I COZEN I O’CONNOR I ATTORNEYS I 2005 International … · ATTORNEYS I I I I I I I I I I I I...


COZEN O’CONNOR

ATTORNEYS

2005 International Insurance Seminar

BLOWING UP YOUR COMPANY AND CASE BY ELECTRONIC RECORD AND DOCUMENT MALPRACTICE

WEDNESDAY, JUNE 22, 2005

MARRIOTT FINANCIAL CENTER
85 WEST STREET
NEW YORK, NEW YORK

© Copyright 2005 by Cozen O’Connor. All Rights Reserved.

COZEN O’CONNOR

2005 International Insurance Seminar

TABLE OF CONTENTS

I. Speaker Profiles

II. The Fundamentals of Electronic Discovery - PowerPoint Presentation, written & presented by Thomas M. Jones, Esq.

III. Frequency of Identity Theft - PowerPoint Presentation, written by Robert W. Hammesfahr, Esq. and Keith E. Horton, Esq., presented by Robert W. Hammesfahr, Esq.

IV. Choice Point Class Actions and More - PowerPoint Presentation, written by Robert W. Hammesfahr, Esq. and Keith E. Horton, Esq., presented by Vincent P. Pozzuto, Esq.

V. HIPAA Enforcement and Liability - PowerPoint Presentation, written & presented by Katherine M. Layman, Esq.

VI. Errors and Omissions Insurance - PowerPoint Presentation, written & presented by Manny Cho of Carpenter Moore

VII. Coverage for Risk: Survey of Key Contract Language - PowerPoint Presentation, written by Robert W. Hammesfahr, Esq. and Keith E. Horton, Esq., presented by Robert W. Hammesfahr, Esq.

VIII. Claims for Breach of Contract Versus Professional Errors and Omissions - PowerPoint Presentation, written & presented by Margaret A. Reetz, Esq.

IX. Hacking and Downstream Liability, written by Brian J. Walsh, Esq. and Erika L. Winkler
  a.) exhibit - Computer Viruses and Civil Liability: A Conceptual Framework
  b.) exhibit - Downstream Liability for Attack Relay and Amplification
  c.) exhibit - Can Hacking Victims Be Held Legally Liable?

COZEN O’CONNOR

ATTORNEYS

SPEAKER PROFILES

Atlanta, Charlotte, Cherry Hill, Chicago, Dallas, Denver, Houston, Las Vegas*, London, Los Angeles, New York Downtown, New York Midtown, Newark, Philadelphia, San Diego, San Francisco, Seattle, Trenton, Washington, DC, West Conshohocken, Wichita, Wilmington

*Affiliated with the Law Offices of J. Goldberg & D. Grossman.

These materials are intended to generally educate the participants on current legal issues. They are not intended to provide legal advice. Accordingly, these materials should not be relied upon without seeking specific legal advice on matters discussed herein.

Copyright © 2005 Cozen O’Connor. ALL RIGHTS RESERVED.

William P. Shelley, Member, Vice Chair, National Insurance Litigation Department, Philadelphia Office, (215) [email protected]

AREAS OF EXPERIENCE
- Alternative Dispute Resolution
- Appellate Practice
- Commercial General Liability
- Excess & Surplus Lines
- Toxic & Other Mass Torts

EDUCATION
- J.D. Rutgers University School of Law, 1979
- B.A. Rutgers University, 1976

BAR ADMISSIONS
- Pennsylvania
- New Jersey
- New York

COURT ADMISSIONS
- United States Supreme Court
- New Jersey Supreme Court
- New York Supreme Court
- United States District Court for the District of New Jersey, the Eastern District of Pennsylvania, the Southern, Eastern, Northern and Western Districts of New York
- United States Court of Appeals for the 3rd, 11th and District of Columbia Circuits

MEMBERSHIPS
- American Bar Association
- New Jersey State Bar Association
- Burlington County Bar Association
- Defense Research Institute

William Patrick Shelley serves as vice chair of the firm’s National Insurance Litigation Department. His practice primarily focuses on complex insurance coverage issues including general and professional liability and on the coordination of the defense of mass tort claims.

Currently, Bill serves as counsel for insurers in many major asbestos coverage cases as well as associated bankruptcy proceedings pending around the country. He also serves as national counsel for Chubb Group on direct action asbestos suits filed around the country. Bill also recently acted as coordinating counsel for a major insurer on lead paint coverage claims.

Bill has authored two major articles on insurance coverage for toxic tort claims that are frequently cited by courts, titled "Toxic Torts and the Absolute Pollution Exclusion Revisited," Tort Trial & Insurance Practice Law Journal, Vol. 30, No. 1 (Fall 2003), and "Application of the Absolute Pollution Exclusion to Toxic Tort Claims: Will Courts Choose Policy Construction or Deconstruction," Tort & Insurance Law Journal, Vol. 33, No. 3 (Spring 1998). He is also the author of "Fundamentals of Insurance Coverage Allocation," Mealey’s Litigation Report: Insurance, Vol. 14, #9, January 5, 2000. Most recently, Bill co-authored "Unraveling The Gordian Knot Of Asymptomatic Asbestos Claimants: Statutory, Precedential And Policy Reasons Why Unimpaired Asbestos Claimants Cannot Recover In Bankruptcy," 3-10 Mealey’s Asb. Bankr. Rep., 22 (2004). Bill appeared in the August 2003 edition of Metropolitan Corporate Counsel in the article titled "Cozen O’Connor: Using All The Tools To Meet Clients’ Needs".

Bill’s seminar presentations include: Mealey’s Wall Street Forum: Asbestos Conference (February, 2005); American Conference Institute: E-Commerce Coverage Claims (June, 2001); American Conference Institute - Asbestos Litigation: Co-Chair (October, 2001); Mealey’s Insurance Coverage Advanced Allocation Seminar (February, 1998); and Mealey’s Insurance Coverage 101: Co-Chair (November, 2001).

Bill earned his bachelor of arts degree, with highest honors, at Rutgers College in 1976 and his law degree at Rutgers School of Law in 1979. He was admitted to practice in New Jersey in 1979, in Pennsylvania in 1984, and in New York in 1989. He was selected a 2005 "Pennsylvania Super Lawyer" by his peers, appearing in Philadelphia Magazine and Pennsylvania Super Lawyers.

Craig Rhinehart, Professional Biography

Director for Compliance Markets and Products

Craig Rhinehart directs FileNet’s Compliance Markets & Products and is a veteran in the enterprise content management (ECM) industry with over 20 years of experience with records management, content management, imaging and media asset solutions as vendor, integrator, consultant and end-user.

Craig joined FileNet in 2003 to develop the vision and strategy for a new suite of products to address the records management and legal compliance challenges facing companies today. The first two products, FileNet Records Manager and Email Manager, are evolutionary products that reduce risk and enable proof of compliance while simultaneously generating business value and a strong ROI for its customers.

Prior to joining FileNet, he was involved in IBM’s acquisition of records management software company Tarian Software, where he was Vice President of Worldwide Marketing.

Craig has led industry research efforts to define, develop and prove ROI models for both content and records management and is a requested speaker on a variety of electronic records management topics.

Considered an expert in electronic records management systems and the US Department of Defense 5015.2-STD certification program, he currently serves as an advisor/board member on the ARMA Electronic Records Initiative.

Over the years, he has helped CNN, NFL, Exxon Mobil, Disney, ABC News, Verizon, ESPN, MCI, The Weather Channel, US Army, Honeywell, US Air Force and others realize the benefits of records management and other ECM solutions.

Thomas M. Jones, Member, Co-Chair, Insurance Coverage Department, Seattle Office, (206) [email protected]

AREAS OF EXPERIENCE
- Advertising Liability
- Agent/Broker Liability
- Appellate Practice
- Arson & Fraud
- Bad Faith Litigation
- Business Torts
- Class Actions, Multi-District Litigation and Other Consolidated Claims
- Commercial General Liability
- Construction Liability
- Crisis Management
- Directors’ & Officers’ Liability
- Employment, Labor & Employee Benefits
- Environmental Law
- Excess & Surplus Lines
- Fidelity & Surety
- Financial Risk Transfer
- Medical Device & Drug Litigation
- Personal Lines
- Products Liability
- Property Insurance
- Punitive Damages
- Reinsurance
- Security & Premises Liability
- Technology & E-Commerce
- Toxic & Other Mass Torts

EDUCATION
- J.D. Oklahoma City University School of Law, 1976
- B.A. Central State University, 1974

MEMBERSHIPS
- Seattle-King Bar Association
- Washington State Bar Association
- Oklahoma Bar Association
- American Bar Association
- Defense Research Institute
- Washington Defense Trial Lawyers Association

Thomas M. Jones, who joined Cozen O’Connor in January 1986, is a Member of the Firm and serves as the Co-Chair of the Insurance Coverage Practice Department. Mr. Jones’ practice spans many areas of law, including Advertising Liability, Agent/Broker Liability, Appellate Practice, Arson & Fraud, Bad Faith Litigation, Business Torts, Class Actions, Multi-District Litigation and Other Consolidated Claims, Commercial General Liability, Construction Liability, Crisis Management, Directors’ & Officers’ Liability, Labor & Employment, Environmental Law, Excess & Surplus Lines, Fidelity & Surety, Medical Device & Drug Litigation, Personal Lines, Products Liability, Property Insurance, Punitive Damages, Reinsurance, Security & Premises Liability, Technology & E-Commerce, and Toxic & Other Mass Torts.

Mr. Jones is a member of the Defense Research Institute, the Washington Defense Trial Lawyers Association, the Washington State, Seattle-King County, American and Oklahoma Bar Associations. He has acted as lead trial insurer counsel in some of the highest profile insurance coverage cases in the country. Mr. Jones was also selected by his peers as a "Super Lawyer" in Washington from 2000 - 2005.

Mr. Jones has also authored several published articles including "Insurance Issues for the Insurer," (supplement) Washington Real Property Deskbook, Ch. 135, Washington State Bar Association, 3d Edition, 2001; "An Introduction to Insurance Allocation Issues in Multiple Trigger Cases," The Villanova Environmental Law Journal, Vol. 10, Issue 1, 1999; "Intellectual Property Coverage," Insurance Coverage: An Analysis of the Critical Issues, Continuing Legal Education Committee of the Washington State Bar Association, 1999; "Claims for Advertising Injury Coverage: A Primer," Journal of Insurance Coverage, Vol. 1, No. 4, Autumn 1998; "Washington State’s Insurance Regulation for Environmental Claims: An Overview of Key Provisions and Legal Issues," Environmental Claims Journal, Vol. 9, No. 3, Spring 1997; and "Reinsurance Issues Arising from the Settlement of Complex Claims," Insurance Litigation Reporter, Vol. 17, #12, 590, 1995.

Mr. Jones received his Bachelor of Arts degree from Central State University in 1974 and earned his law degree at Oklahoma City University School of Law in 1976. Mr. Jones was admitted to practice in Oklahoma in 1977 and in Washington in 1983, all U.S. District Courts in Washington and Oklahoma, and the 9th and 10th Circuit Courts of Appeal.

Robert W. Hammesfahr, Member, Chair, International Insurance Practice Group, Chicago Office, (312) 382-3101, [email protected]

AREAS OF EXPERIENCE
- Advertising Liability/Personal Injury
- Bad Faith Litigation
- Business Torts
- Class Actions, Multi-District Litigation & Other Consolidated Claims
- Commercial General Liability
- Directors’ & Officers’ Liability
- Excess & Surplus Lines
- Professional Liability
- Punitive Damages
- Reinsurance
- Technology & E-Commerce
- Toxic & Other Mass Torts

EDUCATION
- J.D. Northwestern University School of Law, 1978
- B.A. Colgate University, 1975

MEMBERSHIPS
- Defense Research Institute
- Chicago Bar Association
- American Bar Association
- PLUS

PUBLICATIONS
- Co-author, The Law of Reinsurance Claims
- Co-author, @Risk - Internet and E-Commerce Insurance and Reinsurance Issues

Robert Hammesfahr is a Member of the Firm and Chair of Cozen O’Connor’s International Insurance Practice Group. He has more than 20 years of experience in litigating and counseling a broad spectrum of clients involved in excess liability, coverage, and reinsurance cases. He has represented insurers and reinsurers in connection with containing major litigation threats and defended against coverage claims arising from mass tort, pollution and latent injury, technology, employment practices and professional indemnity claims. This work has included analysis of a wide variety of insurance policies and reinsurance contracts, advice on reservation of rights and defenses and defense of claims, numerous negotiations of complex liability claims for excess insurers, multi-party coverage disputes for direct insurers and disputes involving reinsurance and retrocessions.

Mr. Hammesfahr’s litigation and arbitration experience includes:

- Coordination of health hazard coverage litigation for a large number of insurers
- Analysis of reinsurance issues in connection with the formation of a multi-billion financial reinsurer
- Work on disputes involving allocation issues in connection with numerous cedents and contracts
- Monitoring of technology and IP exposures for technology errors and omissions insurers
- Appearance in over 50 major coverage and bad-faith cases and over 100 reinsurance disputes

Mr. Hammesfahr’s counseling work includes:

- Development of employment practices liability insurance policies
- Development of policy wordings for high tech policyholders
- Advice on insurance risk securitization and alternative risk transfer
- Auditing and reserving advice for excess insurers and reinsurers

Mr. Hammesfahr is the author of leading treatises on punitive damages, reinsurance and technology insurance and reinsurance issues, as well as over 30 articles. Prior to joining Cozen O’Connor, Mr. Hammesfahr was Chairman of Blatt, Hammesfahr and Eaton and a partner at Peterson & Ross. He was voted an Illinois "Super Lawyer" by bar association peers, as reported by Chicago Magazine in 2005.

Traci M. Ribeiro, Member, Philadelphia Office, (215) [email protected]

AREAS OF EXPERIENCE
- Advertising Liability and Personal Injury
- Bad Faith Litigation
- E-Commerce, Internet and Cyber-Peril Insurance Law
- Insurance Corporate and Regulatory

EDUCATION
- J.D., American University - Washington College of Law, 1995
- B.A., Hofstra University, 1992

MEMBERSHIPS
- Philadelphia Bar Association
- Pennsylvania Bar Association
- American Bar Association
- Phi Beta Kappa
- TIPS Fidelity & Surety Law Committee

PUBLICATIONS
- "Insurance Laws of Eastern Europe," American Bar Association, 1994

Traci M. Ribeiro joined Cozen O’Connor in January, 2001 and practices with the insurance litigation group. She focuses her practice on insurance coverage, insurance corporate and regulatory, and e-commerce issues. Traci represents insurers in complex insurance coverage litigation in state and federal courts in both the first and third party liability context. Recently, Traci has been involved in complex mediations involving the defense of mass tort claims. She also provides counsel to insurers with respect to state and federal regulatory issues, and is a frequent lecturer on e-commerce liabilities under property and liability insurance policies.

Traci joined Cozen O’Connor from Wolf, Block, Schorr and Solis-Cohen LLP, where she practiced in the complex liability, surety and fidelity practice in the firm’s litigation department.

From 1997-1998 Traci served as an attorney for American International Group, Inc. (AIG). In her post, she provided legal counsel to AIG member companies including National Union, American Home, New Hampshire, and American International Underwriters on all regulatory aspects of their professional liability divisions as well as several other product lines.

Prior to joining AIG, Traci served as the international policy analyst for the National Association of Insurance Commissioners, where she provided legal counsel to the International Association of Insurance Supervisors and advised the United States Trade Representative Office (USTR) and state insurance regulators with respect to international trade agreements’ effect on state insurance laws.

Traci received her bachelor of arts degree from Hofstra University in 1992. In 1995, she received her law degree from American University’s Washington College of Law. She is a member of Phi Beta Kappa and the Philadelphia, Pennsylvania and American Bar Associations. Traci is admitted to practice in New York and Pennsylvania.

Vincent P. Pozzuto, New York Office, (212) [email protected]

AREAS OF EXPERIENCE
- Casualty & Property Defense
- Construction Claims
- Professional Liability

EDUCATION
- J.D. Brooklyn Law School, 1995
- B.A. Fordham University, 1992

Vincent P. Pozzuto is an associate in the New York office. His practice primarily involves defending casualty defense cases including premise liability claims, toxic torts, construction accidents, products liability claims, ground surface accidents, and professional negligence claims. He also has significant experience in defending brokers and financial institutions in NASD arbitrations.

Mr. Pozzuto received his bachelor of arts degree from Fordham University in 1992 and earned his law degree at Brooklyn Law School in 1995. He is admitted to practice in New Jersey and New York.

Prior to joining the Firm in May 2000, Mr. Pozzuto was an associate with the firm Costello, Shea & Gaffney, LLP.

Katherine M. Layman, Member, Philadelphia Office, (215) [email protected]

AREAS OF EXPERIENCE
- Health Law

EDUCATION
- J.D. Temple University School of Law, cum laude, 1993
- B.A. University of Michigan, with distinction, 1971

MEMBERSHIPS
- Pennsylvania Bar Association, Health Law Section
- American Health Lawyers Association, Health Law Section
- National Health Lawyers Association
- Pennsylvania Society for Healthcare Attorneys
- Pennsylvania Health Care Association’s Lawyers in Long Term Care Specialty Council
- Member, Board of Directors, American Red Cross Blood Services, Penn-Jersey Region

Katherine M. Layman, a Member of the Firm, practices in the Health Law Department where she handles a variety of litigation, regulatory, and transactional matters. She has wide-ranging experience in staff privileges issues and litigation, survey and compliance issues for long term care providers, licensure issues, fraud and abuse, clinical laboratory and pharmacy issues, HIPAA and privacy, and regulatory compliance in the operation of Medicare, Medicaid, and other third party reimbursement programs. She has co-authored a number of articles including "Fraud and Abuse Initiatives and Medicaid and Medicare Compliance in the Long Term Care Sector," "Guidance for Handling Surveyors and Government Investigators," and "Nursing Homes Under Attack." She has spoken widely on HIPAA issues and has written several columns for Medical Economics concerning "HIPAA: Frequently Asked Questions". Ms. Layman has also made several presentations to the Pennsylvania Health Care Association on survey-related issues.

Ms. Layman earned her Bachelor of Arts degree, with distinction, from the University of Michigan in 1971. She earned her law degree, cum laude, from Temple University School of Law in 1993, where she served on the Temple Law Review. Upon graduation from law school, she served as a law clerk to the Honorable James M. Kelly, of the United States District Court for the Eastern District of Pennsylvania. She is admitted to practice in Pennsylvania and to the Supreme Court of Pennsylvania and the United States District Court for the Eastern District of Pennsylvania.

Ms. Layman is a member of the Health Law Sections of the Pennsylvania Bar Association and the American Bar Association, as well as the National Health Lawyers Association. Ms. Layman serves on the Pennsylvania Health Care Association’s Lawyers in Long Term Care Specialty Council and she served on the Act 142 Advisory Committee to the Pennsylvania Department of Public Welfare Bureau of Hearings and Appeals. She is a member of the Board of Directors of the American Red Cross Blood Services, Penn-Jersey Region.

Manny Cho, Senior Broker, E&O Division Manager

As the manager of the E&O Group, Manny works with industry leading technology and financial services companies in the acquisition of Professional Liability, Media Liability, Intellectual Property and Network Security / Loss of Income products.

Before joining Carpenter Moore, Manny worked as the Regional Technology Manager for AIG (American International Group). Manny was instrumental in establishing the technology insurance practice for AIG in California and the Pacific Northwest. Manny was actively involved in the development, sales and marketing of AIG’s Professional Liability and Network Security (netAdvantage) products.

The majority of Manny’s career was spent with the Chubb Group of Insurance Companies, where he held various positions. Prior to his departure, Manny was the manager of their Technology Practice in Pleasanton, California.

Manny holds a B.S. in Finance from the University of Illinois.

Margaret A. Reetz, Associate, Chicago Office, (312) [email protected]

AREAS OF EXPERIENCE
- Insurance Coverage
- Reinsurance Coverage
- Insurance Defense
- Premises, Product, Medical Malpractice, Errors & Omission Liability
- Mass Tort Litigation

EDUCATION
- J.D. DePaul University, 1986
- B.A. University of Illinois, Urbana-Champaign, 1983

MEMBERSHIPS
- American Bar Association
- Illinois State Bar Association
- Chicago Bar Association
- The State Bar of California
- The New York State Bar

Margaret Reetz joined Cozen O’Connor’s Chicago office in August 2001. She has over 15 years of experience advising clients in direct defense and insurance related matters. Peggy focuses her practice on insurance, reinsurance and e-commerce matters.

Peggy’s experience includes litigating and counseling a broad spectrum of clients in direct defense, excess liability, coverage, and reinsurance cases. She has represented insurers and reinsurers in connection with containing major litigation threats and defended against coverage claims arising from pollution, product liability, business interruption and technology claims. This includes extensive analysis of insurance policies and reinsurance contracts, negotiations of complex liability claims for excess carriers and reinsurers, multi-party coverage disputes for direct insurers and disputes involving reinsurance and retrocessions. Peggy is a co-author of Reinsurance Claims (Reactions Publications, 2004).

Immediately prior to joining Cozen O’Connor, Peggy was a Manager in the Claims Advisory Group of Ernst & Young. In that capacity, she advised self-insured, insurer and reinsurance entities as to their business practices and claim-related issues.

From 1987 to 1999, Peggy practiced in both California and New York with the law firm of Mendes & Mount, where she was a Non-Equity Partner.

THE FUNDAMENTALS OF ELECTRONIC DISCOVERY - POWERPOINT PRESENTATION

written & presented by Thomas M. Jones, Esq.

[email protected]
COZEN O’CONNOR
1201 Third Avenue
Washington Mutual Tower, Suite 5200
Seattle, WA 98101
(206) 340-1000 or (800) 423-1950
www.cozen.com


The Fundamentals of Electronic Discovery

Thomas M. Jones, Esq., Cozen O’Connor, Seattle

Sample Interrogatories

1. Identify all email systems in use, including but not limited to the following:

a) List all email software and versions presently used by you and the dates of use;

b) Identify all hardware that has been used or is currently in use as a server for the email system, including the name;

c) Identify the specific type of hardware that was used as terminals into the email system (including home PCs, laptops, desktops, cell phones, personal digital assistants ("PDAs"), etc.) and its current location;

d) State how many users there have been on each email system (delineate between past and current users);

e) State whether the email is encrypted in any way and list passwords for all users;

f) Identify all users known to you who have generated email related to the subject matter of this litigation;

g) Identify all email known to you (including creation date, recipient(s) and sender) that relate to, reference or are relevant to the subject matter of this litigation.

2. Identify and describe each computer that has been, or is currently, in use by you or your employees (including desktop computers, PDAs, portable, laptop and notebook computers, cell phones, etc.), including but not limited to the following:

a) Computer type, brand and model number;

b) Computers that have been re-formatted, had the operating system reinstalled or have been overwritten, and identify the date of each event;

c) The current location of each computer identified in your response to this interrogatory;

d) The brand and version of all software, including operating system, private and custom-developed applications, commercial applications and shareware for each computer identified;

e) The communications and connectivity for each computer, including but not limited to terminal-to-mainframe emulation, data download and/or upload capability to mainframe, and computer-to-computer connections via network, modem and/or direct connection;

f) All computers that have been used to store, receive or generate data related to the subject matter of this litigation.

3. As to each computer network, identify the following:

a) Brand and version number of the network operating system currently or previously in use (include dates of all upgrades);

b) Quantity and configuration of all network servers and workstations;

c) Person(s) (past and present including dates) responsible for the ongoing operations, maintenance, expansion, archiving and upkeep of the network;

d) Brand name and version number of all applications and other software residing on each network in use, including but not limited to electronic mail and applications.

4. Describe in detail all inter-connectivity between the computer system at [opposing party] in [office location] and the computer system at [opposing party #2] in [office location #2] including a description of the following:

a) All possible ways in which electronic data is shared between locations;

b) The method of transmission;

c) The type(s) of data transferred;

d) The names of all individuals possessing the capability for such transfer, including a list of names of authorized outside users of [opposing party’s] electronic mail system;

e) The individual responsible for supervising inter-connectivity.

5. As to data backups performed on all computer systems currently or previously in use, identify the following:

a) All procedures and devices used to back up the software and the data including but not limited to name(s) of backup software used, the frequency of the backup process, and type of tape backup drives, including name and version number, type of media (i.e., DLT, 4mm, 8mm, AIT). State the capacity (bytes) and total amount of information (gigabytes) stored on each tape;

b) Describe the tape or backup rotation and explain how backup data is maintained and state whether the backups are full or incremental (attach a copy of all rotation schedules);

c) State whether backup storage media is kept off-site or on-site. Include the location of each backup, and a description of the process for archiving and retrieving on-site media;

d) The individual(s) who conducts the backup and the individual who supervises this process;

e) Provide a detailed list of all backup sets, regardless of the magnetic media on which they reside, showing current location, custodian, date of backup, a description of backup content, and a full inventory of all archives.


Sample Interrogatories (cont.)

6. Identify all extra-routine backups applicable for any servers identified in response to these interrogatories, such as quarterly archival backup, yearly backup, etc., and identify the current location of any such backups.


Sample Interrogatories (cont.)

For any server, workstation, laptop or home PC that has been "wiped clean", defragmented, or reformatted such that you claim that the information on the hard drive is permanently destroyed, identify the following:
a) The date on which each drive was wiped, reformatted or defragmented;
b) The method or program used (e.g., WipeDisk, WipeFile, BurnI~, Data Eraser, etc.);


Sample Interrogatories (cont.)

8. Identify and attach any and all versions of document/data retention policies used by you and identify documents or classes of documents that were subject to scheduled destruction. Attach copies of document destruction inventories/logs/schedules containing documents relevant to this action. Attach a copy of any disaster recovery plan. Also state:
a) The date, if any, of the suspension of this policy in toto or any aspect of said policy in response to this litigation;
b) A description by topic, creation date, user or bytes of any and all data that has been deleted or in any way destroyed after the commencement of this litigation. State whether the deletion or destruction of any data pursuant to said data retention policy occurred through automation or by user action;
c) Whether any company-wide instruction regarding the suspension of said data retention/destruction policy occurred after or related to the commencement of this litigation and, if so, identify the individual responsible for enforcing said suspension.


Sample Interrogatories (cont.)

9. Identify any users who had backup systems in their PCs and describe the nature of the backup.


Sample Interrogatories (cont.)

10. Identify the person(s) responsible for maintaining any schedule of redeployment or circulation of existing equipment and describe the system or process for redeployment.


Sample Interrogatories (cont.)

11. Identify any data that has been deleted, physically destroyed, discarded, damaged (physically or logically), or overwritten, whether pursuant to a document retention policy or otherwise, since the commencement of this litigation. Specifically, identify those documents that relate to or reference the subject matter of the above-referenced litigation.


Sample Interrogatories (cont.)

12. Identify any user who has downloaded any files in excess of ten (10) megabytes on any computer identified above since the commencement of this litigation.


Sample Interrogatories (cont.)

13. Identify and describe all backup tapes in your possession including:
a) Types and number of tapes in your possession (such as DLT, AIT, Mammoth, 4mm, 8mm);
b) Capacity (bytes) and total amount of information (gigabytes) stored on each tape;
c) All tapes that have been re-initialized or overwritten since commencement of this litigation, and state the date of said occurrence.


Planning Electronic Discovery

Every sound litigation plan should include a strategy for responding to discovery requests. The strategy can be broken roughly into five categories:

• Data Preservation
• Data Collection
• Data Review
• Data Protection
• Data Production


Proposed Amendments to the F.R.C.P.

• On August 10, 2004, the Standing Committee on Rules of Practice and Procedure approved for publication and public comment several proposed amendments to the Federal Civil Rules that specifically address electronic discovery. A copy of the proposed amendments, and the Committee Notes, can be found at http://www.uscourts.gov/rules/comment2005/CVAug04.pdf

Proposed Amendments to the F.R.C.P. (cont.)

• The public had until February 15, 2005 to comment to the Secretary to the Standing Committee regarding the proposed amendments, by submitting comments in writing, or by testifying at one of three public meetings which were held at various dates prior to the February 15 deadline. The earliest the proposed rules may go into effect is December 1, 2006.

Federal Court E-Discovery Guidelines

• At least two federal district courts have adopted electronic discovery guidelines or standards to be observed by litigants appearing in their courts:
U.S. District Court in the District of Delaware, Default Standards for Discovery of Electronic Documents ("E-Discovery"), available at http://www.d~.uscourts.gov/Announce/HotPages21.htm
U.S. District Court for the District of Kansas, Electronic Discovery Guidelines, available at http://www.ksd.uscourts.gov/attorney/electronicdiscoveryguidelines.pdf

See http://www.ediscoverylaw.com/cal-resoun-ms-htm for links to the Delaware and Kansas guidelines.


Many Organizations are Unprepared for Electronic Discovery

• Although awareness of electronic discovery issues is becoming more widespread, many organizations are nonetheless ill-prepared for the possibility of electronic information being used in litigation. A 2000 survey conducted at the American Bar Association - Section of Litigation 2000 Annual Meeting showed 82 percent of respondents reported that their clients do not have an established protocol for handling electronic discovery requests.

• 60 percent of respondents said that in 30-60 percent of their cases involving electronic discovery their clients were not aware that electronic information could later become evidence.


Many Organizations are Unprepared for Electronic Discovery (cont.)

• Most recently, a 2003 survey of records management professionals elicited a number of similarly troubling revelations:

• 47 percent of the organizations represented did not include electronic records in their retention schedules.

• 58 percent of the respondents’ organizations do not have any formal email retention policy.

• In its revised August 3, 2004 report to the Standing Committee, the Advisory Committee stressed the importance of addressing issues related to electronic discovery now:

Case law is emerging, but it is not consistent and discovery disputes are rarely the subject of appellate review. The uncertainties and problems lawyers, litigants, and judges face in handling electronic discovery under the present federal discovery rules are reflected in the growing demand for additional rules in this area. At least four United States district courts have adopted local rules to address electronic discovery, and many more are under consideration. Two states have, and more are considering, court rules specifically addressing these


The proposed amendments cover five related areas, some aspects of which are described in more detail below:

• a) early attention to issues relating to electronic discovery, including the form of production, preservation of electronically stored information, and problems of reviewing electronically stored information for privilege;
• b) discovery of electronically stored information that is not reasonably accessible;
• c) the assertion of privilege after production;
• d) the application of Rules 33 and 34 to electronically stored information; and
• e) a limit on sanctions under Rule 37 for the loss of electronically stored information as a result of the routine operation of computer systems.


DATA PROTECTION

Discovery of Electronic Documents

In examining the current treatment of electronic discovery in the courts, it is necessary to consider four issues:

• The extent to which existing discovery rules apply to electronic discovery.

• The extent to which the courts are willing to protect parties from burdensome or expensive electronic discovery.

• The extent to which the courts are willing to shift the cost of electronic discovery from the responding party to the requesting party.

• The extent to which, in resolving the three prior issues, courts treat electronic discovery differently from traditional discovery.

Discovery (cont.)

• It is axiomatic that electronically stored information is discoverable under Rule 34 of the Federal Rules of Civil Procedure if it otherwise meets the relevancy standard prescribed by the rules.

• Rules 26(b) and 34 of the Federal Rules of Civil Procedure instruct that computer-stored information is discoverable under the same rules that pertain to tangible, written materials.

• Although Rule 26(c) allows a court to issue protective orders against oppressive or harassing discovery, and Rule 26(b)(2) directs the court to prevent or control unduly burdensome discovery, neither provision provides the court with substantial guidance as to the meaning of those phrases.


SCOPE OF DISCOVERY

• For purposes of determining the appropriate scope of discovery beyond the initial disclosure requirements, the relevant inquiry is whether the request for electronic discovery is "reasonably calculated to lead to the discovery of admissible evidence". Rule 26(b)(1).

• An electronic discovery request must typically specify the various electronic sources the requesting party seeks to examine in discovery.

• One influential opinion in this area has suggested that "a test run" or "sampling" procedure can be a helpful solution. See McPeek v. Ashcroft, 202 F.R.D. 31, 34 (D.D.C. 2001).


Judicial Protection Against Burdensome Electronic Discovery

• Generally, courts have held that inconvenience and expense are not valid reasons for the denial of electronic discovery.

• Courts have applied this reasoning where the responding party must bear the additional expense of translating electronic data into a useable form. Typically, courts have relied on a "reasonableness" standard.

• In several instances, however, courts have protected against burdensome electronic discovery. See Playboy Enterprises, Inc. v. Welles, 60 F.Supp.2d 1050 (S.D. Cal. 1999).

• In the Playboy Enterprises case, a district court held that in permitting discovery of electronically stored data, the producing party must be "protected against undue burden and expense and/or invasion of privileged matter." The court appointed a neutral computer expert to serve as an officer of the court and create a "mirror image" of defendant’s hard drive. The court allowed defense counsel to view the recovered documents and to produce only those documents that were responsive and relevant.

Other Objections to Production of Electronic Data

• Attorney-client privilege

• The overriding principle in considering the application of the attorney-client privilege is whether or not the client was seeking a legal opinion or legal services with respect to the communication at issue. If so, those legal opinions and legal services are what is protected by the privilege.

• In determining the confidentiality of communication, it is the intent of the client that controls.

• The communication will usually be deemed confidential where the client has a reasonable expectation of privacy and confidentiality.

• However, both intentional and inadvertent disclosures have been deemed to waive the privilege.


Work Product Doctrine

The work product doctrine has been codified in Federal Rule of Civil Procedure 26(b)(3). It protects research, analysis, legal theories, mental impressions, and notes and memoranda prepared in "anticipation of litigation or for trial" from disclosure to opposing counsel.

• The question of whether a document is subject to the work product privilege is: was that document prepared by or for the party (by an attorney or otherwise) in anticipation of litigation?

• Like the attorney-client privilege, the work product protection can be waived by disclosure to any party other than one with a common interest in the subject matter, by disclosure to a government agency, or through deposition testimony to the extent that it is used to refresh a witness’s recollection.


How the Privilege Applies to Electronic Documents

• Electronic information and documents are subject to the same protection as traditional documents, including the attorney-client privilege and the work product doctrine. Insurers should be mindful of these traditional protections when creating electronic documents, and endeavor to create and protect appropriate privilege accordingly.

• For example, e-mail and other communication to and from counsel should be clearly marked as privileged.

• Litigation databases created by and with the input from counsel should be clearly marked as protected work product.

• Documents relevant to litigation should be carefully identified and organized. This will prevent a later need to perform a system-wide search to recover documents and information responsive to an adverse party’s discovery requests.

• Clear labeling and organization lessens the chances of inadvertent production.


Privilege (cont.)

Does the Internet offer the requisite level of objectively reasonable expectations of privacy, such that communications sent via e-mail over this network will maintain their privilege? As long as attorneys and clients have objectively reasonable expectations of privacy in their communication, the communication should be protected.

• In fact, the Electronic Communications Privacy Act of 1986 makes unauthorized interception of e-mail messages a federal crime.


E-mail Solutions

The following provisions should be included in any e-mail use policy in the company in consideration of privilege issues:
• The e-mail system is the property of the employer.
• E-mail correspondence is to be kept confidential by the employee.
• E-mail message recipient lists must be thoroughly reviewed by the composer for accuracy before being sent.
• Employees should archive important messages by subject and delete groups when no longer needed.
• If a company’s e-mail has a two-tiered delete function, employees must perform a final deletion of all previously deleted messages on a regularly scheduled basis. Messages that need to be saved should be archived.

DATA COLLECTION

An initial step in both the collection and the preservation process is to determine the scope and sources of electronic documents being requested. One of the first questions you should consider is the types of documents which are responsive to the request.


TYPES OF DATA

Data falls into roughly three categories: primary, secondary, and tertiary.

Primary data is comprised of e-mail and other "active data" such as word processing files, spreadsheets, presentations, and databases.

Active data can be thought of as everything electronic that is currently available for use - the documents a company keeps readily available and accessible on hard drives, servers, and so on.

Secondary data consists of less accessible data such as system backup data and archival or legacy data. This data is generally kept for historical reference, and is often difficult or expensive to retrieve.

Because the cost of backup tape restoration, retrieval, and translation may be very high, the burden and expense involved in the recovery process may outweigh the probative value of the material to be recovered.


TYPES OF DATA (cont.)

Tertiary data includes data that exists despite no active effort to maintain or save it. The most common example of tertiary data is remnants of files that were either never saved, or were actively deleted. Deleting an electronic document merely renames the file, and marks the file space as being available for overwriting if that particular space on the hard drive is needed in the future.

Because recovery of tertiary data generally requires the assistance of a forensics expert, a party who demands deleted material will often be required to absorb some or all of the cost. An obvious exception would be in instances where the request is necessary due to willful violation of a preservation order.
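The "delete merely renames the file" point above is easier to see in code. This added example (not from the seminar materials) simulates a FAT-style volume, an assumption chosen for illustration: deleting only marks the directory entry and frees the clusters, a forensic pass can still read the content, and the content is lost only once a later file reuses those clusters. File names and contents are constructed.

```python
"""Toy model of why a "deleted" file is tertiary data that may still be recoverable.

Assumed FAT-style layout (for illustration only): a directory table of entries
plus a small array of fixed-size clusters. Deleting a file overwrites the first
byte of its name with 0xE5 and frees its clusters; the bytes themselves stay on
the volume until those clusters are reused by a later write.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

CLUSTER_SIZE = 16      # bytes per cluster (tiny, to keep the demo readable)
DELETED_MARK = 0xE5    # FAT's marker byte for a deleted directory entry


@dataclass
class Entry:
    name: bytes          # short file name; first byte becomes 0xE5 on delete
    clusters: List[int]  # cluster numbers the file occupies, in order
    size: int            # logical length, so tail padding is dropped on read


class Volume:
    def __init__(self, n_clusters: int) -> None:
        self.clusters = [bytes(CLUSTER_SIZE)] * n_clusters           # raw storage
        self.writer: List[Optional[Entry]] = [None] * n_clusters    # last writer per cluster
        self.allocated: set = set()                                   # in-use cluster numbers
        self.directory: List[Entry] = []

    def _free_clusters(self, count: int) -> List[int]:
        free = [i for i in range(len(self.clusters)) if i not in self.allocated]
        if len(free) < count:
            raise OSError("volume full")
        return free[:count]

    def write_file(self, name: bytes, data: bytes) -> Entry:
        count = max(1, -(-len(data) // CLUSTER_SIZE))   # ceiling division
        entry = Entry(name, self._free_clusters(count), len(data))
        for i, c in enumerate(entry.clusters):
            chunk = data[i * CLUSTER_SIZE:(i + 1) * CLUSTER_SIZE]
            self.clusters[c] = chunk.ljust(CLUSTER_SIZE, b"\x00")
            self.writer[c] = entry
            self.allocated.add(c)
        self.directory.append(entry)
        return entry

    def delete_file(self, name: bytes) -> None:
        """What 'delete' really does: rename the entry and free the space.
        The directory entry and the cluster contents are left in place."""
        for e in self.directory:
            if e.name == name:
                e.name = bytes([DELETED_MARK]) + e.name[1:]
                self.allocated.difference_update(e.clusters)
                return
        raise FileNotFoundError(name)

    def read_entry(self, e: Entry) -> bytes:
        return b"".join(self.clusters[c] for c in e.clusters)[:e.size]

    def recover_deleted(self) -> Dict[bytes, bytes]:
        """Forensic pass over the directory: return the content of deleted
        entries whose clusters no later file has written. The first name byte
        is lost to the 0xE5 marker, so it is reported as '?'."""
        out: Dict[bytes, bytes] = {}
        for e in self.directory:
            if e.name[0] != DELETED_MARK:
                continue
            if all(self.writer[c] is e for c in e.clusters):
                out[b"?" + e.name[1:]] = self.read_entry(e)
        return out


def demo():
    """Constructed scenario: a memo is deleted, then overwritten by new data."""
    vol = Volume(n_clusters=8)
    vol.write_file(b"MEMO.TXT", b"Draft reserve memo: expect adverse verdict.")
    vol.write_file(b"LOG.TXT", b"2005-06-22 backup ok")
    vol.delete_file(b"MEMO.TXT")
    before = vol.recover_deleted()             # memo still fully recoverable
    vol.write_file(b"NEW.TXT", b"x" * 20)      # reuses the freed clusters
    after = vol.recover_deleted()              # memo now gone (clusters reused)
    return before, after


if __name__ == "__main__":
    print(demo())
```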


LOCATING POTENTIALLY RESPONSIVE DOCUMENTS

After you have identified the types of documents that may be relevant, you need to identify where those documents are located. This is a two-fold process.

First is the matter of identifying the potential custodians, or who has the documents. Second is the question of the actual, physical disposition of the documents - i.e., where, physically, do the documents reside?

LOCATING POTENTIALLY RESPONSIVE DOCUMENTS (cont.)

• Once you have made initial determinations regarding the nature and location of potentially relevant documents, you should consider whether you have a need for forensic or other expert advice. This is often unnecessary because, in the majority of cases, the parties can find everything they need responsive to the request in easily accessible locations.

• One standard exception is in cases where there is crucial archaic or deleted data that needs to be recovered.

• Another situation that may warrant retaining an expert is where you intend to object to discovery requests on the basis of undue burden or costs.


LOCATING POTENTIALLY RESPONSIVE DOCUMENTS (cont.)

The next step in document collection is to formulate a collection protocol.

There are a few key points to keep in mind.

One is to incorporate custodian interviews as part of the collection process, if possible. Custodian interviews can be used to ensure all sources and custodians of relevant documents have been identified. They can also make the collection more efficient, by focusing your collection efforts.

Another aspect of establishing a collection protocol is to include a description of the guidelines and procedures followed in collecting the documents. On a technical level, it is important to make sure that the party doing the collecting understands the need to maintain the integrity of the electronic data.


LOCATING POTENTIALLY RESPONSIVE DOCUMENTS (cont.)

• The format in which you will collect the documents, as well as the step-by-step procedures used in the collection, should be included in your collection guidelines.

• Electronic documents are easily alterable. To avoid potential claims of evidence spoliation, be aware of the many ways that electronic documents may be altered. Turning on a computer system; using automatic update fields; recycling backup tapes; system maintenance activities; saving new data; or installing new software may all inadvertently cause documents to be altered.


DATA REVIEW

Production of Electronic Documents - Reviewing and Protecting Client Documents

• In a typical case, the most time-consuming and expensive aspect of electronic discovery is the review of documents.

• Review is crucial for two main purposes: to identify the specific documents responsive to the opponent’s request for production, and to protect a client’s documents.

• As part of establishing your plan of attack for the review, you will want to consider the volume and complexity of the review. Where discovery threatens to be prohibitively expensive, you will want to try to control discovery costs by limiting review where possible. There are several steps you can take to limit review: filing objections to overbroad requests; negotiating scope with opposing counsel (e.g., identifying a limited number of custodians, agreeing on search terms to narrow the universe of documents to be reviewed, etc.); or moving for a protective order if necessary.


The Manner in Which You Conduct the Review Will Also Affect Costs

Whenever possible, take advantage of technology to make your review more efficient, and to locate responsive documents more quickly. More advanced technologies include the use of duplicate suppression and document mapping. Duplicate suppression technologies can be used to identify and suppress up front the duplicative documents existing within the documents you’ve selected. This technology is especially useful when applied to e-mail, because of the highly repetitive nature and typically wide distribution of e-mail. Document mapping is an example of cutting-edge technology that allows an attorney to streamline review by organizing documents graphically. By grouping similar documents together graphically, document mapping technologies facilitate a quick and efficient review of the documents.


DATA PRODUCTION

Production

The final aspect of your strategy for responding to electronic discovery requests is production.

• In addition to reaching an agreement regarding the schedule and deadlines for production, there is the issue of the format in which the documents will be produced.

• Format type:
• hard copy; or
• electronic format

If production in electronic format is considered, you will need to decide between various electronic formats, such as native format, or electronically imaged formats (e.g., PDF or TIFF images).

• On-site inspections (protocols)


Format

• Another advantage of electronic format over hard copy is that loading documents into a litigation support database typically requires that the documents be in electronic format. By agreeing to production in electronic format, parties can avoid the considerable expense of scanning and imaging required to convert hard copy back to electronic form.


Cost-Shifting

Of potentially enormous importance to control the costs of discovery is the issue of cost allocation. Will a party required to respond to a discovery request be forced to bear the full cost of preparing this response, and, if not, on what basis can cost be allocated? Rules 26(c) and 26(b)(2) empower a court to shift costs where it deems it necessary. Two cases represent the seminal decisions to date, Rowe Entertainment v. William Morris, and Zubulake v. UBS.

U.S. District Court Judge Shira A. Scheindlin of the Southern District of New York released a set of guidelines for splitting e-discovery costs. Then, on July 24, 2003, she issued a ruling applying those guidelines to the case at issue.


Cost-Shifting (cont.) - Zubulake I

In Zubulake v. UBS Warburg, LLC, et al. ("Zubulake I"), Judge Scheindlin rejected the idea that the requesting party should always pay for the restoration. Instead, she enumerated seven elements to consider when allocating such costs:
• the extent to which the request is specifically tailored to discover relevant information;
• the availability of such information from other sources;
• the total cost of production, compared to the amount in controversy;
• the total cost of production, compared to the resources available to each party;
• the relative ability of each party to control costs, and its incentives to do so;
• the importance of issues at stake in the litigation; and
• the relative benefits to the parties of obtaining the information.


Zubulake I (cont.)

• Judge Scheindlin emphasized these elements provided guidance only. She held that "when evaluating cost-shifting, the central question must be, does the request impose an ’undue burden or expense’ on the responding party?"

• Judge Scheindlin then ordered UBS to restore the information on five of the 94 back-up tapes, and to present the court with a more accurate cost estimate.


Zubulake II

• UBS came back with a figure of $273,649.39 -- $165,954.67 for restoring and searching the tapes, and another $107,694.72 for attorneys and paralegals to review the documents. In her July decision, Judge Scheindlin addressed these two items separately. First, she ruled that Zubulake should pay for 1/4 of the restoration costs. The attorney review time, however, was solely UBS’s responsibility. Judge Scheindlin held that: "the responding party should always bear the costs of reviewing and producing electronic data once it has been converted to an accessible form."

Requesting Electronic Production from the Opposition

• Just as every sound litigation plan must include a strategy for responding to discovery requests, it also requires similar attention be given to how you will obtain the documents and information you need from the opposing party.

• Much of the information needed regarding the custodians and locations of documents should be disclosed by the other party during Rule 26(a)(1) disclosures.

• You can also address electronic discovery issues during the Rule 26(f) meet and confer.

• Also, you can conduct a Rule 30(b)(6) deposition to uncover important information about electronic evidence controlled by your opponent.

DATA PRESERVATION

Preservation and Recovery of Relevant Evidence

• A first step in making discovery requests is to ensure that your opponent is on notice of the need to preserve all potentially relevant documents. One very concrete action you can take is to send a preservation of evidence letter to your adversary.

• There are several elements to include in your preservation letter:
• Identify the individuals, by name or by position within the organization, who may possess relevant electronic evidence.
• Describe the types of evidence to be preserved, both in terms of subject matter and of possible locations of evidence.
• Finally, ask that the evidence be located immediately and

• Preservation of evidence letters can reduce the risk that your opposing party will destroy relevant documents.


Preservation and Recovery of Evidence (cont.)

Where willful destruction of evidence is a real risk in your case, be prepared to take action beyond issuing the preservation of evidence letter. If you have cause to think that the opposing party is apt to alter or destroy relevant electronic evidence, it may be prudent to obtain an order to preserve evidence, and an order permitting the seizure of computers and storage media. If you can show the risk of destruction is particularly high, i.e., showing facts demonstrating that the adverse party has the opportunity to conceal or destroy evidence, and demonstrating that the party is likely to take the opportunity for deceptive conduct, ex parte relief may be possible.


Preservation and Recovery of Evidence (cont.)

• Despite the precautions you take, you may discover that relevant evidence has been altered or deleted, either innocently or maliciously.

• Where the altered or deleted files are likely to contain information that is both relevant and probative, you may want to consult with a computer forensics expert to recover the missing evidence.

• Even if the court allows the recovery, the expense will often be borne by the requesting party.

• Where the destruction is malicious, the offending party is more likely to be held responsible for the expense of recovering data using forensics.

Two-Way Street Rule

• A final word of caution regarding making discovery requests is to emphasize the "Two-Way Street" rule.

• Think of it as the golden rule: what you do unto others will likely be done to you. Be careful in making requests or demands that you would not want to have made upon you, or with which it would be difficult or impossible for you to comply.


The Duty to Preserve Electronic Information

A person or entity has a duty to preserve electronic information it knows or reasonably should know is or will be discoverable in pending or reasonably foreseeable litigation. The growing trend is for courts to attach the obligation to preserve documents earlier than the filing of a complaint.


The Duty to Preserve is Broad

The duty to preserve evidence is as broad as the concomitant duty to produce evidence. While a party need not preserve every document in its possession, it must preserve documents and electronic information it knows or reasonably should know are relevant, likely to lead to the discovery of relevant evidence, or are reasonably likely to be or have been requested during discovery. The prudent course of action is to preserve all data and information as are feasible once the duty to preserve attaches.

Affirmative Obligation to Take Effective Steps to Prevent Destruction of Evidence

The duty to preserve information imposes an obligation on senior management and their counsel to take effective affirmative steps to preserve the information and prohibit unauthorized destruction of the documents or information. The duty to preserve electronic data requires more than just preventing the intentional deletion of documents and data. It also may require the party to preserve backup tapes containing relevant information, and the duty may require a party to preserve residual deleted data.


Sarbanes-Oxley Act

The passage of the Sarbanes-Oxley Act in July 2002 creates duties for publicly traded corporations to protect and retain certain electronic information.

Sanctions

• Courts have the authority to sanction the improper destruction or spoliation of electronic documents and evidence. Spoliation is the intentional destruction, mutilation, significant alteration, or concealment of discoverable information, or the failure to preserve property for another’s use as evidence, in pending or reasonably foreseeable litigation.

• To be actionable, spoliation also must prejudice or otherwise damage the right of a party to bring an action.

Sanctions (cont.)

A federal court’s power to sanction spoliation stems from Rule 37 of the Federal Rules of Civil Procedure, and the court’s inherent powers. Courts have available a relatively wide variety of sanctions for spoliation, i.e., breach of the duty to preserve. This relief ranges from a presumption that the destroyed evidence would help the case of the opposing party, to the exclusion of other evidence, to dismissal of the action (or default judgment) in more egregious cases. Monetary sanctions may also be available against the spoliator.


Sanctions (cont.)

• In imposing sanctions, a court will generally engage in the following analysis. Courts will first assess (1) the fault or culpability of the spoliator, and (2) the prejudice to the opposing party. After evaluating fault and prejudice, courts apply a proportionality analysis to determine the appropriate sanction, which will be the least harsh effective sanction. Obviously, the greater the culpability and prejudice, the harsher the sanction.

Culpability

There is a division among and between the circuit courts regarding the level of culpability necessary for the imposition of sanctions for spoliation. Some courts hold that this question has been resolved by the U.S. Supreme Court, but the courts have not reached a consistent application of this standard. Other circuits appear to require a showing of bad faith to justify the imposition of sanctions for spoliation under the courts' inherent powers, but the courts differ on the meaning of "bad faith" and whether it is required. Courts within the same circuit even differ on this question.

Prejudice

• A court will not sanction spoliation unless there is some prejudice to the opposing party arising from the spoliation. Thus, where copies or cumulative evidence are destroyed, sanctions are not warranted. On the other hand, where the evidence is central to the case, dismissal or its equivalent may be appropriate.


Proportionality

Courts generally must apply the least harsh sanction that properly addresses the spoliation. A court must weigh the culpability of the party responsible for the spoliation and consider the prejudice to the opposing party. The court must then determine what sanctions are appropriate and which is the least harsh appropriate sanction. In other words, the punishment must fit the crime, and it should be the least severe effective punishment.

Proportionality (cont.)

• The sanctions imposed should serve one or more remedial purposes: punishment, accurate fact finding (remedying the evidentiary imbalance caused by the spoliation), and compensation. Thus if the conduct is egregious, the punishment will be severe. If the conduct is less egregious but creates an evidentiary imbalance, the court will use presumptions and the exclusion of other evidence to cure the imbalance.

• Monetary sanctions are also available to punish. On the other hand, monetary sanctions are sometimes imposed to cover the cost of rectifying the situation caused by the destruction of evidence, rather than as a punishment.

Tort of Spoliation

Finally, there is the possibility that an aggrieved party could bring an action for the tort of spoliation. The tort is not widely recognized, however, as most courts that have considered the issue have refused to recognize it. Nonetheless, the few jurisdictions that have recognized the tort of spoliation permit a party to recover damages against a third party that has failed to preserve evidence.

The majority view, however, is that the tort of spoliation suffers from too many infirmities to be a viable cause of action.


Creating Valid, Effective Data Retention Policies

1. Systematically develop data retention policies.
2. Address all data files, including electronic records.
3. Address all media, including microfilm and machine-readable computer records.
4. Obtain written acknowledgement and approval from all personnel who will be subject to or affected by proposed data retention policies, procedures and destruction schedules.
5. Systematically destroy data according to established data destruction procedures and schedules.
6. Strictly control, carefully manage and regularly audit general compliance with data retention policies.
7. Suspend the scheduled destruction of all potentially relevant data whenever litigation, government investigation or audit is pending or imminent.
8. Maintain documentation regarding the creation and implementation of the data retention policies.

Requirements Imposed by Effective Data Retention Policies

1. Data is maintained according to applicable statutes and regulations, or otherwise preserved only as long as necessary, as specified by data destruction schedules.
2. Data necessary to the general conduct of business are systematically filed for ready accessibility, as required.
3. Data permanently maintained by legal or business requirement are catalogued and preserved on electronic media affording economical storage and easy access.


Requirements Imposed by Effective Data Retention Policies

4. Regarding data potentially relevant to pending or foreseeable litigation or investigation, a mechanism triggered by policy immediately suspends compliance with data retention procedures and destruction schedules, enabling the prompt identification, isolation and preservation of such data.
5. All other data is destroyed.
6. However, any uncertainty regarding compliance with data retention policies must be resolved by retention.

The Critical Element of All Electronic Data Retention Policies

An administrative mechanism must be established to assure the IMMEDIATE suspension of scheduled data destruction when it is determined that specific data may be relevant to a pending or foreseeable lawsuit or government investigation.

Absent the existence and exercise of this mechanism, data retention policies will not insulate against judicial sanction for spoliation of evidence based on a routinely scheduled destruction of electronic data.
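The suspension mechanism described on these slides (a legal hold that overrides the destruction schedule the moment it is placed, uncertainty resolved in favour of retention, and a record of every decision) is the part of a retention policy that has to be implemented in the systems that actually delete data. The following Python retention sweeper is an added example written for this edition of the materials; it is not part of the seminar content and does not describe any Cozen O'Connor or client system. The record categories, retention periods, tags, matter name and sample records are assumed for illustration only.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, FrozenSet, Iterable, List, Optional, Tuple

# Destruction schedule: record category -> retention period in days.
# Assumed values for illustration; a real schedule comes from statute,
# regulation and counsel, and is itself a documented, approved artifact.
SCHEDULE: Dict[str, int] = {
    "invoice": 7 * 365,
    "email": 3 * 365,
    "backup_tape": 90,
}


@dataclass(frozen=True)
class Record:
    record_id: str
    created: date
    category: Optional[str]              # None: classification uncertain
    tags: FrozenSet[str] = frozenset()   # matter, custodian or system labels


@dataclass
class LegalHold:
    hold_id: str
    matter: str
    tags: FrozenSet[str]                 # any record carrying one of these tags is held
    released: bool = False


class RetentionEngine:
    """Applies the destruction schedule, but an active legal hold always wins."""

    def __init__(self, schedule: Dict[str, int], today: date) -> None:
        self.schedule = schedule
        self.today = today
        self.holds: Dict[str, LegalHold] = {}
        self.audit_log: List[str] = []   # documentation of every hold and decision

    def _log(self, message: str) -> None:
        self.audit_log.append(f"{self.today.isoformat()} {message}")

    def place_hold(self, hold: LegalHold) -> None:
        # Takes effect immediately: the next decide() call already honours it.
        self.holds[hold.hold_id] = hold
        self._log(f"HOLD {hold.hold_id} placed, matter={hold.matter!r}, tags={sorted(hold.tags)}")

    def release_hold(self, hold_id: str) -> None:
        self.holds[hold_id].released = True
        self._log(f"HOLD {hold_id} released")

    def active_hold(self, record: Record) -> Optional[LegalHold]:
        for hold in self.holds.values():
            if not hold.released and hold.tags & record.tags:
                return hold
        return None

    def decide(self, record: Record) -> Tuple[str, str]:
        """Return ("retain" | "destroy", reason). Checks run in priority order."""
        hold = self.active_hold(record)
        if hold is not None:                       # 1. a hold suspends the schedule
            return "retain", f"legal hold {hold.hold_id} ({hold.matter})"
        if record.category is None or record.category not in self.schedule:
            return "retain", "classification uncertain; resolved by retention"   # 2.
        expiry = record.created + timedelta(days=self.schedule[record.category])
        if self.today >= expiry:                   # 3. the schedule has run
            return "destroy", f"{record.category} retention expired {expiry.isoformat()}"
        return "retain", f"{record.category} retention runs until {expiry.isoformat()}"

    def sweep(self, records: Iterable[Record]) -> Tuple[List[str], List[str]]:
        """One scheduled destruction run. Returns (destroyed_ids, retained_ids)."""
        destroyed: List[str] = []
        retained: List[str] = []
        for record in records:
            action, reason = self.decide(record)
            self._log(f"{action.upper()} {record.record_id}: {reason}")
            (destroyed if action == "destroy" else retained).append(record.record_id)
        return destroyed, retained


def sample_records() -> List[Record]:
    """Constructed sample data (not real records)."""
    return [
        Record("em-1", date(2001, 1, 1), "email", frozenset({"matter-x"})),  # expired but held
        Record("inv-1", date(1997, 1, 1), "invoice"),                          # expired, destroy
        Record("tape-1", date(2005, 6, 1), "backup_tape"),                     # still inside period
        Record("misc-1", date(1990, 1, 1), None),                              # unclassified
    ]


def demo() -> Tuple[List[str], List[str], RetentionEngine]:
    """A sweep on 22 June 2005 with one (hypothetical) hold in place."""
    engine = RetentionEngine(SCHEDULE, today=date(2005, 6, 22))
    engine.place_hold(LegalHold("LH-1", "Smith v. Acme (hypothetical)", frozenset({"matter-x"})))
    destroyed, retained = engine.sweep(sample_records())
    return destroyed, retained, engine


if __name__ == "__main__":
    destroyed, retained, engine = demo()
    print("destroyed:", destroyed)
    print("retained:", retained)
    print("\n".join(engine.audit_log))
```

The ordering inside `decide` is the point: the hold check runs before the schedule is consulted, so a hold placed at 09:00 already protects a record that the 09:05 sweep would otherwise have destroyed, and a record nobody has classified is retained rather than swept on a default period. The audit log is the documentation item 8 asks for, and it records retentions as well as destructions so that a later challenge can be answered from the log rather than from memory.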


COZEN O’CONNOR
ATTORNEYS

FREQUENCY OF IDENTITY THEFT
POWERPOINT PRESENTATION

written by Robert W. Hammesfahr, Esq. and Keith E. Horton, Esq.
presented by Robert W. Hammesfahr, Esq.

[email protected]
COZEN O’CONNOR
Suite 1500, 222 South Riverside Plaza, Chicago, IL 60606
(312) 382-3100 or (877) 992-6036
www.cozen.com

Offices: Atlanta, Charlotte, Cherry Hill, Chicago, Dallas, Denver, Houston, Las Vegas*, London, Los Angeles, New York Downtown, New York Midtown, Newark, Philadelphia, San Diego, San Francisco, Seattle, Toronto, Trenton, Washington, DC, West Conshohocken, Wichita, Wilmington

*Affiliated with the Law Offices of J. Goldberg & D. Grossman.

These materials are intended to generally educate the participants on current legal issues. They are not intended to provide legal advice. Accordingly, these materials should not be relied upon without seeking specific legal advice on matters discussed herein.

Copyright © 2005 Cozen O’Connor. ALL RIGHTS RESERVED.


Blowing Up Your Company and Case by Electronic Record and Document Malpractice

Frequency of Identity Theft
June 22, 2005
Presenter: Robert W. Hammesfahr, Chicago

Frequency of Identity Theft

What is identity theft?

"Identity theft occurs when someone uses your personal information such as your name, Social Security number, credit card number or other identifying information, without your permission, to commit fraud or other crimes."

Frequency of Identity Theft

• Identity theft is not limited to financial records

• Reported cases of identity theft include:
  - Medical/dental records
  - Employment records
  - Driver's license information
  - Photographs
  - Travel records
  - Instant messaging/online usage
  - "Entertainment activities"
  - Utility/telephone records


Frequency of Identity Theft

• First Amendment Right to Privacy

Four main types of privacy rights have been recognized:

- Unreasonable intrusion upon the seclusion of another
- False light
- Disclosure of private facts
- Appropriation of a person's identity


Frequency of Identity Theft

• Standard of Recovery

In order to recover for an invasion of privacy offense, the defendant's conduct must be "highly offensive to a reasonable person."


Frequency of Identity Theft

• What is private?
  - "There are virtually no online activities or services that guarantee absolute privacy." [1]
  - "Privacy is not something that I'm merely entitled to, it's an absolute prerequisite." [2]


Frequency of Identity Theft

• Number of Reported Identity Theft Cases
  - Between January and December 2004, Consumer Sentinel, the complaint database developed and maintained by the FTC, received over 635,000 consumer fraud and identity theft complaints. Consumers reported losses from fraud of more than $547 million.
  - Credit card fraud (28%) was the most common form of reported identity theft, followed by phone or utilities fraud (19%), bank fraud (18%), and employment fraud (13%).


COZEN O’CONNOR
ATTORNEYS

CHOICEPOINT CLASS ACTIONS AND MORE
POWERPOINT PRESENTATION

written by Robert W. Hammesfahr, Esq. and Keith E. Horton, Esq.
presented by Vincent P. Pozzuto, Esq.

[email protected]
COZEN O’CONNOR
16th Floor, 45 Broadway, New York, NY 10006
(212) 509-9400 or (800) 437-7040
www.cozen.com


Blowing Up Your Company and Case by Electronic Record and Document Malpractice

ChoicePoint Class Actions & More
June 22, 2005
Presenter: Vincent Pozzuto, New York, NY

ChoicePoint Class Actions & More

ChoicePoint "Illegal Data Access" Class Action Lawsuits

• Facts
  - Provider of identification and credential verification services
  - 10/04: Discovered identity theft of data of up to 145,000 individuals: names, addresses, SSNs, credit reports, etc.
  - 02/05: Notified consumers (delay requested by law enforcement)
  - 10/04 to 02/05: Certain officers of the Company sold ChoicePoint common stock while in possession of nonpublic information
  - Government agencies and consumers investigate and sue


ChoicePoint Class Actions & More

ChoicePoint "Illegal Data Access" Class Action Lawsuits

• More than 20 class action lawsuits have been filed to date
• Several class action lawsuits consolidated in April 2005, including the lead case, Harrington v. ChoicePoint, CV05-1294
  - Goldberg v. ChoicePoint, Inc., CV05-2016 (C.D. Cal.)
  - Harrington v. ChoicePoint, CV05-1294 (C.D. Cal.)
  - Salladay v. ChoicePoint, CV05-1683 (C.D. Cal.)
  - Cloy v. ChoicePoint, CV05-1993 (C.D. Cal.)


ChoicePoint Class Actions & More

Causes of Action

Case: Harrington v. ChoicePoint
Cause of action: Fair Credit Reporting Act (FCRA)
Remedy sought


ChoicePoint Class Actions & More

• More Pending/Potential Lawsuits
  - California Dept. of Social Services: security breach exposes SSNs and contact info of 1.4 million providers and clients (Oct. 2004)
  - Bank of America: data on 1.2 million federal employees stolen (disclosed Feb. 2005)
  - CitiFinancial (Citigroup): lost in shipment a box of computer tapes with private account information for 3.9 million customers (June 2005)
  - BJ's Wholesale Club: $13 mil. in customers' claims for failure to encrypt data transmissions; settlement reached with FTC (June 2005)
  - Lexis-Nexis: intruders misappropriate passwords and records on 32,000 people in the U.S. (disclosed March 2005)


COZEN O’CONNOR
ATTORNEYS

HIPAA ENFORCEMENT AND LIABILITY
POWERPOINT PRESENTATION

written & presented by Katherine M. Layman, Esq.

COZEN O’CONNOR
1900 Market Street, Philadelphia, PA 19103
(215) 665-2000 or (800) 523-2900
www.cozen.com


COZEN O’CONNOR

Insurance Coverage Seminar
HIPAA Enforcement and Liability
June 22, 2005

Katherine M. Layman
klayman@cozen.com
215-665-2746

OCR & Enforcement

• HIPAA Privacy: enforcement is carried out by the Office for Civil Rights (OCR)
  - 11,280 complaints filed as of April 2005
  - 61% closed
  - 168 referred to DOJ for investigation
• HIPAA Security: enforcement by CMS

OCR Enforcement Example

• Small rural clinic
• Fired employee was a whistleblower
• Clinic did not cooperate, which resulted in a 2-day on-site inspection


Proposed Enforcement Rule (April 18, 2005)

• Expands application to all administrative simplification rules
• HHS philosophy: voluntary compliance
• Should be final by September 2005

Proposed Enforcement Rule: Business Associates

• A covered entity that complies with the rules regarding BA Agreements will not be held liable for a BA's violation of the rules

Proposed Enforcement Rule: Affirmative Defenses

• Violation is a criminal offense -> referred to DOJ
• Lack of knowledge
  - CE must demonstrate it had measures in place to identify and follow up on violations
• Violation is due to "reasonable cause" and not willful neglect


HIPAA Civil Penalties

• $100 per violation
• $25,000 maximum fine per year, per person, for like violations

HIPAA Criminal Penalties

• $50,000 fine and/or 1 year in prison
• False pretenses: $100,000 fine and/or 5 years in prison
• Really bad intent (e.g., commercial gain, malicious harm): $250,000 fine and/or 10 years in prison

First HIPAA Conviction

U.S. v. Gibson (W.D. Wash. Aug. 2004)

• Seattle Cancer Care Alliance phlebotomist obtained the SSN and other identifying information of a patient
• Used the information to obtain fraudulent credit cards and ran up charges of about $9,000
• The patient conducted his own investigation when he received notices of card issuance and collection agency calls for nonpayment of bills; police and credit card companies would not investigate.


First HIPAA Conviction (Cont'd)

• Calling the crime one of the "most deplorable I've witnessed in 15 years on the bench," U.S. District Judge Ricardo S. Martinez sentenced the health-care worker to 16 months in prison after a guilty plea.
• Charged for "personal gain"
• NOTE: First case prosecuted under HIPAA focused on an individual and not a CE. Will this happen again?

Criminal Enforcement: June 1, 2005 DOJ Opinion

• Penalties for criminal violation of HIPAA apply to covered entities, not employees.
• "If CE is not an individual, general principles of corporate criminal liability will determine the entity's liability and that of individuals within the entity, including directors, officers and employees."

Criminal Enforcement (Cont'd)

• Conduct of these individuals may be prosecuted under principles of aiding and abetting liability or conspiracy liability.


Potential Causes of Action

• Common law invasion of privacy
• Computer invasion of privacy (e.g., Virginia)
• Malpractice: breach of confidentiality
• Breach of contract
• FTC: unfair or deceptive practices (Section 5(a))
  - Eli Lilly disclosure of names of Prozac users
  - Case settled, no fines
  - Attorneys' fees?
• Wire fraud


ERRORS AND OMISSIONS INSURANCE
POWERPOINT PRESENTATION

written & presented by Manny Cho
Senior Broker, E & O Division Manager
Carpenter Moore


COZEN O’CONNOR
ATTORNEYS

COVERAGE FOR RISK: SURVEY OF KEY CONTRACT LANGUAGE
POWERPOINT PRESENTATION

written by Robert W. Hammesfahr, Esq. and Keith E. Horton, Esq.
presented by Robert W. Hammesfahr, Esq.

[email protected]
COZEN O’CONNOR
Suite 1500, 222 South Riverside Plaza, Chicago, IL 60606
(312) 382-3100 or (877) 992-6036
www.cozen.com


Blowing Up Your Company and Case by Electronic Record and Document Malpractice

Coverage for Risk: Survey of Key Contract Language
June 22, 2005
Presenter: Robert W. Hammesfahr, Chicago

Survey of Key Contract Language

The Scope of Coverage

• Professional Services
• Hardware
• Software
• Consulting
• Media
• Services are generally designated within the policy
• Actual or Alleged Failure to Perform Services

Survey of Key Contract Language

• Definitions
  - Network Operations Security
  - E&O
  - Media
  - Cyber-Extortion


Survey of Key Contract Language

• Network Operations Security

Network Operations Security means those activities performed by the Insured, or others on the Insured's behalf, to ensure against Unauthorized Access to and the Unauthorized Use of the Insured's Computer System.

Survey of Key Contract Language

Technology and Internet Errors & Omissions Liability Coverage

The Company will pay on behalf of the Insured all sums in excess of the Deductible that the Insured shall become legally obligated to pay as Damages and Claims Expenses because of a Claim first made against the Insured and reported to the Company during the Policy Period by reason of a Wrongful Act committed on or subsequent to the Retroactive Date specified in Item X of the Declarations and before the end of the Policy Period.

Survey of Key Contract Language

Media

• Media Services means:
  a) the gathering, collection or making of Media Material for inclusion in any Media Communication; or
  b) the publication, dissemination or release of Media Material in any Media Communication in the ordinary course of the Insureds' business.

• Media Communication means any communication of Media Material by way of media, regardless of the nature or form of distribution and regardless of any media ...

• Media Material means material of any form or nature whatever, including but not limited to words, data, computer code, images, graphics and music.


Survey of Key Contract Language

• Cyber-Extortion
  Extortion claim means any claim in the form of a threat or connected


Survey of Key Contract Language

• Key Exclusions
  - Prior Acts
  - Breach of Contract
  - Damages
  - Proscribed Activities
  - Intentional Acts

Survey of Key Contract Language

• Prior Acts

"We shall not be liable for any damages or claims expenses directly or indirectly arising out of or in any way attributable to... any claim or circumstance arising from any wrongful act prior to the retroactive date of this Policy or where you knew or could reasonably have foreseen such wrongful act may be the basis of a claim."


Survey of Key Contract Language

• Breach of Contract

"We shall not be liable for any damages or claims expenses directly or indirectly arising out of or in any way attributable to... any liability assumed under any contract or agreement including any breach of express warranty or guarantee, except and to the extent you would have been liable in the absence of such contract or agreement." (ACE London Safeonline Policy Wording for Safe Enterprise)

Liability assumed under contract or agreement, written or oral; excepting liability you would have had even in the absence of such contract/agreement. (ACE Computer & Technology Products & Services Professional Liability)


Survey of Key Contract Language

Damages

• Damages means a compensatory monetary judgment, award or settlement, other than:
  (a) your future royalties or future profits, restitution, disgorgement of profits, or the costs of complying with orders granting injunctive relief;
  (b) return or offset of fees, charges, or commissions for goods or services already provided or contracted to be provided;
  (c) punitive or exemplary (unless insurable by law), treble or other damages that are assessed in part to punish the defendant or to deter others;
  (d) damages pursuant to federal, state or local statutory law other than compensatory;
  (e) any amounts owed under any express or implied contract; and
  (f) any amounts for which you are not liable, or for which there is no legal recourse against you.


Survey of Key Contract Language

• Proscribed Activities

"We shall not be liable for any damages or claims expenses directly or indirectly arising out of or in any way attributable to... gambling, pornography, or the sale or provision of prohibited, restricted or regulated items including but not limited to alcoholic beverages, firearms, tobacco, or drugs."


Survey of Key Contract Language

• Intentional Acts

"[W]e will not cover claims of loss... alleging or arising out of a dishonest, fraudulent, criminal or malicious act, error or omission, or any intentional or knowing violation of the law, or gaining of any profit or advantage to which you are not legally entitled."

Conclusion

Do organizations buy insurance to help manage cybersecurity risks?


COZEN O’CONNOR
ATTORNEYS

CLAIMS FOR BREACH OF CONTRACT VERSUS PROFESSIONAL ERRORS AND OMISSIONS
POWERPOINT PRESENTATION

written & presented by Margaret A. Reetz, Esq.

[email protected]
COZEN O’CONNOR
Suite 1500, 222 South Riverside Plaza, Chicago, IL 60606
(312) 382-3100 or (877) 992-6036
www.cozen.com


Claims for Breach of Contract Versus Professional Errors and Omissions

Your Parents Never Heard of or Worried about These Types of Claims

New Types of Claims

• Errors and omissions in design or use of technology, internet, website
• Theft or misuse of data
• New causes of action: cyber piracy, cyber squatting, domain name theft, cyber stalking, identity theft, etc.

Breach of Contract, Professional E&O, Unfair Business Practices

• Emerging Laws/Trends in Litigation
  - The rise of the unfair business practice claims
  - Breach of contract claims
  - New statutes and regulations
  - New tort theories
  - New claimants/plaintiff law firms


Claims for Breach of Contracts Caused by Professional Errors and Omissions

• Case Examples
  - ABC Manufacturing Company:

Breach of Contract Versus Professional Errors and Omissions

• Allegations include:
  - Breach of Contract
  - Breach of Warranty(ies)
  - Fraud
  - Negligence
  - Negligent misrepresentations
  - Negligent failure to perform
  - Advice
  - Unjust Enrichment


Licensing and Other Agreements

• Loss control starts with the controlling agreements:
  - licensing agreement;
  - indemnification in vendor agreements;
  - web site terms of use;
  - privacy statements;
  - terms of sale of goods, click ware and shrink ware.


Professional E&O

• New Policies
  - Third Party: CGL with Advertising Liability and Personal Injury; CGL with no AL/PI; specialty tech E&O; misc. E&O (media and content, copyright, trademark and other IP, cyber extortion, privacy, public relations, and compliance)
  - First Party: property damage due to physical injury, plus perhaps valuable papers including electronic storage
  - Cyber First Party: damage to data and electronic storage


Breach of Contract versus Professional Errors and Omissions

• The Policy is a "pay on behalf of" wording that pays as a result of any claim first
  insurers in writing during the policy period

• A "wrongful act" is defined as alleged breaches of duty or neglect or omission


Breach of Contract/Professional Errors and Omissions

Breach of Contract versus Professional Errors and Omissions

Breach of Contract versus Professional Errors and Omissions

• Coverage issue(s):


Breach of Contract versus Professional Errors and Omissions

Case Law Emerging

Compare with CGL Policies: American Family Mutual Insurance Co. v. American Girl Inc., f/k/a Pleasant Company Inc., The Renschler Company Inc. v. West American Insurance Co., et al., 673 N.W.2d 65, 80 (Wis. 2004)

Renschler was hired by American Girl Inc. to work on the design and construction of a warehouse. Renschler subcontracted with a soils engineer to analyze the soil conditions at the site. Pursuant to the engineer's recommendations that the soil was poor and should be prepared, Renschler proceeded with "surcharging" or preparing the site by placing heavy fill on it to compress the soil. After the building was completed, significant sinking of the foundation occurred, causing serious physical damage to the building.

The Wisc. Supreme Court:
• The contractual liability exclusion does not exclude coverage for all breach of contract liability, the majority held.
• It applies only where the insured has contractually assumed the liability of a third party as in indemnity or hold-harmless agreements, which are not present in this case, it held.


Privacy versus Seclusion Claims


Privacy/Seclusion - Statutes and Law

• Electronic Communications Privacy Act (ECPA)
• Fair Credit Reporting Act (FCRA)/Fair and Accurate Credit Transactions Act (FACT)
- Permits consumers to obtain free credit report
- Lenders and credit agencies must implement procedures to identify identity theft
• Telephone Consumer Protection Act (TCPA)
• Federal Trade Commission
• Common law invasion of privacy


Privacy/Seclusion Claims

• Unsolicited email, phone calls and faxes
• Disclosure of personal information (finances, medical records etc.)


Claims Seeking Damages for Privacy and Seclusion Violations

• What does it mean to violate someone's right of privacy?

• The right of privacy is invaded by:
- unreasonable intrusion upon the seclusion of another
- appropriation of another's name or likeness
- unreasonable publicity given to another's private life
- publicity that unreasonably places another in a false light before the public


Privacy/Seclusion Claims

Private causes of action are allowed under the TCPA. "A person who has received more than one telephone call within any 12-month period by or on behalf of the same entity in violation of the regulations prescribed under this subsection may, if otherwise permitted by the laws or rules of court of a State, bring in an appropriate court of that State (A) an action based on a violation of the regulations prescribed under this subsection to enjoin such violation, (B) an action to recover for actual monetary loss from such a violation, or to receive up to $500 in damages for each such violation, whichever is greater, or (C) both such actions." Treble damages may be awarded for willful violations.


Privacy/Seclusion Claims

• Coverage cases under TCPA:
• Unsolicited fax advertisements are covered under advertising injury provisions
• Cases include:

- Hooters of Augusta v. American Global Insurance Company and Zurich Insurance Company

Court: a layman understands his right to be left alone to include being left alone at work by advertisers sending

within the meaning of AGIC's policy and that Nicholson (claimant) suffered an invasion of privacy;

- Universal Underwriters Ins. Co. v. Automotive Network, Inc.
- Park University Enterprises, Inc. v. American Casualty Company of Reading, Pa.


Privacy/Seclusion Claims

insurer ... alleged TCPA violations (which deals with the ...

Recovery of Defense Fees - Reservation of Rights Letters

• Recent Illinois Supreme Court Decision: General Agents v. Midwest Sporting.

• Insurer reserved rights but provided a defense to the insured who was sued by the City of Chicago and Cook County over inappropriate gun sales.

• Insurer sent an ROR letter dated Dec. 3, 1998 but agreed to defend. Insurer filed a DJ action on Oct. 28, 1999, seeking a declaration that it did

• Rejecting the majority trend (Cal., Colo., Fla., La., Minn.) that allows for

parties."


COZENO’CONNOR

ATTORNEYS


HACKING AND DOWNSTREAM LIABILITY

written by Brian J. Walsh, Esq.
COZEN O'CONNOR

16th Floor, 45 Broadway
New York, NY 10006

(212) 509-9400 or (800) 437-7040
www.cozen.com


These materials are intended to generally educate the participants on current legal issues. They are not intended to provide legal advice. Accordingly, these materials should not be relied upon without seeking specific legal advice on matters discussed herein.

Copyright © 2005 Cozen O’Connor. ALL RIGHTS RESERVED.


I. Introduction

Each year, computer hackers are getting more destructive: "Total damage [in 2004] was at least $17.5 billion, a record -- and 30% higher than 2003, according to research firm Computer Economics Inc."1 Civil suits asserting liability of innocent middlemen are likely to increase as a result of this rise in computer hacking. As hackers are often difficult to track down, judgment-proof, or both, the ultimate victims of computer hacking will increasingly look to downstream liability as a way to hold "innocent" parties with deep pockets responsible for the resulting damage.2

II. Scenarios for Trouble

A. Possible Scenarios

Hacking is a widespread and diverse phenomenon. All of the following scenarios can and have occurred.

• A hacker disables a website operated by a large brokerage firm so that its customers cannot trade for several hours. On that day, the stock market is volatile, and a class of customers suffers financial losses.

• Hackers target a web-based banking service gaining access to usernames and passwords, putting individual bank accounts at risk.

• A hacker targets an employee who works from home accessing her employer's internal network over the Internet. The theft and subsequent dissemination of confidential client or third-party information, such as trade secrets, leads to large-scale damage.

• A hacker emails a virus to an employee of a company through an attachment. B's employee unintentionally forwards the infected email attachment to her friend who works at a hospital. The virus infects the hospital's internal server and dangerously alters patient files, causing harm or death.

• Hackers gain control of unsuspecting users' computers and use those machines to flood a targeted site or service with junk messages, overwhelming the site, thereby making it inaccessible to legitimate customers.

B. Potential Defendants

• The hacker, if you can find him.
• Internet service providers (ISPs) that failed to properly secure their networks.


1 Brian Grow, Hacker Hunters, Business Week, May 30, 2005, at 74.
2 W. Reid Wittliff, Computer Hacking and Liability Issues: When Does Liability Attach?, at http://www.gdhm.com/pdf/wrw-hack article.pdf.


• Companies with computers used as "bounce sites" or as "zombies" to launch attacks.3
• Companies that hired a known hacker and gave him or her access to high bandwidth and a computer.

III. Who Pays?

A. The Innocent Middleman?

1. At present, there is no liability for an innocent middleman.

If the middleman had no knowledge of the attack, did not aid in the attack, and had adequate security systems in place to prevent hackers from targeting the network, courts are not likely to hold the middleman responsible. Our society looks to punish the bad actor, and the innocent middleman does not fit that role. However, whether the middleman is, in fact, innocent will be a fact-specific inquiry.

2. If there is no physical damage, the economic loss doctrine may bar recovery.

Case law distinguishes physical harm, which includes property damage and bodily injury, from economic harm. If, somehow, the middleman is not "innocent" and is, in fact, negligent in some way, it still may not be liable for damages to a third party under the economic loss doctrine. Under the doctrine, a tort claim will not succeed if economic damages are the only injury to the plaintiff. Notwithstanding special exceptions, a plaintiff can generally recover in negligence actions for actual physical damage to personal or real property and personal injury, but not for purely financial damages. However, if the injured party suffers bodily injury or property damage, such as corrupted or erased data, this rule may not apply depending on case law in the relevant jurisdiction.

B. The Hacker?

If the bad actor is a known hacker, federal and state laws mandate criminal prosecution. However, it is not easy to find the bad actor. Hackers can launch attacks from anywhere in the world. Even if hackers are domestic and nearby, hackers may be able to avoid detection by erasing any sign of their invasions. Furthermore, hackers are often judgment-proof: either they do not have any assets, or they have them well hidden. Therefore, the victims are likely to seek joint and several liability for the middleman who arguably exposed them to the risk.

C. The Injured Party?

At present, the hacking victim is paying for the damage caused by online hacking, allowing companies and consumers to unfairly assume the losses.

3 A computer is used as a "bounce" site when it allows the hacker's connection to "bounce" off its server to another machine. A system is considered a "zombie" when a hacker programs it to perform the illicit task without the knowledge of its system operators.


IV. Proposals

A. Theories of Liability for the "Innocent" Middleman

The damage resulting from computer hacking can consist of immediate financial loss, damage to reputation, and consumer distrust. As lawsuits increase, plaintiffs may rely on various legal theories in an attempt to recover against a middleman, especially if the true 'bad actor' is not an ideal defendant.

1. Negligence

The core of the downstream liability issue is negligence. Common Law negligence requires that four elements be satisfied for a successful claim: duty, breach of duty, causation, damages. The threshold question of whether a duty exists between the middleman and the injured third party may be difficult to answer.

The well settled "no duty" doctrine, which holds that there is no duty to protect another from the criminal acts of a third party, if strictly applied, would mean that if a company's unsecured computers were hacked and used as a mechanism to launch attacks against other systems, the company would not be liable to third parties, even if it was without any security systems in place. Such a rule, however, is not unconditional. Courts have recognized certain situations in which a duty to protect a party from the criminal acts of another may arise:

(1) a property owner who maintains control over the property owes a duty to exercise reasonable care to maintain premises in safe condition, including those precautions to protect from foreseeable criminal acts of third parties;4
(2) a person with a special relationship with a third party may owe a duty to control that party's conduct;5 and
(3) a person who has created a dangerous situation owes a duty to prevent harm to others because of the situation that person created.6

Situations (2) and (3) are unlikely to be on point for cases of downstream "innocent middleman" liability. Situation (1), however, regarding typical premises liability, is closely analogous to a negligence claim arising from hacking. An invitee harmed on a property owner's property is in a similar situation to a company's network attacked by hackers while hosted by an ISP. The ISP has control over the online system and is responsible for protecting against foreseeable harm. What is foreseeable is, of course, fact-specific.

Assuming a recognizable duty, courts will look to see whether the middleman has breached the duty. At present, there is no universally accepted standard of care to apply. General tort law defines the duty as the actions taken by a reasonable and prudent person to prevent unreasonable

4 See Newell v. Swiss Reassurance Company, Inc., 580 N.Y.S.2d 361 (Sup. Ct. 1992); Timberwalk Apartments, Partners, Inc. v. Cain, 972 S.W.2d 749, 756 (Tex. 1998).
5 See Tarasoff v. Regents of University of California, 17 Cal.3d 425; 551 P.2d 334 (1976).
6 See Medina v. City and County of Denver, 960 F.2d 1493 (10th Cir. 1992).


risks of harm. Therefore, to ascertain breach, courts will look at several factors, such as how the middleman company could have prevented the loss.

Should a Court apply the cost-benefit approach,7 under which unreasonable risks are those that the company could cost-effectively eliminate, it would weigh the cost of untaken measures against the value of reducing all foreseeable risks, not just the risk that caused the damage at issue.8 In the hacking context, if only unreasonably expensive technology could eradicate an unknown virus, courts would probably consider the risk unavoidable as due care could not have prevented it, and the defendant will escape liability.9

Once the plaintiff has established a breach of duty, he must then demonstrate causation in one of two ways. Cause-in-fact requires the plaintiff to prove that "but for" the middleman's failure to take the reasonable precaution, the harm would not have occurred. For instance, if the security administrator forgot to scan the system for viruses, but the scan would not recognize the virus regardless, the untaken precaution would not have prevented the damage.10 Proximate cause requires that the middleman's negligence be sufficiently related to foreseeable damage. However, if an intervening or superseding cause comes between that negligence and the injured plaintiff, the amount of liability may be reduced or eliminated. For example, if a hacker gains access to a network due to a blackout that disables the security system, the company did not proximately cause the damage.

If the plaintiff satisfies the aforementioned elements, the economic loss rule, supra, may still bar recovery.

2. Negligent hiring or supervision

Because this claim is only likely to arise if there is an identifiable hacker who is an employee of a company with deep pockets, a lengthy discussion on this theory for recovery is beyond the scope of this paper; however, it is worth mentioning.

As it is unlikely that the hacker's employer authorized the hacking, a claim for respondeat superior would probably fail. However, a plaintiff may be able to proceed under a negligent supervision or negligent hiring theory. Employers have a duty to adequately hire, train and supervise their staff members. If a plaintiff can demonstrate that the employer failed to take reasonable steps to protect third parties from misconduct of employees, a Court may impose liability on the company. Likewise, if a company knows or should have known that it hired an employee with a propensity to hack computers and provides such employee full access to the Internet, a court may find the company responsible for the results of the employee's hacking.11

7 Alternatively, the courts may look at industry custom or do a risk-utility test, which balances the utility of the conduct against the likelihood and extent of harm.
8 See U.S. v. Carroll Towing Co., 159 F.2d 169 (2d Cir. 1947).
9 Meiring de Villiers, Computer Viruses and Civil Liability, 40 Tort & Ins. L.J. 123 (2004).
10 Id.
11 "A claim based on negligent hiring and supervision requires a showing that defendants knew of the employee's propensity to [commit the alleged acts] or that defendants should have known


Additionally, an injured party may bring a negligent hiring claim if the middleman company hired a network security administrator who did not properly secure the system. The employer could be held liable in hiring an unqualified employee if the employee's failure to institute security mechanisms caused the system's vulnerability.

3. Breach of contract

Common Law breach of contract might apply if parties have contracted to provide and receive data storage or processing services. Often, an online business enters into a contract with the ISP for Internet service. The breadth of the contract terms determines the extent and scope of any action. However, such a claim is not likely to be successful in the case of security breaches involving individuals or third parties. Because courts tend to adhere to a privity of contract requirement, a victim of a hacker attack launched from a third party's unsecured computer system would have no claim against the third party without a contractual relationship. For this reason, the breach of contract claims that have the most chance at success would be those by consumers or businesses against companies who promised specific hacker protection in the contracts, or those whose contracts identify steps taken should a hacker compromise the system.

4. Strict products liability does not apply

The doctrine of strict products liability renders manufacturers of defective products liable to any person injured as a result of the defect, regardless of privity, foreseeability, or due care, if the defect was a substantial factor in causing the injury.12 However, in a situation questioning the liability of an innocent middleman, like an ISP, the middleman is not passing any tangible good through the stream of commerce. The ISP is providing a service, rather, and the middleman has not placed the tangible items, such as the computer, into the stream of commerce. The doctrine of strict products liability does not apply to services.13

B. What does the future hold? Proposals and changes in law and policy.

1. Should the innocent middleman bear the costs?

As it stands now, the injured party foots the bill for the damage caused by hacking, arguably creating an unfair burden on the victim. Therefore, many have suggested that because "middleman" companies pay a relatively low cost to implement a security standard, compared to


of such propensity had they conducted an adequate hiring procedure." Honohan v. Martin's Food of South Burlington, 679 N.Y.S.2d 478, 479 (Sup. Ct. 1998) (quoting Ray v. County of Delaware, N.Y.S.2d 808, 809 (Sup. Ct. 1997)).
12 Vaniderstine v. Lane Pipe Corp., et al., 455 N.Y.S.2d 450 (1982).
13 See id. (holding that the erection of a highway guardrail was a service, and therefore the county could not be liable under strict liability for injuries sustained when a passenger struck a defective guardrail); see also Simone v. L.I. Jewish Hillside Medical Center, 364 N.Y.S.2d 714 (1975) (holding that the concept of strict products liability is inapplicable to the furnishing of services, such as blood transfusions).


the potentially tremendous cost to society, the middleman should take on this burden. When applied to ISP middlemen, the increased security would lower consumer costs for Internet use. ISPs can employ security standards more cheaply than other parties can. The difficulty, however, is the lack of a designated standard.

2. Should there be a universal standard of care?

Establishing a standard of care is problematic. Companies have differing security needs, depending on size, field, value of data, and other factors.14 Additionally, uniformity may promote hacking by establishing minimum security measures for hackers to understand and surpass. In 2001, several administrative agencies, including the FDIC and the Department of the Treasury, created and issued security guidelines for financial institutions under the 1999 Gramm-Leach-Bliley Act, requiring systematic monitoring, employee training, and encryption of customer information.15 Similarly, proposals under the Health Insurance Portability and Accountability Act of 1996 called for parallel measures among health care providers and insurance companies.16

Whether or not there should be a standard of care pertaining to computer security, if the occurrences of computer hacking steadily rise, courts or legislatures will more than likely develop a universal standard to apply to these cases.

V. Conclusion

Presently, there is no downstream liability for an innocent middleman for damage caused by computer hacking. The difficulties in proving a prima facie case of negligence are tough burdens for plaintiffs to overcome. However, we can expect successful claims against middlemen to increase in the next several years.

Whether through regulations and statutes or through the common law of different jurisdictions, someone will find a way to get to these deep pockets. We now have the technology and sophistication to detect causation, making it easier to really know who is liable. Further, as damages rise, pressure from injured parties and legislatures is likely to result in some sort of policy change. With a reported 30% increase in damages from 2003 to 2004, and an unknown total cost for 2005, downstream liability from computer hacking is likely to be a landmark issue on dockets in the near future. As the law develops, we have a job as attorneys and industry professionals to regularly keep track of statutory proposals and ensure that our voices are heard on this issue.


14 Mary M. Calkins, They Shoot Trojan Horses, Don't They? An Economic Analysis of Anti-hacking Regulatory Models, 89 Geo. L. J. 171, 214-15 (2000).
15 See 15 U.S.C. § 6801 et seq. (2001); 12 C.F.R. § 30; 12 C.F.R. § 208; 12 C.F.R. § 225.
16 See 63 Fed. Reg. 43,241, 43,241-77 (1998).


COMPUTER VIRUSES AND CIVIL LIABILITY: A CONCEPTUAL FRAMEWORK

Meiring de Villiers


This article analyzes a negligence cause of action for inadvertent transmission of a computer virus. It provides an introduction to the principles of operation and detection of viruses and analyzes the elements of negligence liability in the context of virus infection. A final section discusses and analyzes litigation complications that are a direct result of the dynamic and unique nature of virus and virus detection technology.

I. INTRODUCTION

The Internet and modern communications technology have stimulated unprecedented advances in electronic communication, commerce, and information access. These technologies also have dramatically increased the vulnerability of computer networks to hazards, such as malevolent software and rogue programs that are capable of spreading rapidly and causing widespread and substantial damage to electronic data and programs.1 The most

1. KEN DUNHAM, BIGELOW'S VIRUS TROUBLESHOOTING POCKET REFERENCE xix-xxiii (2000) ("Current Threat of Viruses" and "Interpreting the Threat."); Jeffrey O. Kephart et al., Blueprint for a Computer Immune System, IBM Thomas J. Watson Research Center Report, at 1 (originally presented at Virus Bulletin International Conference in San Francisco, California (Oct. 1-3, 1997), available at http://www.research.ibm.com/antivirus/SciPapers/Kephart/VB97 ("There is legitimate concern that, within the next few years, the Internet will provide a fertile medium for new breeds of computer viruses capable of spreading orders of magnitude faster than today's viruses ... [T]he explosive growth of the Internet and the rapid emergence of applications that disregard the traditional boundaries between computers threaten to increase the global spread rate of computer viruses by several orders of magnitude."); How Fast a Virus Can Spread, in PHILIP FITES ET AL., THE COMPUTER VIRUS CRISIS 21 (2d ed. 1992); Carey Nachenberg, Future Imperfect, VIRUS BULL. (Aug. 1997) ("With the ubiquitous nature of the Internet, new viruses can be made widely accessible within minutes."); BIZREPORT NEWS,

Meiring de Villiers (mdv@unsw.edu.au) is John Landerer Faculty Fellow at the University of New South Wales School of Law in Sydney, Australia.


124 Tort Trial & Insurance Practice Law Journal, Fall 2004 (40:1)

notorious of these rogue programs is the so-called computer virus, a program capable of attaching itself to a host program, cloning itself, and spreading the cloned copies to other host programs, analogously to a biological virus. In addition to replicating and spreading, many viruses are also capable of harm, such as information theft and corruption of electronic data. This article focuses on the computer virus and its legal impact.

A collateral effect of the proliferation of malevolent software is exposure to legal liability, not only for the virus author and the intentional transmitter of a virus, but also for one who inadvertently transmits a virus. An example of the latter would be someone who unwittingly forwards an infected e-mail attachment. A civil action against an inadvertent transmitter would most likely be pursued under a negligence theory, the most widely used theory of liability in the law of torts.2

Negligence is a breach of the duty not to impose an unreasonable risk on society. It applies to any risk that can be characterized as unreasonable, including the risks associated with malevolent software.3 A victim of a virus attack may therefore bring legal action under a negligence theory against anyone who failed to take reasonable care to eliminate or reduce the risk of virus infection.

Potential defendants in a virus case include such individuals as commercial software providers who sell infected products; entities involved in software distribution, such as website operators and participants in shareware arrangements; and individuals who transmit infected e-mail attachments. The system operator in a workplace who becomes aware that an internal network is infected with a virus may have a duty to external e-mail recipients to reduce or eliminate the risk of infection. This can be accomplished by advising internal e-mail users, blocking all external e-mail traffic, or including warnings with outgoing e-mail, until the system has been disinfected with reasonable certainty.4

Sept. 12, 2003 (reporting that five to fifteen new viruses are released on the Internet daily), at http://www.bizreport.com/print.php?art_id=4917. For those interested in pursuing the scientific aspect further, IBM's website at http://www.research.ibm.com/antivirus/SciPapers.htm provides hyperlinks to numerous papers on viruses, including many cited in this article.

2. See, e.g., James A. Henderson, Why Negligence Law Dominates Tort, 50 UCLA L. REV. 377 (2003). See also Gary T. Schwartz, The Vitality of Negligence and the Ethics of Strict Liability, 15 GA. L. REV. 963 (1981); Gary T. Schwartz, The Beginning and the Possible End of Modern American Tort Law, 26 GA. L. REV. 601 (1992).

3. PROSSER AND KEETON ON THE LAW OF TORTS § 31 (5th ed. 1984). RESTATEMENT (SECOND) OF TORTS § 282 (1965) (describing negligence as conduct "which falls below the standard established by law for the protection of others against unreasonable risk of harm"); DAN B. DOBBS, THE LAW OF TORTS 258 (the plaintiff can assert that any conduct counts as negligence).

4. CLIVE GRINGRAS, THE LAWS OF THE INTERNET 61, 62 (1997). An English court held that a defendant who stored biological viruses had a duty to cattle owners who would be affected by the spread of the virus. Weller and Co. v. Foot and Mouth Disease Research Institute, 3 All E.R. 560, 570 (1965) ("[T]he defendant's duty to take care to avoid the escape of the virus was due to the foreseeable fact that the virus might infect cattle in the neighborhood and


To pursue a successful negligence cause of action, a victim of viral infection must prove that (1) the defendant had a duty to the plaintiff to take reasonable care to avoid the infection, (2) there was a breach of that duty, (3) the breach was the actual and legal cause of the plaintiff's loss, and (4) the breach resulted in actual harm.

Technology plays a crucial role in a negligence analysis involving virus infection. Courts require a plaintiff to prove breach of duty in a negligence action by identifying an untaken precaution and showing that the precaution would have yielded greater benefits in accident reduction than its cost. Such a cost-benefit analysis requires a familiarity with the technology as well as economics of viruses and virus detection.

Section II of this article reviews the principles of computer viruses and virus detection technology. Section III presents an analytical framework for the evaluation of a negligence cause of action in a virus context, including an analysis of legal and economic aspects of damages due to computer virus infection.

The dynamic nature of virus technology may complicate proof of negligence liability. The central element of a negligence plaintiff's litigation strategy is the cost-effective untaken precaution. Failure to take a particular precaution may constitute breach, but the claim nevertheless may fail on proximate cause grounds if, for instance, the virus evolved unpredictably and caused an unforeseeable type of harm. An alternative precaution may pass the actual and proximate cause hurdles but would likely not be cost-effective, and therefore fail the breach-of-duty element. Such interaction between the dynamic and volatile nature of virus technology and the legal principles of negligence may create a Catch-22 situation that leaves the virus victim without legal recourse. Section IV analyzes and discusses these and other complications to litigation strategy. A final section discusses and concludes.
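As an added example (not code from either paper), the following Python model works through the two-step analysis that both the Walsh paper's breach and causation discussion and the Catch-22 paragraph above describe: a breach test that weighs a precaution's cost against the reduction in expected loss over all foreseeable risks, and a "but for" causation test against the harm that actually occurred. All risk names, probabilities, losses, costs and the but-for threshold are constructed assumptions.

```python
"""Two-step screen for an untaken precaution (added example, not from the papers).

breach        - the precaution must be cost-effective when its cost is weighed
                against the reduction in expected loss over ALL foreseeable
                risks, not only the risk that materialized;
cause-in-fact - "but for" the omission, this particular harm must not have
                occurred, i.e. the precaution would have stopped it.
Proximate cause (foreseeability) is a further hurdle not modelled here.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Risk:
    name: str
    probability: float  # chance the risk materializes over the period (constructed)
    loss: float         # loss if it does, in dollars (constructed)


@dataclass(frozen=True)
class Precaution:
    name: str
    cost: float                      # cost of taking the precaution (constructed)
    effectiveness: Dict[str, float]  # risk name -> fraction of that risk removed


# Assumption: a precaution counts as the but-for cause of avoiding a harm when
# it would more likely than not have stopped that harm.
BUT_FOR_THRESHOLD = 0.5


def benefit(precaution: Precaution, risks: List[Risk]) -> float:
    """Reduction in expected loss, summed over every foreseeable risk."""
    return sum(precaution.effectiveness.get(r.name, 0.0) * r.probability * r.loss
               for r in risks)


def is_breach(precaution: Precaution, risks: List[Risk]) -> bool:
    """Omitting the precaution is a breach only if the precaution was cost-effective."""
    return benefit(precaution, risks) > precaution.cost


def is_cause_in_fact(precaution: Precaution, realized: Risk) -> bool:
    """Would taking the precaution have prevented this particular harm?"""
    return precaution.effectiveness.get(realized.name, 0.0) >= BUT_FOR_THRESHOLD


def liability_analysis(precaution: Precaution, risks: List[Risk], realized: Risk) -> dict:
    """Both tests must pass for the untaken precaution to support liability."""
    breach = is_breach(precaution, risks)
    cause = is_cause_in_fact(precaution, realized)
    return {"precaution": precaution.name, "breach": breach,
            "cause_in_fact": cause, "liable": breach and cause}


def no_viable_precaution(precautions: List[Precaution], risks: List[Risk],
                         realized: Risk) -> bool:
    """The Catch-22: True when no candidate precaution passes both tests."""
    return not any(liability_analysis(p, risks, realized)["liable"] for p in precautions)


# Constructed scenario: a known virus family that a signature scan recognizes,
# and a novel virus that no signature scan would catch.
KNOWN_VIRUS = Risk("known_virus", probability=0.5, loss=20_000.0)
UNKNOWN_VIRUS = Risk("unknown_virus", probability=0.05, loss=200_000.0)
RISKS = [KNOWN_VIRUS, UNKNOWN_VIRUS]

# Cheap signature scan: cost-effective, but useless against the novel virus.
SIGNATURE_SCAN = Precaution("signature scan", cost=2_000.0,
                            effectiveness={"known_virus": 0.9})
# Expensive bespoke defence: would have caught the novel virus, but its cost
# exceeds the total expected-loss reduction it buys.
BESPOKE_DEFENCE = Precaution("bespoke heuristic defence", cost=50_000.0,
                             effectiveness={"known_virus": 0.9, "unknown_virus": 0.8})

if __name__ == "__main__":
    for p in (SIGNATURE_SCAN, BESPOKE_DEFENCE):
        print(liability_analysis(p, RISKS, UNKNOWN_VIRUS))
    print("no precaution supports liability:",
          no_viable_precaution([SIGNATURE_SCAN, BESPOKE_DEFENCE], RISKS, UNKNOWN_VIRUS))
```

With these constructed numbers the scan passes breach (benefit 9,000 against cost 2,000) but fails but-for cause against the unknown virus, while the bespoke defence passes cause but fails breach (benefit 17,000 against cost 50,000), so neither supports liability.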

II. OPERATION AND STRUCTURE OF COMPUTER VIRUSES

A. Background

Malevolent software is intended to cause damage to or disrupt the operation of a computer system. The most common of these rogue programs is the computer virus. Other forms of malicious software include so-called logic bombs, worms, Trojan horses, and trap doors.5

cause them to die. The duty is accordingly owed to the owners of cattle in the neighborhood . . ."). Bulletin Boards, which allow downloading and uploading of software, are particularly vulnerable to computer virus infection due to the sheer quantity of transactions performed through Bulletin Board Systems. See, e.g., FITES ET AL., supra note 1, at 60.

5. See, e.g., DOROTHY E. DENNING & PETER J. DENNING, INTERNET BESIEGED 75-78 (1998).


126 Tort Trial & Insurance Practice Law Journal, Fall 2004 (40:1)

The term "virus," Latin for "poison," was first formally defined by Dr. Fred Cohen in 1983,6 even though the concept goes back to John von Neumann's studies of self-replicating mathematical automata in the 1940s.7

Dr. Cohen describes a computer virus as a series of instructions (in other words, a program) that (i) infects other computer programs and systems by attaching itself to a host program in the target system, (ii) executes when the host is executed, and (iii) spreads by cloning itself, or part of itself, and attaching the copies to other host programs on the system or network. In addition, many viruses have a so-called payload capable of harmful side effects, such as data corruption.8

A virus may infect a computer or a network through several possible points of entry, including via an infected file downloaded from the Internet, through Web browsing, via an infected e-mail attachment, or even through infected commercial shrinkwrapped software.9 The recent trend in virus transmission has been a decrease in infected diskettes and an increase in infection through e-mail attachments. In a 1996 national survey, for instance, approximately 9 percent of respondents listed e-mail attachments as the means of infection of their most recent virus incident, while 71 percent put the blame on infected diskettes. In 2003, the corresponding numbers were 88 percent for e-mail attachments and zero for diskettes.10

As the definition suggests, computer viruses consist of three basic modules or mechanisms, namely an infection mechanism, a payload trigger, and the payload. The infection mechanism allows the virus to replicate and spread, analogously to a biological virus. This is the most salient property of a computer virus.11 The infection module first searches for an appropriate executable host program to infect. It then installs a copy of the virus into the host, provided the host has not yet been infected.

6. Fred Cohen, Computer Viruses (1985) (unpublished Ph.D. dissertation, University of Southern California) (on file with the University of Southern California library).

7. Jeffrey O. Kephart et al., Fighting Computer Viruses, SCI. AM., Nov. 1997, at 55. Dr. Gregory Benford published the idea of a computer virus as "unwanted code." Benford apparently wrote actual "viral" code, capable of replication. DENNING & DENNING, supra note 5, at 74.

8. JOHN MCAFEE & COLIN HAYNES, COMPUTER VIRUSES, WORMS, DATA DIDDLERS, KILLER PROGRAMS, AND OTHER THREATS TO YOUR SYSTEM 26; FREDERICK B. COHEN, A SHORT COURSE ON COMPUTER VIRUSES 1-2 (2d ed. 1994). In his Ph.D. dissertation, Dr. Cohen defined a virus simply as any program capable of self-reproduction. This definition appears overly general. A literal interpretation of the definition would classify even programs such as compilers and editors as viral. DENNING & DENNING, supra note 5, at 75.

9. There are three mechanisms through which a virus can infect a program. A virus may attach itself to its host as a shell, as an add-on, or as intrusive code. A shell virus forms a shell around the host code so that the latter effectively becomes an internal subroutine of the virus. The host program is replaced by a functionally equivalent program that includes the virus. The virus executes first and then allows the host code to begin executing. Boot program viruses are typically shell viruses. Most viruses are of the add-on variety. They become part of the host by appending their code to the host code, without altering the host code. The viral code alters the order of execution, by executing itself first and then the host code. Macro viruses are typically add-on viruses. Intrusive viruses, in contrast, overwrite some or all of the host code, replacing it with their own code. See, e.g., DENNING & DENNING, supra note 5, at 81; FITES ET AL., supra note 1, at 73-75.

10. INST. FOR COMPUTER SEC. & ADMIN., ICSA LABS 9TH ANNUAL COMPUTER VIRUS PREVALENCE SURVEY 2003, Table 10, at 14, available at http://www.icslabs.com/2003avpsurvey/index.shml.

Computer Viruses and Civil Liability 127

When the host program executes, the virus is also executed. Upon execution, the virus typically performs the following sequence of actions. It replicates (clones) by copying itself to other executable programs on the computer.12 During execution, the virus program also checks whether a triggering condition is satisfied. When the condition is satisfied, the virus executes its harmful component, the so-called payload module. Triggering events come in a variety of forms, such as a certain number of infections, Michelangelo's birthday, or the occurrence of a particular date. The Friday-the-13th virus, for instance, only activates its payload on dates with the cursed designation.13

Execution of the payload may produce harmful side effects, such as destruction or corruption of data in spreadsheets, word processing documents, and databases, and theft of passwords.14 Some effects are particularly pernicious because they are subtle and undetectable until substantial harm has been done: transposing numbers, moving decimal places, stealing passwords and other sensitive information.15 Payloads are not necessarily destructive and may involve no more than displaying a humorous message.16

Some virus strains do not destroy or corrupt information but consume valuable computing resources.17

11. ROGUE PROGRAMS: VIRUSES, WORMS, TROJAN HORSES 247 (Lance J. Hoffman ed. 1990) ("The ability to propagate is essential to a virus program."); DENNING & DENNING, supra note 5, at 73-75.

12. Potential target hosts include application and system programs and the master boot record of the hard disks or floppy disks in the computer.

13. See, e.g., Eric J. Sinrod & William P. Reilly, Cyber Crimes: A Practical Approach to the Application of Federal Computer Crime Laws, 16 SANTA CLARA COMPUTER & HIGH TECH. L.J. 177, 217 n.176 (2000).

14. JAN HRUSKA, COMPUTER VIRUSES AND ANTI-VIRUS WARFARE 17, 17-18 (1990) (In addition to self-replicating code, viruses often also contain a payload. The payload is capable of producing malicious side effects.). See also COHEN, supra note 8, at 8-15 (examples of malignant viruses and what they do); MCAFEE & HAYNES, supra note 8, at 61.

15. MCAFEE & HAYNES, supra note 8, at 61.

16. Sinrod & Reilly, supra note 13, at 218 (describing the W95.LoveSong.998 virus, designed to trigger a lovesong on a particular date).

17. Viruses can cause economic losses, e.g., by filling up available memory space, slowing down the execution of important programs, locking keyboards, adding messages to printer output, and effectively disabling a computer system by altering its boot sector. The Melissa virus, for instance, mailed copies of itself to everyone in the victim's e-mail address book, resulting in clogged e-mail servers and even system crashes. See, e.g., FITES ET AL., supra note 1, at 23-24 ("The Christmas card [virus] stopped a major international mail system just by filling up all available storage capacity."); Sinrod & Reilly, supra note 13, at 218 (describing the Melissa virus).

See Section III(D), infra, for an analysis of damages from computer virus infection. For examples of benign viruses and how they operate, see, e.g., COHEN, supra note 8, at 15-21.


It was once believed that viruses could not be transmitted by data files such as e-mail attachments. Viruses such as the infamous Melissa taught us otherwise. Melissa typically arrived in the e-mail inbox of its victim disguised as an e-mail message with a Microsoft Word attachment. When the recipient opened the attachment, Melissa executed. First, it checked whether the recipient had the Microsoft Outlook e-mail program on its computer. If so, Melissa would mail a copy of itself to the first fifty names in Outlook's address book, creating the appearance to the fifty new recipients that the infected person had sent them a personal e-mail message. Melissa would then repeat the process with each of the fifty recipients of the infected e-mail message (provided they had Outlook) by automatically transmitting clones of itself to fifty more people.18 A Melissa attack frequently escalated and resulted in clogged e-mail servers and system crashes.

B. Technical Antivirus Defenses

Antivirus technology comes in two broad categories: virus-specific and generic. Virus-specific technology, such as signature scanners, detects known viruses by identifying patterns that are unique to each virus strain. These "identifying patterns" are analogous to human fingerprints. Generic technology detects the presence of a virus by recognizing generic viruslike behavior, usually without identifying the particular strain.

A virus-specific scanner typically makes a specific announcement, suchas that "the operating system is infected with (say) the Cascade virus," whileits generic counterpart may simply say, "the operating system is (or maybe) infected with an (unidentified) virus." Virus-specific technology is moreaccurate and produces fewer false positives, but generic technology is betterat detecting unknown viruses. Heuristic techniques combine virus-specificscanning with generic detection, providing a significantly broadened rangeof detection.

Technical antivirus defenses come in four varieties, namely scanners, activity monitors, integrity checkers, and heuristic techniques.19 Scanners are virus-specific, while activity monitors and integrity checkers are generic. Activity monitors look out for suspicious, viruslike activity in the computer. Integrity checkers sound an alarm when they detect suspicious modifications to computer files.

1. Scanners

Scanners are the most widely used antivirus defense. A scanner reads executable files and searches for known virus patterns. These patterns, or "signatures," are the most reliable technical indicator of the presence of a virus in a computer system. A virus signature consists of patterns of hexadecimal digits embedded in the viral code that are unique to the strain.20 These signatures are created by human experts, such as researchers at IBM's High Integrity Computing Laboratory, who scrutinize viral code and extract sections of code with unusual patterns. The selected byte patterns then constitute the signature of the virus.21 The scanner announces a match with its database of known viral signatures as a possible virus.

18. DAVID HARLEY ET AL., VIRUSES REVEALED: UNDERSTAND AND COUNTER MALICIOUS SOFTWARE 406-10 (2001).

19. See, e.g., DENNING & DENNING, supra note 5, at 90-93; DUNHAM, supra note 1, at 78-83, 102-08.

The virus signature pattern is selected to be a reliable indicator of the presence of a virus. An ideal virus signature gives neither false negatives nor false positives.22 In other words, it should ideally always identify the virus when present and never give a false alarm when it is not.23 The IBM High Integrity Computing Laboratory has developed an optimal statistical signature extraction technique that examines all sections of code in a virus and selects the byte strings that minimize the incidence of false positives and negatives.24

Scanners are easy to use, but they are limited to detecting known virus signatures. A scanner's signature database has to be continually updated, a burdensome requirement in an environment where new viruses appear rapidly. Use of scanners is further complicated by the occurrence of false positives. This occurs when a viral pattern in the database matches code that is in reality a harmless component of otherwise legitimate data. A short and simple signature pattern will be found too often in innocent software and produce many false positives. Viruses with longer and more complex patterns will less often give a false positive, but at the expense of more false negatives.25 Finally, as the number of known viruses grows, the scanning process will inevitably slow down as a larger set of possibilities has to be evaluated.26
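The signature-length trade-off just described, shown as an added example (this is not code from the article): a small scanner whose database holds one short and one long hex signature. The hex patterns, the "??" one-byte wildcard convention, the strain names Short.Demo and Long.Demo, and the clean, infected and variant sample files are all constructed for the illustration and describe no real strain.

```python
"""Signature scanner over a hex-pattern database (added example, not the article's code).

Each signature is a hex string; "??" stands for one wildcard byte (an assumed
convention, of the kind real scanners use for addresses that vary between
infections). The two signatures and all sample files are constructed for this
illustration and do not describe any real strain.
"""
from __future__ import annotations
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    name: str
    hex_pattern: str

    def regex(self) -> re.Pattern:
        """Compile the hex pattern into a bytes regex; "??" becomes '.'."""
        parts = []
        for i in range(0, len(self.hex_pattern), 2):
            byte = self.hex_pattern[i:i + 2]
            parts.append(b"." if byte == "??" else re.escape(bytes.fromhex(byte)))
        return re.compile(b"".join(parts), re.DOTALL)


# Constructed database. The short entry is just the x86 "call $+5; pop ebx"
# idiom that position-independent code of all kinds uses; the long entry adds
# the bytes that follow it in the hypothetical strain, with wildcards for the
# addresses that change between infections.
SIGNATURES = [
    Signature("Short.Demo", "e8000000005b"),
    Signature("Long.Demo", "e8000000005b81eb??????00b9??????008dbb??????00"),
]


def scan(data: bytes, signatures=SIGNATURES) -> list[str]:
    """Names of all signatures found in data, i.e. the scanner's 'possible virus' report."""
    return [s.name for s in signatures if s.regex().search(data)]


def false_positive_rate(clean_files: list[bytes], sig: Signature) -> float:
    """Fraction of known-clean files that a single signature would flag."""
    return sum(1 for f in clean_files if sig.regex().search(f)) / len(clean_files)


# Constructed samples: a known-clean corpus (two files happen to contain the
# call/pop idiom), one 'infected' file, and a variant of the strain in which
# a single instruction changed (mov ecx -> mov edx).
CLEAN_FILES = [
    b"MZ" + b"\x00" * 16 + bytes.fromhex("e8000000005bc3") + b"legit code",
    b"Hello, world\n",
    bytes.fromhex("e8000000005b81c300100000c3"),
    b"\x7fELF" + b"\x00" * 12 + b"ordinary binary",
]
INFECTED = (b"MZ" + b"\x00" * 8
            + bytes.fromhex("e8000000005b81eb05104000b9200000008dbb30104000")
            + b"payload")
VARIANT = INFECTED.replace(b"\xb9\x20\x00\x00\x00", b"\xba\x20\x00\x00\x00")


if __name__ == "__main__":
    print("infected:", scan(INFECTED))   # both signatures fire
    print("variant: ", scan(VARIANT))    # only the short one still matches
    for sig in SIGNATURES:
        print(f"{sig.name}: false-positive rate on clean corpus "
              f"{false_positive_rate(CLEAN_FILES, sig):.2f}")
```

Run over the constructed corpus, the short signature flags half of the clean files while the long one flags none; against the variant that changed one instruction, only the short signature still fires, which is the false-negative side of the same trade-off. Wildcards are the usual compromise: they keep a long signature stable across the bytes that legitimately vary while leaving the strain-specific opcode skeleton in place.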

20. HRUSKA, supra note 14, at 42.

21. Jeffrey O. Kephart et al., Automatic Extraction of Computer Virus Signatures, in PROCEEDINGS OF THE 4TH VIRUS BULLETIN INTERNATIONAL CONFERENCE 179-94 (R. Ford ed., 1994), at 2, available at http://www.research.ibm.com/antivirus/SciPapers/Kephart/VB94/vb94.html.

22. A false positive is an erroneous report of the activity or presence of a virus where thereis none. A false negative is the failure to report the presence of a virus when a virus is in factpresent.

23. HRUSKA, supra note 14, at 42. For short descriptions and hexadecimal patterns of selected known viruses, see id. at 43-52; Kephart et al., supra note 1, at 11 ("[A] signature extractor must select a virus signature carefully to avoid both false negatives and false positives. That is, the signature must be found in every instance of the virus, and must almost never occur in uninfected programs."). False positives have reportedly triggered a lawsuit by a software vendor, who felt falsely accused, against an antivirus software vendor. Id.

24. Kephart et al., supra note 21, at 179-94.

25. DUNHAM, supra note 1, at 78-83; Kephart et al., supra note 7. See also Sandeep Kumar & Eugene H. Spafford, A Generic Virus Scanner in C++, Technical Report CSD-TR-92-062, Dep't of Computer Science, Indiana University, at 6-8, available at ftp://Ftp.cerias.purdue.edu/pub/papers/sandeep-kumar/kumar-spaf-scanner.pdf.

26. See, e.g., Pete Lindstrom, The Hidden Costs of Virus Protection, Sw~ R~s. R~v. 5 (June


2. Activity Monitors

Activity monitors are resident programs that monitor activities in the computer for behavior commonly associated with viruses. Suspicious activities include operations such as attempts to rewrite the boot sector, format a disk, or modify parts of main memory. When suspicious activity is detected, the monitor may simply halt execution and issue a warning to alert the user, or take definite action to neutralize the activity.27 Activity monitors, unlike scanners, do not need to know the signature of a virus to detect it. They work for all viruses, known as well as unknown. Their function is to recognize suspicious behavior, regardless of the identity of the culprit.

The greatest strength of activity monitors is their ability to detect unknown virus strains, but they also have significant weaknesses. They can only detect viruses that are actually being executed, possibly after substantial harm has been done. A virus, furthermore, may become activated before the monitor code and thus escape detection until well after execution. A virus also may be programmed to alter monitor code on machines that do not have protection against such modification. A further disadvantage of activity monitors is the lack of unambiguous and foolproof rules governing what constitutes suspicious activity. This may result in false alarms when legitimate activities resemble viruslike behavior. Recurrent false alarms ultimately may lead users to ignore warnings from the monitor. Conversely, not all illegitimate activity may be recognized as such, leading to false negatives.28
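An activity monitor reduced to its rule set and run over a trace of operations, as an added example (not the article's code). The trace, the process names and the exemption list are constructed; a real monitor would collect these events by hooking interrupts or system calls rather than reading a list. The rules are the three suspicious operations the text names.

```python
"""Activity monitor run over a constructed event trace (added example, not the article's code).

A real monitor sits resident and hooks interrupts or system calls; here the
observed operations are a list of Event records built inline. The rules are
the suspicious operations the article names (rewriting the boot sector,
formatting a disk, modifying another program's memory); process names and
the 'allowed' exemption list are assumptions for the illustration.
"""
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Event:
    process: str
    op: str       # "write_file", "write_sector", "format", "write_memory"
    target: str


def is_suspicious(ev: Event) -> Optional[str]:
    """Return the rule that fires for this event, or None."""
    if ev.op == "write_sector" and ev.target == "sector0":
        return "boot sector rewrite"
    if ev.op == "format":
        return "disk format"
    if ev.op == "write_memory" and ev.target != ev.process:
        return "modifies another process's memory"
    return None


def monitor(trace: list[Event], allowed: frozenset[str] = frozenset(),
            halt_on_alarm: bool = True) -> tuple[list[tuple[str, str]], dict[str, int]]:
    """Apply the rules to the trace in order.

    Returns (alarms, executed). `alarms` lists (process, rule) pairs; `executed`
    counts the operations each process completed before being halted, which is
    the harm a behaviour monitor cannot prevent because it only sees a virus
    once it runs.
    """
    alarms: list[tuple[str, str]] = []
    executed: dict[str, int] = {}
    halted: set[str] = set()
    for ev in trace:
        if ev.process in halted:
            continue                     # its remaining operations never execute
        rule = is_suspicious(ev)
        if rule and ev.process not in allowed:
            alarms.append((ev.process, rule))
            if halt_on_alarm:
                halted.add(ev.process)
            continue
        executed[ev.process] = executed.get(ev.process, 0) + 1
    return alarms, executed


# Constructed trace. The first two writes are the virus infecting other
# executables; they look like ordinary file I/O, so no rule fires until the
# payload touches the boot sector. diskfmt.exe is a legitimate formatter.
TRACE = [
    Event("invoice.exe", "write_file", "C:\\tools\\a.exe"),
    Event("invoice.exe", "write_file", "C:\\tools\\b.exe"),
    Event("invoice.exe", "write_sector", "sector0"),
    Event("invoice.exe", "write_file", "C:\\tools\\c.exe"),
    Event("diskfmt.exe", "format", "D:"),
    Event("editor.exe", "write_file", "notes.txt"),
]


if __name__ == "__main__":
    alarms, executed = monitor(TRACE)
    print("alarms:", alarms)                 # invoice.exe caught, diskfmt.exe is a false alarm
    print("ran before halt:", executed)      # two hosts were already infected
    print("with diskfmt.exe exempted:", monitor(TRACE, allowed=frozenset({"diskfmt.exe"}))[0])
```

The two host infections in the trace run to completion before any rule fires, which is the weakness the paragraph describes, and the formatter's alarm is the kind of false positive that drives users to add exemptions; with `halt_on_alarm=False` (warn only) the virus's last infection also goes through.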

3. Integrity Checkers

Integrity checkers look for unauthorized changes in system areas and files. The typical integrity checker is a program that generates a code, known as a checksum, for files that are to be protected from viral infection. A file checksum, for instance, may be some arithmetic calculation based on the total number of bytes in the file, the numerical value of the file size, and the creation date. The checksum effectively operates as a signature of the file. These checksums are periodically recomputed and compared to the original checksum. Tampering with a file will change its checksum. Hence, if the recomputed values do not match the original checksum, the file has presumably been modified since the previous check and a warning is issued. Since viruses modify and change the contents of the files they infect, a change in the checksum may be a sign of viral infection.29 A checksum built only from attributes such as size and date is, however, easily preserved by an infector that overwrites bytes in place and restores the timestamp; a checksum computed over the full file content (in current practice a cryptographic hash) does not share that weakness.

2003) ("In this day of 80,000+ known viruses and frequent discovery of new ones, the size of the signature file can be large, particularly if the updates are sent out as cumulative ones. Large updates can clog the network pipelines ... and reduce the frequency that an administrator will push them out to the end users.").

27. Kumar & Spafford, supra note 25, at 3-4.

28. HRUSKA, supra note 14, at 75.

The advantage of integrity checking is that it detects most instances of viral infection, as infection must alter the file being infected. The main drawback is that it tends to generate many false alarms, as a file can change for legitimate reasons unrelated to virus infection.30 On some systems, for instance, files change whenever they are executed. A relatively large number of false alarms may trigger compliance lapses, as users may ignore warnings or simply not use the utility. Integrity checking works best on static files, such as system utilities, but is, of course, inadequate for files that naturally change frequently, such as Word documents.
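The baseline-then-verify cycle of an integrity checker in code, as an added example (not the article's code). It contrasts the attribute-only checksum the text describes with a digest over the file content, against a constructed infection that keeps size and timestamp intact, and shows the allow-list an operator uses for files that legitimately change. The temporary directory, the file names and their contents are all constructed.

```python
"""Integrity checker with baseline and verification passes (added example, not the article's code).

Two checksums are compared: the size-plus-timestamp value of the kind the
article describes, and a SHA-256 digest over the whole file content. The
directory, its files, the 'infection' and the legitimate edit are all
constructed inside a temporary directory so the script runs offline.
"""
from __future__ import annotations
import hashlib
import os
import tempfile
from collections.abc import Callable, Collection
from pathlib import Path


def weak_checksum(path: Path) -> str:
    """Size and modification time only: cheap, but an infector can preserve both."""
    st = path.stat()
    return f"{st.st_size}:{int(st.st_mtime)}"


def content_digest(path: Path) -> str:
    """SHA-256 over the full content; any changed byte changes the digest."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(root: Path, checksum: Callable[[Path], str]) -> dict[str, str]:
    """Record a checksum for every regular file under root, keyed by relative path."""
    return {p.relative_to(root).as_posix(): checksum(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify(root: Path, stored: dict[str, str], checksum: Callable[[Path], str],
           volatile: Collection[str] = ()) -> list[str]:
    """Files whose checksum no longer matches the baseline (deleted files included),
    skipping files the operator has declared as legitimately changing."""
    current = baseline(root, checksum)
    return sorted(name for name, value in stored.items()
                  if name not in volatile and current.get(name) != value)


def infect_preserving_size_and_mtime(path: Path, patch: bytes) -> None:
    """Constructed intrusive infection: overwrite bytes in place, then put the timestamp back."""
    st = path.stat()
    data = bytearray(path.read_bytes())
    data[:len(patch)] = patch            # same length, so st_size is unchanged
    path.write_bytes(bytes(data))
    os.utime(path, (st.st_atime, st.st_mtime))


def demo() -> dict[str, list[str]]:
    """Build the scenario and return what each checksum reports."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "util.exe").write_bytes(b"MZ" + b"\x90" * 64)
        (root / "report.doc").write_bytes(b"quarterly figures")
        weak = baseline(root, weak_checksum)
        strong = baseline(root, content_digest)

        infect_preserving_size_and_mtime(root / "bin" / "util.exe", b"MZ\xeb\xfe")
        (root / "report.doc").write_bytes(b"quarterly figures, revised")   # a user's edit

        return {
            "weak": verify(root, weak, weak_checksum),
            "strong": verify(root, strong, content_digest),
            "strong_allowlisted": verify(root, strong, content_digest, volatile={"report.doc"}),
        }


if __name__ == "__main__":
    for name, changed in demo().items():
        print(f"{name:>18}: {changed}")
```

The size-and-timestamp checksum reports only the user's edit and misses the infected utility; the content digest catches both, and the `volatile` allow-list is how an operator keeps Word documents and other naturally changing files from producing the false alarms the paragraph warns about. The baseline itself must be stored where the infector cannot rewrite it, or the comparison proves nothing.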

4. Heuristic Detection Methods

A fourth category of virus detectors uses heuristic detection methods. Heuristic rules are rules that solve complex problems fairly well and fairly quickly, but less than perfectly. Virus detection is an example of a complex problem that is amenable to heuristic solution. It has been proven mathematically that it is impossible to write a program that is capable of determining with 100 percent accuracy whether a particular program is infected with a virus, from the set of all possible viruses, known as well as unknown.31 Heuristic virus detection methods accept such limitations and attempt to achieve a solution, namely a detection rate that is acceptable, albeit below the (unachievable) perfect rate.

Heuristic virus detection methods examine executable code and scruti-nize its structure, logic, and instructions for evidence ofviruslike behavior.Based on this examination, the program makes an assessment of the like-lihood that the scrutinized program is a virus, by tallying up a score. In-structions to send an e-mail message with an attachment to everyone in anaddress book, for instance, would add significantly to the score. Otherhigh-scoring routines include capabilities to replicate, hide from detection,and execute some kind of payload. When a certain threshold score isreached, the code is classified as malevolent and the user so notified.

The assessment is necessarily less than perfect and occasionally provides false positives and negatives. Many legitimate programs, including even some antivirus programs, perform operations that resemble viruslike behavior.32 Nevertheless, state-of-the-art heuristic scanners typically achieve a 70 percent to 80 percent success rate at detecting unknown viruses.33

29. FITES ET AL., supra note 1, at 69-76 (Figures 5.2-5.5); DUNHAM, supra note 1, at 79. See also Kumar & Spafford, supra note 25, at 5-6.

30. FITES ET AL., supra note 1, at 125.

31. Diomidis Spinellis, Reliable Identification of Bounded-Length Viruses Is NP-Complete, 49:1 IEEE TRANSACTIONS ON INFORMATION THEORY 280, 282 (Jan. 2003) (stating that theoretically perfect detection is in the general case undecidable, and for known viruses, NP-complete); Nachenberg, supra note 1; see also Francisco Fernandez, Heuristic Engines, in PROCEEDINGS OF THE 11TH INTERNATIONAL VIRUS BULLETIN CONFERENCE 407-44 (Sept. 2001); David M. Chess & Steve R. White, An Undetectable Computer Virus, at http://www.research.ibm.com/antivirus/SciPapers/VB2000DC.htm.

A heuristic scanner typically operates in two phases. The scanning algorithm first narrows the search by, for instance, identifying the location most likely to contain a virus. It then analyzes the code from that location to determine its likely behavior upon execution. A static heuristic scanner, for instance, compares the code from the most likely location to a database of byte sequences commonly associated with viruslike behavior.34 The algorithm then decides whether to classify the code as viral.35
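The score-and-threshold logic of a static heuristic scanner, as an added example (not the article's code and not any vendor's engine). The indicators are reduced to byte strings standing in for what a real engine would derive from disassembly and import tables; the rule names, weights, threshold and the three sample files are constructed for the illustration.

```python
"""Static heuristic scorer (added example, not the article's code nor any vendor's engine).

A real engine derives its indicators from disassembly and imported API
names; here each indicator is reduced to a byte string looked up in the
file, and the weights and threshold are constructed for the illustration.
Samples are constructed too: a mass mailer, an antivirus-style tool, and an
ordinary editor.
"""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    needle: bytes
    weight: int


# Constructed rules. The heaviest weight goes to mailing the address book,
# the behaviour the article singles out; the byte string under
# "decryption loop" is an x86 'xor byte ptr [esi+eax], imm8', the kind of
# sequence a polymorphic unpacker uses.
RULES = [
    Rule("mails address book", b"MAPISendMail", 40),
    Rule("enumerates Outlook contacts", b"AddressLists", 30),
    Rule("writes executable files", b".exe", 15),
    Rule("injects into other processes", b"CreateRemoteThread", 20),
    Rule("decryption loop", b"\x80\x34\x06", 25),
    Rule("low-level disk access", b"\\\\.\\PhysicalDrive0", 20),
]
THRESHOLD = 50


def score(data: bytes, rules: list[Rule] = RULES) -> tuple[int, list[str]]:
    """Tally the weights of every rule that fires; return (score, names of fired rules)."""
    fired = [r for r in rules if r.needle in data]
    return sum(r.weight for r in fired), [r.name for r in fired]


def classify(data: bytes, threshold: int = THRESHOLD) -> str:
    """Apply the threshold the article describes: at or above it, the code is called malevolent."""
    total, _ = score(data)
    return "malicious" if total >= threshold else "clean"


# Constructed samples.
MASS_MAILER = b"MZ" + b"\x00" * 8 + b"AddressLists" + b"MAPISendMail" + b"copy.doc.exe"
ANTIVIRUS_TOOL = (b"MZ" + b"\x00" * 8
                  + b"\\\\.\\PhysicalDrive0"      # reads the boot sector to check it
                  + b"CreateRemoteThread"         # loads its real-time scanner into processes
                  + b"quarantine.exe")
TEXT_EDITOR = b"MZ" + b"\x00" * 8 + b"notepad.exe" + b"FileOpen"


if __name__ == "__main__":
    for label, sample in [("mass mailer", MASS_MAILER),
                          ("antivirus tool", ANTIVIRUS_TOOL),
                          ("text editor", TEXT_EDITOR)]:
        total, fired = score(sample)
        print(f"{label:>14}: {total:3d} -> {classify(sample):9s} {fired}")
```

The antivirus-style sample crosses the threshold on disk access, process injection and executable writes alone, reproducing the false positive that footnote 32 describes; raising the threshold to 60 clears it, at the price of missing leaner variants of real malware. That tension between the two error rates is what the weights and threshold of a production engine are tuned against.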

A dynamic heuristic scanner uses central processing unit (CPU)36 emulation. It typically loads suspect code into a virtual computer, emulates its execution, and observes its behavior. Because it is only a virtual computer, viruslike behavior can safely be observed in what is essentially a laboratory setting, with no need to be concerned about real damage. The program is monitored for suspicious behavior while it runs.37

Although dynamic heuristics can be time-consuming due to the relatively slow CPU emulation process, they are sometimes superior to static heuristics. This will be the case when the suspect code (i) is obscure and not easily recognizable as viral in its static state but (ii) clearly reveals its viral nature in a dynamic state.

A major advantage of heuristic scanning is its ability to detect viruses, including unknown strains, before they execute and cause damage. Other generic antivirus technologies, such as behavior monitoring and integrity checking, can only detect and eliminate a virus after exhibition of suspicious behavior, usually after execution. Heuristic scanning is also capable of detecting novel and unknown virus strains, the signatures of which have not yet been catalogued. Such strains cannot be detected by conventional scanners, which only recognize known signatures. Heuristic scanners are capable of detecting even polymorphic viruses, a complex virus family that complicates detection by changing their signatures from infection to infection.38

32. Fernandez, supra note 31, at 409 ("Many genuine programs use sequences of instruc-tions that resemble those used by viruses. Programs that use low-level disk access methods,TSRs, encryption utilities, and even anti-virus packages can all, at times, carry out tasks thatare performed by viruses.").

33. Nachenberg, supra note 1, at 7.

34. Certain byte sequences, for instance, are associated with decryption loops to unscramble a polymorphic virus when an infected routine is executed. If it finds a match, e.g., the scanner detects the presence of a decryption loop typical of a polymorphic virus, it catalogues this behavior.

35. Kumar & Spafford, supra note 25, at 4-5 ("Detection by static analysis/policyadherence.").

36. The CPU, or central processing unit, of a computer is responsible for data processing and computation. See, e.g., HRUSKA, supra note 14, at 115; D. BENDER, COMPUTER LAW: EVIDENCE AND PROCEDURE § 2.02, at 2-7, 9 (1982).

37. Kumar & Spafford, supra note 25, at 4.

38. Polymorphic viruses have the ability to "mutate" by varying the code sequences written


The explosive growth in new virus strains has made reliable detection and identification of individual strains very costly, making heuristics more important and increasingly prevalent.39 Commercial heuristic scanners include IBM's AntiVirus boot scanner and Symantec's Bloodhound technology.

We now turn to a formal analysis of negligence in a virus context.

III. VIRUS INFECTION AS NEGLIGENCE CAUSE OF ACTION

A product, a service, or conduct cannot and does not have to be perfectly safe to avoid liability. Society does not benefit from products that are excessively safe, such as bugfree software and automobiles built like armored cars and limited to top speeds of twenty miles per hour. Even if bugfree software were feasible, the resources consumed in achieving it would make the product prohibitively expensive when it is finally released, and also likely obsolete.

Society does not benefit from products that are too risky either. Society benefits most from an optimal level of safety.40 In this section, we explore the legal meaning of these concepts and the closely related question: how safe does a product, including an intangible such as a computer program, have to be to avoid liability?

Any risk in principle can be reduced or eliminated, at a cost. For manyrisks, this cost exceeds the benefit of the risk reduction. We call such risks"unavoidable." Risks that, on the other hand, can be reduced at a cost lessthan the benefit of the reduction are called "avoidable." Unavoidable risksprovide a net benefit to society and, as a matter of public policy, shouldnot be eliminated. The converse is true in the case of avoidable risks.

The law of negligence recognizes this distinction and limits liability to harm caused by avoidable risks. The primary legal meaning of the term negligence is conduct that is unreasonably risky; in other words, conduct that imposes an avoidable risk on society.41

to target files. To detect such viruses requires a more complex algorithm than simple pattern matching. See, e.g., DENNING & DENNING, supra note 5, at 89.

39. Nachenberg, supra note 1, at 9.

40. BENDER, supra note 36, at 8-41 to 8-42 n.108; C. CHO, AN INTRODUCTION TO SOFTWARE QUALITY CONTROL 4, at 12-13 (1980) (a software provider is under a duty to invest resources in program debugging only up to the point where the cost of additional debugging would outweigh the benefits of further error reduction); Thomas G. Wolpert, Product Liability and Software Implicated in Personal Injury, DEF. COUNS. J. 519, 523 (Oct. 1993) ("By the time a product is completely debugged, or nearly so, most likely it is obsolete."). See also IVARS PETERSON, FATAL DEFECT 166 (1995) ("We live in an imperfect world . . . Absolute safety, if attainable, would . . . cost more than it's worth.").

41. PROSSER AND KEETON ON THE LAW OF TORTS, supra note 3, § 31; DOBBS, supra note 3, at 275 ("Negligence is conduct that creates or fails to avoid unreasonable risks of foreseeable harm to others."). The term also refers to the cause of action, namely the legal rules and procedures that govern a negligence lawsuit. Id. at 269.


The remainder of this section discusses and analyzes the legal principles that define the dividing line between avoidable and unavoidable risks, and applies the principles in the context of computer virus infection.42

The plaintiff in a negligence action has to prove the following elementsto establish his or her claim.

1. A legal duty on the part of the defendant not to expose the plaintiff tounreasonable risks.

2. A breach of the duty; namely, a failure on the part of the defendant toconform to the norm of reasonableness.

3. A causal connection between defendant’s conduct and plaintiff’s harm. Thiselement includes actual as well as proximate cause. Defendant’s negligenceis the actual cause of the plaintiff’s harm if, but for the negligence, the harmwould not have occurred. Proximate causation means that the defendant’sconduct must be reasonably closely related to the plaintiff’s harm.

4. Actual damage resulting from the defendant’s negligence.

We now turn to an analysis of these elements in a computer virus context.

A. Duty

The first step in a negligence analysis considers whether the defendant had a duty to the plaintiff to act with due care or, conversely, whether the plaintiff is entitled to protection against the defendant's conduct.43 But how and where do we draw the line that divides the plaintiffs who are entitled to such protection from those who are not? Professor Richard Epstein phrases the rhetorical question, "[w]ho, then, in law, is my neighbor?" He finds an answer in Donoghue v. Stevenson: My neighbors are "persons who are so closely and directly affected by my act that I ought reasonably to have them in contemplation as being so affected when I am directing my mind to the acts or omissions which are called in question."44

The courts frequently analyze the duty issue as a matter of public policy. A defendant has a duty to the plaintiff if a balancing of policy considerations dictates that the plaintiff is entitled to legal protection against the defendant's conduct.45 The policy benchmark is based on fairness under the contemporary standards of a reasonable person.46 Prosser succinctly summarizes, "[n]o better general statement can be made than that the courts will find a duty where, in general, reasonable persons would recognize it and agree that it exists."47

42. Liability for intentional transmission of a virus is governed by criminal law. A software provider who intentionally transmits a computer virus with the purpose of stealing, destroying, or corrupting data in the computer of his competitor may be prosecuted under criminal statutes such as the Computer Fraud and Abuse Act, 18 U.S.C. § 1030. This act is the principal federal statute governing computer-related abuses, such as transmission of harmful code.

43. PROSSER AND KEETON ON THE LAW OF TORTS, supra note 3, at 357 n.14.

44. Donoghue v. Stevenson, [1932] App. Cas. 562, 580 (H.L. Scot. 1932) (cited in RICHARD A. EPSTEIN, SIMPLE RULES FOR A COMPLEX WORLD 196 (1995)).

45. Brennen v. City of Eugene, 591 P.2d 719 (Or. 1979); Bigbee v. Pac. Tel. & Tel. Co., 183 Cal. Rptr. 535 (Ct. App. 1982); PROSSER AND KEETON ON THE LAW OF TORTS, supra note 3, at 358 ("[D]uty is not sacrosanct in itself, but is only an expression of the sum total of those considerations of policy which lead the law to say that the defendant is entitled to protection.").

In fleshing out the reasonable person policy benchmark of duty, courts consider factors such as the relationship between the parties, the nature of the risk, the opportunity and ability to take care, the public interest,48 and whether the defendant created the risk that caused the loss.49

Courts are more likely to recognize a duty in cases where the defendant possesses a "special relationship" with the plaintiff.50 A common carrier, for instance, has a duty to aid a passenger in trouble, an innkeeper to aid a guest, and an employer to aid an employee injured or endangered in the course of his employment.51 The law does not, however, impose a general duty to aid another human being who is in grave, even mortal, danger. A champion swimmer, for instance, is not required to help a child drowning before his eyes, nor is anyone required to warn someone about to stick his hand into a milling machine.52

Given the high level of awareness and publicity surrounding virus attacks and computer security, courts are likely to find that software providers and distributors generally do have a duty not to impose an unreasonable risk of viral infection on those foreseeably affected.53 A software provider, for instance, who invites customers to download a software product from a commercial website creates a risk that the software may contain a virus. Everyone who downloads the software is within the scope of the risk of virus infection and may have a cause of action if harmed by a virus.

46. Casebolt v. Cowan, 829 P.2d 352, 356 (Colo. 1992) ("The question whether a duty should be imposed in a particular case is essentially one of fairness under contemporary standards--whether reasonable persons would recognize a duty and agree that it exists."). See also Hopkins v. Fox & Lazo Realtors, 625 A.2d 1110 (N.J. 1993) ("Whether a person owes a duty of reasonable care toward another turns on whether the imposition of such a duty satisfies an abiding sense of basic fairness under all of the circumstances in light of considerations of public policy.").

47. PROSSER AND KEETON ON THE LAW OF TORTS, supra note 3, at 359.

48. Hopkins, 625 A.2d at 1110.

49. Weirum v. RKO Gen., Inc., 15 Cal. 3d 40, 46 (1975).

50. Lopez v. S. Cal. Rapid Transit Dist., 710 P.2d 907, 911 (Cal. 1985); see also Tarasoff v. Regents of Univ. of Cal., 551 P.2d 334, 342 (Cal. 1976).

51. PROSSER AND KEETON ON THE LAW OF TORTS, supra note 3, at 376, 377 nn.32-42.

52. Handiboe v. McCarthy, 151 S.E.2d 905 (Ga. Ct. App. 1966) (no duty to rescue child drowning in swimming pool); Chastain v. Fuqua Indust., Inc., 275 S.E.2d 679 (Ga. Ct. App. 1980) (no duty to warn child about dangerous defect in lawn mower).

53. FITES ET AL., supra note 1 at 141, 142 (Bulletin Board System operators provide a forum for exchange of information, data, and software. Hence, a BBS operator may have a duty to screen uploaded software for malicious components or, at least, warn users to use caution in using downloaded software.); Palsgraf v. Long Island R.R. Co., 162 N.E. 99 (N.Y. 1928) (establishing the precedent that a duty is extended only to those foreseeably affected). See also David L. Gripman, The Doors Are Locked but the Thieves and Vandals Are Still Getting In: A Proposal in Tort to Alleviate Corporate America’s Cyber-Crime Problem, 16 J. MARSHALL J. COMPUTER & INFO. L. 167, 170 (1997).

136 Tort Trial & Insurance Practice Law Journal, Fall 2004 (40:1)

B. Breach

"Breach of duty" refers to a violation of the duty to avoid unreasonablerisks of harm to others. The legal standard of reasonableness against whichthe defendant’s conduct is to be measured is known as the "reasonableperson" standard. The reasonable person standard imposes on all peoplethe duty to "exercise the care that would be exercised by a reasonable andprudent person under the same or similar circumstances to avoid or min-imize reasonably foreseeable risks of harms to others."54

Courts have interpreted the reasonable person standard in three broad ways.55 First, the reasonable person is endowed with characteristics, such as a certain level of knowledge and ability. The reasonable person has shortcomings that the community would tolerate but is otherwise a model of propriety and personifies the community ideal of appropriate behavior. He is allowed to forget occasionally, for instance, but is presumed never to do something "unreasonable" such as crossing the street on a red light at a busy intersection.56 The defendant’s conduct is then compared to that which can be expected from this hypothetical reasonable person. The defendant is considered to be in breach of her duty of due care if her conduct does not measure up to this standard.

Under a second interpretation of the reasonable person standard, a court may adopt rules of conduct, the violation of which is considered prima facie negligence. Violation of a statute, such as a speed limit, is an example of prima facie negligence.

Finally, courts define the reasonableness of a risk in terms of a balance of its costs and benefits.57 Under the cost-benefit approach, avoidable risks that can be eliminated cost-effectively are considered unreasonable. Failure to eliminate or reduce such risks constitutes a breach of duty. When harm results from an unavoidable risk, on the other hand, the defendant escapes liability.58

Professor Henry Terry appears to have been the first to define reasonableness of conduct in terms of a cost-benefit balancing.59 This approach is an analytical embodiment of the reasonable person standard, and has become part of mainstream negligence analysis.60 In fact, this is how courts actually decide negligence cases.61 Cost-benefit balancing applies naturally in a virus context, and the availability of cost-benefit models of viruses and antivirus defenses in the computer security literature makes it logical and feasible.62

54. O.W. HOLMES, THE COMMON LAW (1881) (the negligence standard is objective, "based on the abilities of a reasonable person, and not the actual abilities of individuals").

55. See generally DOBBS, supra note 3, at 279.

56. PROSSER AND KEETON ON THE LAW OF TORTS, supra note 3, § 32.

57. DOBBS, supra note 3, at 279.

58. PROSSER AND KEETON ON THE LAW OF TORTS, supra note 3, § 29 ("[A]n accident is considered unavoidable or inevitable at law if it was not proximately caused by the negligence of any party to the action, or to the accident.").

59. Henry Terry, Negligence, 29 HARV. L. REV. 40 (1915).

Courts apply the cost-benefit approach in a negligence case by focusing on precautions the defendant could have taken but did not.63 The courts impose on the negligence plaintiff the burden to specify an untaken precaution that would have prevented the accident, if taken. The defendant will then be considered negligent if the benefits of risk reduction provided by the pleaded precaution exceed its cost.64

The role of the untaken precaution in negligence law is well illustrated in Cooley v. Public Service Co.65 In Cooley, the plaintiff suffered harm from a loud noise over a telephone wire. She suggested two untaken precautions that would have prevented the harm, namely (i) a strategically positioned wire mesh basket and (ii) insulating the wires. The court ruled that neither untaken precaution constituted a breach of duty. Both precautions would have increased the risk of electrocution to passersby sufficiently to outweigh the benefits in harm reduction.

In a negligence case, more than one untaken precaution may have greater benefits than costs, and the plaintiff may allege several precautions in the alternative. The court may base a finding of negligence on one or more of the pleaded untaken precautions.66 The Cooley court noted that there may exist a cost-effective precaution, other than the ones actually pleaded, that would have satisfied the breach requirement. It is, however, the plaintiff’s burden to identify and plead such a precaution, if indeed it exists.

60. DOBBS, supra note 3, at 267.

61. Mark F. Grady, Untaken Precautions, 18 J. LEGAL STUD. 139 (1989) (courts actually decide negligence cases by balancing the costs and benefits of the untaken precaution).

62. See, e.g., Fred Cohen, A Cost Analysis of Typical Computer Viruses and Defenses, in COMPUTERS & SEC. 10 (1991).

63. Grady, supra note 61, at 139. The "untaken precautions" approach is how courts actually decide negligence cases. The positive economic theory of breach of duty posits that negligence law aims to minimize social cost. Under this theory, a software provider would escape liability by taking the cost-minimizing amount of precaution. The global social cost-minimization approach is a theoretical idealization, while the untaken precautions approach is a more realistic description of how courts actually determine negligence.

The seminal articles on the positive economic theory of negligence include John Brown, Toward an Economic Theory of Liability, 2 J. LEGAL STUD. 323 (1973); W. Landes & R. Posner, A Theory of Negligence, 1 J. LEGAL STUD. 29 (1972); S. Shavell, Strict Liability versus Negligence, 9 J. LEGAL STUD. 1 (1980).

64. Grady, supra note 61, at 139, 143 (1989) (the courts "take the plaintiff’s allegations of the untaken precautions of the defendant and ask, in light of the precautions that had been taken, whether some particular precaution promised benefits (in accident reduction) greater than its associated costs"); Delisi v. St. Luke’s Episcopal-Presbyterian Hosp., Inc., 701 S.W.2d 170 (Mo. Ct. App. 1985) (plaintiff had to prove physician’s breach of duty by specifying the antibiotic he should have been given).

65. 10 A.2d 673 (N.H. 1940).

66. In Bolton v. Stone, [1951] App. Cas. 850 H.L., the plaintiff was hit by a cricket ball and pleaded three untaken precautions, namely failure to erect a sufficient fence, failure to place the cricket pitch further from the road, and failure to prevent cricket balls from falling into the road.

The cost-benefit approach was first formally adopted by the courts in a decision by Judge Learned Hand, in United States v. Carroll Towing Co.67

In Carroll Towing, a barge broke loose and caused an accident. The accident could have been avoided if, for instance, the owner of the barge had had an employee on board who could have prevented the barge from breaking away. According to Judge Hand, "the owner’s duty . . . to provide against resulting injuries is a function of three variables: (1) The probability that [the barge] will break away; (2) the gravity of the resulting injury, if she does; [and] (3) the burden of adequate precautions."68

Denoting the burden of precaution by B, amount of harm by L, and the probability of harm by P, Judge Hand provided his celebrated formula: Liability would be imposed if B is less than the product of L and P; in other words, when the burden of precaution is less than the expected damages avoided.69

The negligence calculus weighs the cost of an untaken precaution against the value of the reduction in all foreseeable risks that the precaution would have achieved, not just the risk that actually materialized.70 In Judge Hand’s assessment, the benefit of the reduction in all foreseeable risks that would have resulted from having a bargee on board exceeded the cost of the bargee. The barge owner therefore breached his duty of due care by failing to have a bargee on board.

67. 159 F.2d 169 (2d Cir. 1947).

68. Judge Hand summarized the principles of negligence in Carroll Towing: "Since there are occasions when every vessel will break away . . . and . . . become a menace to those about her, the owner’s duty . . . to provide against resulting injuries is a function of three variables: (1) The probability that she will break away; (2) the gravity of the resulting injury if she does; (3) the burden of adequate precautions." Denoting the probability by P, the injury by L, and the burden by B, liability depends on whether B is less than P times L. Id. at 173.

69. See also Indiana Consol. Ins. Co. v. Mathew, 402 N.E.2d 1000 (Ind. Ct. App. 1980) (court discussed the factors involved in negligence analysis, without formally quantifying them, to reach decision that defendant’s action was reasonable).

70. See, e.g., RESTATEMENT (SECOND) OF TORTS § 281(b), cmt. e (1965): "Conduct is negligent because it tends to subject the interests of another to an unreasonable risk of harm. Such a risk may be made up of a number of different hazards, which frequently are of a more or less definite character. The actor’s negligence lies in subjecting the other to the aggregate of such hazards."

See also In re Polemis & Furness, Withy & Co., [1921] 3 K.B. 560 (C.A.). In Polemis, the defendant’s workman dropped a plank into the hold of a ship, causing a spark that caused an explosion of gasoline vapor. The resultant fire destroyed the ship and its cargo. The arbitrators found that the fire was an unforeseeable consequence of the workman’s act but that there was nevertheless a breach of duty. The key to the finding of negligence is the fact that courts base their analysis of untaken precautions on a balancing of all foreseeable risks (not just the risk that materialized) against the cost of the untaken precaution. In finding for the plaintiff in Polemis, Lord Justice Scrutton stated, "[i]n the present case it was negligent in discharging cargo to knock down the planks of the temporary staging, for they might easily cause some damage either to workmen, or cargo, or the ship [by denting it]." Id. at 577.

Like general errors, virus strains can be classified as avoidable or unavoidable. The transmission of a virus strain that a reasonably careful provider would detect and eliminate is an avoidable strain; an unavoidable strain is one that even due care would not have prevented. An example of an unavoidable virus is an unknown, complex strain that could only be detected and eliminated at unreasonably high cost, by, for instance, implementing expensive and sophisticated scanning techniques based on artificial intelligence technology. If the computing environment is such that the stakes are not particularly high, it may not be cost-effective to acquire and implement the expensive technology required to detect such a complex virus.

The universe of all virus strains therefore can be divided into an avoidable and an unavoidable subset, as illustrated in the following diagram.

[Diagram: All Virus Strains, partitioned into an Avoidable set and an Unavoidable set]

The following numerical example illustrates application of the cost-benefit principle to prove breach of duty in a virus context. A hypothetical commercial software provider uses a signature scanner71 to scan for viruses in her software products. A virus escapes detection and finds its way into a product sold to a customer. The virus causes harm in the computer system of the customer. The culprit virus is a novel strain that has been documented fairly recently for the first time. It was not detected because its signature was not included in the database of the software provider’s scanner.

The customer contemplates a negligence lawsuit. She must prove the defendant software provider’s breach of duty by showing that the defendant could have used an alternative cost-effective precaution that would have avoided the virus.

71. See Section II.B, Technical Antivirus Defenses, supra, for a discussion of technologies such as signature scanners.

The plaintiff has several pleading options. Potential untaken precautions include more frequent updating of the signature database, or perhaps use of a generic scanner that does not depend on an updated database. Each option has its own set of costs and benefits that have to be tallied to evaluate its cost-effectiveness in order to establish liability.

Consider, for instance, the plaintiff’s pleading that the software provider should have updated the signature database of her scanner more frequently. This incremental precaution (based on the numbers in this stylized example) is efficient, because doing so would add three cents to the firm’s average cost of production but would reduce the expected accident loss by eight cents. The numerical data for the example are summarized in Table 1, below.72

Table 1

Behavior of firm   Firm’s cost of production per unit   Probability of infection   Loss if infection   Expected loss   Full cost per unit
Current            40 cents                             1/100,000                  $10,000             10 cents        50 cents
Proposed           43 cents                             1/500,000                  $10,000             2 cents         45 cents

The first column lists the defendant’s alternative precautions, namely scanning at the current rate and scanning at the proposed increased rate, respectively. The second column lists the total production cost per unit of software for each precaution option. The third column lists the probabilities of virus transmission corresponding to the respective precautions; the fifth, the expected losses from a virus attack; and the final column, the full cost per unit of software product, namely production plus expected accident costs. We assume that a virus attack will result in expected damages of $10,000.

With the software provider’s current level of precaution, the production cost per unit is forty cents, the chance of an infection is 1/100,000, and the loss if an infection occurs is $10,000. The expected accident loss per unit therefore is ten cents (1/100,000 × $10,000), and the total cost per unit of software is fifty cents. If, on the other hand, the software provider implemented the proposed precaution pleaded by the plaintiff, the production cost would be forty-three cents, the probability of infection would decline to 1/500,000, and the expected loss would be two cents, giving a total cost per software unit of forty-five cents.

72. Based on an example in A.M. POLINSKY, INTRODUCTION TO LAW AND ECONOMICS 98 (Table 11) (1983).

Given this information, it is clear that the untaken precaution is efficient, and the plaintiff would prevail on the issue of breach. Although increasing the frequency of signature database updating to the level suggested by the plaintiff would increase production costs by three cents per unit, it lowers expected accident losses by eight cents.

C. Cause in Fact

A plaintiff must show that the defendant’s negligence was the cause in fact of the plaintiff’s harm. Courts usually employ the "but-for" test to determine cause in fact. Under this test, plaintiff’s failure to take a precaution is the cause in fact of the harm if the precaution would have avoided the harm. In other words, but for the precaution, the harm would not have occurred.

A plaintiff may fail the but-for test if she pleads the "wrong" untaken precaution. Suppose, for example, that a product manufacturer negligently fails to put a warning about a product hazard in the owner’s manual. A user of the product is subsequently injured because of the hazard. If the injured plaintiff admitted he had never read the manual, the manufacturer’s negligent failure to warn would not be a but-for cause of the customer’s injury. An unread warning would not have been helpful to the user.73

The but-for principle applies similarly in a virus context. Due care may dictate that a virus scanner signature database be updated once a month. If the defendant admits, or discovery shows, that he skipped a month, breach is easily established. If, however, the virus strain is a sufficiently novel variety, its signature would not have been included even in the skipped update. A scanner with a database updated at the due care level would still not have detected the particular strain that caused the harm. Failure to take this precaution constitutes breach of duty but is not an actual cause of the infection.

This hypothetical is illustrated in Figure 2, a timeline of events. The "dot" symbols (o) represent the defendant’s actual frequency of signature database updating. Each dot represents an update. The "cross" (x) symbols represent the plaintiff’s proposed frequency, the untaken precaution.

73. DOBBS, supra note 3, at 410. See also McDowall v. Great W. Ry., [1903] 2 K.B. 331 (C.A.), rev’g [1902] 1 K.B. 618 (An improperly secured railcar became loose and injured the plaintiffs. The court held that failure to secure the car behind its catchpoint constituted negligence but that the precaution would not have prevented the plaintiff’s injuries, as evidence suggested that they were determined to set the car free. The cause-in-fact requirement was therefore not met and the negligence action failed. Failure to take the pleaded untaken precaution constitutes negligence but was not the cause in fact of the accident. Hence, plaintiff’s negligence action properly failed.).

Figure 2

[Timeline: o = Defendant’s actual updating frequency; x = Plaintiff’s proposed updating frequency. Events marked along the timeline, in order: new virus strain comes into existence at this point; new strain infects plaintiff’s system; signature of new strain first incorporated in this update.]

In this illustration, failure to undertake the plaintiff’s pleaded untaken precaution is not the actual cause of the harm. As illustrated, the new virus strain appeared after an update, infected the plaintiff’s system, and caused harm before the next proposed update. The update prior to the virus’s appearance would not have contained its signature, and the subsequent update was too late. The culprit virus therefore could not have been detected, even with plaintiff’s proposed superior precaution, just as the unread manual, in the previous example, would not have prevented the plaintiff’s harm. The pleaded untaken precaution therefore fails on actual cause grounds, even though failing to take it does constitute a breach of duty.
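The breach analysis of Table 1 and the cause-in-fact timeline of Figure 2 can be run together as a small model. The Python below is an added example written for this edit, not code from the article or from any party to the cases it discusses. The cost, probability and loss figures are those of Table 1; the update intervals (60 days actual, 30 days pleaded), the year, the date the strain’s signature became available and the two infection dates are constructed for illustration, as are the names Precaution, hand_breach, update_schedule, would_have_detected and negligence_elements.

```python
"""Breach (Hand formula) and cause in fact (but-for) for an untaken antivirus
precaution.  Added worked example: the cost and probability figures are those
of Table 1; the update intervals and all dates are constructed."""
from dataclasses import dataclass
from datetime import date, timedelta
from fractions import Fraction


@dataclass(frozen=True)
class Precaution:
    """A level of care the software provider could adopt (one row of Table 1)."""
    name: str
    production_cost: Fraction   # dollars per unit of software shipped
    p_infection: Fraction       # P: probability that a shipped unit carries a virus
    loss_if_infected: Fraction  # L: the customer's loss if it does
    update_every_days: int      # signature refresh interval (constructed; not in Table 1)

    def expected_loss(self) -> Fraction:
        """Expected accident loss per unit, P x L."""
        return self.p_infection * self.loss_if_infected

    def full_cost(self) -> Fraction:
        """Production cost plus expected accident loss (last column of Table 1)."""
        return self.production_cost + self.expected_loss()


def cents(n: int) -> Fraction:
    return Fraction(n, 100)


# Table 1: the current scanning rate versus the plaintiff's proposed rate.
CURRENT = Precaution("current", cents(40), Fraction(1, 100_000), Fraction(10_000), 60)
PROPOSED = Precaution("proposed", cents(43), Fraction(1, 500_000), Fraction(10_000), 30)

# Constructed timeline for the Figure 2 hypothetical.
YEAR_START, YEAR_END = date(2004, 1, 1), date(2004, 12, 31)
SIGNATURE_PUBLISHED = date(2004, 3, 20)      # strain's signature first available
INFECTION_BEFORE_UPDATE = date(2004, 3, 25)  # harm before the next pleaded update
INFECTION_AFTER_UPDATE = date(2004, 4, 5)    # harm after a pleaded update would have run


def hand_breach(taken: Precaution, untaken: Precaution):
    """Hand's test on the incremental precaution: the burden B is the extra
    production cost, the benefit is the reduction in expected loss P x L.
    Returns (breach, B, benefit); breach is True when B < benefit."""
    burden = untaken.production_cost - taken.production_cost
    benefit = taken.expected_loss() - untaken.expected_loss()
    return burden < benefit, burden, benefit


def update_schedule(start: date, end: date, every_days: int) -> list:
    """Dates on which a database refreshed every `every_days` days is updated."""
    out, d = [], start
    while d <= end:
        out.append(d)
        d += timedelta(days=every_days)
    return out


def would_have_detected(updates: list, signature_published: date, infection: date) -> bool:
    """But-for test: the strain is caught only if some update ran after its
    signature existed and strictly before the infection."""
    return any(signature_published <= u < infection for u in updates)


def negligence_elements(taken: Precaution, untaken: Precaution,
                        signature_published: date, infection: date) -> dict:
    """Breach under Hand, plus cause in fact under the pleaded update schedule."""
    breach, _, _ = hand_breach(taken, untaken)
    actual = update_schedule(YEAR_START, YEAR_END, taken.update_every_days)
    pleaded = update_schedule(YEAR_START, YEAR_END, untaken.update_every_days)
    return {
        "breach": breach,
        "actual_schedule_detects": would_have_detected(actual, signature_published, infection),
        "cause_in_fact": would_have_detected(pleaded, signature_published, infection),
    }


if __name__ == "__main__":
    breach, b, pl = hand_breach(CURRENT, PROPOSED)
    print(f"B = ${float(b):.2f}, benefit = ${float(pl):.2f}, breach = {breach}")
    print(negligence_elements(CURRENT, PROPOSED, SIGNATURE_PUBLISHED, INFECTION_BEFORE_UPDATE))
    print(negligence_elements(CURRENT, PROPOSED, SIGNATURE_PUBLISHED, INFECTION_AFTER_UPDATE))
```

The first call reproduces the Figure 2 outcome: the pleaded schedule is efficient (B of three cents against an eight-cent benefit, so breach), yet no 30-day update falls between the signature’s publication and the infection, so cause in fact fails. The second call moves the infection past the next pleaded update, and only then do both elements hold. Exact fractions are used so that the cent figures compare exactly rather than through floating-point rounding.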

D. Proximate Cause

The plaintiff in a negligence action has to prove that the defendant’s breach was not only the cause in fact but also the proximate, or legal, cause of the plaintiff’s harm. The proximate cause requirement limits liability to cases where the defendant’s conduct is "reasonably related" to the plaintiff’s harm.74 Proximate cause may be absent, for instance, if the accident was due to the unforeseeable and independent intervention of a second tortfeasor. Absent proximate cause, the first tortfeasor would escape liability even if his breach and actual causation have been clearly demonstrated.

74. Proximate cause limitations on liability are imposed where, as a matter of principle, policy, and practicality, the court believes liability is inappropriate. See, e.g., the dissenting opinion of Judge Andrews, in Palsgraf v. Long Island R.R., 248 N.Y. 339, 352, 162 N.E. 99, 103 (1928): "What we do mean by the word ’proximate’ is that, because of convenience, of public policy, of a rough sense of justice, the law arbitrarily declines to trace a series of events beyond a certain point. This is not logic. It is practical politics."

A crisp formulation of the proximate cause requirement is that the realized harm must be within the scope of risk foreseeably created by the defendant, and the plaintiff must belong to the class of persons foreseeably put at risk by the defendant’s conduct.75

Proximate cause applies to two broad categories of cases, namely those involving (i) multiple risks and (ii) concurrent efficient causes.76 A multiple-risks case typically involves two risks, both of which would have been reduced by the defendant’s untaken precaution. The first is the primary risk, which was clearly foreseeable to a reasonable person, and the second an ancillary risk, which would not have been reasonably foreseeable. Suppose, for instance, a surgeon performs a vasectomy negligently and a child is born. The child grows up and sets fire to a house. The owner of the house sues the doctor for negligence. This is clearly a multiple-risks case. The primary risk consists of foreseeable medical complications due to the incompetent vasectomy, including an unwanted pregnancy. The ancillary risk is the (unforeseeable) risk that the conceived child may grow up to be a criminal.77 The proximate cause issue is whether the defendant should be held liable for the harm due to the ancillary risk.

A concurrent-efficient-causes case involves multiple causes, all of which are actual causes of the same harm.78 In a typical concurrent-efficient-causes case, an original wrongdoer and a subsequent intervening party are both responsible for the plaintiff’s harm. Suppose, for instance, a technician negligently fails to fasten the wheels of plaintiff’s car properly. A wheel comes off, leaving the plaintiff stranded on a busy highway. The stranded plaintiff is subsequently struck by a passing driver who failed to pay attention. The technician and the inattentive driver were both negligent and are both concurrent efficient causes of the plaintiff’s harm. The proximate cause issue is whether the second tortfeasor’s act should cut off the liability of the first.

Proximate cause is a dualism consisting of two separate doctrines or tests. One doctrine applies to multiple-risks cases and the other to concurrent-efficient-causes cases. When both situations, multiple risks as well as concurrent efficient causes, are present in the same case, both proximate cause doctrines apply and the requirements for both have to be satisfied for proximate cause to exist.79

75. DOBBS, supra note 3, at 444. See also Sinram v. Pennsylvania R.R. Co., 61 F.2d 767, 771 (2d Cir. 1932) (L. Hand, J.) ("[T]he usual test is . . . whether the damage could be foreseen by the actor when he acted; not indeed the precise train of events, but similar damage to the same class of persons.").

76. Grady, supra note 61, at 296 ("Proximate cause is a dualism.").

77. Based on a hypothetical in DOBBS, supra note 3, at 444.

78. Grady, supra note 61, at 299.

The reasonable foresight doctrine applies to cases of multiple risks, where a primary and ancillary risk both caused the plaintiff’s harm. This doctrine establishes the conditions under which the tortfeasor who created the primary risk will be held liable for actual harm that has resulted from the ancillary risk. The bungled vasectomy is a typical reasonable foresight case. The reasonable foresight doctrine determines whether the surgeon would be held liable for damage caused by the ancillary risk, namely the risk that an unwanted pregnancy may produce a future criminal.

The direct consequences doctrine of proximate cause applies to cases involving multiple efficient causes. The doctrine examines concurrent causes to determine whether the person responsible for the second cause has cut off the liability of the person responsible for the first cause. The "loose wheel" case is a typical direct consequences case. The direct consequences doctrine would determine whether the intervening tortfeasor (the inattentive driver who struck the stranded plaintiff) would cut off the liability of the original tortfeasor (the negligent automobile technician). Some accidents involve purely multiple risks, while others involve purely concurrent causes. In some cases, however, both doctrines apply.

Application of the two proximate cause doctrines is greatly simplified and clarified when we divide the cases to which they apply into distinct paradigms. We now turn to an analysis of the paradigms within each doctrine.

1. Paradigms in Direct Consequences Doctrine

The direct consequences doctrine is divided into five paradigms, namely (i) no intervening tort, (ii) encourage free radicals, (iii) dependent compliance error, (iv) no corrective precaution, and (v) independent intervening tort.80

The no intervening tort paradigm is the default paradigm. It preserves proximate cause if no tort by anyone else has intervened between the original defendant’s negligence and the plaintiff’s harm, as long as the type of harm was foreseeable. In this paradigm, the original tortfeasor is not only the direct cause of the harm but also the only wrongdoer. A speeding and unobservant driver who strikes a pedestrian walking carefully in a crosswalk is a clear example of a case within the no intervening tort paradigm.

Under the encourage free radicals paradigm, proximate cause is preserved if the defendant’s wrongdoing created a tempting opportunity for judgment-proof people. Proximate cause is preserved under the dependent compliance error paradigm if the defendant’s wrongdoing has increased the likelihood that the victim will be harmed by someone else’s inadvertent negligence. Proximate cause is broken under the no corrective precaution paradigm if a third party with an opportunity and duty to prevent the plaintiff’s harm intentionally fails to do so. Paradigm (v) cuts off the original tortfeasor’s liability if an independent intervening tort caused the plaintiff’s harm.

79. Id. at 298.

80. Id. at 301-21.

Encourage free radicals and dependent compliance error are the most interesting and relevant paradigms in a computer virus context. We now turn to a detailed analysis of these paradigms.

a. Encourage Free Radicals

Negligence law is the most basic form of safety regulation, but it is an ineffective deterrent against defendants who are shielded from liability by anonymity, insufficient assets, lack of mental capacity, or lack of good judgment. Such trouble-prone individuals are termed "free radicals" because of their tendency to bond with trouble. Examples of free radicals include children, anonymous crowds, criminals, mentally incompetent individuals, hackers, and computer virus authors.81 The deterrence rationale of negligence law would be defeated if responsible people who foreseeably encourage free radicals to be negligent were allowed to escape judgment by shifting liability to the latter. Common law negligence rules therefore preserve the liability of the responsible individuals.82

Satcher v. James H. Drew Shows, Inc.83 illustrates the free radicals paradigm. In Satcher, the plaintiff bought a ticket for a ride on the bumper cars in an amusement park. A group of mental patients on an excursion joined the plaintiff’s group. When the ride started, the patients converged on the defendant and repeatedly crashed into her from all angles, injuring her neck permanently. The plaintiff filed suit, alleging that the defendant owner and operator of the ride had been negligent in allowing the patients to target and injure her. The appellate court reversed the trial court’s decision for the defendant on the grounds that the defendant had encouraged free radicals.

Another free radicals case is presented by Weirum v. RKO General, Inc.84

The defendant radio station broadcast a contest in which a disk jockey would drive throughout Los Angeles. He would stop occasionally and announce his location on the radio. Teenagers would race to meet the disk jockey and he would give a prize to the first one who reached him. Eventually, two racing teenagers were involved in a road accident, killing the plaintiff’s decedent. There were two concurrent efficient causes of the accident, namely the organizers of the contest and the reckless teenage drivers. The radio station negligently encouraged the free radical teenagers to drive recklessly. The wrongdoing of the teenagers therefore did not cut off the defendant radio station’s liability. The defendant radio station was held jointly liable with the teens and, as the deeper pocket, likely paid most of the damages.

81. Id. at 306-12.

82. Id. at 308.

83. 177 S.E.2d 846 (Ga. Ct. App. 1970).

84. 539 P.2d 36 (Cal. 1975).

146 Tort Trial & Insurance Practice Law Journal, Fall 2004 (40:1)

(i) Limitations on Liability for Encouraging Free Radicals--The defendant will not be liable for encouraging free radicals unless she did so negligently.85 This implies that the behavior of the free radicals must have been ex ante foreseeable, the actions of the free radicals must not have gone far beyond the encouragement, and the opportunity created for them must have been relatively scarce, to hold the defendant liable.

The defendant’s act of encouragement would not amount to negligence unless the behavior of the free radicals was ex ante reasonably foreseeable. The defendant would not be liable for the actions of the free radicals if either they acted independently of the defendant’s actions or their behavior went far beyond the defendant’s encouragement. In Weirum, for instance, it must have appeared reasonably probable to the radio station that its contest would induce the kind of behavior that ultimately led to the accident, in order to hold the station liable. If one of the contestants had shot another in order to gain an advantage, the radio station would probably have escaped liability.86

If, besides the opportunity created by the defendant, several alternative opportunities were available to the free radical to cause the same or similar harm, the defendant’s encouragement likely did not significantly increase the probability of the harm. The defendant therefore may escape liability if the opportunity created for the free radicals is not particularly scarce. A person flashing a wad of $100 bills would probably not be liable for the harm caused by a fleeing thief who runs into and injures someone. Because of the availability to the thief of many other similar opportunities, the flash of money did not increase the likelihood of the type of harm that occurred. If the person had not flashed the money, a determined thief would have found another opportunity.87

The person encouraged by the defendant may be a responsible citizen and not a free radical at all. In such a case, the defendant would escape liability. If Bill Gates had responded to the Weirum radio broadcast by racing to collect the prize, his intervening conduct would have almost certainly cut off the defendant’s liability. Likewise, in the unlikely event that Bill Gates would use a virus kit to create a virus that exploits a weakness in Windows, the creator of the kit would escape liability. If, however, a free radical, such as a judgment-proof hacker, did the same, proximate causality would likely not be broken.

85. Grady, supra note 61, at 309 ("The pattern of EFR cases indicates that a defendant will not be liable for free radical depredations unless it negligently encouraged them.").

86. Id. at 308.

87. Id. at 310 ("The defendant, in order to be liable, must negligently provide some special encouragement of wrongdoing that does not exist in the normal background of incitements and opportunities.").

Computer Viruses and Civil Liability 147

(ii) Encouragement of Virus Authors--Virus authors, as the originators of dangerous malevolent software, are, directly or indirectly, responsible for the harm caused by their creations. As such, they are always potential targets of lawsuits related to the harm. Virus authors often receive technical assistance, such as access to virus kits on the Internet that allow creation of custom viruses. Such virus tool kits, which enable people who have no knowledge of viruses to create their own, are commonly available on the Internet. Some of these kits are very user-friendly, with pull-down menus and online help available. Such a kit was used, for instance, to create the infamous Kournikova virus.88

Although a virus kit is useful to someone who lacks technical proficiency, it is not particularly helpful to a technically skilled person. A skilled and determined virus author would not wait for a kit to appear on the Internet, just as a determined thief would not wait for someone to flash a wad of $100 bills before acting. The creator of a virus kit may escape liability if a technically competent person downloaded and used the kit to create a virus. Even if the technically competent virus author were a judgment-proof free radical, the fact that the kit did not provide a means or encouragement beyond resources already available to the author cuts off liability of the original creator of the kit.

Virus authors also get assistance and inspiration from existing viruses that can be easily copied and modified. Once an original virus is created, altered versions are usually much easier to create than the original. Such altered versions may have capabilities that make them more pernicious than the original.89 A virus named NewLove, for instance, was a more destructive variant of the LoveLetter virus. NewLove was polymorphic, which made its detection more difficult than LoveLetter’s. It also overwrote files on the hard disk that were not in use at the time of infection. Due to a (fortunate) programming error, NewLove could not spread as widely as LoveLetter, but it was much more destructive in computers to which it did spread.90

88. See, e.g., http://www.cknow.com/vtutor/vtpolymorphic.htm; Sarah Gordon, Virus Writers: The End of Innocence, IBM White Paper, http://www.research.ibm.com/antivirus/SciPapers/VB2000SG.htm (reporting the existence on the Internet of several sites with viruses in executable or source code form, available for download).

89. See, e.g., Jay Lyman, Authorities Investigate Romanian Virus Writer, at http://www.linuxinsider.com/perl/story/31500.html ("The amazing side of this peculiar situation is that two people are to stand trial for having modified original code of MSBlast.A (the first blaster worm), but the creator of the worm is still out there... Antivirus specialists concur in saying that such altered versions are not as difficult to create as the original."). The possibility of variants of well-known viruses has caused concern. Id. ("A senior official at the [FBI] told TechNewsWorld that there is concern about variants and the implications of additional virus writers.").

Virus authors are also encouraged and helped by a variety of network security flaws that allow and facilitate the transmission of viruses. The Blaster worm, for instance, exploited a security flaw in Microsoft’s Windows operating system to invade and crash computers.91

In practice, it is often easier to track down individuals who created opportunities for virus authors than the authors themselves. Virus kits are often posted on an identifiable Web page on the Internet and security flaws can be traced to the manufacturer, as in the case of the Microsoft Windows flaw. If virus authors are free radicals, individuals who create these opportunities for them would likely be the proximate cause of the harm. If they are not free radicals, their wrongdoing may be considered an independent intervening tort and, as such, will cut off liability of the encouragers.

(iii) Are Virus Authors Free Radicals?--Virus authors have properties commonly associated with free radicals. They are often judgment-proof and shielded by the anonymity of cyberspace. Virus authors are also increasingly turning to organized crime. Furthermore, virus attacks are underreported and underprosecuted, and the probability of catching a hacker or virus author is comparatively low. Virus authors appear undeterred by the threat of legal liability and often seem unconcerned about the problems caused by their creations. All these factors are consistent with a free radical profile.

The anonymity of the Internet is often exploited by cybercriminals. This complicates the task of detecting computer crimes and tracking down offenders. It also makes it harder to obtain evidence against a wrongdoer such as a virus author.92 Cyberspace provides the technology and opportunity to a skilled operator to assume different identities, erase digital footprints, and transfer incriminating evidence electronically to innocent computers, often without leaving a trace.93 Suppose, for instance, a virus were transmitted from the e-mail account of someone named Jill Smith and a copy of an identical virus were tracked down in the same account. This may look like a smoking gun but would likely not prove by a preponderance of the evidence that Jill is the actual culprit. Someone may have hacked into the Smith account, used it to launch a virus, and stored incriminating files in the account.94

90. K. Zetter, When Love Came to Town: A Virus Investigation, PC WORLD, Apr. 18, 2004, available at http://www.pcworld.com/news/article/0,aid,33392,00.asp.

91. Danny Penman, Microsoft Monoculture Allows Virus Spread, NEWSCIENTIST ONLINE NEWS, Sept. 25, 2003 ("[V]irus writers exploit human vulnerabilities as much as security flaws.").

92. Gordon, supra note 88 ("[T]racing a virus author is extremely difficult if the virus writer takes adequate precautions against a possible investigation."); Ian C. Ballon, Alternative Corporate Responses to Internet Data Theft, 471 PLI/Pat. 737, 739 (1997); M. Calkins, They Shoot Trojan Horses, Don’t They? An Economic Analysis of Anti-Hacking Regulatory Models, 89 GEO. L.J. 171 (2000).

In several cases, cyber rogues were apprehended because of their recklessness or vanity. In May 2000, a virus named LoveLetter was released into cyberspace. The virus first appeared in computers in Europe and Asia, hitting the European offices of Lucent Technologies, Credit Suisse, and the German subsidiary of Microsoft.95

When recipients clicked on the attachment in which it arrived, the virus sent copies of itself, via Microsoft Outlook, to everyone in the user’s address book. It would then contact one of four Web pages hosted on Sky Internet, an Internet service provider (ISP) located in the Philippines, from which the virus downloaded a Trojan horse. The Trojan horse then collected valuable usernames and passwords stored on the user’s system and sent them to a rogue e-mail address in the Philippines.96

Investigators tracked the origin of the LoveLetter virus by examining the log files of the ISP that hosted the Web pages from where the Trojan horse was auto-downloaded. Investigators were able to pierce the anonymity of cyberspace, in part because of clues revealed by the perpetrator, perhaps out of vanity, such as a signature in the virus code.97

93. See, e.g., Ted Bridis, Microsoft Offers Huge Cash Rewards for Catching Virus Writers, at http://www.securityfocus.com/news/7371 ("Police around the world have been frustrated in their efforts to trace some of the most damaging attacks across the Internet. Hackers easily can erase their digital footprints, crisscross electronic borders and falsify trails to point at innocent computers.").

94. M.D. Rasch, Criminal Law and the Internet, in THE INTERNET AND BUSINESS: A LAWYER’S GUIDE TO THE EMERGING LEGAL ISSUES (Computer Law Ass’n). Online version is available at http://www.cla.org/RuhBook/chp11.htm. See also BIZREPORT NEWS, Sept. 12, 2003 ("There are many ways for virus writers to disguise themselves, including spreading the programs through unwittingly infected e-mail accounts. The anonymity of the Internet allows you to use any vulnerable machine to launder your identity.").

95. The virus was written in Visual Basic code, the most common language for virus code, characterized by a "dot.vbs" extension. Many users did not observe the dot.vbs extension because the Windows default setting hides file extensions.

96. Zetter, supra note 90.

97. Investigators traced the origin of the posting to a prepaid account at Supernet, another ISP in the Philippines. The LoveLetter virus was launched from two e-mail accounts, but the prepaid account would have allowed the virus author to remain anonymous if he had not provided additional incriminating evidence to investigators. The perpetrator was eventually tracked down, in part because, perhaps out of vanity, he left a signature in the virus code. The signature consisted of his name, e-mail address, membership in an identifiable small programmer’s group, and hometown (Manila). The perpetrator also used his own home computer to launch the virus and dialed the ISP using his home telephone. This allowed the ISP to determine the telephone number from its call-in log files.


The anonymity of cyberspace has enabled virus authors to graduate from cyber-vandalism to organized crime. Virus writers are increasingly cooperating with spammers and hackers to create viruses to hack into computers to steal confidential information, often hiding their identity by spoofing the identity of the legitimate owner. Spammers are using viruses, for instance, to mass-distribute junk mail, by sending out viruses to take over computers and e-mail accounts and using them to mass-distribute spam messages.98 The owner of the hijacked computer usually does not know it has been hijacked, although there are often subtle indications, such as a slower Internet connection.99

To further enhance his anonymity, the spammer may use a remailer, i.e., a server that forwards electronic mail to network addresses on behalf of an original sender, who remains unknown. A remailer delivers the e-mail message without its original header, thus hiding the identity of the original sender from the recipient. This ensures almost total anonymity for the spammer.100

Virus authors appear to be undeterred by the threat of legal action. In a leading study on the subject, Dr. Sarah Gordon examined the correlation between the number of new viruses in the wild and high-profile prosecutions of virus authors as a measure of the deterrence value of prosecution. Dr. Gordon reports that high-profile prosecutions have had limited deterrent effect.101

98. The virus named "Sobig F," for instance, is programmed to turn a computer into a host that sends out spam e-mail messages, often without the knowledge of the owner. It is widely believed that half a million copies of the virus named AVF were sent by a spammer. Unlike Melissa, the AVF virus does not mail copies of itself out to everyone in the infected computer’s address book. Instead, AVF makes the infected computer an intermediary by opening a backdoor in the infected machine through which spammers can distribute their junk mail.

99. Spam Virus Hijacks Computers, BBC NEWS, at http://news.bbc.co.uk/1/hi/technology/3172967.stm; Jo Twist, Why People Write Computer Viruses, BBC NEWS, at http://news.bbc.co.uk/1/hi/technology/3172967.stm.

100. Spammers and Viruses Unite, BBC NEWS, at http://news.bbc.co.uk/1/hi/technology/2988209.stm (describing the hijacking program called Proxy-Guzu, which would typically arrive as a spam message with an attachment. Opening the attachment triggers it to forward information about the hijacked account to a Hotmail account. This information then enables a would-be spammer to route mail through the hijacked computer. The source of this spam would be very hard if not impossible to trace, especially if the spammer and the sender of the hijacking program employed anonymity-preserving techniques, such as a remailer.). See also Lyman, supra note 89 (referring to "the difficulty of tracking down virus writers, particularly when they are skilled enough to cover their digital tracks, [so that] few offenders are ever caught").

101. Gordon, supra note 88 (finding no evidence that such prosecutions have alleviated the virus problem, as measured by the rate of creation of new viruses in the wild subsequent to high-profile prosecutions). See also R. Lemos, ’Tis the Season for Computer Viruses (1999), at http://www.zdnet.co.uk/news/1999/49/ns-12098.html. It is well known that even after the author of the Melissa virus had been apprehended (and expected to be sentenced to a multiyear prison term), the appearance of new viruses on the Internet continued to proliferate and at an increasing rate.


Dr. Gordon’s conclusions were corroborated by another survey she undertook, in which virus authors and antivirus researchers were asked whether the arrest and prospective sentencing of the Melissa author would have any impact on the virus-writing community. All virus authors interviewed stated that there would be no impact, immediate or long-term, while the antivirus researchers were evenly split on the question. These results are consistent with those of comparable surveys by other researchers.102

For example, a subsequent survey suggests that new laws will result in more viruses than before. According to the survey results, a majority of virus authors would either be unaffected or actually encouraged by antivirus legislation. A number of them claimed that criminalization of virus writing would actually encourage them to create viruses, perhaps as a form of protest or civil disobedience.103

Laws against virus creation cannot be effective unless virus incidents are reported and perpetrators prosecuted. There is evidence that virus crimes are seriously underreported and, as a consequence, underprosecuted.104

Commenting on the ineffectiveness of the law to combat computer viruses, Grable writes, "[b]oth the federal and New York state criminal statutes aimed at virus terror are ineffective because ... [t]he combination of the lack of reporting plus the inherent difficulties in apprehending virus creators leads to the present situation: unseen and unpunished virus originators doing their damages unencumbered and unafraid."105

b. Dependent Compliance Error

The dependent compliance error paradigm applies where a defendant has exposed the plaintiff to the compliance error--relatively innocent, inadvertent negligence--of a third party. It preserves the liability of the original defendant when the compliance error results in injury to the plaintiff.

102. Gordon, supra note 88 (reference to a survey by A. Briney).

103. Id. (reference to DefCon survey).

104. Id. ("Minnesota statute §§ 609.87 to .89 presents an amendment which clearly defines a destructive computer program, and which designates a maximum (prison term of) ten years; however, no cases have been reported. Should we conclude there are no virus problems in Minnesota?"). See also Michael K. Block & Joseph G. Sidak, The Cost of Antitrust Deterrence: Why Not Hang a Price-Fixer Now and Then? 68 GEO. L.J. 1131, 1131-32 (1980); Stevan D. Mitchell & Elizabeth A. Banker, Private Intrusion Response, 11 HARV. J.L. & TECH. 699, 704 (1998).

105. Gordon, supra note 88 (quoting J. Grable, Treating Smallpox with Leeches: Criminal Culpability of Virus Writers and Better Ways to Beat Them at Their Own Game, 24 COMPUTERS & LAW (Spring 1996)). See also id. ("[G]iven the small number of virus writers who have been arrested and tried ... this lack of arrests is one of the primary indicators used by some to argue that laws are not a good deterrent."); Virus Writers Difficult to Find in Cyberspace, BIZREPORT NEWS (Sept. 2003) (reporting that it took eighteen days to track down the author of the Blaster worm, even though the author left a clear trail behind, including his alias stitched into the virus code, and references to a website registered in his name), available at http://www.bizreport.com/print.php?art_id=4917.


In Hairston v. Alexander Tank and Equipment Co.,106 a technician negligently failed to fasten the wheels of plaintiff’s car properly. A wheel came off, leaving the plaintiff stranded on a busy highway. The stranded plaintiff was subsequently struck by a passing driver whose attention had inadvertently lapsed. Liability of the original tortfeasor, the auto technician, was preserved, because he had put the plaintiff in a situation where he was exposed to a high likelihood of harm due to the compliance error of the inattentive driver.

This principle is particularly applicable to computer security. Consider, for instance, a computer security breach where a flaw, such as a buffer overflow, allowed a virus to penetrate a network.107 The security apparatus of the network fails to detect and eliminate the virus and it causes considerable harm to one or more computers in the network.

In situations such as this, the security lapse that allowed the virus to remain undetected in the system is foreseeable and likely due to a compliance error. The person responsible for the buffer overflow in the software, however, provided the opportunity, and thus exposed the users of the network to the security compliance error. Under the dependent compliance error paradigm, therefore, the liability of the person responsible for the buffer overflow will not be cut off, in spite of the intervention of the subsequent security lapse.
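The buffer overflow that this example and footnote 107 rely on, shown as an added illustration (this code is not from the article and does not reproduce any product it names): a fixed-size header field filled by an unchecked copy, beside a bounded version that rejects over-long input instead of overrunning the buffer. The "Subject" header, the 32-byte field size and the sample lines are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Fixed-size field for one mail header value (the size is an assumption for
   the example). The sender controls the value, so its length is unbounded. */
#define FIELD_CAP 32

/* Vulnerable form, the pattern footnote 107 describes: the value is copied
   with no length check. When strlen(value) >= FIELD_CAP the copy runs past
   the end of `field` into whatever the compiler placed next on the stack, and
   a sender who chooses the bytes can replace the saved return address with
   the address of code carried in the same message. Calling this on untrusted
   input is undefined behaviour; main() below only ever hands it a short value. */
void copy_field_unchecked(char *field, const char *value)
{
    strcpy(field, value);
}

/* The check the vulnerable form lacks: would `value` plus its terminating NUL
   exceed a FIELD_CAP-byte buffer? Returns 1 if an unchecked copy would overrun. */
int would_overflow(const char *value)
{
    return strlen(value) >= FIELD_CAP;
}

/* Hardened form: never writes beyond `cap` bytes, always leaves `field`
   NUL-terminated, and returns -1 instead of truncating when the value does
   not fit, so the caller can reject the message rather than process a
   mangled one. */
int copy_field_bounded(char *field, size_t cap, const char *value)
{
    size_t n = strlen(value);
    if (cap == 0) return -1;
    if (n >= cap) {
        field[0] = '\0';
        return -1;
    }
    memcpy(field, value, n + 1);  /* n + 1 copies the terminator too */
    return 0;
}

/* Parses one "Name: value" header line into `field` with the bounded copy.
   Returns 0 on success, -1 if the line is not that header or the value is
   too long for the field. */
int parse_header_line(const char *line, const char *name, char *field, size_t cap)
{
    size_t nl = strlen(name);
    if (strncmp(line, name, nl) != 0 || line[nl] != ':') return -1;
    const char *v = line + nl + 1;
    while (*v == ' ' || *v == '\t') v++;
    return copy_field_bounded(field, cap, v);
}

int main(void)
{
    /* Constructed sample input: a benign subject line and a hostile one whose
       value is 200 bytes of filler, standing in for the "appropriately coded
       e-mail message" the footnote mentions. */
    const char *benign = "Subject: quarterly report";
    char hostile[9 + 200 + 1];
    memcpy(hostile, "Subject: ", 9);
    memset(hostile + 9, 'A', 200);
    hostile[209] = '\0';

    char field[FIELD_CAP];

    copy_field_unchecked(field, "quarterly report");  /* 16 bytes: fits */
    printf("unchecked copy, short value: \"%s\"\n", field);
    printf("unchecked copy of hostile value would overrun: %s\n",
           would_overflow(hostile + 9) ? "yes" : "no");

    int rc = parse_header_line(hostile, "Subject", field, sizeof field);
    printf("bounded parse of hostile line: rc=%d (rejected, field empty)\n", rc);

    rc = parse_header_line(benign, "Subject", field, sizeof field);
    printf("bounded parse of benign line: rc=%d, field=\"%s\"\n", rc, field);
    return 0;
}
```

The bounded form refuses rather than truncates: silently cutting a value to 31 bytes keeps the program from crashing but still lets a sender control what the rest of the code sees, which is why rejecting the message is the safer default.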

The schematic diagram, below, summarizes the arguments in this section. It applies to a typical computing environment, such as the computer network in the preceding (buffer overflow) example. The rectangle, V, represents the entire universe of virus strains. The virus universe consists of avoidable viruses (virus strains that could be detected and eliminated at a cost less than its expected harm) and unavoidable viruses. In the diagram, the avoidable set is represented by the larger ellipse inside the rectangle, labeled V*, and the unavoidable set by the white area inside the rectangle but outside the ellipse, labeled V-V*.

[Figure: nested sets. Outer rectangle: all virus strains, V. Larger ellipse inside it: avoidable set, V*. Area of the rectangle outside the ellipse: unavoidable set, V-V*. Innermost ellipse: set actually avoided, V′. Grey ring between the two ellipses: set negligently transmitted, V*-V′.]

106. 311 S.E.2d 559 (N.C. 1984).

107. A buffer is a contiguous piece of memory, usually dedicated to temporary storage of data. A buffer overflow occurs when a program tries to store more data in a buffer than it has the capacity for. The extra information overflows into adjacent buffers, overwriting or corrupting the legitimate data in the adjacent buffers. A buffer overflow has been described as "very much like pouring ten ounces of water in a glass designed to hold eight ounces. Obviously, when this happens, the water overflows the rim of the glass, spilling out somewhere and creating a mess. Here, the glass represents the buffer and the water represents application or user data." Mark E. Donaldson, Inside the Buffer Overflow Attack: Mechanism, Method and Prevention, SANS INSTITUTE 2002 WHITE PAPER, available at http://www.sans.org/rr/whitepapers/securecode/386.php. System Administration, Audit, Network and Security (SANS) was founded in 1989 as a cooperative research and education organization, specializing in computer security training and education. Buffer overflow is an increasingly common computer security attack on the integrity of data. The overflowing data, for instance, may contain code designed to trigger specific actions, such as modify data or disclose confidential information. Buffer overflows are often made possible because of poor programming practices. An attacker exploits a buffer overflow by placing executable code in a buffer’s overflowing area. The attacker then overwrites the return address to point back to the buffer and execute the planted overflow code. A programming flaw in Microsoft Outlook, for instance, made it vulnerable to a buffer overflow attack. An attacker could invade a target computer and overflow a target area with extraneous data, simply by sending an appropriately coded e-mail message. This allowed the attacker to execute any code he desired on the recipient’s computer, including viral code. Microsoft has since created a patch to eliminate the vulnerability.

The innermost, smaller, and darker ellipse, V′, represents the possibility that an avoidable virus nevertheless may be transmitted into the computing environment. In the absence of negligence, no strain in V* will be transmitted. In the event of negligence of a party, such as a security flaw in a computer system or failure to use reasonable antivirus precautions, some strains in V* could enter the system, and only a subset of V* will be avoided. V′ represents the subset that will be avoided, and the rest of V*, the grey area, denoted (V*-V′), represents the strains in V* that may enter the system due to the negligence. Virus strains in (V*-V′), as a subset of V*, should be detected if due care were taken. They will not be detected, however, because they are outside of V′.

The remainder of this section argues that the set of negligently transmitted viruses, represented by (V*-V′), is large relative to the set of unavoidable viruses, represented by (V-V*). The outer boundary of (V*-V′) is defined by V*, and the inner boundary by V′. The larger V* (the "further out" the outer boundary) and the smaller V′ (the "further in" the inner boundary), the larger (V*-V′). We show in this subsection that V* is large relative to V and V′ is small relative to V*, resulting in a large (V*-V′). A virus attack therefore likely involves negligence.

Most cases of virus infection governed by the negligence rule involve a compliance error. A defendant who exposes a plaintiff to the negligence of a third party that results in a virus attack is therefore likely the proximate cause of the harm, under the dependent compliance error paradigm.


This explains why, in the previous buffer overflow example, courts would likely preserve the liability of an individual whose negligence was responsible for a buffer overflow in a computer system. The buffer overflow allowed a virus to enter the system and exposed users of the network to a compliance error by the network security administrator. The security person’s compliance error, namely failure to detect and eliminate the virus, allowed the virus to remain in the system and wreak havoc.

This conclusion remains valid, by a preponderance of the evidence, even in cases where the culprit virus cannot be reliably identified as avoidable or unavoidable. The reason is that most viruses are avoidable and their presence likely attributable to a compliance error. The key factors that drive this theory are that V* is large and V′ small.
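The set argument of the diagram and the preponderance claim just made can be written out in one place. This formalization is added here and is not the article’s own; the per-strain notation c(v) (cost of detecting and eliminating strain v), p(v) (probability that v strikes) and ℓ(v) (harm if it does) is assumed, and reading "preponderance" as a conditional probability over strains is the editor’s gloss, not the author’s. With V the universe of strains, the avoidable set is the set of strains for which the Hand formula makes detection worthwhile,

$$V^* = \{\, v \in V : c(v) < p(v)\,\ell(v) \,\},$$

the set actually avoided under the precautions in place is $V' \subseteq V^*$, and the three regions of the figure are

$$V \setminus V^* \ (\text{unavoidable}),\qquad V' \ (\text{avoided}),\qquad V^* \setminus V' \ (\text{negligently transmitted}).$$

A strain that has entered the system lies in $(V \setminus V^*) \cup (V^* \setminus V')$. If the culprit cannot be classified and is treated as drawn uniformly from that union, the chance that its entry involved negligence is

$$\Pr[\text{negligence} \mid \text{infection}] = \frac{|V^* \setminus V'|}{|V^* \setminus V'| + |V \setminus V^*|},$$

which exceeds $1/2$ exactly when $|V^* \setminus V'| > |V \setminus V^*|$. The two factors named above do the work: $|V^*| \approx |V|$ makes the unavoidable term $|V \setminus V^*|$ small, and $|V'| \ll |V^*|$ makes the numerator nearly all of $V^*$, so the ratio sits well above one half.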

(i) V* Is Large--The Learned Hand formula, B = P × L, dictates that, to avoid liability, investment in antivirus precautions (B) should at least equal the expected harm avoided (P × L); under the formula, a defendant who omits a precaution whose burden B is less than P × L is negligent. In this subsection, we argue that V* is large for the following reasons. P × L is relatively large, so that the legally mandated precaution level, B, must be large. The efficiency and economy of antivirus technology indicate that a substantial investment in precautions will result in a large avoidable set, V*.

(ii) P × L Is Large--Expected harm from infection, P × L, is large, because the probability of virus infection, P, and the harm associated with virus infection, L, are both large. P is large because of the substantial and increasing prevalence of computer viruses on the Internet and in computer networks. L is large because of the unique nature and unusual destructive potential of viruses, both in an absolute sense, as well as compared to general computer security hazards.

(iii) P Is Large--Virus prevalence is substantial and increasing.108 According to the influential 2003 ICSA survey, 88 percent of respondents perceived worsening of the virus problem.109 Virus prevalence statistics in the survey support the pessimistic response. The following graph, constructed from data in the ICSA Survey, illustrates the trend of an increasing virus infection rate.

108. See, e.g., ICSA LABS 9TH ANNUAL COMPUTER VIRUS PREVALENCE SURVEY 2003, supra note 10, at 23 ("There is little doubt that the global virus problem is worsening. After a somewhat quiet year in 2002, 2003 arrived with a vengeance. Beginning with the Slammer worm in January, to Mimail and its many variants in December, we have seen one of the most eventful years ever for computer viruses. For the 8th year in a row, virus infections, virus disasters and recovery costs increased.").

109. Qualified respondents to the survey work for companies and government agencies with more than 500 PCs, two or more local area networks (LANs), and at least two remote connections.


[Graph: virus infection rate by year, 1996 through 2003, constructed from ICSA Survey data; vertical axis ticks at 50 and 100.]

The high and increasing infection rate, which is a direct proxy for the probability that any particular network will be hit by a virus attack during a given time interval, suggests a high value for P in the Learned Hand formula.

(iv) L Is Large--The expected harm associated with virus infection is significant, both in an absolute sense, as well as relative to general computer security hazards and hardware and software errors. The greater inherent danger of viruses is due to the generality, scope of harm, persistence, growing payload severity, and advances in the spreading mechanism of the virus threat.110

A typical traditional computer security breach is usually related to a particular identifiable weakness, such as a security flaw that allows unauthorized access to a hacker. Viral infection is a more general and more volatile security threat, which makes it harder to plan a comprehensive preventive strategy. It can enter the system or network in multiple ways, and any and every program or data file is a potential target. It can be programmed to carry virtually any conceivable resource-dissipating or destructive function, and to attach it to any part of a system or network.111

110. See generally COHEN, supra note 8, at 24-27; INST. FOR COMPUTER SEC. & ADMIN., ICSA LABS 6TH ANNUAL COMPUTER VIRUS PREVALENCE SURVEY 2000. For a detailed analysis and discussion of the nature and origins of the unusual danger level associated with virus infection, see Meiring de Villiers, Virus ex Machina Res Ipsa Loquitur, 1 STAN. TECH. L. REV., Section V.C (2003).

111. COHEN, supra note 8, at 24 ("The virus spreads without violating any typical protection policy, while it carries any desired attack code to the point of attack. You can think of it as a missile, a general purpose delivery system that can have any warhead you want to put on it. So a virus is a very general means for spreading an attack throughout an entire computer system or network.").


156 Tort Trial & Insurance Practice Law Journal, Fall 2004 (40:1)

The chameleonlike evolution of virus technology poses unique challenges to virus detection and elimination efforts. The shape and form of viral attacks evolve continuously, as evidenced by the appearance of a progression of stealth, polymorphic, macro, and e-mail viruses. Advances in computer technology continuously open up new opportunities for virus writers to exploit. Malevolent software exploiting e-mail technology is a prime example. Conventional wisdom once reassured that it was impossible to become infected by a virus simply by reading an e-mail message. This wisdom was promptly shattered by advances in virus technology designed to exploit the unique characteristics, as well as obscure weaknesses and little-known flaws in new technologies. A family of viruses that exploited a weakness in the JavaScript technology, for instance, was programmed to infect e-mail attachments and, when the e-mail message was read, automatically compromise the computer system, without even having the user actually open the attachment.[112]

The release of a computer virus has been likened to opening a bag of feathers on a tall building on a windy day. The Scores virus, for instance, was created to target a large company, EDS, but ended up attacking several U.S. government agencies, including NASA and the Environmental Protection Agency.[113]

The scope of potential harm caused by computer viruses is unprecedented. In a typical conventional security breach, a hacker may access an account, obtain confidential data, and perhaps corrupt or destroy it. The damage could, of course, be substantial, but it is nevertheless limited to the value of the data and contained within the system or network hacked into. If, instead, a hacker accessed an account by releasing a virus into the system, the virus may spread across computers and networks, even to those not physically connected to the originally infected system.[114] Whereas the

112. ROGER A. GRIMES, MALICIOUS MOBILE CODE 394 (2001). JavaScript is a language developed by Netscape in collaboration with Sun Microsystems to increase interactivity and control on Internet Web pages, including the capability to manipulate browser windows. The JavaScript e-mail worm, JS.KAK, which appeared at the end of 1999, exploited an obscure Internet Explorer security flaw to disrupt computer systems and destroy data. It infects e-mail attachments and, when the e-mail message is opened, automatically compromises the computer system, without having the user open the attachment. A related, but less-well-known and shorter-lived e-mail virus, the so-called BubbleBoy, exploited a security hole in the Auto-Preview feature in Microsoft Outlook to send a copy of itself to every listing on the user's address list. BubbleBoy was one of the first attachment-resident viruses that did not require the user to open the attachment in order to do its harm.

113. A. Bissett & G. Shipton, Some Human Dimensions of Computer Virus Creation and Infection, 52 INT'L J. HUMAN-COMPUTER STUDIES 899, 903 (2000); E.L. LEISS, SOFTWARE UNDER SIEGE (1990).

114. See, e.g., Robin A. Brooke, Deterring the Spread of Viruses Online: Can Tort Law Tighten the "Net"? 17 REV. LITIG. 343, 361 ("The market now provides enough statistics indicating both high risk and potentially widespread damage from virus attacks, while either programming prevention or off-the-shelf capabilities to detect viruses may impose a proportionally


conventional hacker can destroy data worth, say, an amount D, releasing a virus to do the same job can cause this harm several times over by spreading into N systems, causing damage of magnitude N × D, where N can be very large. Although the two types of security breaches do similar damage in a particular computer, the virus's greater inherent danger is that it can multiply and repeat the destruction several times over.[115]

Dr. Fred Cohen provides a dramatic illustration: "Sitting at my Unix-based computer in Hudson, Ohio, I could launch a virus and reasonably expect it to spread through 40% of the Unix-based computers in the world in a matter of days. That's dramatically different from what we were dealing with before viruses."[116]

A worm, the so-called Morris Worm, designed and released by a Cornell University student, effectively shut down the Internet and other networks connected to it.[117] It was not designed to damage any data, but conservative estimates of the loss in computer resources and availability range between $10 million and $25 million.[118]

Dr. Cohen's statement was published more than a decade ago. Today, viruses spread much faster, and there is every indication that virus transmission will continue to accelerate. The 2003 ICSA report remarks, for instance, that whereas it took the early file viruses months to years to spread widely, subsequent macro viruses took weeks to months, mass mailers took

smaller burden."); id. at 348 ("Widespread proliferation of a virus originally undetectable becomes compounded very quickly. Independent actors along the transmission chain can be unaware of malevolent software residing in their computer, network, files, or disks, even if they use virus protection software, because the software may not sufficiently detect more sophisticated code."). See also ALLAN LUNDELL, VIRUS! vii (1989) ("Most mainframe computers can be successfully subverted within an hour. Huge international networks with thousands of computers can be opened up to an illicit intruder within days." (quoting Dr. Fred Cohen)); HRUSKA, supra note 14, at 13 ("[N]ew viruses are highly destructive, programmed to format hard disks, destroy and corrupt data. As viral infections become more and more widespread, the danger of damage to data is increasing at an alarming pace); id. at 14 ("The virus danger is here to stay. In the USA, the Far East and Africa it has already reached epidemic proportions ... In just three months in the Spring of 1989, the number of separately identifiable viruses increased from seven to seventeen.").

115. DUNHAM, supra note 1, at xx ("Just one virus infection can erase the contents of a drive, corrupt important files, or shut down a network.").

116. COHEN, supra note 8, at 25. See also GRINGRAS, supra note 4, at 58 ("A computer harboring a virus can, in a matter of hours, spread across continents, damaging data and programs without reprieve."). See also Bradley S. Davis, It's Virus Season Again, Has Your Computer Been Vaccinated? A Survey of Computer Crime Legislation as a Response to Malevolent Software, 72 WASH. U. L.Q. 379, 437 and accompanying text ("[A] user whose computer was infected could connect to an international network such as the Internet and upload a file onto the network that contained a strain of malevolent software. If the software was not detected by a scanning system ... on the host computer, infection could spread throughout the Internet through this simple exchange of data."); How Fast a Virus Can Spread, supra note 1, at 21.

117. For an account of the "Internet Worm Incident," see, e.g., ROGUE PROGRAMS, supra note 11, at 203.

118. FITES ET AL., supra note 1, at 51-52.


days, Code Red took approximately twelve hours, and Klez spread around the world in two and one-half hours.[119]

A third major distinction that makes viruses more dangerous than general security hazards is their persistence. A virus can never really be entirely eliminated from a system. Generally, when a programming error or security flaw is rectified, the specific problem can be considered eliminated from the system. In the case of viruses, however, one can never be sure that a particular virus is gone for good. An infected program may be deleted and restored from a backup, but the backup may have been made after the backed-up program was infected and, hence, contain a copy of the virus. Restoring the program will then also restore the virus. This may happen, for instance, in the case of a virus that lies dormant for a while. During its dormancy, periodic backups also will back up the virus. When the virus becomes active, deleting the infected program and restoring it from the backup will only repeat the cycle.[120] Even if the backup is not contaminated, any user of the system with an infected floppy disk or contaminated e-mail could reintroduce the virus into the disinfected system.[121]

Many virus strains tend to survive progressively new generations of software. Replacing an old, infected spreadsheet program with a new and clean version will temporarily eliminate the virus, but the new version will not be immune to the particular virus. If the virus makes its way back, perhaps via an e-mail attachment, it will eventually reinfect the new program.[122]

119. ICSA LABS 9TH ANNUAL COMPUTER VIRUS PREVALENCE SURVEY 2003, supra note 10, at 25.

120. Shane Coursen, How Much Is That Virus in the Window, VIRUS BULL. 15 (1996) (describing a common virus named Ripper that slowly modifies data while the data are being archived, resulting in corrupted backups); DUNHAM, supra note 1, at 129-30.

121. BROOKE, supra note 114, at 362 n.95 ("It is likely impossible to eradicate viruses completely. Simply disinfecting a computer system could cost a staggering amount. In 1990, computer infection in the United States alone was estimated to be one percent, or about 500,000 computers ... Unfortunately, even having a virus removed provides no guarantee of safety from further virus harm. In the United States, 90 percent of all infected users experience re-infection within 30 days of having the original virus removed."); Coursen, supra note 120, at 13 ("[T]he fix must be implemented in such a way that it is all-encompassing and simultaneous across infected sites. Tending to one site and neglecting another will surely allow a persistent virus to work its way back again."); id. at 16 ("Cleaning your program of a virus does not guarantee that it will not come by for another visit. Just one leftover diskette or program can have a snowball effect and start another virus outbreak. Within a matter of hours, the entire business could be under siege again. Any time spent cleaning up from the initial infection or outbreak can easily be lost in those few hours. The complete virus recovery process would have to be repeated.").

122. See, e.g., COHEN, supra note 8, at 27 ("Eventually you probably change every piece of software in your computer system, but the virus may still persist. When you go from DOS 2.01 to DOS 2.3, to 3.0, to 3.1 to 3.2 to 4.0 to 4.1 to 5.0 to 6.0 to OS/2, the same viruses that worked on DOS 2.01 almost certainly work on each of these updated operating systems. In fact, if you wrote a computer virus for the IBM 360 in 1965, chance[s] are it would run on every IBM-compatible mainframe computer today, because these computers are upwardly compatible."). Some viruses do become extinct over time, however. See, e.g., DUNHAM, supra


Converting infected documents to a later version often also automatically converts the virus to one compatible with the new format.[123]

The latest Internet worms and mass mail viruses have more staying power--they remain virulent longer and spawn more variants. When infections do occur, it takes longer and costs more to disinfect systems and recover from virus attacks.[124]

The 2003 ICSA Survey reports an increase not only in prevalence of virus attacks but also in the severity of disasters. The survey defines a "virus disaster" as "25 or more PCs infected at the same time with the same virus, or a virus incident causing significant damage or monetary loss to an organization."[125] In the 2002 ICSA survey, eighty respondents reported a disaster, while the 2003 survey reported ninety-two disasters. Average disaster recovery time increased slightly in 2003 over 2002. Recovery costs, however, increased significantly, by 23 percent, from a 2002 average of $81,000 to $100,000 in 2003.[126] The survey also reports a growth in severity of virus payloads and consequences of infection, as well as changes in attack vectors (modes of distribution), the latter exacerbating the volatility and unpredictability of the virus threat.[127]

The high danger rate associated with computer viruses makes them a potentially potent and destructive tool for a perpetrator of terrorism, industrial espionage, and white-collar crime.[128] U.S. security agencies are reportedly investigating the use of malicious software seriously as a strategic weapon,[129] and the Pentagon established a SWAT team, administered by the Computer Emergency Response Team Coordination Center, to combat destructive programs, such as the Morris Worm.[130]

note 1, at xxi ("[M]any older Macintosh viruses do not function correctly on System 7.0 or later. On PCs, many DOS file-infecting viruses are no longer as functional or successful in the Windows operating system. Still, older viruses continue to work on older operating systems and remain a threat for users of older systems.").

123. Bissett & Shipton, supra note 113, at 899, 902.

124. ICSA LABS 9TH ANNUAL COMPUTER VIRUS PREVALENCE SURVEY 2003, supra note 10, at 24.

125. Id. at 1.

126. "For the eighth year in a row, our survey respondents report that viruses are not only more prevalent in their organizations, but are also more destructive, caused more real damage to data and systems, and are more costly than in past years. This despite increases in their use of antivirus products, improved updating and upgrading, better management of antivirus systems. Corporations are also spending more time, energy, and dollars in purchasing, installing, and maintaining antivirus products without achieving their desired results." Id.

127. Id. at 6.

128. FITES ET AL., supra note 1, at 50-53 (describing the use of viruses to perpetrate acts of sabotage, terrorism, and industrial espionage); COHEN, supra note 8, at 151-52; Clifford Stoll, Stalking the Wily Hacker, 31 COMMS. ACM 484 (1988).

129. Jay Peterzell, Spying and Sabotage by Computer, TIME, Mar. 20, 1989, at 25 (cited in ROGUE PROGRAMS, supra note 11, at 92 n.134).

130. ROGUE PROGRAMS, supra note 11, at 92 n.133.


In summary, the expected harm from a virus attack, P × L, is relatively large. Applying the Learned Hand formula, it follows that the legally mandated precaution level, B, must be large. We now argue that a large B implies a large avoidable set, V*. The essence of the argument is that a large avoidable set, V*, is (i) technologically feasible and (ii) legally mandated.

(v) A Large V* Is Technologically Feasible--Antivirus software became available soon after the first appearance of computer viruses and has become increasingly sophisticated and effective, in response to parallel advances in virus technology. Although it is impossible to identify the presence of a virus with 100 percent reliability,[131] state-of-the-art technology has achieved close to a perfect detection rate of known viruses, and a detection rate of unknown virus strains perhaps as high as 80 percent and growing. State-of-the-art heuristic virus scanners, for instance, are capable of detecting at least 70 to 80 percent of unknown viruses.[132]

Organizations such as Virus Bulletin, West Coast Labs, and others periodically publish evaluations of commercial antivirus products. Virus Bulletin,[133] an industry leader, uses a recently updated database of virus strains to test antivirus software for its so-called 100 Percent Award. Products receive this award if they successfully detect all the strains in the database, suggesting that they are capable of detecting virtually all known strains. Antivirus software that have consistently made this grade include products such as Norton AntiVirus, Sophos Anti-Virus, and VirusScan.[134]

West Coast Labs[135] evaluates antivirus software for their ability to detect as well as eliminate viruses. Products such as Norton AntiVirus, VirusScan, and F-Secure, among others, have recently been certified for their ability to detect and eliminate 100 percent of known virus strains.[136] Other organizations, such as the Virus Test Center at the University of Hamburg, regularly test antivirus software and publish their results, including a list of software with a 100 percent detection rate.[137]

Some of the most effective antivirus programs are available free of charge, at least for private users. Free software includes products such as VirusScan, which made Virus Bulletin's 100 Percent Award list and received similar honors from West Coast Labs. Norton AntiVirus, an antivirus product that has been similarly honored and that offers additional

131. Spinellis, supra note 31, at 280, 282 (stating that theoretically perfect detection is in the general case undecidable, and for known viruses, NP-complete).

132. Nachenberg, supra note 1, at 7; Fernandez, supra note 31; Alex Shipp, Heuristic Detection of Viruses Within e-Mail, in PROCEEDINGS 11TH ANNUAL VIRUS BULLETIN CONFERENCE, Sept. 2001.

133. See http://www.virusbtn.com.

134. DUNHAM, supra note 1, at 150-51 (Table 6.3).

135. See http://www.check-mark.com.

136. DUNHAM, supra note 1, at 154 (Table 6.6).

137. See http://agn-www.informatik.uni-hamburg.de/vtc/naveng.htm.


features such as a user-friendly interface, powerful scan scheduling options, heuristic technology for the detection of unknown strains, and SafeZone quarantine protection, is available at modest cost at the time of writing.[138]

A high detection rate is not limited to known virus strains. State-of-the-art heuristic scanners, such as Symantec's Bloodhound technology and IBM's AntiVirus boot scanner, are capable of detecting 70 to 80 percent of unknown viruses.[139] Heuristic technology is relatively inexpensive. Symantec's Bloodhound technology, for instance, is incorporated in the Norton AntiVirus product.[140]

The technological trend is towards greater sophistication and effectiveness and an increasing detection rate. IBM, for instance, a major center of virus research, has been awarded a patent for an innovative automatic virus detection system based on neural network technology.[141] The system uses artificial intelligence techniques that mimic the functioning of the human brain to enable it to identify previously unknown virus strains. The neural network is shown examples of infected and uninfected code (e.g., viral and uninfected boot sector samples) and learns to detect suspicious code. Care was taken to minimize the occurrence of false alarms. The system reportedly captured 75 percent of new boot sector viruses that had come out since its release, and generated two reports of false positives. Subsequent updates of the product were designed to eliminate false positives of the kind that occurred.

Ambitious research programs are under way that augur well for an even greater detection rate. The inventors of the IBM neural network technology view it as a precursor to an immune system for cyberspace that operates analogously to the human immune system. This envisioned cyber immune system will operate through the Internet to "inoculate" users globally to a virus within minutes of its initial detection.[142]

(vi) A Large V* Is Legally Mandated--Sophisticated antivirus technology makes a large V* feasible.[143] V* is a legal concept, though, and encompasses more than technological feasibility. V* is, by definition, the set of virus

138. At the time of writing (2004), the latest version of Symantec's Norton AntiVirus was available for less than $200. See also DUNHAM, supra note 1, at 158-59.

139. See discussion of heuristic detection technologies in Section II.B.4, supra.

140. See also http://www.symantec.com/nav/nav_mac/; DUNHAM, supra note 1, at 158-59.

141. Gerald Tesauro et al., Neural Networks for Computer Virus Recognition, 11:4 IEEE EXPERT 5-6 (Aug. 1996). See also Press Release, IBM, IBM Awarded Patent for Neural Network Technology, available at http://www.av.ibm.com/BreakingNews/Newsroom/97-10-27/.

142. J.O. Kephart et al., Computers and Epidemiology, 30:5 IEEE SPECTRUM 20-26 (May 1993).

143. A scanner with a properly updated signature database can detect close to 100 percent of known virus strains. Heuristic scanners, such as Symantec's Bloodhound technology, can detect 70 to 80 percent of unknown viruses. IBM's neural network virus detection technology can capture 75 percent of new boot sector viruses. Innovative research promises that the trend toward "perfect" virus detection and elimination will continue and perhaps accelerate.


strains whose elimination is both technologically feasible as well as cost-effective. This subsection draws on the economics of virus precaution to show that a large V* is not only technologically feasible but also cost-effective, hence within the scope of due care.

The Learned Hand formula, B ≥ P × L, dictates that, to avoid liability, investment in antivirus precautions, B, should at least equal the expected harm avoided, P × L. We have argued that the high danger level associated with virus attacks (L), as well as a significant and increasing probability of a virus attack (P), mandates a high investment in antivirus technology. We now explore estimates of the numerical value of P × L (and thus of B) and obtain a quantitative estimate of the proportion of all virus strains avoidable by the Learned Hand efficient level of precaution. This proportion is a direct estimate of the relative size of V*.

The ICSA survey reports that 92 of 300 respondents experienced at least one incidence of a virus disaster over the one-year survey period, with an average recovery cost of $100,000.[144] The survey states that the recovery cost figure likely underestimates the true cost by a factor of seven or eight, when considering direct as well as indirect costs.[145] An adjusted recovery cost figure per disaster, therefore, in reality, may be closer to $700,000 to $800,000. In addition to disasters, the survey data also show an average of 108 "ordinary" virus infections per month, per site.

If we take the recovery costs of a disaster to be $750,000 and 92/300 as the probability that a particular site will experience a disaster in a given year, then the ex ante expected annual monetary loss from a disaster is $230,000. This is a conservative estimate. It assumes, for instance, that each of the respondents who reported experiencing at least one disaster during the survey year did experience only one disaster. It also does not include the cost associated with ordinary infections (not disasters), which are much more numerous than disasters and also capable of significant damage.

A conservative estimate of the annual expected harm to an institution from virus attacks amounting to a disaster is $230,000. This corresponds to the term P × L in the Learned Hand formula and has to be balanced by the same amount of precaution, B, to avoid liability. How much protection does $230,000 buy? A recent competitive analysis of leading antivirus vendors shows that Symantec's premium antivirus product, the Symantec AntiVirus Enterprise edition, is available at a fee of approximately $700,000 for a four-year/5,000-seat license with premium support. A similar product, Sophos Corporate Connect Plus, is available for $156,250,

144. The survey defines a "virus disaster" as "25 or more PCs infected at the same time with the same virus, or a virus incident causing significant damage or monetary loss to an organization." ICSA LABS 9TH ANNUAL COMPUTER VIRUS PREVALENCE SURVEY 2003, supra note 10, at 1.

145. Id. at 2.


under similar terms.[146] Both Symantec and Sophos are recipients of Virus Bulletin's 100 Percent Award. Products receive this award if they successfully detect all the strains in a database compiled by Virus Bulletin, suggesting that they are capable of detecting virtually all known strains.[147]

These products also contain heuristic algorithms that enable them to detect more than 80 percent of unknown virus strains.

Assuming, conservatively, that the Sophos and Symantec products are capable of preventing 80 percent of disasters,[148] then an annual investment of between $39,000 (Sophos) and $175,000 (Symantec) in antivirus precautions (the four-year license fees spread over their term) will prevent expected damage amounting to 0.8 × $230,000 = $184,000 per year. Both antivirus products are cost-effective, and therefore within the scope of due care.
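The calculation of the preceding paragraphs, carried through as an added Python example (it is not the article's own code). It uses only the figures quoted above (92 of 300 sites, the $100,000 reported cost scaled to the $750,000 midpoint of the adjusted range, the Sophos and Symantec four-year license prices, and the assumed 80 percent prevention rate) and annualizes each license by dividing by its four-year term. The class and function names are mine, and the example goes one step beyond the text by also reporting a break-even prevention rate: the smallest fraction of disasters a product must stop for its annual cost B to remain within the Learned Hand standard.

```python
"""Learned Hand cost-benefit check for antivirus precaution.

Added illustration using the figures quoted in the text (ICSA Labs 2003
survey, Sophos TCO paper); it is not the article's own code.
Money values are U.S. dollars; B is expressed per year.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Precaution:
    name: str
    license_cost: float     # total price of the licence
    license_years: int      # term the price covers
    prevention_rate: float  # fraction of disasters assumed prevented (0..1)

    @property
    def annual_cost(self) -> float:
        """B in the Learned Hand formula, per year of the licence term."""
        return self.license_cost / self.license_years


def expected_annual_loss(disaster_sites: int, surveyed_sites: int,
                         cost_per_disaster: float) -> float:
    """P x L: share of surveyed sites that had a disaster, times its cost.

    Conservative in the same way as the text: a site reporting at least one
    disaster is counted as having had exactly one.
    """
    # multiply before dividing so the sample figures come out exact
    return cost_per_disaster * disaster_sites / surveyed_sites


def adjusted_recovery_cost(reported: float, factor: float) -> float:
    """Scale the reported direct cost by the survey's indirect-cost factor."""
    return reported * factor


def assess(precaution: Precaution, expected_loss: float) -> dict:
    """Compare B with the harm the precaution is expected to avoid.

    A precaution is within due care (cost-effective) when B is no greater
    than prevention_rate x P x L.  break_even_rate is the lowest prevention
    rate at which the same licence would still be justified.
    """
    harm_avoided = precaution.prevention_rate * expected_loss
    return {
        "name": precaution.name,
        "annual_cost": precaution.annual_cost,
        "harm_avoided": harm_avoided,
        "cost_effective": precaution.annual_cost <= harm_avoided,
        "break_even_rate": precaution.annual_cost / expected_loss,
    }


# Figures quoted in the text (ICSA Labs 2003 survey; Sophos TCO comparison).
DISASTER_SITES, SURVEYED_SITES = 92, 300
REPORTED_COST_PER_DISASTER = 100_000.0
INDIRECT_COST_FACTOR = 7.5          # midpoint of the survey's 7x-8x range
PRODUCTS = [
    Precaution("Sophos Corporate Connect Plus", 156_250.0, 4, 0.80),
    Precaution("Symantec AntiVirus Enterprise", 700_000.0, 4, 0.80),
]


def run_assessment() -> list:
    """Assess every product against the survey-derived expected loss."""
    loss = expected_annual_loss(
        DISASTER_SITES, SURVEYED_SITES,
        adjusted_recovery_cost(REPORTED_COST_PER_DISASTER, INDIRECT_COST_FACTOR))
    return [assess(p, loss) for p in PRODUCTS]


if __name__ == "__main__":
    for r in run_assessment():
        print(f"{r['name']}: B=${r['annual_cost']:,.0f}/yr, avoids "
              f"${r['harm_avoided']:,.0f}/yr, cost-effective={r['cost_effective']}, "
              f"break-even prevention rate={r['break_even_rate']:.0%}")
```

Run as a script it prints both products as cost-effective; the break-even figures show why the text calls 80 percent conservative for the cheaper product and why the margin is narrow for the more expensive one (it needs roughly a 76 percent prevention rate to justify its annual cost against a $230,000 expected loss).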

The detection of most viruses is not only technologically feasible but also cost-effective. Most virus strains belong to V*. In fact, at least 80 percent, perhaps in excess of 90 percent, of all strains, known as well as unknown, belong to V*. Having established that V* is large, we now argue that V' is small.

(vii) V' Is Small--The diagram, below, represents the avoidable and unavoidable virus strains associated with a typical computing environment. V* represents the avoidable set, as previously defined, and V' represents the set of viruses that will actually be prevented.

[Diagram: three nested sets. Outer: All Virus Strains, V. Middle: V* (Avoidable Set). Inner: V' (Actually Avoided Set).]

V' is smaller than V*, because a rational, profit-maximizing defendant, such as a software provider, has an economic incentive to fall short of the

146. Total Cost of Ownership: A Comparison of Anti-Virus Software, SOPHOS WHITE PAPER, available at http://www.sophos.com/link/reportcio.

147. DUNHAM, supra note 1, at 150-51 (Table 6.3).

148. The 80 percent figure is a conservative estimate. The technology we discuss is capable of detecting and eliminating at least 80 percent of unknown viruses and virtually 100 percent of known ones.


legal standard of due care, resulting in the transmission of some virus strains in V*. The grey area, between V* and V', represents the viruses that should be prevented, because they belong to V*, but will not be, because of the precautionary lapse. The precautionary lapse is likely due to an inadvertent compliance error.

c. Compliance Error

In order to understand the nature and origin of a compliance error, we distinguish between durable and nondurable precautions against harm. A durable precaution typically has a long service life, once it is installed. Use of a durable precaution must usually be complemented by shorter-lived, nondurable precautions, which have to be repeated more frequently than durable precautions. A medical example illustrates the distinction between durable and nondurable precautions. A kidney dialysis machine is a typical durable precaution. A dialysis machine has a long service life once it is installed, but it cannot function properly without complementary nondurable precautions, such as regular monitoring of the hemodialytic solution.[149]

Antivirus precautions consist of a durable as well as a nondurable component. Durable precautions, such as a virus scanner and signature database, must be complemented by nondurable precautions, such as regularly updating and maintaining the signature database and monitoring the output of the scanner.[150] A "compliance error" is defined as a deviation from perfect compliance with the (Learned Hand) nondurable precaution rate.[151]

A compliance error is efficient, even though the courts equate it to negligence. A rational, profit-maximizing entity such as a commercial software provider will systematically fail to comply with the legally required nondurable antivirus precaution rate.
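As an added example (not the article's code nor any vendor's tooling), here is a small audit of the nondurable precaution just described: given a required signature-update rate, it walks a log of observed update times over an audit period, reports every required update that was missed (each one a compliance error in the article's sense), and flags whether compliance was perfect, which is the standard the courts apply. The function names and the update timestamps are constructed for the illustration; the twice-daily cadence is a hypothetical requirement.

```python
"""Audit the nondurable side of antivirus precaution: was the signature
database refreshed at the required rate?  Added example with constructed
timestamps; not the article's own code nor any vendor's tooling."""
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

Lapse = Tuple[datetime, datetime]   # (last update seen, deadline that was missed)


def find_update_lapses(update_times: List[datetime], required_interval: timedelta,
                       period_start: datetime, period_end: datetime) -> List[Lapse]:
    """Return one lapse for every required update that did not happen.

    The schedule is anchored on the previous update (the period start counts
    as the first anchor): an update is due no later than required_interval
    after the last one.  A gap spanning k intervals yields k-1 lapses, and an
    update exactly at its deadline is on time.
    """
    lapses: List[Lapse] = []
    last = period_start
    deadline = last + required_interval
    for t in sorted(update_times):
        if t < period_start or t > period_end:
            continue                       # outside the audited period
        while t > deadline:                # deadline passed with no update
            lapses.append((last, deadline))
            last, deadline = deadline, deadline + required_interval
        last, deadline = t, t + required_interval
    while deadline <= period_end:          # no further updates before period end
        lapses.append((last, deadline))
        last, deadline = deadline, deadline + required_interval
    return lapses


def audit_signature_updates(update_times: List[datetime], required_interval: timedelta,
                            period_start: datetime, period_end: datetime) -> Dict:
    """Summarize compliance with the required update rate over the period."""
    lapses = find_update_lapses(update_times, required_interval, period_start, period_end)
    required = int((period_end - period_start) / required_interval)
    return {
        "required": required,
        "lapses": len(lapses),
        "compliance_rate": (required - len(lapses)) / required if required else 1.0,
        # the courts' standard from the text: any single lapse is negligence
        "perfect_compliance": not lapses,
        "lapse_deadlines": [deadline for _, deadline in lapses],
    }


# Constructed log: twice-daily updates over nine days, with three slots missed.
PERIOD_START = datetime(2004, 1, 1)
PERIOD_END = datetime(2004, 1, 10)
REQUIRED_INTERVAL = timedelta(hours=12)
_missed = {datetime(2004, 1, 4, 12), datetime(2004, 1, 7, 0), datetime(2004, 1, 7, 12)}
UPDATE_LOG = [PERIOD_START + REQUIRED_INTERVAL * i for i in range(1, 19)]
UPDATE_LOG = [t for t in UPDATE_LOG if t not in _missed]


if __name__ == "__main__":
    report = audit_signature_updates(UPDATE_LOG, REQUIRED_INTERVAL, PERIOD_START, PERIOD_END)
    print(f"required updates: {report['required']}, missed: {report['lapses']}, "
          f"compliance: {report['compliance_rate']:.1%}, perfect: {report['perfect_compliance']}")
    for deadline in report["lapse_deadlines"]:
        print("  missed update due", deadline.isoformat())
```

The compliance rate it reports (15 of 18 updates performed) is the kind of figure a profit-maximizing operator would consider acceptable; the `perfect_compliance` flag is the court's view, and it is false as soon as a single deadline is missed.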

(i) Compliance Error Is Rational--Results in the law and economics literature predict that there will be no negligent behavior under a negligence rule of liability, in the absence of errors about legal standards, when precaution is not random and when private parties have identical precaution costs.[152] It seems, therefore, that the frequent occurrence of negligence in society must be explained in terms of nonuniform precaution costs, or errors by courts and private parties about the relevant legal standards, or that precaution has a random or stochastic component.

149. Mark F. Grady, Why Are People Negligent? Technology, Nondurable Precautions, and the Medical Malpractice Explosion, 82 NW. U. L. REV. 293, 299 (1988).

150. A scanner reads software code and searches for known virus patterns that match any of the viral patterns in its database. See Section II.B, supra, for a review of virus detection technologies.

151. Mark F. Grady, Res Ipsa Loquitur and Compliance Error, 142 U. PA. L. REV. 887.

152. Id. at 889-91.


Dean Mark Grady has argued that none of these theories explains the prevalence of negligence entirely satisfactorily. Grady has proposed a theory according to which there is a pocket of strict liability within the negligence rule. According to the theory, a rational injurer may find an occasional precautionary lapse economically efficient and thus preferable to perfectly consistent compliance with the legal standard of due care. The frequency of such lapses will increase as the due care standard becomes more burdensome. The occasional lapse is rational and profit maximizing, as we argue below, but will nevertheless be classified as negligence by the courts, because of the courts' inability to distinguish between efficient and inefficient lapses.

The level of investment in durable and nondurable antivirus precautions required by negligence law is determined according to the Learned Hand formula.[153] Scanners, for instance, come in a variety of degrees of sophistication (and cost), ranging from basic systems that detect only known strains, to heuristic artificial intelligence-based systems capable of detecting polymorphic viruses and even unknown strains. The optimal Learned Hand level of investment in scanning technology would be determined by balancing the cost of acquiring and operating the technology against the expected harm avoided. The optimal nondurable precaution level, such as frequency of viral database updating, is determined similarly.

The courts require perfectly consistent compliance with the Learned Hand precautions to avoid a finding of negligence. If, for instance, the courts require a viral signature database to be updated twice daily, then even one deviation, such as one skipped update over, say, a two-year period, would be considered negligent.[154] When the courts apply the Learned Hand formula to determine an efficient precaution level and rate, the calculation weighs the costs and benefits of the precaution each time it is performed but ignores the cost of consistently performing it over time. Consider a numerical example. Suppose the cost of a daily update is $10, and the marginal benefit of the update is $11. Failure to perform even one such update would be viewed as negligence by the courts. Over, say, 300 days,

153. See Section II.B, supra, on breach of duty.

154. In Kehoe v. Central Park Amusement Co., 52 F.2d 916 (3d Cir. 1931), an amusement park employee had to apply a brake to control the speed of the car each time the rollercoaster came around. When he failed to do so once, the car left the track. The court held that the compliance error by itself constituted negligence, i.e., the court required perfect compliance and considered anything less as negligence. Id. at 917 ("If the brake was not applied to check the speed as the car approached . . . it was clear negligence itself."). For other cases, see Grady, supra note 151, at 901. In Mackey v. Allen, 396 S.W.2d 55 (Ky. 1965), plaintiff opened a "wrong" exterior door of a building and fell into a dark storage basement. The court held the owner of the building liable for failing to lock the door. But see Myers v. Beem, 712 P.2d 1092 (Colo. Ct. App. 1985) (an action brought against an attorney for legal malpractice, holding that lawyers are not required to be infallible).


166 Tort Trial & Insurance Practice Law Journal, Fall 2004 (40:1)

the courts expect 300 updates, because each of those updates, by itself, is Learned Hand efficient. However, the courts do not consider the cost of consistency, i.e., of never forgetting or lapsing inadvertently. Human nature is such that over a 300-day period, the person in charge of updating will occasionally inadvertently fail to implement an update.

Human nature, being what it is, dictates that perfection is (perhaps infinitely) expensive.[155] Perfect consistency, i.e., ensuring that 300 updates will actually be achieved over 300 days, would require additional measures, such as installing a monitoring device alerting the operator to a lapse, or perhaps additional human supervision, all of which are costly. Even assuming (heroically) that such measures would assure consistency, their cost may nevertheless be prohibitive to a rational software provider. Suppose, for instance, that such a measure would add an additional $2 to the cost of an update. The marginal cost of an update ($12) is now more than the marginal benefit ($11). Hence, perfect consistency is not in society’s interest.

An occasional lapse is also reasonable from the viewpoint of the software provider: The marginal cost of perfect consistency is greater than the marginal increase in liability exposure due to efficient negligence. The courts nonetheless would consider such an efficient lapse to be negligence. Courts act as if they ignore the additional cost of $2 to achieve perfect consistency. Efficient lapses can be expected to become more likely and more frequent, the more demanding and difficult the Learned Hand nondurable precaution rate, i.e., the more expensive perfect consistency becomes.[156]
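The provider’s calculus just described, written out with the article’s own figures as an added illustration (not part of the article). It assumes that a skipped update exposes the provider to expected liability equal to the $11 of expected harm that update would have avoided, and that without the $2 consistency measure the provider inadvertently skips some fraction $p$ of the 300 daily updates:

$$
\begin{aligned}
c &= \$10 \text{ (cost of one update)}, \qquad b = \$11 \text{ (expected harm one update avoids)}, \qquad k = \$2 \text{ (consistency measure, per update)}\\
\text{Court’s test, one update at a time:}\quad & b - c = \$1 > 0 \;\Rightarrow\; \text{every one of the 300 updates is required.}\\
\text{Social cost of perfect consistency:}\quad & c + k = \$12 > b = \$11 \;\Rightarrow\; \text{perfect consistency is inefficient.}\\
\text{Provider’s expected cost per day, perfect consistency:}\quad & c + k = \$12\\
\text{Provider’s expected cost per day, lapse rate } p:\quad & (1-p)\,c + p\,b = 10 + p\\
\text{Lapsing is cheaper whenever}\quad & 10 + p < 12 \;\Leftrightarrow\; p\,(b - c) < k,
\end{aligned}
$$

which holds for every $p \le 1$ with these figures: the net cost of inadvertent lapses, $p(b-c)$ (added liability exposure less the update costs saved), is at most $1 a day and never reaches the $2 a day that guaranteeing consistency would cost, while a court that looks only at $b > c$ still records each lapse as negligence.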

A major reason for the courts’ insistence on perfect compliance, in spite of the inefficiency of such perfection, is that it is impossible or expensive to determine whether any given deviation from perfect compliance is efficient. Who can judge, for instance, whether a software provider or website operator’s mistake or momentary inattentiveness was an economic or uneconomic lapse? Courts, therefore, do not acknowledge efficient noncompliance where it is difficult to distinguish between efficient and inefficient noncompliance.

155. See, e.g., PETERSON, supra note 40, at 194 ("Even under the best of circumstances, our brains don’t function perfectly. We do forget. We can be fooled. We make mistakes. Although complete failures rarely occur, neural systems often suffer local faults.").

156. The policy rationale behind the courts’ insistence on perfect compliance was expressed by Lord Denning in Froom v. Butcher, 3 All E.R. 520, 527 (C.A. 1975) ("The case for wearing seat belts is so strong that I do not think the law can admit forgetfulness as an excuse. If it were, everyone would say: ’Oh, I forgot.’"). Instead of incurring the considerable measurement cost to distinguish between efficient and inefficient failures to comply, courts simply equate any and all noncompliance to negligence. See also Grady, supra note 151, at 906; W. LANDES & R. POSNER, THE ECONOMIC STRUCTURE OF TORT LAW 73 (1987). Courts tend to be forgiving, however, where the cost of ascertaining the efficiency of noncompliance is low or zero. In cases where the deviation is demonstrably efficient or unavoidable, such as an accident resulting from a defendant’s (provable) temporary physical incapacitation, courts have not imposed liability. See, e.g., cases cited in Grady, supra note 151, at 887 n.26. See also


We argue that an efficient lapse, a compliance error, in antivirus precautions is particularly likely, due to the nature of the technology and economics of viruses and virus detection.

(ii) Virus Transmission Likely Involves Compliance Error--Negligence in antivirus precautions can occur in two ways, namely durable precautions below the Learned Hand level and compliance errors.

A formal economic analysis of compliance error in the context of virus prevention has shown that a rational software provider will invest in durable antivirus precautions at the due care level required by negligence law. However, the provider will invest in nondurable precautions at a level below the due care level. It is cheaper to the provider to spend less on nondurable precautions and risk liability exposure, rather than incurring the even higher cost of achieving perfectly consistent compliance with the legally imposed due care standard.[157]

Rational agents therefore will not fail in durable precautions but will likely commit compliance errors. Investing in durable precautions up to the efficient Learned Hand level is profit-maximizing because such investment reduces the provider’s liability exposure by more than it costs. A compliance error is efficient due to the high cost of perfect consistency, hence, likewise profit-maximizing. Most negligent behavior on the part of rational, profit-maximizing software and service providers, therefore, will be the result of compliance errors.

We now argue that virus prevention technology is particularly susceptible to compliance error. Compliance error has a high likelihood where precautions are characterized by a high durable level, complemented by high levels and intense rates of nondurable precautions. These conditions make it harder to achieve perfectly consistent compliance with the due care standard and characterize virus prevention technology.

(iii) Antivirus Precautions Consist of Durable Precautions Complemented by a Significant Nondurable Component--Technical defenses against computer viruses consist of a durable precaution, complemented by essential nondurable precautions.[158] Durable antivirus precautions come in four main categories, namely pattern scanners, activity monitors, integrity monitors,

Ballew v. Aiello, 422 S.W.2d 396 (Mo. Ct. App. 1967) (finding defendant not liable for negligence because he was half asleep at the time he was allegedly negligent); Grady, supra note 151, at 887 n.59 ("For faints and other slips, it is possible for courts to judge whether they should have been avoided. Indeed, courts’ measurement of unusual slips reintroduces the negligence component back into the negligence rule.").

157. See de Villiers, supra note 110 (mathematical analysis of compliance error in virus context). See generally Grady, supra note 151 (seminal article on compliance error).

158. Cohen emphasizes the importance of nondurable precautions in an antiviral strategy: "Suppose we want to protect our house from water damage. It doesn’t matter how good a roof we buy . . . We have to maintain the roof to keep the water out. It’s the same with protecting information systems." COHEN, supra note 8, at 148.


and heuristic scanners.[159] The durable precautions are complemented by nondurable precautions. An activity monitor, for instance, halts execution or issues a warning when it senses viruslike behavior. This requires nondurable precautions in the form of human intervention, consisting of observation and interpretation of monitor alerts and an appropriate response.

Virus scanners operate by searching for virus patterns in executable code and alerting the user when an observed pattern matches a virus signature stored in a signature database. Nondurable precautions complementary to a scanner include regular maintenance and updating of the virus signature databases, monitoring scanner output, and responding to a pattern match. An inadequately maintained signature database would reduce the effectiveness of a scanner, and virus alarms are worthless if ignored.

Several factors make compliance burdensome. Integrity checkers and heuristic scanners produce fewer false negatives but far more false positives than regular scanners. A large number of false positives make compliance more burdensome and efficient lapses more likely. False positives tend to diminish the effectiveness of the antivirus strategy, perhaps to the point of undermining confidence in the precaution. If the probability of a false alarm were high enough, it may be rational and efficient for a human operator to ignore some alarms. An ignored alarm may turn out to be real and result in the transmission of a virus. If the Learned Hand precautionary level required attention to all alerts, the courts would view such a lapse as negligence, even if the compliance error were efficient from the viewpoint of the human operator.

Scanners require a frequently updated viral pattern database, as new viruses are discovered at a high rate.[160] By the Learned Hand formula, the high danger rate associated with viral infection imposes a demanding nondurable precaution rate, such as a high database updating frequency and diligent monitoring of and responding to all alarms, regardless of the frequency of prior false alarms. Some critical applications may require virtually continuous updating, incorporating new virus strains in real time, as they are discovered.

159. See Section II.B, "Technical Antivirus Defenses," supra.

160. IBM’s High Integrity Computing Laboratory reported, for instance, that by June 1991, new signatures were added to their collection at the rate of 0.6 per day. By June 1994, this rate had quadrupled to 2.4 per day and has since quadrupled yet again to more than 10 a day. Kephart et al., supra note 21, at 179-94. See also Steve R. White et al., Anatomy of a Commercial-Grade Immune System, IBM Thomas J. Watson Research Center research paper, available at http://www.av.ibm.com/ScientificPapers/White/Anatomy/anatomy.html (in the late 1990s, new viruses were discovered at the rate of eight to ten per day); DUNHAM, supra note 1, at xix ("[A]n estimated 5 to 10 new viruses are discovered daily, and this number is increasing over time."); Jennifer Sullivan, IBM Takes Macro Viruses to the Cleaners, WIRED NEWS (Dec. 4, 1997) ("It is estimated that 10 to 15 new Word macro viruses . . . are discovered each day.").


This discussion of antivirus precautions suggests that they consist of a high durable component, complemented by high rates and intense levels of nondurable precautions. The result is a high likelihood of a compliance error. The higher and more intense the rate of precaution, the more burdensome, hence more costly, perfect compliance becomes, and the greater the likelihood of a compliance error.[161]

d. Conclusion

Most virus strains are avoidable, which implies that most cases of virus infection involve negligence. Furthermore, most cases of virus infection governed by the negligence rule involve a compliance error. When a virus penetrates a network and causes harm, failure to detect it in time is therefore likely due to a compliance error. Liability of the individual who exposed network users to the compliance error will likely be preserved under the dependent compliance error paradigm.

This conclusion remains valid, by a preponderance of the evidence, even in cases where the culprit virus cannot be reliably identified as avoidable or unavoidable. Even when the virus is not identifiable,[162] it is likely avoidable and likely involves a compliance error.

2. Paradigms in Reasonable Foresight Doctrine

The reasonable foresight doctrine governs multiple risks cases. The doctrine includes five mutually exclusive paradigms, namely (i) minimal systematic relationship, (ii) reasonably foreseeable harm, (iii) reasonable ignorance of the relationship, (iv) correlated losses, and (v) adverse selection.[163]

Under the minimal systematic relationship paradigm, an inadvertently negligent tortfeasor would not be held liable for coincidental harm that results from his or her negligence. To illustrate this paradigm, suppose a hypothetical defendant negligently exceeds the speed limit and arrives at a spot just in time to be struck by a falling tree. Although an injured passenger plaintiff may argue credibly that falling trees are foreseeable, the (coincidental) accident is likely outside the scope of risk created by the defendant’s speeding. The defendant’s speeding created risks of traffic accidents, but it neither created the risk of the falling tree nor increased the probability of its occurrence. The accident was therefore not within the scope of the risk created by the defendant’s conduct, and liability fails on proximate cause grounds. It is coincidental and not systematically related to the defendant’s negligence.

161. See de Villiers, supra note 110, ¶¶ 8-14 (describing possible complications in identifying the exact virus strain responsible for certain harm).

162. Id.

163. Mark F. Grady, Proximate Cause Decoded, 50 UCLA L. REV. 293, 322 (2002).


Suppose, on the other hand, that the tree had fallen in front of the speeding driver and the car crashed into it. If it can be shown that the impact could have been avoided had the driver traveled at a reasonable speed, then the speeding driver’s negligence may have been a proximate cause of the accident. Failure to stop with a short reaction time is a foreseeable risk of, and systematically related to, speeding.[164]

The reasonably foreseeable harm paradigm, described as the default paradigm under the reasonable foresight doctrine, imposes liability where an ex ante known systematic relationship exists between the defendant’s negligence and the plaintiff’s harm.[165] In O’Malley v. Laurel Line Bus Co.,[166] for instance, the defendant’s bus driver let a passenger off in the middle of a street, instead of at the regular bus stop. It was a dark and stormy night so that the passenger did not realize where he was being let off. The court held the defendant liable for injuries sustained when the passenger was struck by a car. Letting people off in the middle of a street under such conditions that they cannot ascertain the risks of dangerous traffic does have a foreseeable systematic relationship to their being struck by a car.

Under the reasonable ignorance of the relationship paradigm, proximate causality is broken when, even though ex post there is clearly a systematic relationship between the defendant’s untaken precaution and the harm, scientists would not have predicted the relationship ex ante. This paradigm is particularly relevant in a virus context, where the scientific and technological state of the art evolves rapidly and often unpredictably.[167]

The issue of ex ante scientific knowledge is illustrated in the following classic case, known as the "Wagon Mound."[168] A ship was anchored in Alaska’s Anchorage harbor. It negligently discharged oil into the water, but there was no apparent fire hazard, because the oil was of a type that required extremely high heat to ignite. Some debris, with a piece of cotton attached to it, floated on the water under the oil layer. The debris was covered by the oil and invisible to any observer. A welder’s torch set off sparks that struck the cotton. The cotton smoldered for a while and eventually acquired sufficient heat to ignite the oil, causing a fire that burned down the dock. The dock owner sued the owner of the ship for damages under a negligence theory.

The oil spill created several risks, including hazards associated with water pollution and fire. The fire hazard was unforeseeable, because of the nature


164. Berry v. Borough of Sugar Notch, 191 Pa. 345 (1899); see also Grady, supra note 163, at 324.

165. Grady, supra note 163, at 326.

166. 166 A. 868 (Pa. 1933).

167. See Section IV.B, "Breach and Actual Cause Satisfied, but Proximate Cause Failed," infra, for a discussion and example of the role of reasonable ignorance of the relationship in a virus context.

168. Overseas Tankship (U.K.), Limited v. Morts Dock & Eng’g Co., Ltd. (The Wagon Mound), [1961] A.C. 388 (Privy Council 1961).


of the oil and the fact that the debris and cotton were out of sight. The risk of pollution was foreseeable but did not cause the harm.

The court accepted the testimony of a distinguished scientist who testified that the defendants could not reasonably have foreseen that the particular kind of oil would be flammable when spread on water.[169] The Privy Council therefore properly denied liability, and the suit failed on proximate cause grounds, namely reasonable ex ante ignorance of the relationship between defendant’s untaken precaution and the harm.[170]

The correlated losses/moral hazard and adverse selection paradigms are mainly of historical interest, although they are based on sound public policy arguments that may be applicable in negligence cases.[171] The New York fire rule, which only permits recovery by the owner of the first property to which a fire spread, is a classic example of denial of liability under the correlated losses paradigm.[172] The adverse selection paradigm denies liability where, due to a heterogeneity of risks, the plaintiff would have received a better insurance bargain than others.[173]

The final element of a negligence cause of action is actual damages, to which we now turn.

169. Id. at 413 ("The raison d’etre of furnace oil is, of course, that it shall burn, but I find the [appellants] did not know and could not reasonably be expected to have known that it was capable of being set afire when spread on water.").

170. See also Doughty v. Turner Mfg. Co., [1964] 1 Q.B. 518 (C.A.), a case where proximate causality also turned on scientific state of the art. In Doughty, a worker negligently knocked the cover of a vat containing molten sodium cyanide into the molten liquid in the vat. The plaintiffs were injured when a chemical reaction between the molten sodium cyanide and the cover, which was made of a combination of asbestos and cement known as sindayo, caused an eruption that resulted in injuries to the plaintiffs. The risk that the cover might splash the molten liquid onto someone was known and foreseeable, but the chemical reaction that actually caused the harm was unknown and unpredictable at the time of the accident. Scientists later demonstrated that at sufficiently high temperatures the sindayo compound underwent a chemical change that creates steam, which in turn caused the eruption that injured the plaintiff. None of this was known at the time of the accident. The court therefore held for the plaintiff, stating that the defendant was reasonably ignorant of the chemical reaction that caused the injuries. Id. at 520, 525. The defendant escaped liability under the reasonable ignorance paradigm.

171. Grady, supra note 163, at 330-31.

172. See, e.g., Homac Corp. v. Sun Oil Co., 180 N.E. 172 (N.Y. 1932); Ryan v. N.Y. Cent. R.R., 35 N.Y. 209 (1866) (Defendant negligently ignited its own woodshed, from which the fire spread to the plaintiff’s house. The court denied liability, reasoning that first-party insurance by homeowners would be more efficient than imposing unlimited liability on a defendant for mass fires caused by its own inadvertent negligence. Such liability would constitute a "punishment quite beyond the offence committed." Id. at 216-17). The fire rule seems to have been limited to New York. Other courts have allowed recovery even when fire spread over great distances and over obstacles. See, e.g., Cox v. Pa. R.R., 71 A. 250 (N.J. 1908) (recovery allowed for damage from fire that had spread beyond several buildings from its origin before destroying the plaintiff’s building). Even in New York, the doctrine was not always followed. See, e.g., Webb v. Rome, Watertown & Ogdensburgh R.R. Co., 49 N.Y. 420 (1872). Consistent with the "extent of harm" rule, it may apply to secondary victims of virus infection. See also PROSSER & KEETON ON THE LAW OF TORTS, supra note 3, at 282-83 (Time & Space).

173. Grady, supra note 163, at 331.


E. Damages

Damage resulting from virus infection can be classified into two broad categories: pre-infection and post-infection damages.[174] Pre-infection damages include the cost of detecting, tracing, identifying, and removing a virus before it enters the system or network. Typical expenses include personnel and managerial expenditures associated with the implementation and maintenance of software designed to detect a virus automatically at the point of entry as well as expenses for tracing the source of the virus, advising the source, logging the incident, and communicating with the owner of the system on which the incident occurred.

Post-infection damages can be classified into two main categories: (i) impact of the presence of a virus on the computing environment, before execution of the payload, and (ii) damage caused by execution of the payload.

Viruses modify the computing environment when they install their code on a host program and overwrite or displace legitimate code. Partly overwritten systems programs may become dysfunctional. Corrupted boot sector code, for instance, may prevent an infected computer system from booting and garbled spreadsheet formulas may make the program virtually unusable. Theft of resources, such as clock cycles, may slow down processes and, in the case of time-critical processes, cause them to behave unpredictably. Macro viruses, for instance, often disable menu options of Microsoft Word. Viral invasion of space in main memory and on the hard disk may result in impaired performance and disablement of some programs, including time-critical processes and resource-intensive software. In the absence of virus detection software, these modifications are often unobservable until execution of the payload.[175] These viral actions nevertheless cause actual damage, by dissipating valuable computing resources and disabling or disrupting commercially valuable computer functions.

Virus attacks have effects beyond the money and other resources required to recover from the attacks. In a survey of organizational effects of virus encounters, participants were asked about the organizational effects of virus incidents on their company or working group. The following table is a partial list of their greatest concerns, with the percentage of respondents reporting each effect.[176]

174. David Harley, Nine Tenths of the Iceberg, VIRUS BULL. 12 (Oct. 1999).

175. Id. at 13 ("General incompatibility/de-stabilization issues can manifest themselves in several ways. System software/applications/utilities display unpredictable behavior due to conflicts with unauthorized memory-resident software. Symptoms include protection errors, parity errors, performance degradation, loss of access to volumes normally mounted and unavailability of data or applications.").

176. ICSA LABS 9TH ANNUAL COMPUTER VIRUS PREVALENCE SURVEY 2003, supra note 10, at 13 (Table 9).


Response                  Percentage
Loss of productivity      76%
Unavailability of PC      67%
Corrupted files           58%
Loss of access to data    50%
Loss of data              47%

Damage from execution of the virus payload comes in three categories: loss of availability, integrity, and confidentiality of electronic information.[177] Attacks on availability include renaming, deletion, and encryption of files. Attacks on integrity include modification and corruption of data and files, including garbling of spreadsheet formulas and destruction of irreplaceable information. Attacks on confidentiality include security compromises, such as capturing and forwarding of passwords, e-mail addresses, and other confidential files and information.

The ICSA 2003 survey on computer virus prevalence provides numerical estimates of the effects of virus attacks. The survey defines a "virus disaster" as "25 or more PCs infected at the same time with the same virus, or a virus incident causing significant damage or monetary loss to an organization."[178] Ninety-two participants in the survey reported disasters with average server downtime of seventeen hours.[179] Respondents also were asked how many person-days were lost during the virus disaster that struck their company. The median time for full recovery was eleven person-days, and the average was twenty-four person-days. The average dollar cost per disaster, including employee downtime, overtime to recover, data and information loss, lost opportunities, etc., was in excess of $99,000.[180]

Consequential, or secondary, damage is defined as (i) damage (both pre- and post-infection) due to secondary infection, namely damage to other computer systems to which the virus spreads; (ii) damage due to an inappropriate response, such as unnecessarily destroying infected files that could be cheaply disinfected and restored; (iii) psychological damage, such as loss of employee morale and opportunities lost due to a sense of insecurity, bad publicity, and loss of reputation and credibility; (iv) the cost of cleanup and disinfection, the cost of restoration of the computer system and impaired data, and expenses related to upgrading computer security; (v) legal risks, such as exposure to civil and criminal liability; and (vi) punitive

177. Harley, supra note 174, at 13.

178. ICSA LABS 9TH ANNUAL COMPUTER VIRUS PREVALENCE SURVEY 2003, supra note 10, at 1.

179. Id. at 10.

180. Id. at 13.


action from parties with whom the victim had breached a contractual agreement.[181]

Certain viruses attempt to conceal their presence on the computer system. Such concealment action may itself cause damage to the computing environment, independently of any harmful effect from execution of a payload. A virus may, for instance, attempt to thwart attempts to track it down by looking out for attempts to read the areas it occupies in memory and crashing the system in order to shake its "pursuer."

No viruses have been known to cause direct damage to hardware (at least at the time of writing), and losses are usually limited to destruction of data and related direct and indirect costs. A virus may cause indirect physical harm to hardware. Certain viruses are, for instance, capable of impairing the operation of a computer by writing garbage to a computer chip. It is often cheaper to repair the damage by discarding the entire motherboard than to replace a soldered chip.[182]

A negligence theory of liability would be irrelevant if no damages were recoverable. A doctrine in tort law, the so-called economic loss rule, appears to significantly limit recovery for damages caused by virus infection. The doctrine denies a defendant’s liability for pure economic loss, namely loss not based on physical harm to person or property. In a related article, we argue that damages related to viral infection, including pure economic losses such as data corruption, are likely to be recoverable, the economic loss rule notwithstanding, because (i) a virus may cause physical harm due to the malfunction of a computer system, in applications such as medical systems and aviation; (ii) a minority of jurisdictions have relaxed the rule against recovery for pure economic loss; and (iii) an increasing number, perhaps a majority, of jurisdictions recognize electronic information as legally protected property.[183]

IV. LITIGATION COMPLICATIONS

The unique and dynamic nature of virus technology may complicate a plaintiff’s litigation strategy. To succeed in a negligence action, the plaintiff has to plead an untaken precaution that simultaneously satisfies the requirements of breach of duty as well as actual and proximate cause. In other words, the untaken precaution must be cost-effective and capable of preventing the harm if taken, and failure to take it must be reasonably related to actual harm.

181. HARLEY ET AL., supra note 18, at 97-100; DUNHAM, supra note 1, at 7 (a user who receives a virus warning "may shut off the computer incorrectly, potentially damaging files, the operating system, or even hardware components like the hard drive"). See also ICSA LABS 6TH ANNUAL COMPUTER VIRUS PREVALENCE SURVEY 2000, supra note 110, at 31 (Table 16) (22 percent of respondents named loss of user confidence as a significant effect of a virus encounter).

182. HARLEY ET AL., supra note 18, at 100. See also Bissett & Shipton, supra note 113, at 899, 903 (describing the CIH virus, which overwrites memory, necessitating replacement of the memory chip).

183. See de Villiers, supra note 110, § VI.B (economic loss rule).

In a given case there may exist precautions that clearly satisfy at least one, perhaps several, of the elements but no precaution that simultaneously satisfies all the elements of a negligence action. Modifying the pleading strategy by selecting an alternative precaution may fill the gap but leave yet a different subset of elements unsatisfied.

Antivirus technology is varied and sophisticated, reflecting antivirus researchers’ response to the equally volatile and sophisticated nature of the virus threat, and a plaintiff usually has a rich array of untaken precautions to choose from. There may nevertheless, in many cases, exist no choice that simultaneously satisfies all the elements necessary to build a negligence case. Such a Catch-22 dilemma can, of course, arise in any negligence case, but it is especially likely in virus cases, as we show in this section.[184]

A. Breach Satisfied but Actual Cause Failed

A plaintiff will prevail on the issue of breach if her pleaded untaken precaution is cost-effective. Breach can often be proved quite easily in a virus context, by pleading a trivial precautionary lapse with negligible marginal benefit, yet even smaller cost, hence efficient. Suppose a software provider who signs up for fifty-two signature database updates per year is offered four free updates. The software provider opts not to use some or all of the free updates. The marginal cost, therefore, of increasing the updating frequency from fifty-two to, say, fifty-three times per year is approximately zero so that the fifty-third update is almost certainly efficient. However, the more trivial the lapse, the harder it is, generally, to establish actual and proximate causality. The fifty-third update, although efficient, is unlikely to make a significant practical difference in computer security. Failure to implement the fifty-third update will likely fail the but-for test of actual causality of a virus attack.

Although the fifty-third update will likely fail the but-for test, there is ample scope for the plaintiff to rethink her pleading choice. The rich array of available antivirus precautions virtually ensures the existence of an alternative precaution that would have prevented the virus, and therefore satisfies actual causality. A generic technology, such as an activity monitor, for instance, does not need an updated signature database to detect a novel virus strain. The virus that the fifty-third update failed to detect would therefore likely have been snared by an activity monitor. Failure to use an activity monitor will be an actual cause of the virus infection. It may, however, not be cost-effective, hence, fail the breach requirement.

184. Grady, supra note 61, at 139.

176 Tort Trial & Insurance Practice Law Journal, Fall 2004 (40:1)

Generic virus detectors, such as activity monitors, are very efficient in certain computing environments and quite inefficient and resource-consuming in others. The particular environment in which the virus caused the harm may be of the latter kind. The costs of the activity monitor may outweigh its benefits, so that failure to use it does not constitute a breach of duty, even though such failure is the actual cause of the virus harm.

Several factors may diminish the cost-effectiveness of an activity monitor in a particular computing environment. Activity monitors do not perform well with viruses that become activated before the monitor code and escape detection until after they have executed and done their harm. Activity monitors are also ineffective against viruses that are programmed to interfere with the operation of activity monitors. Certain virus strains, for instance, are programmed to sabotage the operation of activity monitors by altering or corrupting monitor code. Some, but not all, machines and networks have protection against such modification. A further drawback of activity monitors is that they can only detect viruses that are actually being executed, which may be a significant detriment in sensitive applications where a virus can wreak havoc before being caught by an activity monitor.

A further disadvantage of activity monitors is the lack of unambiguous and foolproof rules governing what constitutes "suspicious" activity. This may result in false positive alarms when legitimate activities resemble viruslike behavior and false negative alarms when illegitimate activity is not recognized as such. The vulnerability of activity monitors to false alarms makes them relatively costly.[185] A high cost of dealing with false negatives and positives may outweigh the benefit provided by activity monitors in a particular environment. An activity monitor may therefore not be cost-effective because of any or all of these factors, even though it may have been technically capable of detecting the culprit virus.

B. Breach and Actual Cause Satisfied, but Proximate Cause Failed

The rapid and often unpredictable development of virus technology introduces an element of unforeseeability into the behavior of viruses. New virus creations often have the explicit goal of making detection harder and more expensive.[186] Innovations, undoubtedly designed with this goal in mind, include stealth viruses,[187] polymorphic viruses, and metamorphic viruses.[188] As a consequence, some virus strains are capable of transforming into a shape and causing a type of harm very different from what was ex ante foreseeable.

185. The technology is programmed to make a judgment call as to what constitutes "suspicious behavior." There are, however, no clear and foolproof rules governing what constitutes suspicious activity. False alarms may consequently occur when legitimate activities resemble viruslike behavior. Recurrent false alarms may ultimately lead users to ignore warnings from the monitor. Conversely, not all "illegitimate" activity may be recognized as such, leading to false negatives.

186. See, e.g., Spinellis, supra note 31, at 280 ("Even early academic examples of viral code were cleverly engineered to hinder the detection of the virus."). See also Ken L. Thompson, Reflections on Trusting Trust, 27:8 COMMS. ACM 761-63 (Aug. 1984).

These and other unpredictable aspects of viruses may cause a negligence action to fail on proximate cause grounds, where foreseeability is an issue. In a particular virus incident, an ex post obvious systematic relationship may exist between the evolved virus and the harm it has caused. If, however, computer scientists could not ex ante foresee or predict this dynamic relationship, proximate cause may be broken and defendant’s liability cut off.

The following example illustrates this complication. Viruses can be roughly divided into two groups: those with a destructive payload and those without a payload, or with a relatively harmless payload, such as display of a humorous message. For the purposes of this example, we refer to the two types as "harmful" and "harmless" viruses, respectively.[189]

Suppose a hypothetical software provider decides not to scan for "harmless" viruses, perhaps to increase scanning speed and reduce costs, or because of a perceived low likelihood of exposure to liability and damages. The provider purchases only signatures of new viruses that are known to be harmful, at the time, for inclusion in his scanner database. The software provider then sells a software product containing a harmless virus strain that, by design, was not detected. This virus infects the computer network of the purchaser of the infected program.

The virus happens to be a metamorphic virus,[190] a type of virus capable of mutating into a totally different virus species. In fact, it mutates into a strain with a malicious payload capable of destroying data. The mutated strain, now transformed into a harmful virus, erases the hard disk of its host computer. The purchaser of the infected software contemplates a lawsuit against the vendor on a negligence theory.

187. Stealth virus strains are designed to evade detection by assuming the appearance of legitimate code when a scanner approaches. See, e.g., Kumar & Spafford, supra note 25; see also DAVID FERBRACHE, A PATHOLOGY OF COMPUTER VIRUSES (1992), for a description of stealth viruses.

188. Polymorphic viruses change their signature from infection to infection, making them harder to detect. Metamorphic viruses are capable of changing not only their identity but also their entire nature and function. See, e.g., Carey Nachenberg, Understanding and Managing Polymorphic Viruses, THE SYMANTEC ENTERPRISE PAPERS, Volume 30. See also Spinellis, supra note 31, at 280 ("Viruses that employ these techniques, such as W32/Simile[,] can be very difficult to identify.").

189. Bissett & Shipton, supra note 113, at 899, 903 ("Viruses may be classified as destructive or nondestructive in their primary effect. The least destructive ... simply print a ... message and then erase themselves .... Destructive effects include halting a legitimate program. More destructive viruses erase or corrupt data or programs belonging to legitimate users of the computer.").

190. Metamorphic viruses are capable of changing not only their identity but their very nature. See, e.g., Nachenberg, supra note 188.

The plaintiff could easily prove breach of duty by arguing that the trivial marginal cost to the software provider of scanning for "harmless" viruses is outweighed by the foreseeable harm from such viruses in the form of consumption of computing and personnel resources. Defendant, on the other hand, could credibly argue that proximate causality should be broken under the reasonable ignorance of the relationship paradigm. Although it is clear after the incident that a systematic relationship existed between the harm and the defendant’s untaken precaution (failure to scan for harmless viruses), computer scientists were nevertheless unaware of this systematic relationship ex ante. This systematic relationship originates from the ability of harmless viruses to transform into harmful ones, which depends on the existence and feasibility of metamorphic virus technology. This technology was unknown ex ante, even to scientists.

C. Attempt to Fix Proximate Causality Fails Breach Test

The plaintiff in the foregoing metamorphic virus example may attempt to fix the proximate causality problem by rethinking his pleaded untaken precaution. Once the first harmless virus has morphed into a destructive one, the provider of the infected software can prevent further carnage by recalling all his previously sold software products and rescanning them for all viruses, harmful as well as harmless. A plaintiff therefore may plead that the defendant, once the infection came to his or her attention, could have taken this action. Failure to recall will be the proximate cause of any further (now foreseeable) harm from this type of virus, under the no intervening tort paradigm, or perhaps the reasonably foreseeable harm paradigm. Failure to recall is, of course, also an actual cause of all further harm caused by the virus.

The plaintiff nevertheless may still find him- or herself stuck in a legal Catch-22. Empirical studies on the economic impact of product recall strongly suggest that product recalls are very costly.[191] In cases where human lives are not at stake, as is usually the case with ordinary commercial software, product recall may very likely not be cost-effective and failing to undertake it would not be a breach of duty. The plaintiff who pleads product recall as an untaken precaution will likely be able to prove actual and proximate causality but, this time, fail on breach.

V. CONCLUSION

This article analyzes the elements of a negligence cause of action for inadvertent transmission of a computer virus. The analysis emphasizes the importance of an understanding of virus and virus detection technology, as well as the economics of virus prevention, in negligence analysis. The classic principles of negligence apply to a virus case, but a plaintiff’s case may be significantly complicated by the unique and dynamic nature of the technologies involved.

191. See, e.g., Paul H. Rubin et al., Risky Products, Risky Stocks, 12 REGULATION 1, which provides empirical evidence of the costs associated with a product recall and states that "[o]n the basis of this research, we conclude that product recalls are very costly, resulting in large drops in the stock prices of affected firms... [T]he health and safety benefits to consumers may not be worth the cost."


Downstream Liability for Attack Relay and Amplification

[This article is an adaptation of a talk delivered at the RSA Conference 2002 in San Jose, California. All contents Copyright 2002 - Carnegie Mellon University, Pennsylvania State Police, and White Wolf Security.]

Disclaimer

Points of view or opinions expressed in this presentation do not necessarily represent the official position or policies of the Pennsylvania State Police, Carnegie Mellon University, White Wolf Security, or RSA.

Who are the authors?

• Scott C. Zimmerman, CISSP, is a Research Associate at the Software Engineering Institute, Carnegie Mellon University.

• Ron Plesco, Esquire, is the Director of Policy for the Pennsylvania State Police.

• Tim Rosenberg, Esquire, is the President and CEO of White Wolf Security (www.whitewolfsecurity.com).

The Scenario

To demonstrate the concepts involved, we will use a simple and hypothetical scenario in which four distinct entities are involved:

1. The first entity is Jane G. Jane is a network security administrator in the United Kingdom. She works for a company that does approximately US$200M in business per year. Her yearly salary is US$55,000.

2. The second entity is MegaCorp’s web server, a non-mission-critical machine accessible from the Internet. MegaCorp is a US$10.4 billion/year public company. The server is hosted internally, and is physically located at MegaCorp’s facility in Iowa. MegaCorp exercises complete control over all aspects of the web server.

3. The third entity is a web server that belongs to a non-profit research hospital in the state of Washington.

4. The last entity is Mr. Big Star, who receives medical treatment at the research hospital.

While accessing the Internet at work, Jane finds a six-month old vulnerability in MegaCorp’s web server. Exploiting this vulnerability, Jane is able to gain privileged access to the system. From MegaCorp’s system, Jane then discovers a month-old vulnerability on the hospital system located in Washington state. She is able to exploit this as well and gains privileged access to the hospital server. Once Jane is a privileged user on the hospital’s system, she is able to penetrate more deeply into the hospital’s network wherein she finds a database server containing sensitive patient records. While browsing the database, Jane G. stumbles on Mr. Big Star’s file and decides to download a copy.

Having finished her shift at work, Jane G. installs a Denial of Service attack tool on the MegaCorp server. She begins an attack against the hospital’s web server to throw the administrators off her trail. She goes home and posts Mr. B. Star’s file to a web site in Canada and sends it to her friends on IRC.

The chain of entities looks like this:

Jane G.’s desktop -> MegaCorp’s Web Server -> Hospital server in Washington


Parties Involved - Legal Issues

Before we can discuss the various legal theories under which the suits can be brought, we must first articulate which parties are involved in the case. The plaintiff is the person or entity that was harmed by the act and is seeking restitution. The defendant is the person or entity accused of committing the act. In this scenario, potential plaintiffs include

• MegaCorp
• The hospital
• Mr. Big Star

Note that this is not an exhaustive list, as we are focusing on the specific group of directly harmed individuals. Potential defendants include

• Jane G.
• MegaCorp
• The hospital

It may seem strange that the hospital, for example, may be both a plaintiff and a defendant, but in this case the hospital may seek damages from MegaCorp, and Mr. Big Star may seek damages from the hospital. Unfortunately, events such as these are akin to a multiple vehicle accident. We are presented with a large number of parties who have been harmed, none of which is exactly sure what happened. What will happen in both the multiple site attacks and the car accident is that all parties even remotely associated to the incident will be listed as possible defendants and/or plaintiffs. Once the case lands in court, it is up to the jury and the legal system to decide who did what to whom, who will pay, and how much.

The Legal Theories

We now have a series of possible parties to the case. The next portion of the analysis is identification of the legal theories under which the parties might be sued. This is a difficult process as the law is a very specific creature. For the purposes of the next section, we are going to focus on downstream liability. The crux of the downstream liability issue is negligence. Negligence consists of four parts: duty, breach, causation, and damages. We will approach each of these separately. Keep in mind that, in the real world, separation of these items is extremely difficult as they are all closely linked together.

Duty is simply defined as a prudent person’s obligation to use reasonable care. A more detailed definition can be found in Prosser, Wade, and Schwartz’s Cases and Materials on Torts: "requiring the actor to conform to a certain standard of conduct, for the protection of others against unreasonable risks". To use an automotive analogy, a driver has the duty to ensure his vehicle has fully functioning brakes and lights, good tread on the tires, and so forth. Furthermore, the driver of the vehicle has the duty to operate her car with reasonable care and not to drive recklessly. One of the most difficult aspects of showing negligence is this: is there a clearly defined duty? In other words, regarding downstream liability, does an owner of IT assets on the Internet have a duty to keep his systems secure and not to be used to hurt another? We believe the answer to this question is a resounding yes.

Assume for now that the duty exists; showing negligence means there must be a breach. For a breach to occur, the plaintiff must show that the defendant failed to perform her duty. In the worst case, the defendant did nothing at all to address network security issues. In the less extreme case, the defendant could simply have failed to perform her duty to the appropriate standard. Either will suffice to show a breach in the duty, as long as the remainder of the requirements are met.

Causation means that the aforementioned breach caused the damages in the incident. In this case, you will have to show what each of the parties did (or didn’t do) which led to some real damages. It is imperative for the plaintiff to directly link the breach in duty to very specific damages, and to show that those damages would not have been incurred but for the breach.

In order for damages to be awarded, something has to be harmed. Damages are broken down into three types:

• Nominal - just enough to say ’you won’
• Compensatory - repayment for actual and real damages
• Punitive - amount above compensatory to punish the defendant and make an example so as to deter similar conduct in the future

In our scenario, disclosure of Mr. Big Star’s medical condition leads to termination of contract negotiations for a US$15M lead role. This dollar figure defines the damages caused to Mr. Big Star by Jane G. through MegaCorp and the hospital. In some cases, the damages may not be as visible. Revenue lost through a disabled e-commerce site can be quantified, but what about loss of consumer trust?

What role does Jane G.’s employer play in the event? Her employer provided the computer and Internet connection to perpetrate the act. The legal world has created a theory of vicarious liability in this case, known as Respondeat Superior. Under this theory, the harmed plaintiffs may be able to sue Jane’s employer for compensation. This is beneficial from the plaintiff’s perspective as the employer typically has more financial resources than the employee. Under the theory of Respondeat Superior, an employer could be held vicariously liable for its employee’s actions:

• Where an employee is acting within the scope of employment and doing something in the furtherance of his work; and
• The employer is or should be exercising some control; then
• The employer will be liable for the negligent acts of the employee


Jane G. is a network security administrator, and she conducted the attacks while at work, using her employer’s resources. If her employer has published policies in place, and enforces them regularly, it will be difficult to hold Jane’s employer vicariously liable. To make this determination, one will have to look at their employment practices and internal policies.

Jane G.’s employer may also have been negligent in its hiring practices (though we did not directly address Jane’s background or character). If an employer hires a network security administrator who has a questionable background, one of two things probably happened:

• The employer did not conduct a thorough background check.
• The employer did conduct a background check but ignored the findings.

A similar situation would be that of a doctor who has committed malpractice at - and was dismissed from - his last three positions. Hospital #4 hires him without conducting a thorough background check, and the doctor commits malpractice yet again. The hospital would then be guilty of Negligent Hiring.

Keep in mind that negligence, vicarious liability, and negligent hiring all assume that a duty exists. Herein lies the difficulty: what is the due standard of care in a given situation? What are the accepted best practices? What, exactly, should MegaCorp have done to avoid being used as a conduit to the hospital intrusion? In general the duty is defined as the actions taken by "a reasonable and prudent person". Unfortunately this definition provides a wide range of possibilities: one person’s "reasonable" and "prudent" is another person’s "overkill" and yet another person’s "insufficient". The problem often becomes the need to discover what these terms mean in a given trade or industry. However, a caveat applies: the tendency of an industry to be generally negligent in its practices does not mean that the court will - or should - use these practices as the de facto standard. Since our scenario deals with network security, the focus areas here will be architecture, patches, and personnel.

Architecture

One of the most widely-deployed network security measures is the firewall. In broad terms, this is a system that resides between the corporate network and the rest of the Internet, filtering traffic according to its configuration. Ten to fifteen years ago, firewalls were strange and almost unheard-of beasts. However, times have changed, and any organization that does not protect its network with a firewall is likely to be greeted with incredulity and dismay.

The Distributed Denial-of-Service attacks that affected prominent web sites in 2000 and 2001 contained thousands upon thousands of spoofed packets. Spoofed packets can be generated by freely available software tools, and contain an invalid or incorrect source address; the source address is not important as the flooding is meant to be a one-way communication. The DDoS attacks were made possible by the almost nonexistent use of egress filtering by network-connected entities. Egress filtering is a simple concept: examine packets as they leave the corporate network to ensure no inappropriate or malicious traffic escapes into the world. For example, spoofed packets should not be allowed to leave the network because they do not bear a valid source address.

We would argue that an organization which owns/operates a connection to the Internet and does not filter traffic is already in breach of its duty to protect its assets from misuse and abuse. The first two elements of a negligent cause of action have been met. All that is missing is a hacker to come in and use the organization’s resources to hurt another. That incident will provide the causation and damages.

Patches


As Mr. Bruce Schneier has stated, the cycle of developing buggy software and then rushing to develop patches does not work. However, until the software development process becomes as rigorous and precise as, for example, engine manufacturing, the patch treadmill is the best the industry can offer. Working within this constraint, there is a great deal of debate over the process of obtaining and installing necessary patches for applications and operating systems. On one side are the proponents who feel that all patches should be applied immediately. On the other side are those who cite any number of patches in recent years that fixed one problem but created three more, and so they feel that patching should be deferred until the patch is deemed safe and stable. Regardless of which side of the ’patch war’ you take, installing patches is one of the best things an organization can do to protect itself against automated attacks.

Personnel

The personnel issue is a sticky - and expensive - wicket for most organizations. System and network administrators are often overworked because their employers cannot or will not hire additional personnel. In this situation, the system administrators must prioritize their tasks, and simply keeping everything running may fill 100% of their time. How many system administrators are enough? There is no clear formula like "one SA for every fifty accountants", so the needs and structure of the organization must be used to determine a suitable staffing level. In most cases, however, having only one person to cover any particular task is not a good idea: if only one person is on staff, what if he becomes ill or goes on vacation? Has the organization made arrangements to provide coverage for this employee’s duties? Beyond the number of personnel, the roles of the individuals are quite important. Can any named defendant identify who exactly is responsible for security? Is this role documented?

This brings us to the topic of due diligence. In the area of network security, as everywhere else, due diligence is not a fixed point: it is a sliding scale. There is no magical line separating negligent from responsible, where an incremental move in a certain direction will cause a state change. Here are some clear-cut examples to demonstrate both sides:


• Negligent: a default operating system installation, with no firewall or patches, on a T-1
• Responsible: a hardened operating system with post-installation changes behind a robust firewall

Scott’s Assessment of Due Diligence

This section is so named because the position taken in this section is Scott’s; he is not speaking for any other personnel or organizations.

This section currently applies only to businesses, although it may eventually apply to individuals. It defines a minimum standard of conduct for a very important reason: placing a system on the Internet, where it can potentially affect the systems of others, entails a certain level of organizational responsibility.


Due Diligence Statement 1 of 2

Installation of security-related patches, when potential exists to harm a third party:

These patches should be installed no later than ten (10) calendar days after release of the patch by the vendor.

Many individuals will think that this interval is too short or (probably) far too short. (There is at least one person who thinks it is too long.) Many of the reasons given for this include the fact that there are simply not enough personnel to handle the work. However, going back to the issue of organizational responsibility, the owner of the network has a duty to make sure the network is as safe as it can reasonably be made. This duty includes having access to the resources - i.e. personnel and equipment - needed to test and apply patches in a timely fashion.

Due Diligence Statement 2 of 2

Egress filtering should be enabled on the network perimeter.

As mentioned earlier, there is no legitimate business purpose for spoofed packets, and a simple set of rules on the firewall or border router can block this traffic before it affects someone else. These rules could likely remain static and still do the job, which is as close as anything can get to "set it and forget it" in this arena.
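As an added illustration (not part of the original talk or article), the following Python simulation applies the egress policy described above to a handful of constructed outbound packets: a packet whose source address is one of the organization's own prefixes is permitted, anything else is dropped as spoofed or as a leaked private address, and the same static policy is rendered as iptables rules for a border host. The prefixes, the interface name and the sample packets are constructed assumptions, not values from the article.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Hypothetical address space assigned to the organization (constructed
# documentation-range values, not taken from the article).
ORG_PREFIXES = [ipaddress.ip_network("203.0.113.0/24"),
                ipaddress.ip_network("198.51.100.0/25")]

# Private and reserved ranges that are never valid as a source address on
# the public Internet; one of these leaving the perimeter is a sure sign of
# spoofing or misconfiguration.
BOGON_PREFIXES = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Packet:
    """Minimal view of an outbound packet: only the fields the filter needs."""
    src: str
    dst: str
    proto: str


def egress_verdict(pkt: Packet) -> str:
    """Classify one packet leaving the perimeter.

    Returns "permit" or a string beginning with "drop:" naming the reason.
    Rule order matters: bogon sources first, then the allow-list of the
    organization's own prefixes; everything else is treated as spoofed.
    """
    src = ipaddress.ip_address(pkt.src)
    if any(src in net for net in BOGON_PREFIXES):
        return "drop:bogon-source"
    if not any(src in net for net in ORG_PREFIXES):
        return "drop:spoofed-source"
    return "permit"


def filter_egress(packets: Iterable[Packet]) -> Tuple[List[Packet], List[Tuple[Packet, str]]]:
    """Apply the policy to a batch; return (permitted, dropped_with_reason)."""
    permitted, dropped = [], []
    for pkt in packets:
        verdict = egress_verdict(pkt)
        if verdict == "permit":
            permitted.append(pkt)
        else:
            dropped.append((pkt, verdict))
    return permitted, dropped


def render_iptables(out_iface: str = "eth0") -> List[str]:
    """Render the same policy as static iptables FORWARD rules on the border
    host (the interface name is a constructed assumption). Because the
    allow-list is just the organization's own address space, these lines do
    not need updating as new flooding tools appear."""
    rules = [f"iptables -A FORWARD -o {out_iface} -s {net} -j ACCEPT"
             for net in ORG_PREFIXES]
    # Log, then drop, whatever did not match an internal source prefix.
    rules.append(f"iptables -A FORWARD -o {out_iface} -j LOG --log-prefix 'EGRESS-SPOOF '")
    rules.append(f"iptables -A FORWARD -o {out_iface} -j DROP")
    return rules


# Constructed sample of outbound traffic: two legitimate packets, one flood
# packet with a forged source (the DDoS case the article describes), and one
# leaking a private address.
SAMPLE_OUTBOUND = [
    Packet("203.0.113.45", "192.0.2.10", "tcp"),
    Packet("198.51.100.7", "192.0.2.80", "udp"),
    Packet("192.0.2.200", "192.0.2.10", "tcp"),   # forged source: not ours
    Packet("10.1.2.3", "192.0.2.10", "icmp"),     # private source leaking out
]

if __name__ == "__main__":
    ok, bad = filter_egress(SAMPLE_OUTBOUND)
    print(f"permitted={len(ok)} dropped={len(bad)}")
    for pkt, why in bad:
        print(f"  {pkt.src} -> {pkt.dst} ({pkt.proto}) {why}")
    print("\n".join(render_iptables()))
```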

This article has covered negligence and due diligence, but what happens if an organization is negligent? The results of negligence can vary widely:

• No incident occurs - business as usual
• Mild incident occurs - inconvenience
• Serious incident occurs - substantial financial damage
• Most serious incident occurs - life is lost

The DDoS attacks would be classified by most folks as a serious incident; eBay, CNN, and Yahoo! would almost certainly agree. However, a broad application of egress filtering could have mitigated the damage.

What about sites with sensitive information?

The value of information is generally subjective. If a company's trade secret - plans for a new and improved Super-Widget, for example - were stolen or corrupted, the company would have a difficult time quantifying the amount of loss: no one can predict exactly how much money would have been made through the sales of the new product.

What about sites with large amounts of bandwidth available?

Sites with large amounts of available bandwidth - or "big pipes" - are often targets of attacks because the fast network connection can facilitate a number of nefarious activities. The potential for damage can be more easily reckoned in this case: an OC-3 can flood a T-1, but not vice-versa. One may argue the point that sites with big pipes have a slightly greater responsibility to secure their networks, similar to the way that a tractor-trailer driver needs to pay more attention to the function and condition of his brakes than a person on a bicycle: if the tractor-trailer goes out of control, the potential for damage is much greater.

What about sites that offer Service Level Agreements (SLA)?

Any reasonable SLA must account for the fact that the systems require maintenance. One way around downtime is to have a load-balancing cluster of machines, and take down one at a time to install patches and so forth. The choice here is either to allocate a small amount of time for maintenance now, or to allocate a potentially much larger amount of time later when something untoward happens, be it an intrusion or a software bug that corrupts database tables.

Back to the Group Presentation

Questions to ponder:

- Should the plaintiffs go after the ISPs? Why or why not?
- Does anything change if Jane G.'s employer is an ISP?
- Evaluate the potential for damages; how much prevention could this amount have purchased?

Conclusion

Case law is just starting on these issues; to date no far-reaching precedents have been set. Most organizations will want to avoid being on either side of such a landmark case.

Please use this article to speak to your in-house counsel or other legal professional in order to dedicate more resources to the cause.

Can Hacking Victims Be Held Legally Liable? Page 1 of 3

August 24, 2001

Can Hacking Victims Be Held Legally Liable?

By CARL S. KAPLAN

Suppose, Margaret Jane Radin of Stanford Law School wrote recently, that a Web site operated by a securities brokerage suffers a crippling attack by hackers. The ability of its customers to conduct trades is hampered for several hours, or even blocked entirely. Imagine, too, that on the day of the attack the stock market is volatile, and that many customers are trying unsuccessfully to buy or sell stocks in a flash.

Of course, hackers are easy to blame. But what about the companies that investors rely on to make trades? Are the brokerage firms and their network providers -- which failed to prevent the attack that harmed the site -- vulnerable to a second onslaught: a nasty lawsuit from unhappy clients who lost money as a result of the shutdown?

Professor Radin isn't the only legal thinker posing this question. Another paper, co-authored by two partners and a legal assistant at a major law firm, also considers whether companies that fail to take reasonable steps to protect their computer systems from malicious attacks or internal malfunctions are sitting ducks for lawsuits.

So far, lawyers say, the answer is unclear. There have been no reported court decisions discussing the issue of a company's liability for a hacker attack, according to Radin, an authority on intellectual property, electronic commerce and Internet law. But lawsuits in the near future are highly likely, she said.

In her paper, professor Radin examined the possible legal fallout from a "distributed denial of service" attack. This is a particularly troublesome form of digital mischief whereby hackers gain control of unsuspecting users' computers and use those distributed machines to flood a targeted site or service with junk messages, overwhelming the site and causing it to be inaccessible to legitimate customers. (Her study, "Distributed Denial of Service Attacks: Who Pays?" commissioned by Mazu Networks, Inc., a Cambridge, Mass.-based security company, is available on the company's site.)

Radin concluded that there is a "significant risk" that in the near future targeted Web sites will be held liable to their customers for harm arising from distributed denial of service attacks. In addition, she reckoned that there is another "significant risk" that the computer network companies that carry the hackers' attack messages -- such as ISPs and backbone network providers -- will be held accountable to the targeted Web sites, and perhaps to the sites' customers.

http://www.nytimes.com/2001/08/24/technology/24CYBERLAW.html?ex=1118548800&... 6/10/2005

In the second paper, members of the cyberlaw practice group of Sidley Austin Brown & Wood, a national law firm, considered the growing legal danger faced by online service providers who suffer security breaches or the internal glitches that can compromise their customers' information.

The study, "Liability for Computer Glitches and Online Security Lapses," by Alan Charles Raul and Frank R. Volpe, partners at the firm, and Gabriel S. Meyer, a summer associate and J.D. candidate at Cornell University, was published earlier this month in a Bureau of National Affairs newsletter on electronic commerce and will be available shortly on the firm's Web site. It concludes that e-commerce players must "demonstrate [a] willingness and ability to implement aggressive security measures" if they wish to stave off security breaches, avoid government intervention and escape, or at least limit, damages in a lawsuit.

Professor Radin, director of Stanford's Program on Law, Science and Technology, said in a telephone interview that companies need to begin taking seriously their potential legal liability for computer hacks. The vulnerability of businesses to distributed denial of service assaults is staggering, she said, citing a survey which found that more than one-third of respondents had experienced denial of service attacks. That figure, from the 2001 Computer Crime and Security Survey, conducted by the San Francisco-based Computer Security Institute, may be the tip of the iceberg because companies, fearful of bad publicity, often under-report attacks. Direct losses from denial of service attacks on Yahoo, eBay and others in February of last year have been estimated at $1.2 billion by the Yankee Group, a consulting company.

"E-commerce is not going to take off if customers fear it won't work in a pinch," Radin said.

Moreover, said Radin, federal and state laws aimed at individual hackers have shortcomings: Hackers are hard to trace and even when detected, are unlikely to have the deep pockets coveted by victims and their lawyers.

In the brokerage Web site attack scenario, a customer or a class of customers that suffered financial losses would sue the brokerage firm for damages, according to Radin. The firm, in its defense, might point to a section of its Terms of Service agreement with its customers. That fine print, no doubt, would have a clause clearing itself of liability.

But whether that defense would prevail is not clear, said Radin, particularly if a court finds the contract's terms to be oppressive or overly weighted toward the company, or if the contract's validity is in question due to questions over proper customer consent.

Also vulnerable to a negligence claim would be the network service providers and hosting companies, said Radin. There would be no contract defense for these companies to fall back on with respect to the broker's individual customers for the simple reason that there is no contract between them. On the other hand, the potential legal warfare between the brokerage and the network providers would likely proceed under the terms of their business contracts.

To determine whether the corporate defendants are negligent, courts will look at how any losses could have been prevented. "A court is going to say it is negligent of you not to implement preventative measures if they are reasonably effective and affordable," said Radin.

A jury will have to decide, in fact, if the company could have taken preventative measures, said Radin. Trials will, therefore, be a battle of expert witnesses, she predicted. But, she added: "I think as technology increases -- as easy fixes become available -- it's more likely that courts will be unsympathetic" to companies that have not done their utmost to block hacker invasions. That is particularly true with respect to the Internet service providers which are in the best position to take system-wide precautions, she said.

Meanwhile, Raul of Sidley Austin, which represents major communication companies and firms doing business online, said that his clients "either are, or ought to be" worried about their legal liability for malicious hacks or inadvertent glitches.

In his firm's paper, Raul and his colleagues said that companies can seek to manage their legal risks by adopting state-of-the-art security measures suggested by industry groups and supporting federal laws aimed at strengthening data security in the health and financial fields.

"Does a company have controls in place to prevent unauthorized access and careless release of data?" asked Raul. "Is the company training employees in information security?" Is it constantly assessing its vulnerability to intrusions or glitches? The answers are important because an aggressive plaintiffs' lawyer is sure to ask who was the person or unit responsible for data security. If the defendant offers a weak response, said Raul, it will look "really bad."

Copyright 2002 The New York Times Company

PRINCIPAL OFFICE: PHILADELPHIA
1900 Market Street, Philadelphia, PA 19103-3508
Tel: 215.665.2000 or 800.523.2900; Fax: 215.665.2013
For general information please contact: Joseph A. Gerber, Esq.

ATLANTA
Suite 2200, SunTrust Plaza, 303 Peachtree Street, NE, Atlanta, GA 30308-3264
Tel: 404.572.2000 or 800.890.1393; Fax: 404.572.2199
Contact: Samuel S. Woodhouse, III, Esq.

CHARLOTTE
Suite 2100, 301 South College Street, One Wachovia Center, Charlotte, NC 28202-6037
Tel: 704.376.3400 or 800.762.3575; Fax: 704.334.3351
Contact: Jay M. Goldstein, Esq.

CHERRY HILL
Suite 300, LibertyView, 457 Haddonfield Road, P.O. Box 5459, Cherry Hill, NJ 08002-2220
Tel: 856.910.5000 or 800.989.0499; Fax: 856.910.5075
Contact: Thomas McKay, III, Esq.

CHICAGO
Suite 1500, 222 South Riverside Plaza, Chicago, IL 60606-6000
Tel: 312.382.3100 or 877.992.6036; Fax: 312.382.8910
Contact: James I. Tarman, Esq.

DALLAS
2300 Bank One Center, 1717 Main Street, Dallas, TX 75201-7335
Tel: 214.462.3000 or 800.448.1207; Fax: 214.462.3299
Contact: Lawrence T. Bowman, Esq.

DENVER
707 17th Street, Suite 3100, Denver, CO 80202
Tel: 720.479.3900 or 877.467.0305; Fax: 720.479.3890
Contact: Brad W. Breslau, Esq.

HOUSTON
One Houston Center, 1221 McKinney, Suite 2900, Houston, TX 77010
Tel: 832.214.3900 or 800.448.8502; Fax: 832.214.3905
Contact: Joseph A. Ziemianski, Esq.

LAS VEGAS*
601 South Rancho, Suite 20, Las Vegas, NV 89106
Tel: 800.782.3366
Contact: Joseph Goldberg, Esq.
*Affiliated with the law offices of J. Goldberg and D. Grossman.

LOS ANGELES
Suite 2850, 777 South Figueroa Street, Los Angeles, CA 90017-5800
Tel: 213.892.7900 or 800.563.1027; Fax: 213.892.7999
Contact: Mark S. Roth, Esq.

LONDON
9th Floor, Fountain House, 130 Fenchurch Street, London, UK EC3M 5DJ
Tel: 011.44.20.7864.2000; Fax: 011.44.20.7864.2013
Contact: Richard F. Allen, Esq.

NEW YORK
45 Broadway Atrium, Suite 1600, New York, NY 10006-3792
Tel: 212.509.9400 or 800.437.7040; Fax: 212.509.9492
Contact: Michael J. Sommi, Esq.

909 Third Avenue, New York, NY 10022
Tel: 212.509.9400 or 800.437.7040; Fax: 212.207.4938
Contact: Michael J. Sommi, Esq.

NEWARK
Suite 1900, One Newark Center, 1085 Raymond Boulevard, Newark, NJ 07102-5211
Tel: 973.286.1200 or 888.200.9521; Fax: 973.242.2121
Contact: Kevin M. Haas, Esq.

SAN DIEGO
Suite 1610, 501 West Broadway, San Diego, CA 92101-3536
Tel: 619.234.1700 or 800.782.3366; Fax: 619.234.7831
Contact: Joann Setleck, Esq.

SAN FRANCISCO
Suite 2400, 425 California Street, San Francisco, CA 94104-2215
Tel: 415.617.6100 or 800.818.0165; Fax: 415.617.6101
Contact: Forrest Booth, Esq.

SEATTLE
Suite 5200, Washington Mutual Tower, 1201 Third Avenue, Seattle, WA 98101-3071
Tel: 206.340.1000 or 800.423.1950; Fax: 206.621.8783
Contact: Daniel Theveny, Esq.

TRENTON
144-B West State Street, Trenton, NJ 08608
Tel: 609.989.8620
Contact: Jeffrey L. Nash, Esq.

TORONTO
One Queen Street East, Suite 2000, Toronto, Ontario M5C 2W5
Tel: 416.361.3200 or 888.727.9948; Fax: 416.361.1405
Contact: Sheila McKinlay, Esq.

WASHINGTON, DC
Suite 500, 1667 K Street, NW, Washington, DC 20006-1605
Tel: 202.912.4800 or 800.540.1355; Fax: 202.912.4830
Contact: Barry Boss, Esq.

WEST CONSHOHOCKEN
Suite 400, 200 Four Falls Corporate Center, P.O. Box 800, West Conshohocken, PA 19428-0800
Tel: 610.941.5400 or 800.379.0695; Fax: 610.941.0711
Contact: Ross Weiss, Esq.

WICHITA
New England Financial Building, 8415 E. 21st Street North, Suite 220, Wichita, KS 67206-2909
Tel: 316.609.3380 or 866.698.0073; Fax: 316.634.3837
Contact: Kenneth R. Lang, Esq.

WILMINGTON
Suite 1400, Chase Manhattan Centre, 1201 North Market Street, Wilmington, DE 19801-1147
Tel: 302.295.2000 or 888.207.2440; Fax: 302.295.2013
Contact: Mark E. Felger, Esq.

PLEASE CONTACT ANY OF OUR OFFICES FOR ADDITIONAL INFORMATION OR VISIT US ONLINE AT WWW.COZEN.COM