Smith maintains that upon notifying Nike.com of the incident he
complied with all their directions, including not disclosing the
matter to the media. However, when he invoiced Nike.com for the
financial losses he had suffered, it responded by stating its
appreciation of his efforts but refusing to pay any
compensation.
Smith has set up a web site devoted to the issue at
ShameOnNike.com where he states that “some might say that the
hacker or hackers are/were responsible. To a small degree that
might be true. However, Nike Inc. must surely bear the largest
responsibility since it was their total lack of security that
allowed it to happen in the first place”.
He bases this argument on his allegation that Nike.com employed
a minimal security system called “MAIL-FROM”. Nike.com denies this,
maintaining that it used a higher level of security, “CRYPT-PW,”
which is password protected.
Nike.com alleges that domain registrar Network Solutions is
responsible because it gave the hacker access to change vital
registry information for Nike.com.
The whole incident and its repercussions illustrate the problems
inherent in establishing fault for computer security breaches.
Security experts are now calling for legislation that would set out
parties’ liabilities in such cases although some have expressed the
opinion that Smith’s suit may be ill-founded.
