Verizon discovered a valuable lesson when it pursued civil action against the State of Maine’s Public Utility Commission for a rebate because of the negative impact resulting from the Slammer worm. In Maine, the telecommunication providers sublease lines from the State’s Public Utility Commission. At the time the attack took place, a remedy from Microsoft was available for several months. A common opposing argument is that the larger the company, the more difficult it becomes to apply software patches. While many networking and security professionals believe that best practices or regulatory statutes such as HIPAA (Health Insurance Portability & Accountability Act), GLB (Graham Leach-Bliley) or even Sarbanes-Oxley do not take into consideration the size and scope of each business. However, it doesn’t have to from a legal liability standpoint!

The Defendant, The State of Maine, utilized a fairly unheard of legal principle, the “Neighbor Policy”. Defense argued that AT&T and WorldCom, both telecommunication providers like Verizon, applied the patches as recommended by Microsoft and neither of these parties filed suit because they were not harmed. This information was utilized to attack Verizon’s claim and the judge not only found in favor of the defendant but also went on record to state that these types of attacks are foreseeable and preventable.

Even though the defense won, they lost. Consider how much money was spent on legal representation in protecting their position? Still think you’re ready for court? Given the United States current legal landscape and what is now being framed for certain case law, perhaps the use of legal counsel should be rethought. Rather than rely on legal representation post facto, consider utilizing it preemptively while designing, managing and executing your business’ security posture. If in-house counsel is not trained or experienced enough in understanding this critical area, it is then wise to utilize independent legal representation.


Very few law firms specialize in this area, and only a handful or attorneys are skilled enough as litigators in information security. Because of this the legal community is rapidly embracing information security and understands a market exists for such practices. In fact, the American Bar Association has printed materials for standards on this subject matter. Rather than conduct business as usual and rely on the odds - which are not in your favor. It would be wise to understand that the cost of defining why you shouldn’t or cannot afford to apply prudent security strategies often equals or surpasses why you should. Hackers are no longer interested in the spectacle of breaching a system and winning praise from peers. The hackers of today are more organized, better funded, work in groups without national boundaries, including organized crime, and are setting their sites on you.

Still think you’re ready to go to court?