'Responsible Disclosure' Draft Could Have Legal Muscle
Mark Rasch, 2002-03-11

A proposed Internet standard would dictate how researchers report and vendors close security vulnerabilities. Ignoring it could be risky for either side.

'Responsible Disclosure' Draft Could Have Legal Muscle 2002-03-16
Keith
In fact, people can be held legally liable with or without a technical standard on disclosure, in virtually any jurisdiction worldwide.

Even an unsuccessful lawsuit can punish the respondent (defendant) because of the costs involved in defending him/herself.

A standard on disclosure would do more to protect a discloser than exposing them to risk.

Standards actually reduce the chance of success of a suit by providing a definition of what is reasonable caution in a circumstance. Of course a court could still ignore a standard, especially one set by something other than a legitimate agency with jurisdiction in that country.

If reasonable disclosure standards existed and were followed by the discloser, the discloser would likely be able to recover his/her legal costs on the basis that the original suit was frivolous (depending on the circumstances and jurisdiction).

The only reasons security risks (i.e. premature disclosers) haven't been sued are:

1. Leniency and lack of organization by those damaged (primarily the customers of the vendor), and

2. You can't get blood from a stone (you can't recover multi-million-dollar losses from an ordinary person). Of course, you can sue someone now and recover the money in a few years.

Probably the only reason the government hasn't gone after disclosers is that they have some kind of interest in having hacking and probing continue -- possibly to provide camouflage for their own activities -- possibly something else.

I'm not a lawyer, but I follow legal matters. (If I were a lawyer I'd have launched some class action suits against companies involved in premature disclosure. Some would be bound to win, and then I could retire on my fees.)


Copyright 2009, SecurityFocus