Legal Recourse for Denial of Service
With online commerce exploding, opportunities for computer crime and related damages also increase. Earlier this year, several giant e-commerce sites reported attacks that made their sites inaccessible. All spend a significant amount of money on security. People are asking what went wrong and whether laws protect against such attacks.
Denial of service attacks. These distributed denial of service attacks occurred when hackers broke into hundreds of other people's computers and used those computers to bombard the target sites with streams of information over the Internet. This resulted in service interruptions and lost revenues for the target sites, not to mention a blow to consumer and business confidence for online commerce.
Federal and state law. Numerous federal and state laws apply to hackers engaged in these destructive acts. Computer crime statutes prohibit unauthorized access to and use of a computer, and also prohibit unlawfully denying another person access to a computer, as happened in these attacks. Laws also make it illegal to use a computer to commit crimes.
For example, under federal law, the Computer Fraud and Abuse Act prohibits unauthorized access to computers and networks. It also can be used to prosecute someone who causes the transmission of information, software or a command to intentionally cause damage.
The act has been applied in cases involving the Melissa virus author, as well as notorious hacker Kevin Mitnick. Criminal penalties vary, but typically include a fine and a prison term of up to 20 years. The act also provides for restitution and civil causes of action in order to compensate the victim.
Many states have enacted laws to prohibit the use of computers to fraudulently obtain money, services or property. This includes situations in which a person uses a computer or computer network without authorization and with the intent to damage another person.
Florida was the first state to enact a computer crime statute. The state law makes it a crime to interfere with and deny another person's access to a computer. If the act is done to defraud or obtain property of any kind, the offender is guilty of a felony. Other state laws usually applied in the offline world, such as trespassing and fraud, may also apply.
Investigations and enforcement. For most small businesses, pursuing civil remedies against hackers will be cost-prohibitive and unsuccessful. The law relating to computer security breaches and damages is still developing and varies in different states and countries.
Recently, Attorney General Janet Reno said the FBI has initiated a federal investigation into the matters. "We are committed in every way possible to tracking down those who are responsible," she said. Since e-commerce is interstate, interference with e-commerce was justification to give the FBI authority to proceed.
The involvement of the FBI is critical. The Internet is global and decentralized, which makes it easy for attackers to cover their tracks.
From a practical perspective, it is extremely difficult to locate a hacker. Even with forensic computer techniques, tracking Internet criminals requires an unusual amount of cooperation among Internet service providers, businesses, security experts, governments and other law enforcement agencies.
Moreover, the attackers may not be in the United States. If the FBI finds that the attacker is in another country, persuading that country to allow the United States to extradite the hacker, or else enforce a judgment against the defendant in the foreign country, raises other complex international legal issues.
Prevention and deterrence. The exchange and storage of information over the Internet is generally insecure. Security is an issue that requires technological solutions and legal responses from all levels of online businesses.
Although there has been progress, break-ins of different forms will continue. Some hackers will steal money and information, and others will simply act maliciously.
Prevention is important. Generally, technical problems require technical solutions. In addition, for most online businesses, a good legal audit will include a review of Web site hosting agreements and software. Give particular attention to warranty provisions and limitations on liability.
Companies probably have the duty to act reasonably and with at least the standard of care accepted by other companies similarly situated in the industry. Talk to Web hosting companies and security consultants and discuss options, such as firewalls and more advanced solutions.
Most Web sites should also have a Terms and Conditions of Use Policy, clearly stating the conditions for visitors to access and use the Web site. If a visitor violates that policy, access rights should terminate immediately. Money damages may not be sufficient, and a court order enjoining the acts might be the best remedy. Furthermore, let visitors know the degree of security provided on the site and address limitations of liability for interruptions of service.
Evolving law and technology. In the final analysis, security breaches such as those experienced recently cost companies millions in lost revenues. These costs are incurred even when the breach results only in interrupted service and not theft of credit card or customer data. Highly publicized security problems also lower confidence in e-business solutions.
The doomsayers are convinced the attacks prove that even giant e-commerce sites are weak on security, and that e-commerce must be doomed to fail. The irony, however, is that the problems were not at the target sites. The problems resulted from intrusions into other computer systems, which were accessed through the Internet and used in the attacks.
The Internet's interconnected design is its beauty and its curse. All businesses connected to the Internet, big and small, need to address security and take preventive actions.
Laws related to online security must evolve quickly and need to be enforced. For this reason, the FBI's investigation of the recent attacks is a crucial response in the new Internet economy.
The enforcement of criminal laws, along with the development of new legal and technical initiatives, can deter destructive online attacks. Often companies cannot be steps ahead of savvy hackers. The challenge is to keep technology and the law at least close on their heels.