A LURKING PROBLEM FOR BUSINESS

For the Internet to deliver its full economic benefit, organizations and individuals need to feel confident about its reliability. “Netjacking” — the Internet’s susceptibility to manipulation and attack by mischievous or malicious intruders — is undermining this confidence. Distributed Denial of Service (DDoS) attacks are perhaps the most virulent form of netjacking because they jam servers and network infrastructure in a way that is hard to stop and prevents organizations and users from conducting important business. Estimated losses from well-publicized attacks on high-profile Web sites in February 2000 totaled $1.2 billion. Loss of customer goodwill, corporate reputation and public trust in the online economy were even greater. Unfortunately, any application or service that runs over Internet Protocol (IP) networks is potentially at risk, including the wave of new applications for cell phones and other mobile devices.

The wide-ranging impact of the attacks makes DDoS everyone’s problem. What’s unclear is who bears responsibility for solving the problem, a question that is likely to be legally tested in the very near future. Who is most capable of taking effective precautions to prevent or diminish the incidence of DDoS attacks? And who will be subject to legal liability in the event of damage from such attacks? The two questions are closely linked, because the firms most capable of taking effective precautions are most likely those on whom courts will impose liability if they do not take such precautions. Impacted parties include ISPs, hosting providers, and other network service providers (NSPs), as well as operators of portals, commercial Web sites, and corporate applications and commercial services delivered over the Internet (subsequently referred to as “victims”).

Businesses dependent on the Internet for revenue and reputation should be cognizant of the evolving issues surrounding DDoS liability and put in place proactive strategies to mitigate risks. In other words, they don’t want to wait for legal actions or legislation to force their hand. This paper examines the tort liability risks, related issues and potential business response.

DDOS AND TORT LIABILITY

In the case of a customer suing its network service provider, and in the case of users suing a victim site (an online brokerage firm, for example), DDoS attacks and the type of damage they cause seem reasonably foreseeable. Thus, traditional tort law principles could result in liability for negligence. However, it is important to keep in mind that the contract between the parties governs these kinds of cases.

If there is no contract between the parties — such as between a victim site’s customers and its network service provider or Web hosting provider — the situation is less clear. The courts have sometimes rejected liability of third-party defendants where the level of risk or ability to anticipate the risk exposure was disproportionate to the party’s role. Courts have also limited third-party liability by excluding damages for merely “economic” loss, as opposed to damages for physical injuries to person or property. Of course, victims could overcome this defense by characterizing DDoS attacks as property damage. Recent cases involving spam and data-gathering have considered receipt of unwanted messages to be a physical harm to a victim’s system, and not mere “economic” loss.

CAN ISPS AND NSPS CLAIM IMMUNITY FROM TORT LIABILITY?

Network service providers may argue that as mere conduits of messages it is inappropriate to place any liabilities on them. This argument is not convincing. Courts have not hesitated to place liability on service providers in other contexts. Recent decisions on ISP liability (or the lack thereof) in the case of defamation and copyright infringement do not apply to DDoS attacks.

RISK MANAGEMENT BY CONTRACT: WILL IT WORK?

Network service providers may try to force their customers to take adequate precautions as a condition of providing service, using contracts that require the customer to implement specific precautions. Whether or not this strategy will work depends on the market; customers may not accept such contracts if less onerous ones are available from competitors.

Network service providers may also try to force customers to take on liability themselves by using contracts that disclaim liability on the part of the service provider. Such contractual disclaimers are not always legally effective. First, contractual disclaimers are not binding on third parties who are not parties to the contract. Second, not all contracts are valid and enforceable. Two ways a contract could be found unenforceable are (1) invalid formation, where the court finds that no agreement was formed, or (2) invalid content, where the court finds that public policy disallows such an agreement. Some jurisdictions consider exculpation for one’s own negligence to be contrary to public policy.

When a contract is challenged, courts determine whether it is a reasonable bargained-for exchange or whether, on the contrary, it looks onerous and coercive. Contracts between business entities of roughly equal bargaining power — for example, SLAs (Service Level Agreements) between high-profile Web sites and well-established Web hosting providers — are more likely to be presumed the result of bargained-for exchange. Contracts between parties of unequal bargaining power — for example, TOS (Terms of Service) agreements between service providers and individual consumers — are more likely to be held invalid for over-reaching. Well-drafted SLAs are likely to stand up between partners of roughly equal bargaining power as long as the contract keeps the case in a jurisdiction that does not disallow exculpation for one’s own negligence, curtailment of remedies, etc.

At best, contractual exculpation is only a partial answer. As a loss-shifting strategy, it has two main drawbacks. First, it may not be cost-effective to pay attorneys to pursue motions to dismiss on the grounds of choice-of-law and disclaimer clauses, even if most of these motions are granted and only the occasional one is denied; investing in preventive technologies and practices may be cheaper. Second, these clauses do not protect against liability to third parties (the users, or the customers of the service provider’s customer) because those third parties have not agreed to the contract. The service provider may have to defend against suits by third parties in any case.

TORT LIABILITY AND PREVENTIVE PRACTICES

Courts generally set the legally required standard of care — that is, the practices necessary to avoid tort liability for negligence. What’s standard in the industry is often one indicator of what is reasonable. Thus, as firms in the e-business community implement best practices and technological safeguards, it may become legally necessary for ALL firms to utilize them. Competitive pressures may also speed this outcome, as firms offering safer service gain market share against firms with riskier service.

Legal liability is sensitive to the state of the art on cost-effective precautions, both technology and practices. Right now, Web sites and network service providers are trying to fight attacks on a “retail” basis, site by site, attack program by attack program. Technologies are emerging, however, that tackle the problem “wholesale,” on a network basis, by enabling backbone service providers and network intermediaries to analyze and screen attack traffic. When wholesale prevention becomes practical, courts will have reason to place the liability on network entities, because it will give these entities the incentive to implement the most efficient protective strategy.

IS LEGISLATION NEEDED?

Victims of DDoS attacks might seek legislation to impose legal liability on network service providers. Or victim sites might seek legislation to immunize them against, or at least curtail, potential liability. It is too speculative to predict what legislation might look like, if enacted. However, a detailed regulatory structure is a likely possibility. Once reasonable precautionary measures become available for network service providers, they would most likely need to implement them in order to procure insurance. A better strategy might be to implement them as soon as feasible in order to avoid imposition of a regulatory structure. In essence, a DDoS market solution could forestall a more onerous regulatory solution.

CONCLUSION AND RECOMMENDATIONS

The legal situation right now is uncertain, as no reported court decisions have held e-businesses liable for DDoS attacks. But there is significant risk that in the near future target Web sites will be held liable to their customers for harm due to DDoS attacks. There is also significant risk that network intermediaries and backbone service providers will be held liable to target Web sites, and perhaps to ultimate users. In the current environment, network service providers, no less than potential victim sites, need to anticipate legal developments and implement well-considered risk management strategies. Adoption of industry-wide best practice policies, under continuing legal oversight, is recommended. Aggressive, well-informed use of preventive technologies is an important part of such a risk-management strategy.

Margaret Jane Radin is the Wm. Benjamin Scott and Luna M. Scott Professor of Law at Stanford Law School and Co-Director of the Program on Law, Science and Technology.

Mazu Networks, a provider of network infrastructure solutions for stopping DDoS attacks, commissioned Prof. Radin of Stanford Law School to prepare a white paper analyzing the liability issues surrounding DDoS. The foregoing is an executive summary of the paper. The full text of the paper can be found at Mazu Networks.
