Requiring Foresight

I’m beginning my summer class in the Infosec program at James Madison University. The class is on Policy, Ethics and the Law in Cyberspace. I’m sure my opinions on this will change over the coming weeks, but since I saw a related article over at CSO Online, I figured I’d post this now. I can always post updates later.
One of our assigned readings for this week is the T.J. Hooper case of 1931. Two tugboats were hauling barges of coal from Hampton Roads, Virginia to New York. During the trip a storm came up and the last barge in each tow sank. The other side argued that 90% of tugboats were equipped with radios to receive the weather forecast, and that if these operators had received the forecast they would have taken refuge. The court held that although a weather radio was required neither by law nor by maritime code, it was a best practice for the industry. Because the operator failed to follow that practice, the tug was liable.
You might ask why we are studying maritime law in a cyberlaw class. I suspect part of it has to do with the professor’s predilection for sailing. 🙂 But the lesson carries over: if we can be found at fault for incidents caused by our failure to follow industry best practices, we need to be able to prove the steps we have taken to protect our systems.
While reading the Hooper case, I found an article over at CSO Online called A Foreseeable Future. The article states that in cases related to 9/11, courts have held terrorism to be a foreseeable threat. I would imagine that how far that decision applies depends on your company’s exposure to terrorist threats. An airline clearly knows it is exposed; why else do we have screenings? The World Trade Center was clearly on notice after the first attack, the 1993 truck bombing. Where I work probably doesn’t face the same mandate.
However, this is still an important decision for us I.T. folk. CSO Online states: “typically a criminal act severs the liability of the defendant, but that doctrine has no application when the [action] is foreseeable.” In other words, the fact that an attacker committed a crime does not by itself shield you from liability for the resulting damage if the attack was of a kind you should have anticipated.
The article illustrates this with a case involving Verizon and the Maine Public Utilities Commission. Verizon argued that it was excused from meeting its SLA because it had been victimized by the SQL Slammer worm. The commission ruled that:
1. Security patches are foreseeable; they are released every month.
2. A reasonable operator patches its systems (competitors AT&T and WorldCom did patch successfully).
3. Verizon is accountable for the damage caused by its failure to patch.
I always wonder just who it is that establishes these best practices. To protect ourselves from an adverse judgment, we need to be able to prove in court that we follow them. The article’s second recommendation is that we pursue cyberinsurance (which will likely require first proving that your company follows best practices).