I. INTRODUCTION
Recent news articles and publications by experts seem to predict that courts will not be lenient toward Internet service providers ("ISPs") (1) who fail to protect against semantic attacks. (2) A semantic attack targets the assigned meaning to content such as posting
The recent decision in Hart v. Internet Wire, Inc. addressed the liability of an Internet service provider against such a semantic attack. (4) In Hart, Mark Simeon Jakob ("Jakob") was employed by Internet Wire, a news wire service which distributes corporate news to the public. (5) Jakob bought short (6) positions on 3,000 shares of Emulex stock, expecting the price of the shares to drop. (7) Jakob faced a loss of almost $97,000 when the price of the stock started to climb. (8) Using his knowledge of the internal methods with which press releases are submitted to and published on Internet Wire, he then schemed to drive down the price by publishing a false press release. (9)
Jakob posed as an Emulex public relations executive and sent an e-mail to Internet Wire, requesting that the press release be published. (10) The Internet Wire staff treated the press release as authentic. (11) The press release described various problems at Emulex, including the restatement of earnings, the resignation of the company's CEO, and a SEC investigation into the company's practices. (12) Internet Wire published the press release the next morning. (13) Bloomberg, the worldwide news organization, picked up the story from Internet Wire and issued the statement. (14) Bloomberg did not investigate the veracity of the press release. (15) Within sixteen minutes of the Bloomberg headline, the Emulex share price dropped by sixty dollars. (16) NASDAQ halted trading and Emulex exposed the fraudulent release. (17) Bloomberg then reported that the press release had been false, and the stock price climbed back to the price at which it normally traded. (18)
During those sixteen minutes, Jakob was able to cover his position at a profit. (19) And despite a recovery of the stock price, the fraudulent press release caused an "estimated $2.2 billion lost market capitalization and $1.10 million in loss to investors in Emulex securities." (20) A class action suit for securities fraud was filed on behalf of those persons who had sold common stock or call options or who had purchased put options in Emulex after the market opened until trading halted. (21) The court determined that the plaintiffs had failed to adequately plead scienter and the case was dismissed with leave to replead. (22)
Another type of attack that can cause severe economic losses is what Margaret Jane Radin, Professor of Law at Stanford Law School, aptly names "netjacking." (23) A Distributed Denial of Service ("DDoS") is a severe form of netjacking. (24) Rather than break into a system to steal data, a hacker attempts to prevent users from accessing their own network for reasons known only to the hacker, such as "revenge, economical or political gain, or just plain nastiness." (25) A DDoS attack may be deliberate or accidental, but it is "considered to take place only when access to a computer or network is intentionally blocked as a result of some malicious action." (26)
The Computer Security Institute, based in San Francisco, released its 2001 Computer Crime and Security Survey in which 186 of 538 total respondents collectively reported approximately $378 million in financial losses in the past year due to computer security breaches. (27) Other statistics included a report of 85 percent of respondents experiencing breaches of their computer security systems, 70 percent pointing to their Internet connections as a frequent point of attack, and 31 percent stating that their internal systems were targeted for attack. (28) Denial of service attacks resulted in a reported loss of millions of dollars to Yahoo!, Amazon.com, and Ebay in February 2000 alone. (29)
Radin provides this helpful chart of the DDoS chain of actors and vulnerabilities: (30)
DDOS PARTICIPANT | KEY VULNERABILITIES
Individual computer users | Open operating system architecture, high bandwidth connections.
Portals and commerce sites | Lack of awareness; lack of personnel, technology
Corporations/online business sites | Attack modes keep changing, distributed attacks hard to trace in real time
Network infrastructure and service providers | Unwitting conduit for malicious packets
If an ISP were subject to a DDoS attack, would it be liable for the financial losses incurred to the users of its site? If the plaintiffs had adequately pled their case, could Internet Wire and Bloomberg have defended themselves with defenses normally used in securities fraud cases? Would they be subject to any other causes of action or have any other defenses? Some ISPs have improved their detection of viruses, worms, and other threats. Therefore, by engaging in semantic attacks or assaults on meaning, hackers are finding different, subtle ways to attack and spread misinformation, especially now that the Internet has become a popular medium for obtaining news. Would a court expect defendants to safeguard against such semantic attacks?
Part II of this Note examines possible claims against an ISP. Part III analyzes the strengths and weaknesses of possible defenses an ISP could utilize in the event it is charged with failure to protect against a semantic attack. Finally, Part IV examines the future implications of this topic in an environment now focused on preventing new forms of cyber terrorism.
II. CLAIMS
A. Federal Statutes
Congress addressed hacker liability in the Electronic Communications Privacy Act (31) and the Computer Fraud and Abuse Act. (32) This current law, however, "is not clear[] ... regarding a company's duty to protect its computer network from third-party glitches within its own system." (33) The Gramm-Leach-Bliley Act (34) guidelines "suggest a number of security measures that banks, credit unions, and other financial institutions should implement to protect their computer databases." (35) Every state, with the exception of Vermont, has enacted computer crime legislation. (36)
Nevertheless, a statute addressing the liability of private companies does not currently exist. Therefore, whether courts would hold Internet sites (37) liable for security breaches of their databases that contain customers' private information is unclear. (38)
B. Breach of Contract
Raul suggests that the contract model "might apply in the context of parties who have contracted to provide and receive data storage or processing services, but would not generally apply in the case of security breaches affecting individuals or other third parties." (39) In contrast, Radin argues that contractual disclaimers are "legally efficacious in some contexts, but not always." (40) While she concedes that "contractual disclaimers are not binding on third parties who are not parties to the contract," (41) Radin notes that "not all contracts are valid and enforceable." (42) If a contract is of invalid formation or of invalid content, it could be unenforceable. (43) Radin believes that a court will scrutinize terms of service for overreaching, especially to determine whether there was unequal bargaining power between an ISP and an individual consumer. (44)
Courts in various jurisdictions differ as to whether they would allow an ISP to shift its own negligence to the other party in its contract. (45) Radin uses the AOL contractual disclaimer as an example of an attempt to shield itself from a DDoS attack:
UNDER NO CIRCUMSTANCES SHALL AMERICA ONLINE, ITS SUBSIDIARIES, OR ITS LICENSORS BE LIABLE FOR ANY DIRECT, INDIRECT, PUNITIVE, INCIDENTAL, SPECIAL, OR CONSEQUENTIAL DAMAGES THAT RESULT FROM THE USE OF, OR INABILITY TO USE, THIS SITE. THIS LIMITATION APPLIES WHETHER THE ALLEGED LIABILITY IS BASED ON CONTRACT, TORT, NEGLIGENCE, STRICT LIABILITY, OR ANY OTHER BASIS, EVEN IF AMERICA ONLINE HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. BECAUSE SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OR LIMITATION OF INCIDENTAL OR CONSEQUENTIAL DAMAGES, AMERICA ONLINE'S LIABILITY IN SUCH JURISDICTIONS SHALL BE LIMITED TO THE EXTENT PERMITTED BY LAW. (46)
Whether a court would find this disclaimer valid and enforceable depends on such factors as the choice of law, choice of forum, and whether courts in those jurisdictions approve of contracts of adhesion. (47)
C. Tort Liability
