Monday, 25 February 2008

Remedy in Tort and Civil Suits (Internet Intermediaries)

The availability of the Internet Intermediary as co-targets for actions makes them susceptible to the actions of both their clients and also uninterested third parties for passing off and misleading and deceptive conduct. An action for intentional interference with business by unlawful means may also be possible. The tort of intentional interference with business by unlawful means may be available where the use of the trade mark is unlawful.

The courts generally seem willing to apply conventional fault-based tort principles to weigh up the behaviour of intermediaries. There instances in which comparatively egregious conduct has ended in the liability of the intermediary are few,[1] and the majority of cases conclude with the absolution of the intermediaries from blame.[2] Those circumstances that have resulted in a decision by the court that in effect states the intermediaries hold considerable accountability for the behaviour of any primary malfeasors have mutually in the EU and the US Congress resulted in the respective parliaments acting to overrule the decision through the legislative conceding of expansive exemptions from liability to the intermediaries.[3] The paths share not only the reflexive and unreflective fear that recognition of liability for intermediaries might be catastrophic to internet commerce; they also share a myopic focus on the idea that the inherent passivity of internet intermediaries makes it normatively inappropriate to impose responsibility on them for conduct of primary malfeasors. That idea is flawed both in its generalization about the passivity of intermediaries and in its failure to consider the possibility that the intermediaries might be the most effective sources of regulatory enforcement, without regard to their blameworthiness.

In the US, Congress has endorsed legislative protections for intermediaries from liability through defamation with the introduction of the Communications Decency Act[4]. In 47 U.S.C. §230, it is unambiguously stated as regarding internet regulation[5]: This act introduced a series of “Good Samaritan provisions” as a part of the Telecommunications Act of 1996. This was tested in DiMeo v Max (2007),[6] in which the court found the defendant not liable for comments left by third parties on a blog. The plaintiff alleged that the defendant was a publisher of the comments hosted on the website but did not allege that the defendant authored the comments on the website or that the defendant was an information content provider. Under 47 U.S.C. § 230 (f)(3), the court determined “the website posts alleged in the complaint must constitute information furnished by third party information content providers" and as a consequence immunity applied to the forum board operator. The Court upheld the dismissal of the suit.

The act, first passed in 1996[7] and subsequently amended in 1998,[8] has the apparent rationale of minimising Internet regulations in order to promote the development of the Internet and safeguard the market for Internet service. The internet has consequently become so essential to daily life that it is improbable that the addition of extra legislation would intimidate service providers away from the provision of services at a competitive rate.[9]
In the US, 47 U.S.C. § 230(c)(1) provides a defence for ISPs stating that, “No provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider.” This statute would seem[10] to afford absolute immunity from any responsibility. Contrasting the DMCA, the ISP or ICP could chose not to do away with material in the event that the ISP or ICP has tangible awareness of the defamatory nature of material it is in fact hosting.[11] Notwithstanding the focal point of this legislation having been towards liability for defamation, it has pertained to seemingly unrelated auction intermediaries, including eBay.[12]

Inside the European Union, judgments obtained in the courts of one state are enforceable in any other state included within the Brussels Convention. If not, a judgment in one state will be enforceable in another only where there is a bilateral treaty creating the provision for such reciprocal enforcement between them. Frequently, these treaties add formalities surrounding the enforcement process that offer the courts of the jurisdiction in which the defendant is situated prudence both as to a decision to enforce, or to what degree. It is consequently vital when deciding on a jurisdiction to bring suit to decide if any judgment obtained is enforceable against a defendant who may in effect be judgement proof.

Cyber Negligence
Not acting to correct a vulnerability in a computer system may give rise to an action in negligence if another party suffers loss or damage as the result of a cyber-attack or employee fraud. Given proximity[13], a conception first established in Caparo Industries Plc. v. Dickman, [1990][14] and reasonable foreseeability as established in Anns v. Merton London Borough Council, [1978][15] A.C. 728, the question of whether there exists a positive duty on a party to act so as to prevent criminals causing harm or economic loss to others will be likely found to exist in the cyber world. The test of reasonable foreseeability has however been rendered to a preliminary factual enquiry not to be incorporated into the legal test.

