§ 7.02 Scope of the Problem

Jurisdiction: United States
Publication year: 2020

Although, for a variety of reasons,9 it is difficult to calculate the amount of damage caused by computer crime, computer security breaches and associated financial losses have soared. For example, according to a study conducted by the FBI, the cost to U.S. businesses of computer crime is approximately $67.2 billion per year.10 Over 60% of the respondents suffered a financial loss from computer security incidents over the preceding twelve-month period, with a total cost of $32 million for those respondents alone.11 A previous survey, while noting that losses per respondent had dropped in 2005 from 2004, found that there were two areas of increase: unauthorized access to information and theft of proprietary information.12 Notably, a previous year's survey had challenged the notion that the greatest threat to organizations comes from within, or that most hackers are "juveniles in joy-rides through space."13 Instead, the study showed that there is "much more illegal and unauthorized activity in cyberspace than corporations admit to their clients, stockholders and business partners or report to law enforcement. Incidents are widespread, costly, and commonplace."14

Security breaches have affected companies in many different areas, including Yahoo! Inc., Amazon.com, and eBay Inc., which reported that they lost millions of dollars as a result of denial of service attacks. Even Microsoft Corporation, a leader in the field of computer security, was victimized by a denial of service (DoS) attack,15 forcing the company to shut down many of its Web sites for hours. An intruder slipped past the Web site security systems of Playboy.com and obtained the personal information of an undisclosed number of customers of the site's e-commerce store. The hacker notified customers that he had stolen the information and, as proof, gave them their credit card numbers.

Companies should also be aware that breaches of the security of their computer systems may lead to liability to third parties for the unintended dissemination of proprietary or personal information or for the denial of service. For example, a third party may claim that an online securities brokerage operating a Web site that suffers a denial of service attack, which prevented the third party from completing trades for several hours, should be liable for the significant financial losses incurred as a result of the denial of service.

While Congress has enacted legislation regarding the responsibilities of institutions, such as banks and health care providers, that store highly sensitive information, the issue of whether the victims of computer intrusions or denial of service attacks may be held liable has not been litigated, and existing law is not clear regarding a company's duty to protect its computer network from third-party threats or glitches within its own system. Third-party victims may seek redress under a number of legal theories, including breach of contract and negligence.

The breach of contract model might apply in the context of parties who have contracted to provide and receive data storage or processing services, but would not generally apply in the case of security breaches affecting individuals or other third parties. Most courts will adhere to the traditional privity of contract requirement, which restricts liability for injuries to those arising from the exchange of goods or services between the parties to a contract.16 As a result, under a contract theory, a victim of a hacker attack launched via a third party's unsecure computer system would have no claim against the other party, because of the absence of a contractual relationship with the victim.17

Alternatively, in the absence of a valid contract, parties may use a tort theory to impose liability. Under this theory, companies that provide Internet service would be liable because they are in the best position to know the risks and to take precautions against them. Injured parties might be able to obtain damages from a company if they prove the following factors:

(1) a reasonable duty of care necessary to prevent security breaches;
(2) a breach of that duty;
(3) a proximate relationship between the breach of the duty and the injury; and
(4) actual loss or damage sustained as a result of the breach.

Although courts have not specifically...
