Business Technology: Security Vs. Nuisance Suits

Why don't all or at least the vast majority of Web sites have privacy policies? I've asked this question of a number of intelligent people with solid knowledge of this area, and I've received a lot of different answers: it's too difficult, the lawyers are still reviewing it, we're trying to make it simple enough for people to understand but comprehensive enough to carry some weight, the technology hasn't caught up to the law, the law hasn't caught up to the technology, etc. But the answer that comes up most frequently is this: Companies expose themselves to too much risk by establishing and publishing their privacy policies. In a perverse twist of logic, common sense, and decency, most companies don't publish a privacy policy because, by not having one, they avoid incurring the potential liability of possibly failing to adhere in all cases to that policy. Maybe it's the cyberage equivalent of "don't ask, don't tell": If you don't state, they can't litigate.

Before I try to connect that to my main point, permit me an aside. Last week, in a story describing a new willingness among airline passengers to confront and attack would-be hijackers, The New York Times reported that in August 2000, a 19-year-old U.S. citizen tried to kick down the cockpit door of a Southwest Airlines plane and was subdued by passengers who overpowered him, then sat on him to keep him under control. The would-be hijacker died, apparently as a result of being unable to breathe while being restrained by the passengers. At this point in the story, science fiction or just sheer lunacy comes into play, so I will quote directly from the Times article: "No charges were filed in the man's asphyxiation, but a lawyer for the man's relatives said the death could have been avoided if flight attendants had been properly trained in restraint techniques." Ah, yes--those darned flight attendants again. They're probably also the ones responsible for all weather-related delays as well, because if they were just properly trained in weather control and climate change, they could clear the skies of such trivialities as storms and lightning.

"They are the names of men and women who began their day at a desk or in an airport, busy with life. They are the names of people who faced death, and in their last moments called home to say, 'Be brave.' And, 'I love you.' They are the names of passengers who defied their murderers and prevented the murder of others on the ground. They are the names of men and women who wore the uniform of the United States, and died at their posts. They are the names of rescuers, the ones whom death found running up the stairs and into the fires to help others."

--President George W. Bush, speaking during the National Day of Prayer and Remembrance, Sept. 14, 2001

So into this breach of litigious lunacy comes what many would consider to be a perfectly sound, reasonable, productive, and even patriotic idea spawned by the terrorist attacks of Sept. 11 and the promises of Osama bin Laden and others that the war on America has only just begun: U.S. companies should share information on security breaches they've suffered so we can all learn from our collective experiences and thus be better-prepared to keep our systems protected from possible terrorist attacks. Our own InformationWeek Daily E-mail newsletter carried extensive coverage of the plan last week, noting that Congress is reviewing proposed legislation that would encourage businesses to share security data with the federal government under the promise that such information would be kept private. The proposed law would shield companies engaged in such sharing from antitrust restrictions that might normally prevent such exchanges.

Makes a lot of sense, right? Establish something of a clearinghouse for ideas, processes, and technologies that can help prevent damage from terrorist attacks on IT systems; everybody benefits, right? In a perfect world--or even just a nonlitigious world--it would work very well indeed. But one can just imagine the trial lawyers drooling over the prospect of challenging the protection of such data, slobbering over the aroma of evidence--proof!!--that security has been insecure and that some clients they can scrape up are thereby due hundreds of millions (with one-third of that going to the great plaintiff protectors). Or as one of our Daily readers put it: "If one company gets hit by a novel method of attack and fails to reveal that to the world, then others who get attacked in the same way can sue the first victim for its failure to provide them with the information they could have used to protect themselves."

Perhaps in the midst of these larger discussions, plans for muzzling the plaintiff bar can be hammered out. If not, what company in its right mind would expose itself to the potential for havoc wrought by tort lawyers fresh on the trail of "victims?"

To discuss this column with other readers, please visit Bob Evans's forum on the Listening Post.