A Duty of Care in Cyberspace

In this piece, I analyze the topic of “A Duty of Care in Cyberspace” and how it relates to cyberterrorism.

Definition

The Law.com Dictionary defines “a duty of care” as a requirement that a person act toward others and the public with the watchfulness, attention, caution, and prudence that a reasonable person in the circumstances would use. If a person’s actions do not meet this standard of care, we then consider the acts as negligent, and we may claim any damages resulting in a lawsuit for negligence (Anonymous, n.d.).

The 9/11 Class-action Suit

In the class-action litigation brought by families of the September 11th victims against the airlines, airport security companies, airplane manufacturers, and the owners and operators of the World Trade Center, the court examined two main elements:

• Whether the various defendants owed a duty of care to the people in the World Trade Center and on the planes that crashed
• Whether the terrorist act was foreseeable

Upon finding that the case should go to a jury, the court stated that we impose a duty on a company when the relationship between the company and user requires the company to protect the user from the conduct of others. The court noted that we already depend on others to protect the quality of our water and the air we breathe. This duty of care extends to private companies as well (Cook, 2004).  So, now, how does “duty of care” relate to cyberspace and cyberterrorism?

Corporate Duty of Care

One of the major legal risks arising from cyber security breaches is the possibility of derivative suits against corporate officers and directors alleging that they have breached their duty of care by failing adequately to protect against security breaches. Directors and officers have a fiduciary obligation to use reasonable care in overseeing the business operations of the company, under the doctrine of corporate duty of care. See, e.g., In re Logue Mechanical Contracting Corp., 106 B.R. 436, 439 (Bankr. W.D. Pa. 1989). Traditionally, directors and officers could defend against a duty of care claim by showing that they acted with reasonable care by relying on information reasonably available to them. In the past few years, however, courts have expanded this reasonable care standard to create a duty of oversight requiring directors and officers to act affirmatively to assure that adequate information and compliance systems are in place (Matus, Polak, Mancini, & Nonna, 2002).

Private Sector Involvement and Funding

Next, we look at how the private sector must be involved in fighting cyberterrorism. Christopher Beggs and Matthew Butler wrote that organizations like the U.S. Department of Homeland Security, AusCert [in Australia], terrorism treaties, and other anti-cyberterrorism organizations need funding. This funding also needs to come from the private sector, as it too possesses a duty of care to people worldwide. However, they also must be a primary contributor to cyberterrorism policies, strategies, and technologies (Khosrowpour, Beggs, & Butler, 2004).

Software Developers

Software developers must consider security quality as they develop their products. Jennifer Chandler said that the negligence analysis requires that one consider the tradeoffs inherent in pressuring software developers to improve security quality. Should all, some, or no software developers owe a duty of care to users of cyberspace? What is the standard of reasonable care in software development? Negligence law does not demand perfection, and society would likely be unable to afford it. However, we may find certain forms of error or software development practices to be negligent (Chandler, 2005).

Hard Drives Disposal

Businesses must also take better care of disposing of old computer hard drives. According to a study conducted by a security firm (Rits Information Security), businesses are leaving personal information, including credit card numbers, customer data, and client files, on hard drives that are sold into the second-hand market. Firms have sourced drives, examined by Rits, openly on the Internet and in online auctions. The survey looked at the information remaining on the disk that unveiled some alarming results. In one case, some 300 credit card numbers from an organization involved in fundraising for a large charity event were present on one disk, while customer data from a major Irish bank was on another (O’Brien, 2005).

Disposing of Information

“Most people are not aware of the implications of pressing delete, doing a simple format, or overwriting the operating system,” said Vivienne Mee, Rits Security, speaking with ENN. “Home users in particular aren’t aware, but large organizations should be. The study did show that neither [parties] are using methods to securely dispose of information.” Failures to do so could leave firms open to action under Data Protection legislation. “They are in breach of legislation,” said Mee. “They have a duty of care” (O’Brien, 2005).

