There’s a new champion of the Internet in town. Better known for taking on Wall Street brokers and analysts, he is none other than New York Attorney General Eliot Spitzer. While Spitzer was breaking tidal waves over Wall Street last year, his Internet division, led by Chief Ken Dreifach and Assistant Attorney General David Stampley, was quietly laying the groundwork for a new legal theory of recovery: inadequate computer security.

Why should Florida businesses pay attention? In a recent New York state appellate case, Spitzer’s office was given the green light to protect the interests of individuals all over the nation, not just those in New York state. So if you do business in New York, and it is hard not to, Spitzer is protecting all of your customers no matter where they call home.

Over the last several years the attorney general’s Internet division has aggressively pursued businesses that promised security and privacy to their customers but failed to deliver. The office took lead roles in a number of high-profile Internet privacy cases, including the multistate prosecution of Internet advertiser DoubleClick. The Internet division also broke new ground with its prosecution of Eli Lilly when the drug company exposed the e-mail addresses of Prozac patients who registered at the company’s Web site.

But the most significant instance for cyberlaw may have been the matter of Ziff Davis Media Inc. It marks the first time reasonable computer security standards have been defined for Internet businesses. The attorney general’s investigation started out as a typical Internet unfair and deceptive trade practices case, but was quickly resolved before the matter went to court.

Ziff Davis, a New York-based print and online publisher of computer magazines like PC Week, offered a free limited subscription to a computer gaming magazine as a marketing tool for selling paid subscriptions. Thousands of readers responded, and about 50 opted for full-paid subscriptions by providing their name, address and credit card information on a Web site Ziff Davis created for that purpose.

In an all-too-familiar scenario these days, hackers got access to the subscriber list, including customer credit card numbers, when Ziff Davis’ Web host failed to take even the most basic precautions to protect consumer data. Subscriber data was left out in the open, unencrypted, on a publicly accessible server with no authentication controls. To make things easy for the hackers, whoever created the Web page wrote the name of the file where subscriber data was stored right there in the code so anyone could find it. Within minutes of going online with the promotion, the subscriber list with credit card numbers was posted on an Internet bulletin board. By the time Ziff Davis got its act together, more than 12,000 of its readers who had registered on its site had their names and e-mail addresses spread across the Internet.

To make amends, Ziff Davis agreed to pay $500 to each subscriber whose credit card information was exposed. The publisher also paid a $100,000 fine to the states of New York, California and Vermont. While the fine was certainly big, the precedent set by the Ziff Davis settlement could turn out to be monumental.

The Ziff Davis settlement agreement listed seven “reasonable steps” the publisher agrees to take in the future to preserve the privacy, security and integrity of the consumer data it collects on the Internet. The seven steps include basic precautions like storing data on protected servers and encrypting data in protected files. The settlement also requires Ziff Davis to use automated security tools, such as intrusion detection systems and firewalls. According to the New York attorney general, Ziff Davis’ failure to take these precautions was unreasonable. Sounds an awful lot like negligence to me.

Can a private lawsuit for negligent computer security be far behind? Companies that fail to follow the Ziff Davis Internet security guidelines risk the ire of Spitzer, not to mention private suits for damages. And unless you have purchased digital risk or cyberliability insurance, don’t bother looking to your general liability policies for coverage when the plaintiffs’ lawyers come knocking.

Joel Rothman is vice president and general counsel of security software company Cylant. He welcomes questions and comments at [email protected].


Copyright © 2021 ALM Media Properties, LLC. All Rights Reserved.