Another available claim appears under the tort model. Applying this theory, victims of security breaches would need to prove the following elements to recover for damages: "(1) a reasonable duty of care necessary to prevent security breaches, (2) a breach of that duty, (3) a proximate relationship between the breach of the duty and the injury, and (4) actual loss or damage sustained as a result of the breach." (48) Nevertheless, establishing a standard duty of care for all Internet service providers is difficult, unwieldy, and may even promote hacking. (49) In the Hart case, Jakob was an employee of Internet Wire; (50) therefore, the plaintiffs could have also pursued a vicarious liability claim under the theory of respondeat superior. (51)
D. Securities Fraud and 10b-5 Claims
A securities fraud claim can arise under section 10b-5 of the Securities Exchange Act of 1934. (52) This was the claim used by the class action plaintiffs in Hart v. Internet Wire. (53) In Hart, the court noted that to "satisfy the scienter element of Section 10(b), a complaint must allege facts giving rise to a strong inference that the defendant acted with 'intent to deceive, manipulate, or defraud,'" (54) and that "[f]ailure to plead this basic element is grounds for dismissal of a Section 10(b) claim." (55)
Nevertheless, given the monetary and reputation losses that ISPs suffer in the wake of a semantic attack, plaintiffs will have difficulty alleging that an ISP willfully intended to "deceive, manipulate, or defraud" (56) itself or its customers by allowing a hacker to invade its website. While the securities fraud claim that the Hart plaintiffs alleged was in the context of a false press release published by an Internet news wire service, the same difficulty exists in other types of semantic attacks. As a provider of Internet news, Internet Wire wants to maintain a reputation as a publisher of truthful information. Since publishing a false press release would undermine this goal, the company lacks the requisite willful intent. Additionally, claims of misrepresentation and intent to defraud may fail because they are often elements of a 10b-5 claim, and if the elements cannot be proven as part of a whole case, proving each element as a separate case will be difficult.
Commentator Robert Prentice believes that a 10b-5 claim can succeed. (57) He describes a hypothetical "[e]mployee[] with [l]oose [l]ips." (58) Such a situation arises when a company's insider uses an alias to post a rumor promoting the stock either to help the company, raise the stock price, or sell personal holdings. (59)
Prentice asserts that "such anonymous postings violate the manipulation provisions of [section] 10(b) and are actionable.... The individual actors are liable, and the company is probably liable as well on a respondeat superior basis." (60) Employees participating in news groups or chat rooms would also be liable under 10b-5. (61) Prentice argues that such participation is similar "to an employee's appearing and speaking at the meeting of an investment club." (62) The investment club might believe that the employee is authorized to speak on his company's behalf, even though the company believes otherwise. (63) Thus, "[any] statements could be treated as disclosures by the company. Any inaccuracies could lead to firm liability for misrepresentation under Rule 10b-5." Prentice further postulates that "even accurate disclosures could be viewed as illicitly 'selective' and invite insider trading liability...." (64)
III. DEFENSES
A. Procedural
The first line of defense should be procedural. A 12(b)(6) (65) motion to dismiss should be the initial response. The plaintiff will have difficulty meeting his burden of persuasion when the ISP claims lack of awareness or lack of the requisite intent. (66) For example, the plaintiffs in Hart failed to adequately plead that the defendants either knew that the press release was false or doubted its validity at the time of its publication. (67) Since the plaintiffs did not allege this element of their [section] 10b-5 claim, the defendants prevailed on their 12(b)(6) motion. (68)
B. Constitutional Claims
In general, ISPs have managed to avoid liability for hate speech and defamatory messages posted online and in chat rooms. (69) Hate speech online is distinguishable from semantic attacks. Posters of hate speech online use the ISP as a forum to disseminate speeches and writings. A semantic attack wreaks havoc by taking advantage of the breaches in computer security; it changes the content of information online or disrupts service, thereby causing dissemination of false information and economic loss.
In Zeran v. America Online, Inc., the plaintiff Zeran sued America Online ("AOL") for an unreasonable delay in removing defamatory messages posted by an unidentified third party, for not posting a retraction of those messages, and for failing to screen for subsequent similar postings. (70) Zeran argued on appeal that [section] 230 of the Communications Decency Act of 1996 (the "CDA") rendered interactive computer service providers, like AOL, liable for "possess[ing] notice of defamatory material posted through their services." (71) He also asserted that [section] 230 did not apply to him because his claim for AOL's negligence arose before the CDA was enacted. (72)
The issue was whether AOL could be held liable for defamatory speech initiated by a third party. (73) Section 230 provides, in relevant part, that "[n]o provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider." (74) The court explained that the plain language of [section] 230 "creates a federal immunity to any cause of action that would make service providers liable for information originating with a third-party user of the service." (75) This section also "precludes courts from entertaining claims that would place a computer service provider in a publisher's role. Thus, lawsuits seeking to hold a service provider liable for its exercise of a publisher's traditional editorial functions--such as its decision to publish, withdraw, postpone or alter content--are barred." (76) The congressional public policy rationale was to prevent "deter[rence of] harmful online speech through the separate route of imposing tort liability on companies that serve as intermediaries for other parties' potentially injurious messages." (77)
Zeran next argued that knowledge of the defamatory language was sufficient to impose notice liability on AOL. (78) The court rejected this argument, stating that notice liability would defeat the purpose of [section] 230 and "reinforce[] service providers' incentives to restrict speech and abstain from self-regulation." (79) The court continued:
If computer service providers were subject to distributor liability, they would face potential liability each time they receive notice of a potentially defamatory statement--from any party, concerning any message. Each notification would require a careful yet rapid investigation of the circumstances surrounding the posted information, a legal judgment concerning the information's defamatory character, and an on-the-spot editorial decision whether to risk liability by allowing the continued publication of that information.... Because service providers would be subject to liability only for the publication of information, and not for its removal, they would have a natural incentive simply to remove messages upon notification, whether the contents were defamatory or not.... Thus, like strict liability, liability upon notice has a chilling effect on the freedom of Internet speech. (80)
Zeran also argued the legal distinction between the terms "distributor" and "publisher," since a different standard of liability attaches to each in the context of defamatory messages. (81) The court dismissed this claim as well, stating that notice does not transform an original publisher into a distributor. (82) Rather, the contrary is true. When an ISP receives notice of a defamatory posting, it becomes a publisher. (83) At that point, "[t]he computer service provider must decide whether to publish, edit, or withdraw the posting. In this respect, Zeran seeks to impose liability on AOL for assuming the role for which [section] 230 specifically proscribes liability--the publisher role." (84)
The Zeran court decided that AOL was not liable in its role as a publisher for the defamatory messages posted on its service. (85) In addition, the third party's identity was unknown. (86) The Hart defendants could analogize the Zeran court's no-liability decision to their position if the article that Jakob posted contained defamatory information about Emulex. According to the Zeran court, the inclusion of such defamatory information would provide greater protection, and Internet Wire and Bloomberg could have a defense against their failure to investigate the accuracy of the statements in the article. If the story, however, contained no defamatory messages, this argument could lose some of its strength.
C. Contract
A possible defense for an ISP exists under a contract theory. "Most courts will adhere to the traditional privity of contract requirement, which restricts liability for injuries to those arising from the exchange of goods or services between the parties to a contract." (87) Therefore, "under a contract theory, a victim of a hacker attack launched via a third party's unsecure computer system would have no claim against the third party, because of the absence of a contractual relationship with the victim." (88)
D. Tort
A significant obstacle in recovering under a tort theory is the economic loss rule. (89) This rule is traditionally invoked to deny plaintiffs recovery for economic losses in the absence of physical damages. (90) Using this rule could deny the victim plaintiffs damages in a computer security breach case. A possible exception could exist by applying the rule from People Express Airlines v. Consolidated Railway. (91) If the victim is foreseeable, a court may award damages, despite an absence of physical harm. (92) Radin notes that courts have sometimes rejected liability of third-party defendants where the level of risk or ability to anticipate the risk exposure was disproportionate to the party's role. (93) ISPs also could argue that victim plaintiffs assumed the risk of providing information on the website with knowledge that a breach of security could occur.
E. Corporate
A plaintiff might argue that a type of agency relationship exists between the ISP and the hacker who attacks its website. In corporate law, prior acts by an agent do not bind the principal since the agent does not have actual, apparent, or inherent authority. (94) If the principal, however, agrees with the prior acts and ratifies the prior acts as if originally authorized by the principal, then the agent acts with actual authority. (95) For example, if Agent lacks actual authority to tell third party Buyer that Buyer can have a discount, but subsequently Principal tells Agent that Principal thinks the discount is a good idea, Agent's prior act of giving the discount is ratified and it is as if Agent did act with actual authority. (96)
A major limitation is that the principal must have the capacity to ratify both when the agent effected the original act and when the principal seeks to ratify. Silence does not equal ratification. Since the purpose in creating a website is conceivably not to create a host for the hacker, establishing an agency relationship will be difficult. Therefore, the claim that a website's failure to implement security measures to protect against semantic attacks creates a host for the hacker, implicitly linking the two, will probably fail.
Nevertheless, a plaintiff can argue that an agency relationship is established by the type of attack, such as one in which a hacker gains entry into a network by undermining its security measures. This can be accomplished "by setting up programs that try millions of passwords until one is accepted." (97) For instance, "[a] hacker may set up 'sniffers,' programs that check data to find encrypted or sensitive information. Once [the sniffers] gather the information they can decode it, or if unencrypted, use it directly to find out more about a network and penetrate it more easily." (98) If an ISP knows that its security is being undermined, but it takes no preventive measures to protect against future attacks, and a future attack does occur, a plaintiff's argument may be bolstered.
Another possible argument by a plaintiff is that, like the fiduciary duty that runs from a corporation's directors to that corporation's shareholders, a similar duty should be created between an ISP and the user of its website. One type of duty usually referenced is a duty of care. (99) Under the duty of care standard, directors occupy a fiduciary relationship to the corporation and must exercise the care of ordinarily prudent and diligent persons in like positions under similar circumstances. (100) The basic objective standard is that a director shall perform in good faith in a manner he reasonably believes to be in the best interest of the corporation. (101)
The duty of care standard is shielded by the business judgment rule ("BJR"). (102) The BJR protects the decisions of directors regarding management of the corporation from shareholders who disagree with that decision. (103) Courts generally defer to the decision of directors and the BJR and will not review a director's decision even if it is a wrong or poor decision. (104) The courts acknowledge that they have neither the expertise required nor the proper role to make business decisions. (105)
The policy rationale underlying such deference is to allow directors to implement business decisions without fear of a lawsuit in order to realize the shareholders' goal of wanting directors to take risks to produce profit even though mistakes may be costly. (106) The effect of judicial review on such business decisions, which thereby possibly could create liability for directors, "could make directors overly cautious, resulting in reduced shareholder value." (107) Directors of an ISP could argue that the decision of whether to implement security software falls within the ambit of the BJR. Directors could cite such things as cost, time, and efficiency as reasons for not wanting to implement security measures. (108)
A potential counterclaim is that an Internet company's assets are, generally speaking, limited to its website's content and the team of individuals behind that website. Therefore, the website's managers owe a duty to protect the investment that comprises the main value of a shareholder's ownership of stock. In an agency relationship, the principal tends to be the least cost avoider. (109) In an Internet company, however, the assets are limited to the content and human capital, so it may not be the "deep pocket" that shareholders expect.
Some insurance providers sell professional liability or anti-hacker insurance policies to companies at risk of an information security breach. (110) If insurance companies provide coverage, defenses of ISPs may be weakened since now it is the insurance company with the deep pockets. (111)
F. Blaming Others
ISPs may be able to escape liability by blaming network service providers. Radin argues:
Legal liability is sensitive to the state of the art on cost-effective precautions, both technology and practices. Right now, Web sites and network service providers are trying to fight attacks on a "retail" basis, site by site, attack program by attack program. Technologies are emerging, however, that tackle the problem "wholesale," on a network basis, by enabling backbone service providers and network intermediaries to analyze and screen attack traffic. When wholesale prevention becomes practical, courts will have reason to place the liability on network entities, because it will give these entities the incentive to implement the most efficient protective strategy. (112)
Nevertheless, it can be argued that the same defenses available to ISPs will be available to network entities. Radin provides the following diagram on who can best shoulder the blame:
POTENTIAL LIABILITY VS. ABILITY TO TAKE COST-EFFECTIVE PRECAUTIONS (113)
DDOS PARTICIPANT | POTENTIAL LIABILITY | ABILITY TO TAKE COST-EFFECTIVE PRECAUTIONS
Individual computer users | Negligible | None
Portals and commerce sites | Moderate | Can implement security practices, but detection in real time remains difficult
Corporations/online business sites | Moderate | Can implement security practices, but detection in real time remains difficult
Network infrastructure and service providers | Moderate to high | Can implement network-wide wholesale filtering technology
Radin dismisses the defenses in this next figure: (114)
CURRENT LEGAL ANALOGIES FOR DDOS LIABILITY
Traditional Common Carrier Law | Not applicable to ISPs and network infrastructure providers--their services are not open to all
Communications Decency Act * | Not applicable: limits ISP liability for passing through defamatory or other objectionable content
Digital Millennium Copyright Act | Not applicable; limits ISP liability for hosting or transmitting copyrighted content
* Section of Telecommunications Act of 1996
G. Risk Management
If an ISP does take steps to safeguard against a semantic attack, will this be enough to escape liability? Arguably, it should be since the nature of hackers is to find a weakness and every system is likely to have one bug that has escaped testing. For example, although not an ISP, but rather a software provider, Microsoft's Windows XP was at the center of controversy when the FBI's National Infrastructure Protection Center issued an alert that the universal plug and play feature contained a glitch that could result in a severe security breach. (115) Microsoft "acknowledged that Windows XP suffers from serious problems that allow hackers to steal or destroy a victim's data files across the Internet or implant rogue computer software." (116) The FBI was prompted to release the warning since "[t]he glitches were unusually serious because they allow hackers to seize control of all Windows XP operating system software without requiring a computer user to do anything except connect to the Internet." (117)
IV. FUTURE IMPLICATIONS
Criminal liability for hackers is impossible to escape, and the government is taking extra steps to prevent and punish those who engage in this conduct. (118) Civil liability may remain at a standstill, as the Federal Trade Commission ("FTC") recently announced that it will not seek new laws but will focus on strengthening existing privacy laws. (119) Higher level courts may be unwilling to decide on these types of cases until public policy becomes more resolute towards a particular course of action.
The situation could become ripe in the coming year, especially in the aftermath of the recent terrorist attacks. Government officials warn that cyberspace could be the next battleground. (120) Despite the prognostication that "'[i]t is only a matter of time before the convergence of bad guys and good stuff occurs,'" (121) cyberthreats are still considered "weapons of mass disruption" rather than "weapons of mass destruction." (122) Some computer security experts believe the DDoS attack to be "evidence of increasingly potent attacks by hackers, [o]ne of the forms of computer attack that is hardest to defend against, ... becoming more common and more disruptive, and 'causing greater collateral damage.'" (123) Cyberterrorism advisor Richard Clarke believes an industry attitude change has occurred and that "high-technology executives are more willing to talk about building and buying more secure technologies." (124)
Congress also recognizes this commentary by experts. One expert testified on September 26, 2001 that "politically motivated web site defacements will likely continue to escalate during the war on terrorism." (125) He went on to cite semantic attacks as the "most serious consequence[] of web site defacement[]" (126) since it involves a subtle change in a web page's content, which would then disseminate false information. He stated that "[a] semantic attack on a news site or government agency site, causing its web servers to provide false information at a critical juncture in the war on terrorism, could have a significant impact on the American population." (127)
The federal government and the private sector are now making substantial investments in cyber security technologies. However, neither the private nor public sectors are adequately elucidating the fundamental principles that underlie complex, interconnected infrastructures, or developing key technologies or analytical methodologies crucial to protecting the information infrastructure. Therefore, the government becomes the only realistic underwriter to ensure that these technologies are developed. (128) If Congress follows this advice, it could enact legislation that either allocates funds to develop the technologies to protect the information infrastructure or limits the ISPs' liability as it did in the Digital Millennium Copyright Act. (129)
V. CONCLUSION
Semantic attacks are dangerous. False press releases can raise or lower the price of stocks; inaccurate news stories can lead to defamation; pictures can be doctored (130) and accepted as real; and information can literally be disseminated by just one click of the mouse, sending the information around the world and back again before a user even leaves his computer. Although public policy would dictate that ISPs take precautions to prevent and protect against semantic attacks, the possible claims of injured plaintiffs are still vague. The defenses available to ISPs, derived from aspects of constitutional, procedural, contract, tort, and corporate law provide some basis for proceeding with and potentially succeeding against such claims.
(1.) "[T]he term 'service provider' means an entity offering the transmission, routing, or providing of connections for digital online communications, between or among points specified by a user, of material of the user's choosing, without modification to the content of the material as sent or received." 17 U.S.C. [section] 512(k)(1)(A) (Supp. V 1999) (emphasis added). The term can also mean "a provider of online services or network access, or the operator of facilities therefor ...." Id. [section] 512(k)(1)(B). Examples of Internet service providers include America Online ("AOL") and CompuServe. In addition, websites may qualify as service providers, as a court found the website Ebay to fit within the "broad definition of [[section] 512(k)(1)(B)] online 'service provider [OSP].'" Hendrickson v. Ebay, Inc., 165 F. Supp. 2d 1082, 1088 (C.D. Cal. 2001). "The term 'Internet access provider' [IAP] means a person engaged in the business of providing a computer and communications facility through which a customer may obtain access to the Internet, but does not include a common carrier to the extent that it provides only telecommunications services." 47 U.S.C. [section] 151 (f)(2)(A) (1994). For the purposes of this Note, the terms ISP, IAP, and OSP will be used interchangeably. For a comprehensive judicial review of the nuanced distinctions between these terms, see ACLU v. Reno, 929 F. Supp. 824 (E.D. Pa. 1996).
(2.) See Sarah Faulkner, Invasion of the Information Snatchers: Creating Liability for Corporations with Vulnerable Computer Networks, 18 J. MARSHALL J. COMPUTER & INFO. L. 1019 (2000); Jeff Nemerofsky, The Crime of "Interruption of Computer Services to Authorized Users" Have You Ever Heard of It?, 6 RICH. J.L. & TECH. 23 (Spring 2000), at http://www.law.richmond.edu/jolt/v6i5/article2.html (last visited Jan. 22, 2003) (on file with the Rutgers Computer & Technology Law Journal); Margaret Jane Radin, Distributed Denial of Service Attacks: Who Pays?, at http://www.mazunetworks.com/radin-print.html (last visited Jan. 22, 2003) (on file with the Rutgers Computer & Technology Journal); Alan Charles Raul, et al., Liability for Computer Glitches and Online Security Lapses, Sidley Austin Brown & Wood (Aug. 2001), at http://www.sidley.com/cyberlaw/features/liability.asp (last visited Jan. 22, 2003) (on file with the Rutgers Computer & Technology Law Journal); Carl S. Kaplan, Can Hacking Victims Be Held Legally Liable?, N.Y. TIMES, Aug. 24, 2001, available at http://www.nytimes.com/2001/08/24/technology/24CYBERLAW.html (last visited Jan. 22, 2003) (on file with the Rutgers Computer & Technology Law Journal).
