The Legal Risks of Computer Pests and Hacker Tools
By Benjamin Wright, J.D.
Published in Password, the ISSA Magazine, February 2002
Computer pests are a liability. They are malicious programs, propagated throughout the Internet, that go beyond typical viruses. Corporations and government agencies with sites on the Internet that fail to rid themselves of them invite legal risk and public embarrassment. Although many network managers don't think about it, recent legislation and judicial opinions lean towards emphasizing that managers have a legal responsibility to police what is happening within their computer systems. As computer systems assume an ever-larger role in modern society, the trend in the legal system is to hold the custodians of those systems accountable for security. The person enforcing that accountability might be a regulator, a shareholder, an employee, a customer or anyone - including a fellow corporate resident of the Internet - who suffers on account of lax security.
What are Computer Pests?
Computer pests are a large and growing class of miscreant computer code that is different from mere viruses. They include trojan horses, spyware, hacker tools (such as password crackers, network sniffers and keystroke loggers), remote administration tools, and tools used in distributed denial of service (DDoS) attacks. They are hidden, uninvited computer programs that reside like parasites on an information system. A computer pest might be the instrument of hacking, covert data gathering, vandalism, cyber-terrorism, commercial espionage, or employee sabotage. Because anti-virus software normally does not detect or remove them, and because most users mistakenly trust their anti-virus software to deal with all malicious code, most pests go undetected. Software to remove pests does exist, however, and due diligence would suggest that users run such software for system hygiene.
Vicarious Liability
One of the greatest liability risks from computer pests comes when crooks take advantage of someone else's computer facility to cause harm to others. The law might hold an organization vicariously accountable for the actions or consequences of a malicious person who executes a computer pest through the organization's information resources. In AT&T v. Jiffy Lube International, 4 CCH Computer Cases para. 46,845 (U.S. Dist. Ct. Md. 1993), a corporate telecommunications customer, Jiffy Lube International, was held liable for long distance telephone charges run up by hackers. Using PCs, the hackers dialed into Jiffy Lube's PBX system, broke the password that allowed callers to access it remotely, and placed a flood of long distance calls, running up almost $56,000 in charges. The court said Jiffy Lube "created the vehicle and mechanism by which those long distance calls became possible. But for Jiffy Lube's installation of a telephone system with a remote access feature, the disputed calls could not have been made." In some cases it might appear the owner of an information system condones or at least tolerates harmful computer activity. A court injunction practically put Napster, the peer-to-peer music service, out of business, forbidding it from continuing to tolerate and contribute to copyright infringement. Even though Napster was not actually transmitting pirated data, it helped copyright infringers meet each other so they could transmit pirated music over the Internet. Infringement was not Napster's stated purpose, but it was the practical effect of what was happening, and the court refused to tolerate it (A&M Records, Inc. v. Napster, Inc., 239 F.3d 1004 (9th Cir. 2001)). Napster was similar to a company that tolerates pests on its information systems knowing they might be used to hurt someone else.
A computer pest might be a hacker tool planted by a company's own employee to enable him to hack into other sites, thus possibly exposing the company to liability. In May 2000, the operator of a financial web site, Wall Street Source, sued a competitor, IPO.com, when one of its employees allegedly used a stolen password to access Wall Street Source's site and alter or falsify information, seeking $800,000 in actual damages and $5 million in punitive damages ("Wall Street Source Sues IPO.com Alleging Employee Hacked Web Site," Cyberspace Lawyer, June 2000, vol. 5, no. 4 at 25).
Alternatively, a computer pest could be a Trojan horse or other malicious software, which would damage a corporate computer system and prevent it, for example, from serving the corporation's customers as promised. That could make the operator of a computer service liable to customers for poor service.
Negligence
Even if it did not condone or know about the pest, an organization hosting it might be liable for negligence. Under negligence law, a person is normally required to exercise reasonable care not to cause foreseeable injury to someone else. A DDoS attack can be caused by a particularly potent type of pest on the Internet. Litigation surrounding related types of dangers suggests a DDoS victim can successfully make the case that it is entitled to compensation from a negligent Internet administrator who allows his facilities to be used as an instrument for launching an attack (see "Distributed Denial of Service Attacks: Who Pays?" by Margaret Jane Radin, www.mazunet-works.com/radin-toc.html). eBay v. Bidder's Edge, 100 F. Supp. 2d 1058 (N.D. Cal. 2000), resembles DDoS. The victim company (eBay) was entitled to an injunction against another company (Bidder's Edge) that had used a robot data gathering program against the victim, thereby robbing it of bandwidth and optimum system performance. In Computer Tool & Engineering v. Northern States Power, 2 CCH Computer Cases para. 46,282 (Minn. Ct. of App. 1990), a telephone company that accidentally severed an underground power line was held liable to a computer owner for causing a power surge that damaged the computer. Is the damage from DDoS attacks foreseeable? A case can be made that it is. DDoS attacks have become so famous that all responsible Internet administrators know they are a threat, and can foresee that if their facilities are hosts to DDoS tools, they can cause injury to whomever the culprit targets. In February 2000 DDoS attacks broadsided such popular sites as Yahoo!, Amazon, CNN and eBay.
