Brace yourself: You could be legally responsible for world-wide network security.
OK, that may be an overstatement, but it does capture the essence of what's ahead.
Companies that pass viruses, worms or any type of malware to other companies via electronic transmissions such as e-mail could find themselves in court, say legal and security experts. And they could be held liable for damage done, even if they unintentionally spread such cyberpests.
"There's very little question that it's going to come. The concept of due diligence has done nothing but push its way out into the consciousness of everyone in this country," says Charles Hibnick, chief systems security architect at AvMed Health Plans, a health insurance company in Miami.
The stage is being set for such action, experts say. National laws, government agencies and private organisations are setting new standards for network and Internet security. Meanwhile, lawyers are testing various legal theories for punishing cyberspace criminals. And some companies with established relationships are signing contracts detailing security expectations that prohibit even the accidental transmission of malware.
Given all this, can litigation be far off?
"I do think we are looking at this type of litigation in the future. And I think it's going to happen sooner rather than later," says Rodger Cole, a litigation partner at Californian law firm Fenwick & West.
In fact, some companies are already pursuing other businesses, albeit quietly, to recoup losses resulting from computer-related problems, says Julie Davis, executive vice president at Aon Affinity Insurance Services in San Jose and co-author of e-Risk: Liabilities in a Wired World.
Some cases involve companies inadvertently releasing viruses, worms and the like, she says. Others involve contractual liability in situations where companies had agreements to keep systems secure. Davis says these cases haven't wound up in court - yet - because executives prefer to avoid the media spotlight on such issues.
"You certainly have claims. What people usually do is turn it against their own corporate insurance policies," she says, adding, however, that traditional policies generally won't cover such claims.
Given the state of electronic communications, the potential for getting into trouble is staggering.
"If you're operating on the Internet today, there is some level of constant attack activity," says Art Manion, an Internet security analyst at the CERT Co-ordination Centre at Carnegie Mellon University's Software Engineering Institute.
Viruses, worms, Trojan horses, botnet zombies, distributed denial-of-service attacks, hacking, blended threats - they're all out there, and many can hitch rides with e-mails and electronic transmissions, including instant messages.
"We're up to 60,000 different viruses out there," observes Jeff Platon, vice president of product and technology marketing for security at Cisco Systems.
The threat is growing as computers and systems become increasingly connected, not only through the Internet but through business partnerships that establish connections and interfaces.
"My security depends on everybody else's security. And that's even more true when you have a closer relationship with someone," Manion explains. "When you open the door to someone else, you're just extending the trust - and the risk."
Companies might think their borders are secure, but if they have a connection to a business partner, perhaps that partner's borders aren't as strong, Manion says. That's a weak link that can let something bad get through.
"There certainly is a great deal of concern regarding the impact of viruses on the modern enterprise and IT infrastructure. The impact can be extraordinary, and the results can be disastrous," says attorney Gregg Kirchhoefer, a partner in the intellectual property and technology transaction practice at Chicago lawyers Kirkland & Ellis.
Bringing legal action in such cases is complex, experts say. It's difficult to quantify loss: How can a company prove the exact dollar amount of lost business if a virus knocks out e-mail for a day? It's also difficult, if not impossible, to prove the origins of malware.
"But certainly a creative lawyer could come up with a variety of methods in which liability could be inferred," says Sandra Jeskie, a partner in the trial department at Philadelphia-based Duane Morris and a member of the board of the Computer Law Association. "I could see a negligence claim, even if it might be difficult to prove. I could make an argument that if you got infected and transmitted it to me, you did not properly protect me because you were so lax."
The question of negligence comes down to established standards, and computer security standards are evolving. US laws such as the Sarbanes-Oxley Act and the Health Insurance Portability and Accountability Act, along with industry standards such as ISO 17799 and BS7799, have created expectations for companies to meet.
"Companies have to be aware that their behaviour, their security and their technology will be measured against something, either standards in the industry or what they told their customers they'd be doing," says Melise Blakeslee, a partner in the Washington office of the technology transactions and e-business group at law firm McDermott Will & Emery.
Claiming negligence isn't the only potential legal strategy. Some lawyers say trespass, intentional interference with existing or prospective business relations and disturbance of quiet enjoyment could apply as well.
"These are common law doctrines from England. Here the disturbance would be disturbing your own right to use your computer servers," Cole explains. "[Lawyers] have creatively used old legal doctrine to address the question of liability with spam, and I think the next wave of litigation will be in the virus area."
Far-fetched? Not quite. Jeskie points to the case of Intel vs Hamidi in 2003, where Intel accused former employee Kourosh Kenneth Hamidi of trespass for inappropriate use of e-mail. Although Intel was unsuccessful in its claim, Jeskie says the well-known case shows how old laws can be used today.
Making it contractual
Companies are also using contracts to prevent such situations, experts say. "It is becoming increasingly common to see a clause that deals with the other party's duties to deal with worms and viruses and other types of things that can cause disruptions," Blakeslee says.
These clauses give companies another course of legal action: They can claim breach of contract if malware gets through and the contractual security measures weren't up to snuff.
"You can track the use of that language with the growth of viruses," Kirchhoefer says.
Not everyone expects litigation to increase, however, especially in cases where malware is passed along via e-mail.
"Yes, people are thinking about the general topic, but liability for sending a virus through an e-mail looks to be one of the more difficult places for a successful lawsuit. And if you see a case like that, it's going to be a real fluke," says Benjamin Wright, a Dallas attorney who wrote Business Law and Computer Security (SANS Press, 2004).
Kirchhoefer agrees that a negligence lawsuit against a company that passed along malware via e-mail would be a hard case to win. After all, he says, both companies share responsibility for keeping their systems safe.
But that won't keep companies from filing suit, some say.
"We're always looking for someone else to assume the blame, to assume the liability," says Nancy Flynn, founder and executive director of The ePolicy Institute in Columbus, Ohio. "So it would make sense that at some point someone will try to sue over the issue of a virus getting into the system."