(Bear with me for a minute...) Historically, most US business law turns on the actions of a 'reasonable man'. If a reasonable man would (or would not) do thus-and-such, then if the plaintiff didn't (or did) do thus-and-such, s/he should be liable for the results of not taking (or taking) this action.
(It's actually still true today, except that the standards for 'reasonable man' have devolved to the IQ of an amoeba.)

Say for example, you design a computer peripheral - maybe a joy stick - and choose to use the industry standard 110v plug for the connection to the computer (they're available cheap and you can undercut the competition by 3 cents). Until somebody plugs the joy stick into a 110v socket and gets electrocuted. Absent any warning to the contrary, a lawyer could probably convince the jury that the manufacturer failed the 'reasonable man' standard. "Ladies and Gentlemen of the Jury, I submit that it LOOKS like a normal plug, how could the poor deceased plaintiff have known NOT TO PLUG THIS IN THE WALL?" If you hang a big tag on the plug that says "DO NOT PLUG INTO A WALL SOCKET", well, maybe you'll win and maybe you'll lose. The 'IT LOOKS LIKE A WALL PLUG' argument is still pretty strong. So, if it doesn't go into the wall, you don't make it look like that kind of plug. That's the 'reasonable man' theory applied to real products.

So, what happens if somebody breaks into a computer system, steals personal data and makes use of it? AFAIK, this hasn't been litigated in the area of computer systems exposed to end users (such as a web site). That might - if you had really, really deep pockets and a really, really smart lawyer - be a very interesting legal case. It would be a tough sell, to teach a jury enough about the 'standards' of the industry so that they could apply the 'reasonable man' theory. It's much easier to scare them with the bogey-man of 'identity theft'. But if you wanted to try to go that extra mile, then posts like our thread here, about what's reasonable protection in the case of this type of personal information, would be of interest to the lawyers trying to demonstrate the presence or absence of reasonable care to that reasonable man on the jury. Yeah, I know I'm spitting to windward here.
They're gonna get the data anyway (or I can't board the ship), they'll probably stuff it into the same backend database and all I can do is hope that it's reasonably secure. BUT: The time to complain is when they start to move the strike zone, not when you realize years later that it's disappeared. So, at a minimum, in the world of data protection and security, I'm gonna call 'em bad when I sees 'em as bad...

-----Burton

(NB: I'm not a lawyer, so this free advice and opinion is worth what you paid for it.)
(No electrons were created or destroyed in the course of this pontification)

-----Original Message-----
From: Meritt James [mailto:[EMAIL PROTECTED]
Sent: Tuesday, July 29, 2003 10:11 AM
To: [EMAIL PROTECTED]
Cc: Burton M. Strauss III; Security-Basics
Subject: Re: Privacy Policy - we don't need no 'stinking privacy

What do you think has kept James Bond in martini cash all of these years? Espionage has a long, long history. Welcome to physical security.

[EMAIL PROTECTED] wrote:
>
> What if someone breaks into their site and steals your information? Might
> you sue them? I think they, as a business, need to cover such
> possibilities and so have to state it on their site.

--
James W. Meritt CISSP, CISA
Booz | Allen | Hamilton
phone: (410) 684-6566