Data Security & Privacy

‘John Doe’ Lawsuits: Stop Trying to Fix the ‘Systems’, Fix the People

 
A lawyer out of Virginia seems to think that he has found a way to sue those elusive hackers that roam cyberspace looking for opportunities to steal information and profit from it.  However, are the legal methods he is employing good practice, or a waste and drain on valuable resources which end up punishing the wrong parties?  That’s the question that was posed in The New York Times, on August 19, 2009, by Mr. Saul Hansell.
 
Mr. John L. Praed, counsel for Unspam Technologies, Inc., concedes that he will most likely never get the individuals responsible for cyber-attacks into court, but instead hopes to obtain details of the cyber-attacks, and names of the victims.  All this in the hopes of assisting banks in improving their corporate cyber-security.  The method used is called "John Doe suits" – so called because the defendant cannot be identified – which allow plaintiffs’ attorneys to gain access to information from third parties (i.e. banks, more specifically, your bank) that can be forwarded on to the appropriate law enforcement agency and online security experts (and, of course, to aid in other civil lawsuits).
 
Mr. Praed is quoted in The Times as stating, "This lawsuit is intended to provide all those being victimized by this massive criminal enterprise the opportunity to come together to gather the data we need to fix the problem at a systems level[.]"  I absolutely don’t agree with Mr. Praed’s comments that the problem must be fixed at the "systems level."  To the contrary, the problem must be fixed at the "people level"; that’s how the viruses, trojans, et al., end up in a computer system.  We all know what the road to hell is paved with… And, kudos to Mr. Praed for thinking outside of the box, but I fail to see how he will get any real substantive traction by bringing these types of lawsuits.  There are other ways of compelling a company to implement better cyber-security measures, and I would agree with Mr. Praed that businesses right now are not motivated (by money) to secure mission-critical data (even though they say they are – just ask them if they have a data governance policy).
 
Naturally, third parties (i.e. banks) are not really open to the idea of "opening their books" up, and exposing their vulnerabilities for the whole world to see, even though in theory it sounds like a great idea (i.e. helping someone fight the "bad" guys).  This is why organizations, be they for-profit or non-profit, need to get a data governance program in place and self-regulate(!) their mission-critical information.  Leaving it in the hands of lawyers, judges, legislators, or regulators will only create a draconian solution that will not encourage and foster economic development (especially in the Information Age).
 
To read the article in full, see: Lawsuit Tries to Get at Hackers through Banks They Attack
 