(3.) See Vatis Statement, infra note 125. Bruce Schneier, CTO of Counterpane Internet Security, believes that there are three waves of network attacks. The first is physical, such as attacking computers, wires, and electronics. He believes this wave is easy to solve simply by reducing the dependencies on any one computer. Bruce Schneier, Semantic Network Attacks: Industry Trend or Event, 43 COMM. OF THE ASSOC. FOR COMPUTING MACHINERY [ACM] 168, 168 (2000). The second wave is syntactic, such as attacking vulnerabilities in software products. Id. Although the solution is not easy, at least the security problem has been recognized. Id. Schneier believes the third wave of semantic attacks to be the most devastating. He warns against believing everything you read:
How often have you needed the answer to a question and searched for it on the Web? How often have you taken the time to corroborate the veracity of that information, by examining the credentials of the site, finding alternate opinions, and so on? Even if you did, how often do you think writers make things up, blindly accept "facts" from other writers, or make mistakes in translation? On the political scene, we've seen many examples of false information being reported, getting amplified by other reporters, and eventually being believed as true. Someone with malicious intent can do the same thing.
Id.
(4.) 145 F. Supp. 2d 360 (S.D.N.Y. 2001).
(5.) Id. at 362.
(6.) A short sale is "[s]elling a security that the seller does not own but is committed to repurchasing eventually. It is used to capitalize on an expected decline in the security's price." Yahoo! Finance, at http://finance.yahoo.com/ (selecting "Glossary" link and then letter "s") (last visited Jan. 22, 2003) (on file with the Rutgers Computer & Technology Law Journal).
(7.) Hart, 145 F. Supp. 2d at 362.
(8.) Id. at 363.
(9.) Id.
(10.) Id.
(11.) Id.
(12.) Id.
(13.) Id.
(14.) Id.
(15.) Id.
(16.) Id. at 363-64.
(17.) Id. at 364.
(18.) Id.
(19.) Id. at 363.
(20.) Id. Schneier argues that semantic attacks are serious because "[c]omputer processes are rigid in the type of inputs they accept," much less than a human. Schneier, supra note 3, at 168. Computers do not demand corroborating evidence, know what it is, or even how to use it. As a result, "[t]he people who lost the most in the Emulex hoax were the ones with preprogrammed sell orders." Id.
(21.) A call option is "[a]n option contract that gives its holder the right (but not the obligation) to purchase a specified number of shares of the underlying stock at the given strike price, on or before the expiration date of the contract." Yahoo! Finance, at http://finance.yahoo.com/ (selecting "Glossary" link and then letter "c") (last visited Jan. 22, 2003) (on file with the Rutgers Computer & Technology Law Journal). A put option is a "security [that] gives investors the right to sell (or put) a fixed number of shares at a fixed price within a given period. An investor, for example, might wish to have the right to sell shares of a stock at a certain price by a certain time in order to protect, or hedge, an existing investment." Id. at http://finance.yahoo.com/ (selecting "Glossary" link and then letter "p") (last visited Jan. 22, 2003) (on file with the Rutgers Computer & Technology Law Journal). A put option is the opposite of a call option. See id.
(22.) Hart, 145 F. Supp. 2d at 366, 371. The plaintiffs did file an amended complaint, which the court dismissed with prejudice because "to state a claim, a complaint to be sufficient must allege that defendants acted with the required state of mind, viz., scienter, which is `intent to deceive, manipulate, or defraud'" and the plaintiffs' complaint did not qualify. Hart v. Internet Wire, Inc., 163 F. Supp. 2d 316, 321 (S.D.N.Y. 2001) (citing Lanza v. Drexel & Co., 479 F.2d 1277, 1301 (2d Cir. 1973)).
(23.) Radin, supra note 2. She defines "netjacking" as "the Internet's susceptibility to manipulation and attack by mischievous or malicious intruders." Id.
(24.) Radin describes a DDoS attack as follows:
In a DDoS attack, intruders commandeer unsuspecting users' computers and use these distributed "zombies" to flood a target site or service with junk messages. The junk messages overwhelm the servers of the victim and cause that site to experience a period of "denial of service" to its legitimate customers. The success of typical DDoS attacks involves the "cooperation" of a number of players, or a chain of actors. The chain consists of (1) computer users whose machines are commandeered by intruders; (2) portals, corporate and other Internet sites that are targets or "victims" of attacks; and (3) network intermediaries (i.e., various kinds of ISPs and hosting service providers) and backbone network services providers, who deliver the messages that constitute the attack.
Id.
(25.) Nemerofsky, supra note 2. Often, hackers claim that they are trying to help expose weaknesses in website security by hacking into them. Clint Boulton & Brian McWilliams, Another E-Commerce Site Suffers Hack Attack (Mar. 2, 2000), at http://www.internetnews.com/ec-news/article/0,,4_314341,00.html (last visited Jan. 22, 2003) (on file with the Rutgers Computer & Technology Law Journal). A hacker by the name of "Curador" breached the security of SalesGate.com by accessing 2,000 customer records containing credit card numbers and other personal information. Id. Curador posted the credit card numbers to his website and stated "`[m]aybe one day people will set up their sites properly before they start trading because otherwise this won't be the last page I post to the NET.'" Id. Another hacker used this similar defense when explaining why he entered Yahoo!'s news pages and inserted false quotes and information into stories. Brian Bergstein, Hacker's Changes to Yahoo Site Highlight A Web Danger, SOUTH BEND TRIB., Sept. 25, 2001, at B5.
(26.) Nemerofsky, supra note 2.
(27.) Raul, supra note 2 (citing Computer Security Institute, Financial Losses Due to Internet Intrusions, Trade Secret Theft and Other Cyber Crimes Soar, at http://www.gocsi.com/prelea_000321.htm (2001 statistics document expired) (on file with the Rutgers Computer & Technology Law Journal) [hereinafter CSI Report]).
(28.) Id.