The Australian High Court regarded a parallel scenario, whether a party has a duty to take reasonable steps to prevent criminals causing injury to others in Triangle Shopping Centre Pty Ltd v Anzil[16]. The judgment restated the principle established by Brennan CJ in Sutherland Shire Council v Heyman[17]. The capacity of a plaintiff to recover hinges on the plaintiff’s ability to demonstrate a satisfactory nexus (e.g. a dependence or assumption of responsibility) between the plaintiff and the defendant such that it gives rise to a duty on the defendant to take reasonable steps to prevent third parties causing loss to the plaintiff[18]. Consequently, if a plaintiff in a case involving a breach of computer security could both demonstrate that the defendant did not in fact take reasonable measures to ensure the security of their computer systems (as against both internal and external assault), and they show the act of the third person (e.g. an attacker/hacker or even a fraudulent employee) occurred as a direct consequence of the defendant's own fault or breach of duty, then an action in negligence is likely to succeed.

Many organisations state that current standards of corporate governance for IT systems pose a problem due to the large number of competing standards. However, it needs to be taken into account that all of these standards maintain a minimum set of analogous requirements that few companies presently meet. Most of these standards, such as the PCI-DSS[19] and COBIT[20], set a requirement to monitor systems. COBIT control ME2 (Monitor and Evaluate Internal Controls) is measured through recording the “number of major internal control breaches”. PCI-DSS at 10.5.5 states a minimum requirement to “use file integrity monitoring and change detection software on logs to ensure that existing log data cannot be changed without generating alerts (although new data being added should not cause an alert)”. As a general minimum, it may be seen that an organisation needs to maintain a sufficiently rigorous monitoring regime to meet these standards.

Installation guidelines provided by the Centre for Internet Security (CIS)[21] openly provide system benchmarks and scoring tools that contain the “consensus minimum due care security configuration recommendations” for the most widely deployed operating systems and applications in use. The baseline templates will not themselves stop a determined attacker, but could be used to demonstrate minimum due care and diligence.

It is interesting to contrast this general proposition with a peculiar case where the plaintiff went to great lengths in an attempt to recover loss caused by its own negligence, namely loss suffered due to computer fraud perpetrated by its own employee in its own system.

In Mercedes Benz (NSW) v ANZ and National Mutual Royal Savings Bank Ltd[22] (unreported), the Supreme Court of New South Wales considered if a duty to avert fraud would occur in cases where there is an anticipated prospect of loss. The Mercedes Benz employee responsible for the payroll system fraudulently misappropriated nearly $1.5 million by circumventing controls in the payroll software. Mercedes Benz alleged that the defendants, ANZ and NMRB, were negligent in paying on cheques that where fraudulently procured by the employee and in following her direction. The plaintiff's claim was dismissed by the court. It was held that employers who are careless in their controls to prevent fraud using only very simple systems for the analysis of employee activities will be responsible for the losses that result as a consequence of deceitful acts committed by the organisations’ employees.

The decision was founded on the judgment of Holt CJ in Hern v Nichols (1701)[23] that stated in "seeing somebody must be a loser by this deceit, it is more reason that he that employs and puts a trust and confidence in the deceiver should be a loser than a stranger"[24]. The question remains open as to the position that may result from unsound practices operated not by the plaintiff but by an organisation in supplying services under an outsourcing agreement. In either event, the requirement for an organisation to provide controls to ensure a minimum level of system security is clear.

The situation is further compounded in instances of cyber-attack that lead to a loss. An innocent third party that suffers an attack that originates from an inadequately secured system would be able to easily demonstrate a lack of reasonable care if the minimum consensus standards mentioned above are not achieved. Coupled with facts demonstrating that the attack originated from the defendant’s insecure system, the evidence would provide the requisite substantiation of both proximity and reasonable foreseeability.

