In CSO Online, William Cook analyses recent changes in the legal concept of a "foreseeable event" as it applies to cybercrime in the United States:
"In the class-action litigation brought by families of Sept. 11th victims against the airlines, airport security companies, airplane manufacturers and the owners and operators of the World Trade Center, the court... made a revolutionary declaration with respect to foreseeability. The court stated that, typically, a criminal act (such as terrorism or hacking) severs the liability of the defendant, but that doctrine has no application when the terrorism or hacking is reasonably foreseeable."
And as the 2004 E-Crime Watch Survey shows (see next item), computer intrusions and cyber-attacks are now common enough in certain industries that they can be considered "reasonably foreseeable." This idea is reinforced by a recent case involving the telecom carrier Verizon, where the State of Maine's Public Utilities Commission found that "viruses and worms are foreseeable events, as evidenced by the regular security bulletins issued by software companies." Therefore, companies which don't quickly patch their web servers to fix known vulnerabilities may now be subject to legal liabilities for damage to their clients through loss of service, and licensed telecom carriers may be subject to penalties set by regulators.
Cook continues: "So now that threats to technology and other systems are no longer considered unforeseeable, what is a conscientious CSO to do? Three suggestions. First, companies must have 'court provable' security. They must be able to prove they use best practices with respect to policies for information management, security, implementation of those policies and disaster recovery plans... Second, buy cyberinsurance from a trusted broker with a national or international underwriter. Third, consider buying antiterrorist technology. Under the Support Anti-terrorism by Fostering Effective Technologies (Safety) Act, sellers of qualified antiterrorism technology (QATT) are provided with risk and litigation protections..."