Can I Get Busted For Someone Else's Cyber Attack? - Technologist
Technologist - The FindLaw Legal Technology Blog

Can I Get Busted For Someone Else's Cyber Attack?

FindLaw columnist Eric Sinrod writes regularly in this section on legal developments surrounding technology and the internet.

Businesses, governments, and individuals rightly are concerned about potentially becoming victims of Cyber crimes and attacks.

However, should there also be worry that the blame for such crimes and attacks could be directed to the innocent who had no intent and took no affirmative action in furtherance of evil deeds?

Maybe. Let's explore a hypothetical. Assume that a disgruntled Cyber terrorist on a remote mountain top wants to wreak havoc on a major commercial Web site.

Assume also that the terrorist launches a distributed denial of service attack on the major commercial Web site.

In an effort to cover his tracks, the terrorist routes the attack via an innocent third-party site. As a result, the major commercial site shuts down, after being relentlessly bombarded with packets of information, last emanating from the "zombie" third-party site, as originally triggered by the terrorist.

Naturally, the terrorist could have criminal and civil liability for the attack. But he may be difficult to track down, he could be overseas, and even if found, he may not have any financial resources to satisfy any legal judgment against him.

While the major commercial Web site might like to know that the terrorist will get put behind bars in prison. But the commercial site would want to be made whole financially. The shut down of its site caused business interruption to the tune of millions of dollars.

So, from whom can the major commercial Web site recover? The innocent third-party site?

Again, perhaps.

When these types of attacks were fairly unknown, they were not anticipated and foreseeable. But now, the major commercial Web site might argue that these types of attacks are known to be with us, and thus, Web sites not only have a duty to implement enough security measures to protect themselves from harm, but they also should do enough to make sure they are not the launching pad for attacks by others to others.

The commercial Web site would argue that what happened was foreseeable, and because the third-party site did not implement current security measures, it is liable under a negligence theory.

The third-party site would counter by pointing out that this particular attack was not foreseeable and that it has no independent to protect the commercial Web site. Who is right?

This is the stuff of litigation coming to a courtroom near you. The outcome in a given case would depend on the factual circumstances.

Eric Sinrod is a partner in the San Francisco office of Duane Morris LLP (http://www.duanemorris.com) where he focuses on litigation matters of various types, including information technology and intellectual property disputes.  His Web site is http://www.sinrodlaw.com and he can be reached at ejsinrod@duanemorris.com.  To receive a weekly email link to Mr. Sinrod's columns, please send an email to him with Subscribe in the Subject line. This column is prepared and published for informational purposes only and should not be construed as legal advice. The views expressed in this column are those of the author and do not necessarily reflect the views of the author's law firm or its individual partners.

Related Resources: