such cases will occur within the next year, as hackers and virus writers mount a greater threat to systems and data integrity than ever before.

The Code Red worm underscores the extent of the threat, "not for what it did but for what it could have done," Rasmussen told NewsFactor. "[Code Red] gave the attacker complete administrator access to systems, which means it had the potential to plunder data, delete files and destroy systems."

Risk Management

"The liability involved in not implementing and maintaining security controls throughout an organization will force many to take security more seriously," Rasmussen wrote in a recent brief addressing the topic.

Rasmussen argued that alleviating these concerns all boils down to an organization's risk management policies.

Wrote Rasmussen: "An organization has the option to accept the risk, mitigate the risk, or ensure the risk. But the acceptance of past risks will change as the cost of that acceptance grows higher."

Language of Money

Rasmussen went on to write that such costs will force organizations to examine their security postures more closely and gauge their premiums by them. And those premiums will likely include penalties generated by liability lawsuits.

Jennifer Stisa Granick, Esq., clinical director of the Center for Internet and Society at Stanford University Law School, told NewsFactor that civil liability suits, with the potential for monetary damages, inspire negligent companies to change their security procedures in ways that other methods such as security warnings or corporate best practice policies do not.

"Companies speak in the language of money. They only understand one thing, and that is profit," Granick told NewsFactor. "Only when there is some kind of financial bottom-line effect [does] a corporation have a motivation to do something different."

Downstream Liability

Though hackers and virus writers are the ones directly responsible for such acts as denial of service (DoS) attacks, it is the companies that suffer losses as a result of those acts that are likely to be held liable for civil damages, Granick said.

"A hacker breaks into your system. A hacker is probably a kid or a criminal, somebody who's going to spend all his money on a lawyer, not somebody from whom you can recoup," Granick said.

"The theory of 'downstream liability' is, 'Well, I could sue the hacker, but instead I'm going to go downstream and sue the company that let the hacker into their systems, as a result of which my system was damaged. They were negligent, and they didn't keep their security up to date. They let themselves be used by a hacker, and as a result I got hurt.'"

Standards of Care

Granick said that there are inherent problems in using civil liability as an enforcer of strong IT security.

While large corporations such as Microsoft (Nasdaq: MSFT) and AOL Time Warner (NYSE: AOL) have the resources necessary for handling the costs incurred by such cases, smaller businesses accused of negligence may find themselves faced with just one viable choice: going out of business.

Granick said that in order to keep these businesses from languishing, standards of care for the "little guys" would have to differ from those of the "800-pound gorillas."

Granick offered a couple of suggestions to level the playing field. First, small businesses could be exempted in some way, much as small businesses are now exempt from discrimination laws and similar regulations.

And second, some sort of government assistance could be established that helps these companies get up to speed.

However, quipped Granick, "I can hear all my hacker friends laughing about putting security in the hands of the government."