Out-Law / Your Daily Need-To-Know

Out-Law News

Code Red warning could soon be a legal obligation in US


The feared disruption to internet services following the reawakening of the Code Red worm has so far failed to materialise, but the FBI warns it is still possible that the full effect of the worm may not be felt for a few days. Meanwhile, the US Federal Trade Commission is calling for laws that force system administrators to protect against such known dangers.

The worm is a form of virus that self-replicates without actually altering files, and is designed to flood computer networks with data. It was timed to begin replicating itself overnight. Security experts had warned that it threatened to considerably slow down the operation of the internet. However, Ronald Dick, director of the FBI’s National Infrastructure Protection Center (NIPC), said:

“Currently all government and private sector watch centres are not reporting any unusual activity associated with the Code Red worm. While there is no activity now, it does not mean that the storm has passed.”

The low impact of the worm has been attributed to the actions of systems and network operators who have patched their systems to protect them. According to Microsoft, the patch it offered has been downloaded more than one million times.

Although there has been a positive public response to high-profile warnings of the dangers posed by the worm, the FTC wants greater powers to force businesses to take heed of future warnings.

The FTC is seeking public comment on a proposed regulation that is in part intended to force businesses to protect against “any anticipated threats or hazards to the security or integrity” of customer information. These measures are aimed at financial institutions and are included in standards required under the country’s Gramm-Leach-Bliley Act. As of 1st July, 2001, this Act requires US financial institutions to notify customers about their privacy practices and allow consumers to "opt out" of having their non-public personal information disclosed to non-affiliated third parties.

The Act's security provisions require certain other federal agencies to establish standards for financial institutions relating to administrative, technical and physical safeguards for customer information. The objectives of these standards are to ensure the security and confidentiality of customer records and information, to protect against any anticipated threats or hazards to the security or integrity of such records and to protect against unauthorised access to, or use of, such records or information that could result in substantial harm or inconvenience to any customer. The standards could allow action to be taken against financial institutions that fail to take heed of security warnings such as that issued by the FBI for the Code Red worm.