(29.) Chet Dembeck, Teen Hacker Arrest Masks True Net Peril, E-COMMERCE TIMES (Apr. 20, 2000), at http://www.ecommercetimes.com/perl/story/3060.html (last visited Jan. 22, 2003) (on file with the Rutgers Computer & Technology Law Journal). Radin believes the problem is more pervasive and that many DDoS attacks are under-reported since many attacks can go undetected and firms are afraid of the bad publicity and subsequent effect on their shareholders and customers. Radin, supra note 2. Radin also cites the indirect costs that are difficult to quantify because "DDoS attacks also take their toll on productivity, user access, and lost business opportunities." Id. See also Michael Lee, et al., Electronic Commerce, Hackers, and the Search for Legitimacy: A Regulatory Proposal, 14 BERKELEY TECH. L.J. 839 (1999). Lee notes that
MCI lost over fifty million dollars when hackers downloaded more than 50,000 credit card numbers, and Citibank lost ten million dollars when its computer network was compromised by a crime group in Russia. The service, repair, and restoration costs from such intrusions are also extensive. For example, in United States v. Morris, the labor costs to eradicate a computer virus and monitor the computer systems' recovery was estimated at up to $186 million.
Id. (citing David L. Gripman, The Doors are Locked but the Thieves and Vandals are Still Getting In: A Proposal in Tort to Alleviate Corporate America's Cyber-Crime Problem, 16 J. MARSHALL J. COMPUTER & INFO. L. 167, 169-70 (1997)).
(30.) Radin, supra note 2 at Figure 1.
(31.) 18 U.S.C. § 2701 (1994 and Supp. V 1999).
(32.) 18 U.S.C. § 1030 (1994 and Supp. V 1999).
(33.) Raul, supra note 2.
(34.) 15 U.S.C. § 6801 (1994).
(35.) Raul, supra note 2.
(36.) Nemerofsky, supra note 2. The crime of "`interruption of computer services to authorized users,'" entails "a violation of a series of federal and state computer-related crime laws which are designed to protect the authorized users of computer systems." Id. As more computer-related crimes are committed, "these statutes could prove to be a positive force in efforts to catch the electronic criminals of the future." Id. Statistics from January 1998 to December 1998 indicate that computer crimes are on the rise since "the Computer Emergency and Response Team Coordination Center (CERT/CC) received `41,871 e-mail messages and 1,001 hotline calls reporting computer security incidents or requesting information.' In addition, [CERT/CC] received 262 vulnerability reports and handled 3,734 computer security incidents, affecting more than 18,990 sites during this same period." Id. (footnotes omitted).
(37.) CD Universe, Yahoo!, Amazon.com, and Ebay are some of the Internet sites that maintain databases of customers' private data, including addresses and credit card information.
(38.) Radin and Faulkner, supra note 2. Raul and Faulkner believe that regulation for these private industries is necessary. Raul, in particular, states:
Although a move toward comprehensive regulation of Internet and computerized data service providers would represent a sharp deviation from current policy, where only banks, health care providers, and other companies that store inherently sensitive types of data face government regulation, further regulation or creative judicial theories cannot be ruled out. Computerized data service providers should carefully address their own security obligations and monitor litigation developments that may point toward evolving standards of care.
Id. (emphasis added). Radin, however, believes that it is speculative to conceive of what legislation may be enacted, but that a detailed regulatory structure is possible. Radin, supra note 2.
(39.) Raul, supra note 2.
(40.) Radin, supra note 2.
(41.) Id.
(42.) Id.
(43.) Id.
(44.) Id.
(45.) Id.
(46.) AOL.com Terms and Conditions of Use, available at http://www.aol.com/copyright.html (emphasis added) (last visited Jan. 22, 2003) (on file with the Rutgers Computer & Technology Law Journal). Ebay includes the following in its privacy statement:
Ebay uses industry standard practices to safeguard the confidentiality of your personal identifiable information, including "firewalls" and Secure Socket Layers. Ebay treats data as an asset that must be protected against loss and unauthorized access. We employ many different security techniques to protect such data from unauthorized access by users inside and outside the company. However, "perfect security" does not exist on the Internet.
Ebay Privacy Policy Section 10, at http://pages.ebay.com/help/community/pngpriv.html (emphasis added) (last visited Jan. 22, 2003) (on file with the Rutgers Computer & Technology Law Journal).
(47.) Radin, supra note 2. For a detailed discussion of the relationship between contract and intellectual property law, see Raymond T. Nimmer, Breaking Barriers: The Relation Between Contract and Intellectual Property Law, 13 BERKELEY TECH. L.J. 827 (1998).
(48.) Raul, supra note 2. Raul analogizes this duty of care from cases dealing with a landlord's duty to protect tenants from foreseeable criminal acts in areas under a landlord's control, suggesting that the court will find a similar duty of care owed by a "computerized data service provider to its customer." Id. Raul states that just as landlords can take protective measures by hiring doormen, improving lighting, and installing new locks to avoid being held "responsible for protecting their tenants from foreseeable harm caused by criminals in their buildings, companies offering computerized data services need to assess their potential liability for protecting their customers, and other parties likely to be affected, from the criminal acts of third parties who used the company's computer systems as vehicles for their crimes." Id. See also Erin Kenneally, The Byte Stops Here: Duty and Liability for Negligent Internet Security, 16 COMPUTER SECURITY J. 1 (2000); Gripman, supra note 29.
(49.) Raul, supra note 2. As hackers gain an understanding of the standard, e.g. baseline security measures, and how to defeat them, the potential for even greater harm is increased. See id.
(50.) Hart, 145 F. Supp. 2d at 362.
(51.) See Mark Ishman, Comment, Computer Crimes and the Respondeat Superior Doctrine: Employers Beware, 6 B.U. J. SCI. & TECH. L. 6 (2000) (explaining the potential liability of an employer for an employee conducting illegal online activity at the workplace). In the context of copyright law, vicarious liability "is an `outgrowth' of respondeat superior." A&M Records v. Napster, Inc. [hereinafter Napster], 239 F.3d 1004, 1022 (9th Cir. 2001) (citing Fonovisa v. Cherry Auction, Inc., 76 F.3d 259, 262 (9th Cir. 1996)). In this context, "vicarious liability extends beyond an employer/employee relationship to cases in which a defendant `has the right and ability to supervise the infringing activity and also has a direct financial interest in such activities.'" Napster, 239 F.3d at 1022 (quoting Gershwin Publishing Corp. v. Columbia Artists Mgmt., Inc., 443 F.2d 1159, 1162 (2d Cir. 1971)). See also Alfred C. Yen, Internet Service Provider Liability for Subscriber Copyright Infringement, Enterprise Liability, and the First Amendment, 88 GEO. L.J. 1833, 1874 (2000) (stating that most ISPs lack "the requisite level of knowledge" for the imposition of contributory liability).