Online Forum Managers

In C-032986/03 Moshe Boshmitz v. Anat Aronowitz, Magistrates Court of Tel-Aviv Jaffa, Israeli Judge Shoshana Almagor held that the manager of an online forum (Ms. Anat Aronowitz) might be liable for the content published by the forum users on a theory of negligence. The Court held that it is “clear beyond doubt” that a forum manager (Ms. Aronowitz) has “conceptual duty of care” toward the Claimant (Dr. Moshe Boshmitz) in that she should have anticipated that harm might come to him due to the messages and is, therefore, liable for her content. The determination that the forum manager has a duty of care towards its forum users, to the extent of imposing liability for a failure to delete posts, establishes a greater responsibility for such function and may have a chilling effect on forum managers (particularly those who mostly perform this function voluntarily and as a hobby) (Kagan, 2007).

Safe Working Environment

Every organization has a duty of care to provide a safe working environment for its employees. This duty of care not only encompasses an employee’s physical safety but may also include their psychological safety and well-being. Due to the nature of a police officer’s job, we can neither avoid nor remove the stressors that cause emotional distress. Research, therefore, focuses on developing a holistic, proactive risk management framework that provides guidance on best practice for police agencies in fulfilling their psychological duty of care obligations to their employees (Anonymous, 2002).

Conclusion

In conclusion, a duty of care not only applies to individual persons, but it also applies to private companies. Hence, we now have corporate duty of care. Besides governments funding anti-cyberterrorism, the private sector must also contribute their fair share. However, expected not only to contribute to funding, they also must contribute primarily to developing cyberterrorism policies and technologies. Software developers also must take care not to be negligent in certain forms of software errors or software development practices. Furthermore, businesses must also take great care in disposing of computer hard drives with confidential and sensitive information stored in them.

Online forum managers must also take responsibility for negligent content published on their websites. They must display a duty of care towards their website users. Law enforcement organizations must also fulfill a psychological duty of care towards their police officers when they are under high emotional stress resulting from their jobs. Therefore, the concept of a duty of care is becoming pervasive throughout cyberspace and in the worldwide battle against cyberterrorism.

References

Anonymous (n.d.). LAW.com Dictionary. Retrieved from http://dictionary.law.com/.

Anonymous (2002, February). Current research: Development of a risk management strategy for duty of care issues relating to high-risk operational policing. ACPR [Australasian Centre for Policing Research] Bulletin, No. 11.

Chandler, J. A. (2005, September 8-10). Safety & security in a networked world: Balancing cyber-rights & responsibilities. An Oxford Internet Institute Conference. Retrieved from http://www.oii.ox.ac.uk/microsites/cybersafety/?view=programme&day=8&expand=yes.

Cook, W. (2004, May). A foreseeable future: For liability purposes, the courts have declared terrorism to be a predictable security threat. CSOs need to adapt if they want to survive. CSO Magazine. Retrieved from http://www.csoonline.com/read/050104/flashpoint.html.

Kagan, O. (2007, June 27). Internet law: Israeli court holds forum manager liable for user content. IBLS [Internet Business Law Services, Inc.] Internet Law – News Portal. Retrieved from http://www.ibls.com/internet_law_news_portal_view.aspx?s=latestnews&id=1789.

Khosrowpour, M. (Ed., 2004). Beggs, C., & Butler, M. (2004). Developing New Strategies to Combat Cyberterrorism, pp. 388-390. Innovations Through Information Technology, Volume 1. 2004 IRMA [Information Resources Management Association] International Conference. Idea Group Inc (IGI), 1,458 pp.

Matus, W. C., Polak, V. L., Mancini, A. J. P., & Nonna, J. M. (2002, March 11). Now more than ever, cyber security audits are key. The National Law Review, p. C8-C10.

O’Brien, C. (2007, November 14). Used hard drives are ID theft paradise. ENN [Electric News Net]. Retrieved from http://www.electricnews.net/print/10123430.html.

###