The Dilemma of Reporting Spyware Attacks

LAS VEGAS—The Federal Trade Commission is asking corporations to report incidents when they are victimized by spyware attacks, but some experts say the process of doing so puts businesses in a tricky position, where they must weigh the benefits of pursuing malware code distributors against the potential for legal recrimination.

Speaking at a roundtable discussion on the topic of spyware at the Black Hat Briefings security conference being held here July 31 through Aug. 3, Eileen Harrington, a deputy director in the Bureau of Consumer Protection at the FTC, said that companies will need to be more forthcoming if they are to help the agency track down malware writers and take those individuals to court.

While companies must be held responsible for any mistakes they make that leave computer networks and sensitive data exposed to attacks, law enforcement officials need private-sector organizations to contribute more actively if the FTC is going to make headway in tracking down those responsible for the programs, she said.

“Companies need to report problems to help us do our jobs. If you have the appropriate security measures in place, you shouldn’t be afraid to contact us,” Harrington said. “Where liability can arise on the part of the private sector is when personally identifiable information on an [IT] system has not been reasonably protected. What constitutes ‘reasonable’ varies from case to case, and we will sue companies when those steps are not in place.”

Read the full story on eWEEK.com: The Dilemma of Reporting Spyware Attacks