(52.) 15 U.S.C. § 78j(b) (1994); 17 C.F.R. § 240.10b-5 (2002).
(53.) 145 F. Supp. 2d at 365.
(54.) Id. at 366 (citing Ernst & Ernst v. Hochfelder, 425 U.S. 185, 193 (1976)).
(55.) Id.
(56.) Id.
(57.) Robert A. Prentice, The Future of Corporate Disclosure: The Internet, Securities Fraud and Rule 10b-5, 47 EMORY L.J. 1, 76 (1998) (footnote omitted).
(58.) Id. (alterations added).
(59.) Id. at 76-77.
(60.) Id. at 77.
(61.) Id.
(62.) Id.
(63.) Id.
(64.) Id. (alterations added).
(65.) FED. R. CIV. P. 12(b)(6) states in pertinent part that the following defense of "failure to state a claim upon which relief can be granted" is available to a pleader by a motion.
(66.) Hart, 145 F. Supp. 2d at 366.
(67.) Id. at 370.
(68.) Id.
(69.) See Zeran v. America Online Inc., 129 F.3d 327 (4th Cir. 1997); Lunney v. Prodigy Serv. Co., 94 N.Y.2d 242 (N.Y. 1999).
(70.) 129 F.3d at 328.
(71.) Id. (alterations added).
(72.) Id.
(73.) Id. at 330. For further readings concerning this topic, see Jay M. Zitter, Liability of Internet Service Provider For Internet or E-Mail Defamation, 84 A.L.R. 5th 169 (2001).
(74.) 47 U.S.C. § 230(c)(1) (1994).
(75.) Zeran, 129 F.3d at 330.
(76.) Id.
(77.) Id. at 330-31 (alterations added).
(78.) Id. at 333.
(79.) Id.
(80.) Id. (internal citations omitted).
(81.) Id. at 331.
(82.) Id. at 331-32.
(83.) Id. at 332.
(84.) Id. at 332-33.
(85.) Id. at 328.
(86.) Id.
(87.) Raul, supra note 2.
(88.) Id.
(89.) See Robert L. Rabin, Tort Recovery for Negligently Inflicted Economic Loss: A Reassessment, 37 STAN. L. REV. 1513 (1985).
(90.) Id.
(91.) 495 A.2d 107 (N.J. 1985) (concluding that "a defendant who has breached his duty of care to avoid the risk of economic injury to particularly foreseeable plaintiffs may be held liable for actual economic losses that are proximately caused by its breach of duty ... [and] those economic losses are recoverable as damages when they are the natural and probable consequence of a defendant's negligence ... [because] they are reasonably to be anticipated in view of defendant's capacity to have foreseen that the particular plaintiff or identifiable class of plaintiffs ... is demonstrably within the risk created by defendant's negligence."). See also Rabin, supra note 89, at 1513. An argument exists that a website such as Amazon.com, which maintains customer information to ease data entry for repeated customers' order forms, could reasonably foresee that this customer would be an identifiable plaintiff and, therefore, the company would be liable to this plaintiff if a hacker accessed his information. In response, Amazon.com could assert the affirmative defense of assumption of the risk. Specifically, that the customer assumed the risk in supplying the website with private information despite the disclaimer's lack of a security guarantee. See discussion of contract defenses supra section III(C).
(92.) Raul, supra note 2. Radin also suggests that victims could overcome the "economic loss rule" by classifying a DDoS attack as property damage. Radin, supra note 2. Radin cites recent cases involving spam and data-gathering that have "considered receipt of unwanted messages to be a physical harm to a victim's system and not mere `economic' loss." Id. These cases include Ebay v. Bidder's Edge, 100 F. Supp 2d. 1058 (N.D. Cal. 2000); Register.com, Inc. v. Verio, Inc., 126 F. Supp 2d. 238 (S.D.N.Y. 2000); CompuServe Inc. v. Cyber Promotions, Inc., 962 F. Supp. 1015 (S.D. Ohio 1997); America Online v. LCGM, Inc., 46 F. Supp. 2d 444 (E.D. Va. 1998); America Online v. IMS, 24 F. Supp 2d. 548 (E.D. Va. 1998); Thrifty-Tel, Inc. v. Bezenek, 54 Cal. Rptr. 2d 468 (Cal. Ct. App. 1996). Id. at n.13.
(93.) Radin, supra note 2.
(94.) See ARTHUR R. PINTO & DOUGLAS M. BRANSON, UNDERSTANDING CORPORATE LAW 112 (1999).
(95.) RESTATEMENT (SECOND) OF AGENCY § 82 (1958) (defines ratification as "the affirmance by a person of a prior act which did not bind him but which was done or professedly done on his account, whereby the act, as to some or all persons, is given effect as if originally authorized by him").
(96.) See Nogales Serv. Ctr. v. Atlantic Richfield Co., 613 P.2d 293 (Ariz. Ct. App. 1980).
(97.) David Mandeville, Hackers, Crackers and Trojan Horses: A Primer (Mar. 29, 1999) at http://www.cnn.com/TECH/specials/hackers/primer/ (last visited Jan. 22, 2003) (on file with the Rutgers Computer & Technology Law Journal).
(98.) Id.
(99.) PINTO, supra note 94, at 182. The other duty usually referenced is the duty of loyalty. Id.
(100.) See RESTATEMENT (SECOND) OF AGENCY § 379; see also DEL. CODE ANN. tit. 8, § 141(e) (2001).
(101.) PINTO, supra note 94, at 182. The fiduciary duties of directors have largely developed through case law. Id. at 186. State corporate statutes, however, generally describe a duty of care. Id.
(102.) See id. at 190, n.40.
(103.) See id. at 185.
(104.) Id. at 191. The BJR is not a blanket shield against liability for directors of a corporation. Even though the BJR provides that a substantively unwise decision by a director or officer will not by itself be a lack of duty of care, three requirements must be met: 1) the director must not engage in self-dealing; 2) the decision must be informed and not grossly negligent; 3) and the decision must be rational. See Smith v. Van Gorkom, 488 A.2d 858 (Del. 1985); Kamin v. American Express Co., 383 N.Y.S.2d 807 (N.Y. Spec. Term 1976). Exceptions to the BJR include situations in which the director failed to exercise reasonable diligence, to supervise, or to act. It will also not apply when the director's conduct amounted to gross negligence, to a pursuit of his own social goals, or to ultra vires or wasteful acts. Additionally, the BJR does not take effect if the director's decision lacked a business purpose; created a no-win situation; was irrational or illegal; or was affected by a conflict of interest, fraud, or bad faith. PINTO, supra note 94 at 192.
(105.) Id. at 191.