[1].See A & M Records, Inc. v. Napster, Inc., 114 F. Supp. 2d 896 (N.D. Cal. 2000).
[2].For criticism of this perspective, see Landes & Lichtman.
[3].The most obvious example of this action can be found in the history of the Communications Decency Act. Congress directly responded to the ISP liability found in Stratton Oakmont, Inc. v. Prodigy Services, 23 Media L. Rep. (BNA) 1794 (N.Y. Sup. Ct. 1995), 1995 WL 323710, by including immunity for ISPs in the CDA, 47 U.S.C. § 230(c)(1) (2004) (exempting ISPs for liability as the “publisher or speaker of any information provided by another information content provider”), which was pending at the time of the case. Similarly, Title II of the Digital Millennium Copyright Act, codified at 17 U.S.C. § 512, settled tension over ISP liability for copyright infringement committed by their subscribers that had been created by the opposite approaches to the issue by courts. Compare Playboy Enters., Inc. v. Frena, 839 F. Supp. 1552, 1556 (M.D. Fla. 1993) (finding liability), with Religious Tech. Ctr. v. Netcom, Inc., 907 F. Supp. 1361, 1372 (N.D. Cal. 1995) (refusing to find liability).
[4] The Communications Decency Act of 1996 (CDA)
[5].47 U.S.C. § 230(b) (2004) (emphasis added)
“It is the policy of the United States—
(1) to promote the continued development of the Internet and other interactive computer services and other interactive media;
(2) to preserve the vibrant and competitive free market that presently exists for the Internet and other interactive computer services, unfettered by Federal or State regulation;
(3) to encourage the development of technologies which maximize user control over what information is received by individuals, families, and schools who use the Internet and other interactive computer services;
(4) to remove disincentives for the development and utilization of blocking and filtering technologies that empower parents to restrict their children’s access to objectionable or inappropriate online material; and
(5) to ensure vigorous enforcement of Federal criminal laws to deter and punish trafficking in obscenity, stalking, and harassment by means of computer”.
[6] WL 2717865 (3rd Cir. Sept. 19, 2007); See also Fair Housing Council of San Fernando Valley v., LLC , CV-03-09386-PA (9th Cir. May 15, 2007); and Universal Communication Systems, Inc. v. Lycos, Inc. , 2007 WL 549111 (1st Cir. Feb. 23, 2007)
[7].1996, Pub. L. 104-104, Title I, § 509.
[8].1998, Pub. L. 105-277, Div. C, Title XIV, § 1404(a).
[9].There remains, however, the fear that additional regulation will stifle innovation in the industry. Would, for instance, eBay enter the market as a new company today if it were liable for trademark infringement it facilitated? Such liability adds new start-up and ongoing costs that may make some new ventures unprofitable (or even more unprofitable). For an article addressing regulation in this way, see Lemley & Reese.
[10].There is at least the possibility that the statute would permit a State to require intermediaries to act. See Doe v. GTE Corp. 347 F.3d 655 (7th Cir. 2003) (per Easterbrook, J.) (suggesting that Section 230(e)(3) “would not pre-empt state laws or common-law doctrines that induce or require ISPs to protect the interests of third parties”).
[11].Thus minimising the likelihood of a decision such as Godfrey in the United States. See supra note 88.
[12].Gentry v. eBay, Inc., 121 Cal. Rptr. 2d 703 (Ct. App. 2002)
[13] Proximity, a notion first established in Caparo Industries Plc. v. Dickman, [1990] 2 A.C. 605, is the initial phase of the assessment. The subsequent phase enquires as to whether there are policy considerations which would reduce or counteract the duty created under the initial stage. Mutually, the phases are to be met with reference to the facts of cases previously determined. The dearth of such cases would not however avert the courts from finding a duty of care.
[14] [1990] 2 A.C. 605
[15] [1978] A.C. 728
[16] Modbury Triangle Shopping Centre Pty Ltd v Anzil [2000] HCA 61.
[17] (1985) 157 CLR 424.
[18] Dixon J elucidated how a “special relationship” of this variety may occur in Smith v Leurs (1945) 70 CLR 256. This case was derived from an indication of occurrences that entail a special danger and the control or of actions or conduct of the third person; See also [2000] HCA 61, para 140.
[19] PCI-DSS (version 1.1) is the Payment Card Industry Data Security Standard and is contractually required to be adhered to by all merchants that process VISA, Mastercard and other payment card products. This requirement and standard is maintained by the PCI Standards Council at
[20] COBIT v 4.1 is the computer control objectives and standard maintained by ISACA at
[21] CIS benchmark and scoring tools are available from
[22] No. 50549 of 1990.
[23] (1701) 1 Salk 289
[24] Id., at 358.

No comments: