[2677] in cryptography@c2.net mail archive

Re: PPTP (again)

daemon@ATHENA.MIT.EDU (Peter Gutmann)
Wed May 13 00:19:03 1998

From: pgut001@cs.auckland.ac.nz (Peter Gutmann)
To: cryptography@c2.net, unicorn@schloss.li
Reply-To: pgut001@cs.auckland.ac.nz
X-Charge-To: pgut001
Date: Wed, 13 May 1998 16:09:18 (NZST)

[Followups trimmed somewhat]
 
Black Unicorn <unicorn@schloss.li> writes:
 
>I've been watching trends which might suggest that a firm could be sued for 
>failing to exercise due diligence in their information protection efforts. 
>Shareholder derivative suits would be the most interesting from a legal point 
>of view because the cause-effect chain doesn't need to be very strong for one 
>such to succeed.  So, under what circumstances would Microsoft (which is 
>exceptionally well represented from a legal standpoint, by the way) be 
>potentially liable for a security oversight?  
 
I wrote a paper on encryption and e-commerce about 2 years ago 
(http://www.cs.auckland.ac.nz/~pgut001/pubs/icommerce.pdf, rather in need of 
update in some areas) which briefly covers this issue in the section 
"Liabilities of Weak Encryption/Poor Security", but from the angle of having 
stockholders sue the company directors for negligence if they use known weak 
security and the company stock price slips due to this.  For example everyone 
even vaguely involved in computers and security knows that US-exportable 
crypto is no good (it's certainly had press coverage in every imaginable 
medium), so a company which relied on this for security would make itself a 
prime target for negligence lawsuits when their security was breached.  The 
paper gives a few references for further info, for example the US Federal 
Sentencing Guidelines for Organisation Defendants which give clear guidelines 
for judges when sentencing corporations found guilty in federal liability 
cases.  There's only about a page of stuff there (I'm a cryptographer, not a 
lawyer), but I'd be interested in any thoughts people have on this.
 
Peter.

