April 2015 INTERNET LAW & STRATEGY

The Internet User's Duty of Care

Cybersecurity Brings New Level of Online Liability

By Jonathan Bick Jonathan Bick is Of Counsel at Brach Eichler LLC in Roseland, NJ. A member of our Board of Editors, he is also an adjunct professor at Pace and Rutgers law schools, and the author of 101 Things You Need to Know about Internet Law (Random House 2000). He can be reached at bickj@bicklaw.com.

The duty one Internet user has to another has changed, particularly with respect to cyber-security and privacy. Widespread breaches of Internet security result in a massive loss of valuable time and resources, reduced productivity, lost revenue and a diminishment of Internet privacy. Negligence by Internet users has enabled hackers and creators of viruses to exploit computer systems and engage in crime and unwanted computer intrusions.

Internet users are secondarily liable third parties for negligence when they fail to incorporate reasonable security into their Internet access systems and practices. This tort is premised upon the unacceptably high levels of risk of Internet-related difficulties, as well as the low cost of implementing software and procedures that would ameliorate or eliminate said difficulties.

Rapid technological change has allowed Internet users to implement meaningful remedies for online injuries, such as the theft of personal data, computer viruses or Internet fraud enabled by software failure. With an ever-increasing amount of sensitive information being exchanged on the Internet, the development of robust and trustworthy computer systems is now a duty owed by each Internet user to all other Internet users.

User Negligence

Internet-based negligence remedies are necessary because the only available defendant is often the negligent user whose security holes enabled the crime. Enforcing negligence torts related to an Internet user's behavior will encourage them to institute protective computer software and practices and provide incentives to improve the quality of their security and privacy practices. The imposition of potential liability induces preventive vigilance, while raising the failure to uphold a duty to other Internet users to the level of a tort also allows for the compensation of the victims of Internet bad acts. The absence of enforcement for negligent Internet activity enables Internet crime and breeds irresponsibility.

Internet users have a duty to protect others by taking reasonable steps to stop others from using his or her assets, both tangible (computer) and intangible (Facebook account), in harming others. For example, a duty exists for Internet users to engage in activities that prevent lapses in cybersecurity, which could expose others to a virus. Additionally, courts have found that banks have a duty to protect privacy (account information).

Controlling the 'Net

User control over tangible and intangible Internet assets was simply not possible 10 years ago. The technology associated with the Internet today allows users direct control over online communications because the Internet users control (via software or consented-to content access) what hardware and information is to be shared. This direct control brings an increased duty to act so as not to harm others, and the technological advances change the negligence equation for Internet users with respect to cybersecurity and privacy.

While certain bad actors trick Internet users into installing software that harms other Internet users, most of the harm to other users is due to intentional or negligent acts by individual users, even if the harm is actually a byproduct of the acts. Internet users expose other users to harm when they intentionally disable security software, so as to improve the speed of their uploads and downloads. Or they negligently employ vulnerable passwords or engage in risky behavior, such as downloading questionable material, such as free copyrighted content (e.g., music, videos or games).

Liability and Compensation

Courts have regularly found that third-party victims of intentional or negligent disabling of security may be compensated as a result of a tort-based lawsuit. Tort law evolved to protect the public against new dangers arising from new technology. Negligence emerged as the liability standard for nonintentional injuries caused by new technology. See, Restatement (Third) of Torts: Liability for Physical Harm §3 (discussing basic principles of negligence). This expansion of tort liability includes software and other intangibles such as information products. One California court, for example, imposed liability on the seller of an inaccurate instrument approach chart. See, Fluor Corp. v. Jeppesen & Co., 170 Cal. App. 3d 468, 476 (Ct. App. 1985).

Courts have had little difficulty extending liability for bad software when the design defect causes physical injury or death. A New Jersey court applied product liability law in a case in which the brakes of a tractor-trailer failed because of defective software on the vehicle's onboard computer. See, Roberts v. Rich Foods, 654 A.2d 1365 (N.J. 1995).

A landlord's duty to minimize risk to tenants may also serve as a model for expanding liability to Internet users who, by intent or negligence, modify or disable security features designed to protect fellow Internet users. In crafting the duty of care, courts have regularly balanced the foreseeability of harm and the gravity of harm against the burden on a software user. In particular, juries should have little difficulty in imposing a duty on Internet users that is designed to prevent them from modifying or disabling virus protection.

Operator Liability

Additionally, the operator of an Internet site, like any other retail establishment, could theoretically be liable for the reasonably fore-seeable harm caused by third parties that injures customers. The Internet's history of intrusions and security breaches makes such foreseeability likely. In Hamilton v. ACCU-TEK, 62 F. Supp. 2d 802 (E.D.N.Y. 1999), the court found that a general duty to avoid negligence is assumed.

Both an Internet site operator and an Internet user could potentially be held liable for negligently permitting a third party to access its computer and copy data or proprietary information owned by others where that inadequate security results in injuries to third parties. Courts have imposed a duty to maintain a secure environment against a wide array of property owners, including landowners, landlords, business owners and other possessors of real property and chattel. This liability is in addition to the imposition for injuries caused by the criminal acts of third parties.

A prima facie case against those who intentionally or negligently modify or disable Internet software designed to protect other Internet users requires proof of the following elements: 1) a duty of care owed by the Internet user to other Internet users; 2) conduct below the applicable standard of care that amounts to a breach of that duty; 3) an injury or loss; 4) cause in fact; and 5) proximate or legal cause. The court in McCall v. Wilder, 913 S.W.3d 150, generally detailed these elements of negligence.

As courts consider the duty of one Internet user to another, they must balance such factors as: the foreseeability of the harm of computer viruses or privacy breaches; the relationship between Internet vulnerabilities and harm; the connection between careless Internet security practices and the injury suffered by one or more third-party Internet users; the burden on the individual Internet user and the consequences to the community Internet users for imposing a duty to maintain adequate security; and the availability, cost and prevalence of security solutions.

Any duty to protect one Internet user from the actions or inaction of another must be predicated on a preventable risk. In many cases, there may be multiple defendants who owe third-party Internet users a duty of care. The scope of liability will most likely be determined by the courts and be decided by a jury on grounds of duty or proximate cause.

Damages

Under proximate cause, a defendant is liable for all the general kinds of harms which were foreseeable risks of the defendant's acts or failure to act. The predominant injury caused by Internet users who expose other Internet users to harm by intentionally disabling security software, and by Internet users exposing other Internet users to harm by engaging in risky behavior, will most likely be a financial loss, dignitary injury or invasion of privacy, rather than personal injury or death.

Thus, a typical Internet case involving an Internet user who intentionally or negligently caused harm to other Internet users would not involve pain and suffering or general damages. An injured third party could theoretically receive damages for the unauthorized use of computer networks or be compensated for economic expenses incurred because of a computer virus. The law of torts may also provide for punitive damages to punish and deter those Internet users that fail to remediate known vulnerabilities after many prior losses.