
Currently Skimming:

3 Liability for Unsecured Systems and Networks
Pages 35-60

The Chapter Skim interface presents what we've algorithmically identified as the most significant single chunk of text within every page in the chapter.


From page 35...
... There are no comparable regulations, however, that require entities to conform to any specific practices designed to promote critical infrastructure protection. Symposium participants differed on whether it would be more effective to target hackers and other perpetrators (for the intentional harm caused)
From page 36...
... Domestic Jurisdiction Congress has passed a number of laws related to computer crime.3 These laws are generally focused on hackers and other individuals who use computer networks for illegal purposes.4 This section provides a brief overview of the key computer crime laws.5 3 Many states also have computer crime laws that may affect critical information infrastructure protection. 4 Many of the attacks that occur today are the result of malicious or indifferent acts by individuals often referred to as "script kiddies."
From page 37...
... , the court found Morris liable for damages caused by his actions because he knowingly accessed a computer even if he did not intentionally cause harm.7 Although the CFAA does not include provisions for critical information infrastructure protection per se, it has played a major role in prohibiting and sanctioning cyberattacks.8 Congress has continued to amend the CFAA over the last several years to increase its effectiveness as the threat and technology have evolved.9 Electronic Communications Privacy Act The Electronic Communications Privacy Act of 1986 (ECPA; 18 U.S.C.
From page 38...
... The unlawful access to stored communications provision, like the CFAA, protects the critical information infrastructure by enabling the prosecution of individuals who attempt to halt the flow of information to or from electronic storage systems. Fraud and Related Activity in Connection with Access Devices Section 1029¹¹ in Title 18 of the U.S.
From page 39...
... ; increased information sharing; strengthened criminal laws against terrorism; and enhancements to the government's legal authorities to conduct electronic surveillance. International Jurisdiction The nature of modern communications, including the Internet, makes international cooperation in cybersecurity of increasing importance.
From page 40...
... Civil liability, he argues, is "essential to insure proper incentives to create an optimal computer crime strategy." Although tort-based liability with regard to CIP is not well developed at present, many experts believe that a few CIP-related liability suits could 18 Abraham D. Sofaer and Seymour E
From page 43...
... An important component of civil liability is that it would allow a victim to recover losses from third parties if such parties were negligent or engaged in intentional misconduct and such negligence or misconduct was the proximate cause of the loss. In the Internet environment, such third parties may be the only source of recovery,22 since criminal law offers no compensation to the victim if the computer criminal cannot be identified or is judgment-proof (a likely scenario given the anonymity of the Internet and the lack of financial 22 Civil lawsuits may be ineffective at recovering losses against third parties located outside the United States.
From page 44...
... Contract law is generally viewed as the only basis for bringing computer-related cases because other theories of liability are inapplicable for several reasons: (1) damages from computer crimes are almost always monetary, and courts have traditionally denied negligence claims for purely economic losses (see "Tort Law" section)
From page 45...
... It would also influence decisions about computing system development. As a consequence, the ability of tort law to motivate action on critical information infrastructure protection is one possible avenue to explore.
From page 46...
... As indicated in the cases set forth in Box 3.2, if a corporation (or service provider) knows or has reason to know that its computer networks are being used to cause harm, and it has the capacity to stop such harm from occurring, the corporation may be required to take action to avoid liability, especially if it derives a financial or other benefit from allowing its networks to be accessed by others.
From page 49...
... 2001. "Liability for Computer Glitches and Online Security Lapses," BNA Electronic Commerce Law Report, 6(31):849 and Erin E
From page 50...
... Consolidated Rail Corporation, the New Jersey Supreme Court concluded that "a defendant who has breached his duty of care to avoid the risk of economic injury to particularly foreseeable plaintiffs may be held liable for actual economic losses that are proximately caused by its breach of duty."36 Similarly, if a court found that the likelihood of misconduct on networks was so great, the fact of the "intervening" criminal act would not necessarily be sufficient to break the chain of causation. Standards and Best Practices As a motivating factor for industry to adopt best practices, tort law can be a significant complement to standard-setting, because compliance with industry-wide standards is usually an acceptable demonstration of due care.
From page 51...
... The Health Insurance Portability and Accountability Act outlines the responsibilities that health care providers and insurers have with respect to security measures to protect electronic information. 39 For example, the government recently announced that it was creating a security seal of approval that consists of a set of software standards that all DoD computers must meet.
From page 52...
... . Moreover, any improvement in network security achieved through a liability regime also could result in increased corporate liability for failing to follow sound information security procedures, even when data, systems, and networks are not actually put at risk.
From page 53...
... . The committee has found it useful to examine the potential duty owed by a few key players: Internet service providers, vendors, universities and colleges, and individual users (see Box 3.3).
From page 56...
... Broadly speaking, regulation that may relate to CIIP could come from any combination of four imperatives: efficient economic conduct, national security, public health and safety, and consumer protection. The purpose of economic regulation is to control ... The Administrative Procedures Act defines the processes for rule-making followed by various agencies.
From page 57...
... An entirely different category of regulation, consumer protection regulation, also contributes to CIIP, albeit indirectly, because such regulations target major users or suppliers of the critical information infrastructure. For example, the Gramm-Leach-Bliley (GLB)
From page 58...
... Institutions that fail to comply could face potential FTC enforcement actions and potential liability under state consumer protection laws or common law claims (such as negligence).46 Recent FTC settlements47 have established "reasonable security" as a written, comprehensive information security program that (1)
From page 59...
... Semancik, director of the Laboratory for Telecommunications Sciences at the National Security Agency, suggests that if we believe it is crucial that a company be up and operating for the sake of the country, then perhaps that company should be required to disclose the steps it is taking so the public can verify that the company is fulfilling its fiduciary responsibility. Consumer protection is also the umbrella under which regulation of product quality falls.
From page 60...
... Hank Perritt, CSTB member and dean and professor of law at Illinois Institute of Technology, Chicago-Kent College of Law, suggests that regulation is really about a fundamental choice: whether the need for a robust, reliable, critical information infrastructure is better met by a highly centralized approach, the model for which is AT&T as it existed in 1965, or whether it is better served by a highly decentralized and very market-oriented and loosely regulated approach (such as is exemplified by the Internet).54 Given how the economy and the information infrastructure have evolved, we have a decentralized system today.


This material may be derived from roughly machine-read images, and so is provided only to facilitate research.