Hotmail Incident sparks 'Downstream Liability' concerns

press release

London, UK, 09:30 GMT 2nd September 1999 - The Hotmail incident of 30th August, which compromised the privacy of over 40 Million e-mail users, has highlighted a much bigger and escalating problem - Downstream Liability. This is the real possibility of litigation from customers and businesses that have bought a product or service from a vendor in good faith, and have surrendered personal and financial information about themselves for a declared purpose only.

The e-mail privacy threat is just one issue. The multi-billion Dollar retail e-commerce market is about on-line shopping, banking and share dealing. Where millions of credit card numbers are being taken as on-line deposits, or complete medical histories and personal details are being stored for the sale of insurance products and other personal goods, the subject of Downstream Liability takes on a much starker dimension.

Asset or Liability?
Most on-line businesses have been incurring losses in their pursuit of member database assets collected from loyal users. In at least 250 on-line businesses world wide, the number of members surrendering personal, medical or financial details exceeds five million. The cost of servicing data piracy or financial loss law suits from such a large number of individuals may prove overwhelming for even some of the most established on-line brand names. For example, if one of these firms had to compensate each of its members for loss of privacy or other damages, the total cost could amount to Billions of Dollars. Previously, data piracy involved smaller scale theft, because it is physically not feasible to pirate several million paper records without being noticed over time.

Unprofessional Approach
"What we are seeing at present is an unprofessional approach to on-line security and privacy. Every time there is a nick or a cut the vendor simply applies an electronic equivalent of an 'elasto-plaster'. We will continue to see this approach of temporary soft patching until the day that major lawsuits start hitting on-line businesses. Thereafter the commitment to bespoke security architecture will become commonplace", said DK Matai, Managing Director of mi2g software.

New Software Products
The internet has created a 'gold rush' to bring new software products to market in just a few months, most of them riddled with security holes like Swiss cheese. Over 1,700 serious on-line security breaches with potential Downstream Liability consequences were monitored by mi2g software in the first half of 1999. This figure is likely to exceed 3,000 by the end of this year.

Even though software applications and operating systems can be re-designed at an architectural level to be more secure, with some of the obvious holes plugged, they are not being developed from scratch with security as the focus, for cost reasons. Company directors have set aside the extra time and cost of security in favour of making a profit as soon as possible.

Expert Legal View
"Directors must realise that their standard terms of contract may not prevent their company from being liable for these security breaches. Those terms may be void, unenforceable or ineffective, particularly in the countries where the problem causes damage. This is a global problem which cannot be swept under the broad carpet of US law", said Larry Cohen, Head of Intellectual Property at Hammond Suddards, a leading UK law firm.

Bespoke Security Architecture
Other than the issue of correct legal advice, the answer to most of the dynamic security problems that regularly afflict businesses lies in a properly funded bespoke security architecture, to which the board of directors commits itself completely at the design stage or at a major upgrade stage. There must be continuous and adaptive prevention rather than incidental cure of breaches by hackers or viruses. A bespoke security architecture coupled with operating environment diversity ensures business continuity even when trading under the threat of non-stop Cyber Attack on one dominant operating system.


Editor's Notes:

1. This is an issue with international ramifications. Data protection across the EU is being harmonised, and the directives are in place. Businesses need to ensure that their approach is consistent across Europe. Meanwhile, the US is relying on self-regulation, and with a prohibition on the transfer of computer data outside the EU becoming imminent, multi-nationals will have to construct internal data transfer checks. Directors will have to be careful to ensure that EU data protection laws are not circumvented by inadvertent transfers due to lax procedures in the USA.

2. Cyber Warfare is when individuals acting via the internet or through viruses malevolently attack industry, business, social utilities and national security with an intent to cause disruption or damage. Such individuals need only a relatively simple computer capability to make such Cyber Attacks highly effective. mi2g successfully predicted the Cyber Attacks on businesses, governments and financial markets in early January, which was brought home during the recent NATO-Serbia Cyber War between March and early June.

3. The total cost of servicing Cyber Warfare incidents world wide is likely to exceed $20 Billion in 1999, according to mi2g. In the last seven months there have been three major virus attacks and several full scale Cyber Attacks. Melissa in March, Chernobyl in April and the fatal ExploreZip in June cost corporations huge unplanned and unbudgeted resources. The cost of disabled computers and their down time through each major worldwide Cyber Warfare incident already exceeds $2.5 Billion.

4. Hammond Suddards is one of the UK's largest commercial law firms. Larry Cohen, as Head of Intellectual Property at Hammond Suddards, leads a team of legal experts in Internet practice and e-commerce issues. Recently, he has been actively engaged in the campaign against Genetically Modified (GM) crop protesters, many of whom take an anarchist viewpoint and some of whom the Police believe were involved in organising the Stop the City protest on June 18. These organisations have been using the Internet as their means of communication to co-ordinate protesters against the planting of GM foods and other genetically modified crops, while relying on Civil Liberties to try to prevent their own Cyber secrets from being disclosed under court order.

5. mi2g software (www.mi2g.com) is a Central London based, R&D focussed e-commerce technology enterprise that has already developed the main components needed to become a world-class player in secure e-commerce trading, broking and banking. mi2g pioneered the concept of secure internet lounges - industry specific portals - in early 1996.