(106.) Id.
(107.) Id. at 191-92.
(108.) Some organizations, however, should have basic security measures in place. For example, the federal government should have adequate measures in place to protect against the access to sensitive information. This is especially critical given the discovery of the Moonlight Maze stealth attack. According to James Adams, chairman of security consultancy iDefense, this attack, launched in March 1998, which targeted sensitive, unclassified information, is the "`largest sustained cyberattack'" on the United States. Elinor Abreu, Epic Cyberattack Reveals Cracks in U.S. Defense (May 10, 2001) (citations omitted), available at http://www.cnn.com/2001/TECH/internet/05/10/3.year.cyberattack.idg/index.html (last visited Jan. 22, 2003) (on file with the Rutgers Computer & Technology Law Journal). He argues that the United States needs a "deterrent strategy for cyberspace just like [the country] ha[s] for nuclear war or conventional war" and "[t]he Department of Defense has to step up to the plate because they have the capability and the responsibility." Id. Investigators had yet to determine how many systems were attacked, how they were compromised, and even the responsible parties, although "some of the attacks appear to have originated from Russian Internet addresses...." Id. Another commentator was more concerned with the private sector's ability to defend against cyberattacks, especially since the resources available to private sector companies are substantially less than those available to the government. Id. Nevertheless in the wake of the September 11th attacks, fear of the government's cyber-vulnerability has resurfaced. A series of studies the Pentagon conducted in the 1990s indicating that a "cyberattack on computer and communication systems could cripple the U.S. as severely as a physical attack ... [by] ... shut[ting] down water systems, power plants, railroads, airports, and oil and gas pipelines, all of which run on computer and communications systems ... [and which are] usually controlled by a central, vulnerable location[]" seems of immediate importance today. Dan Verton and Bob Brewin, Companies Warned About Possible Cyberattacks (Sept. 13, 2001), available at http://www.cnn.com/2001/TECH/internet/09/13/cyber.terrorism.idg/index.html (last visited Jan. 22, 2003) (on file with the Rutgers Computer & Technology Law Journal). See also, infra section IV.
(109.) At least one other author believes an ISP to be the least cost avoider. See Mary M. Calkins, Note, They Shoot Trojan Horses, Don't They? An Economic Analysis of Anti-Hacking Regulatory Models, 89 GEO. L.J. 171, 216 (2000). Although this is an attractive choice because it "shift[s] the costs of hacking to parties with more ability to pay[,] ... [t]he chief flaw is an unworkable standard of care." Id. She concedes that defining a uniform standard that applies to all ISPs and corporations would be difficult since most "base their security spending on their own needs or the desires of their customer base." Id. For example, those corporations with little to protect will choose a low-security environment. Id. Small companies might not have the resources to pay for costly security. Id. And, "some ISPs might choose to spend less on security because their customers, in return for cheap Internet access, are willing to assume the cost burden of their own security." Id.
(110.) See Raul, supra note 2.
(111.) See id.
(112.) Radin, supra note 2.
(113.) Id. at Figure 2.
(114.) Id. at Figure 4.
(115.) Associated Press, FBI Urges Consumers, Companies To Take Additional Steps To Safeguard Windows XP, available at http://www.sjbiz.com/articles0102/techbj010702.html (last visited Jan. 22, 2003) (on file with the Rutgers Computer & Technology Law Journal).
(116.) Id.
(117.) Id.
(118.) The Department of Justice announced the formation of Computer Hacking and Intellectual Property (CHIP) units to combat cybercrime and intellectual property thefts. Press Release, Justice Department, CHIP, available at http://www.cybercrime.gov/chipfact.htm (last visited Jan. 22, 2003) (on file with the Rutgers Computer & Technology Law Journal).
(119.) Jonathan Krim, FTC Will Not Seek New Privacy Laws, WASHINGTON POST, Oct. 5, 2001, at E1. Timothy Muris, Chairman of the FTC, announced that new legislation was not currently needed to protect privacy because the private sector had undertaken efforts to protect consumers and their information and that consumers would naturally choose those companies that did have the best protections. Id. Nevertheless, Muris also announced that the FTC would "more aggressively monitor and take action against companies that violate their privacy policies, whether they do business online or not." Id. These comments seem to suggest that if the attacks that occurred in February 2000 against Amazon.com, Ebay, and Yahoo! occurred today, the FTC might seek action against those three websites for failure to protect their consumer information from cyber-attackers or hackers. A violation of the privacy policy would occur if the security or customer information, for example, was compromised.
(120.) John Schwartz, Cyberspace Seen as Potential Battleground, N.Y. TIMES, Nov. 23, 2001, at B5.
(121.) Id. (comments of terrorism expert Frank J. Cilluffo at the Center for Strategic and International Studies in Washington during Congressional testimony in October of 2001).
(122.) Id. Jeffrey A. Hunker, a former National Security Council official, believes that hacking would be used to further complicate matters such as "taking down key computers in financial or communications industries, after a bombing." Id.
(123.) Id.
(124.) Id.
(125.) "Information Technology--Essential Yet Vulnerable: How Prepared Are We for Attacks?": Oversight Hearing Before the House Committee on Government Reform Subcommittee on Government Efficiency, Financial Management and Intergovernmental Relations, 107th Cong. (2001) (statement of Michael A. Vatis, Director, Institute for Security Technology Studies at Dartmouth College) (commenting on cyber-terrorism and the state of U.S. preparedness) [hereinafter Vatis Statement], available at http://www.house.gov/reform/gefmir/hearings/2001hearings/0926_computer_security/0926_vatis.htm (last visited Jan. 22, 2003) (on file with the Rutgers Computer & Technology Law Journal).
(126.) Id.
(127.) Id.
(128.) Id. (citing the White House Office of Science & Technology Policy White Paper on the Institute for Information Infrastructure Protection, July 11, 2000).
(129.) Pub. L. No. 105-304 100; 112 Stat. 2860 (Oct. 28, 1998).
(130.) One image circulated via e-mail after the September 11th attacks was of a man standing on top of one of the World Trade Center Towers with a plane bearing down on him. George Myers Jr., Bogus Photo One of Many Internet Deceptions, THE COLUMBUS DISPATCH, Oct. 1, 2001, at 01A. The picture was revealed to be a hoax, probably created through PhotoShop, but nevertheless illustrates the ease with which information can be created to deceive and "[t]he manipulation of content on credible news sites might be the clearest evidence of the Web's fallibility as a resource." Id.
Monica Vir, J.D. Candidate 2003, Rutgers School of Law--Newark. The author would like to thank the staff of the Rutgers Computer & Technology Law Journal for their editorial assistance.