Regulators Demand Security
A computer pest also can be an espionage tool, helping a snoop steal personal or sensitive customer information, like credit card or social security numbers. The presence of snooping and other pests can precipitate sanctions by government regulators. US financial institutions, including banks, insurance companies and securities firms, as well as their subsidiaries and service providers, are subject to new information security regulations under the Gramm-Leach-Bliley Financial Services Modernization Act. The regulations are designed to promote the confidentiality and integrity of customer data. The regulations have been adopted by a host of government agencies that oversee financial institutions. They require institutions to assess risks to private customer data and take measures to control those risks. The risks could include the introduction of computer pests that allow vandals to access or abuse personal data. Regulatory examiners will be monitoring institutions for compliance, and shortcomings can lead to sanctions. The OCC has also formally advised banks to safeguard themselves from cyber-terrorist threats, saying it expects banks "to protect the integrity, confidentiality, and availability of their information resources" (OCC Bulletin 99-9, March 5, 1999, www.occ.treas.gov/ftp/bulletin/99%2D9.txt). This means banks must not tolerate pests on their systems. Not only will financial regulators act against a financial institution; they will also punish a computer service bureau, which provides support services for banks, for failing to maintain internal control over its computer systems (Comptroller of the Currency, Admr. of Nat'l Banks, Cease and Desist Order Entered Against National Bank EDP Provider (Apr. 30, 1985) [1984-85 Transfer Binder] Fed. Bank L. Rep. (CCH) para. 86,238).
Similarly, new regulations 45 CFR Parts 160 and 164 under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) obligate healthcare institutions to institute security measures over patient information so it remains confidential. If an institution falls short on this obligation it could be subject to civil monetary penalties (www.hhs.gov/ocr/hippa/). Also, a growing number of American corporations are signing on to the EU-US Safe Harbor relating to the protection of private data collected about people in the European Union. Under the Safe Harbor's fourth principle, organizations collecting personal data must take reasonable precautions (which would include actions against pests) to guard against the loss, misuse or unauthorized access to or disclosure of the data.
Negative Public Pressure and Publicity
Even where legal action may not be possible, damage from computer pests attracts the public spotlight. Attention from law enforcement and the media may be more than enough reprimand for an Internet administrator to wish she had taken security more seriously. The University of Washington Medical Center was pilloried in the media when a hacker uncovered thousands of its electronic patient records ("Hacker Accesses Patient Records," Washington Post (12/09/00) p. E1; O'Harrow, Robert Jr.; G. Farrell, "Medical Records Particularly Vulnerable to ID Theft," USA Today, Dec. 12, 2000, 3B). Western Union was blushing when hackers stole 15,700 customer credit and debit card numbers from its web site (M. Rafter, "Under Siege," The Industry Standard, Dec. 11, 2000, p. 162, 166). In Finland, the operator of an anonymous Internet re-mailer shut down his system under pressure from the Finnish police even though it was not clear the operator had violated any particular Finnish law. The service, which forwarded millions of messages a day in a way that hid the identities of the original senders, was accused of facilitating distribution of child pornography (European Developments, Finland, Cyberspace Lawyer, Dec. 1996, vol. 1, no. 9, at 23).
SEC Enforcement Action Against Public Companies
Securities laws require companies to maintain control over their assets and information systems, which by implication means companies must rid themselves of vermin like computer pests. The portions of the Securities Exchange Act of 1934 known as the Foreign Corrupt Practices Act require that publicly owned companies protect their assets and maintain internal control over assets (15 U.S.C. Section 78m(b)(2)(A) et seq.). The Securities and Exchange Commission routinely brings actions against companies for wasting assets and maintaining lax internal controls, such as in computer systems. In SEC v. National Business Communications Corp. the SEC charged that the company failed to protect its computers from unauthorized access (SEC Litig. Release No. 11223, Sept. 19, 1986 and SEC Litig. Release No. 11229, Sept. 26, 1986). Similarly, the SEC took action against Material Sciences Corporation for failing to protect its inventory management computer system from access and abuse by unauthorized people ("MSC's computer system...lacked safeguards to prevent inappropriate manual computer entry of general ledger information." In the Matter of Material Sciences Corporation, Securities Exchange Act 1934, Release No. 41930, Sept. 28, 1999).
Management Liability to Shareholders
Information resources are among a corporation's most valuable assets, and management has a fiduciary duty to preserve those assets from wasting and abuse, such as from hackers and pests. If management is sufficiently negligent in stewarding the assets, it can be liable in damages to shareholders. Although the so-called business judgment rule often protects officers and directors from liability for negligence, shareholders can overcome that protection in extreme cases.
Conclusion
The penalties for computer pests are more than sufficient motivation for companies to avoid them. You are at risk if you set yourself up to be an instrument of someone else's illegal software. As a class, computer pests are only in their infancy today, but you can expect them to become more common, more disruptive, and far more numerous.
(Benjamin Wright is a Dallas, Texas-based attorney and founding author of the book The Law of Electronic Commerce. For more of his writing on pests, see http://www.safersite.com.)