Hotmail Incident sparks 'Downstream Liability'
London, UK, 09:30 GMT 2nd September 1999 - The Hotmail incident of 30th
August, which compromised the privacy of over 40 Million e-mail users, has highlighted
a much bigger and escalating problem - Downstream Liability, which
is the real possibility of litigation arising from customers and businesses
that have bought a product or a service from a vendor in good faith and have
surrendered personal and financial information about themselves for a declared
The e-mail privacy threat is just one issue. The multi-billion Dollar retail
e-commerce market is about on-line shopping, banking and share dealing. Where
there are on-line deposits being taken of millions of credit card numbers or
complete medical histories and personal details are being stored for the sale
of insurance products and other personal goods, the subject of Downstream
Liability takes on a much more stark dimension.
Asset or Liability?
Most on-line businesses have been incurring losses in their pursuit of member
database assets collected from loyal users. In at least 250 on-line businesses
world wide the number of members surrendering personal, medical or financial
details exceeds five million. The cost of servicing data piracy or financial
losses law suits from such a large number of individuals may prove to be overwhelming
for even some of the most established on-line brand names. For example, if one
of these firms had to compensate each one of their members for loss of privacy
or other damages the total cost could amount to Billions of Dollars. Previously
data piracy issues involved smaller scale theft because it is physically not
feasible to pirate several million paper records, without being noticed over
"What we are seeing at present is an unprofessional
approach to on-line security and privacy. Every time there is a nick or a cut
the vendor simply applies an electronic equivalent of an 'elasto-plaster'. We
will continue to see this approach of temporary soft patching until the day
that major lawsuits start hitting on-line businesses. Thereafter the commitment
to bespoke security architecture will become common place",
said DK Matai, Managing Director of mi2g software.
New Software Products
The internet has created a 'gold rush' to bring new software products to market
in just a few months, most of them with large security holes like Swiss cheese.
Over 1,700 serious on-line security breaches with potential Downstream
Liability consequences have been monitored by mi2g software in
the first half of 1999. This figure is likely to exceed 3,000 by the end of
Even though software applications and operating systems can be re-designed
at an architectural level to be more secure, with some of the obvious holes
plugged, they are not being developed from scratch with security as the focus
because of cost reasons. The extra time and cost of security has been ignored
by company directors against making a profit as soon as possible.
Expert Legal View
"Directors must realise that their standard
terms of contract may not prevent their company from being liable for these
security breaches. Those terms may be void, unenforceable or ineffective, particularly
in the countries where the problem causes damage. This is a global problem which
cannot be swept under the broad carpet of US law", said Larry
Cohen, Head of Intellectual Property at Hammond Suddards, a leading UK law firm.
Bespoke Security Architecture
Other than the issue of correct legal advice, the answer to most dynamic security
problems that regularly afflict businesses lies in a properly funded bespoke
security architecture to which the board of directors commits itself completely
at the design stage or major upgrade stage. There must be continuous and adaptive
prevention rather than incidental cure of hacker or virus breach. A bespoke
security architecture coupled with operating environment diversity ensures business
continuity even when trading under the threat of non-stop Cyber Attack on one
dominant operating system.
1. This is an issue with international ramifications. Data protection across
the EU is being harmonised, and the directives are in place. Businesses need
to ensure that their approach is consistent across Europe. Meanwhile, the US
is relying on self regulation, and with a prohibition on the transfer of computer
data outside the EU becoming imminent, internal data transfer checks will have
to be constructed by multi-nationals. Directors will have to be careful to ensure
that EU data protection laws are not circumvented by inadvertent transfer due
to lax procedures in the USA.
2. Cyber Warfare is when individuals acting via the internet or through viruses
malevolently attack industry, business, social utilities and national security
with an intent to cause disruption or damage. Such individuals need only a relatively
simple computer capability to make such Cyber Attacks highly effective. mi2g
successfully predicted the Cyber Attack to businesses, governments and financial
markets in early January, which was brought home during the recent NATO-Serbia
Cyber War between March and early June.
3. The total cost of servicing Cyber Warfare incidents world wide is likely
to exceed $20 Billion in 1999 according to mi2g. In the last seven months,
there have been three major virus attacks and several full scale Cyber Attacks.
Melissa in March, Chernobyl in April and the fatal ExploreZip in June cost corporations
huge unplanned and unbudgeted resources. The cost of disabled computers and
their down time through each major worldwide Cyber Warfare incident is already
exceeding $2.5 Billion.
4. Hammond Suddards is one of the UK's largest commercial law firms. Larry
Cohen, as Head of Intellectual Property at Hammond Suddards leads a team of
legal experts in Internet practice and e-commerce issues. Recently, he has been
actively engaged in the campaign against Genetically Modified (GM) crop protesters,
many of whom take an anarchist viewpoint and some of whom the Police believe
were involved in the organisation of the Stop the City protest on June 18. These
organisations have been using the Internet as their means of communication in
order to co-ordinate protesters against the planting of GM foods and other genetically
modified crops, while relying on Civil Liberties to try to prevent their own
Cyber secrets being disclosed under court order.
5. mi2g software (www.mi2g.com) is a Central London based R&D focussed
e-commerce technology enterprise that has already developed the main components
to become a world-class player in secure e-commerce trading, broking and banking.
mi2g pioneered the concept of secure internet lounges - industry specific
portals - in early 1996.