Smith maintains that upon notifying Nike.com of the incident he complied with all their directions, including not disclosing the matter to the media. However, when he invoiced Nike.com for the financial losses he had suffered, it responded by stating its appreciation of his efforts but refusing to pay any compensation.
Smith has set up a web site devoted to the issue at ShameOnNike.com where he states that “some might say that the hacker or hackers are/were responsible. To a small degree that might be true. However, Nike Inc. must surely bear the largest responsibility since it was their total lack of security that allowed it to happen in the first place”.
He bases this argument on his allegation that Nike.com employed a minimal security system called “MAIL-FROM”. Nike.com denies this, maintaining that it used a higher level of security, “CRYPT-PW,” which is password protected.
Nike.com alleges that domain registrar Network Solutions is responsible because it gave the hacker access to change vital registry information for Nike.com.
The whole incident and its repercussions illustrate the problems inherent in establishing fault for computer security breaches. Security experts are now calling for legislation that would set out parties’ liabilities in such cases although some have expressed the opinion that Smith’s suit may be ill-founded.