Reasonable foreseeability in information security law: A forensic analysis

Abstract

Information is the lifeblood of modern society. Businesses, non-profit organizations, and government agencies regularly compile and maintain electronic databases of information about individuals who interact with these institutions. Computerized data include contact information, personal histories, financial records, and official identifiers such as social security numbers. This wealth of information allows business and government to operate more efficiently, but also exposes the persons to whom the information relates to risks such as identity theft, monetary losses, loss of intellectual property, loss of privacy and reputation, stalking, and blackmail. This article presents an analysis of civil liability for failure to safeguard confidential information. It focuses on situations where database owners fail to patch a computer security vulnerability, which facilitates compromise of sensitive information. Foreseeability of an intervening tortfeasor's action is essential to imposing liability on a primary tortfeasor for enabling the intervenor's behavior. In a civil suit against a database owner for failure to patch a vulnerability, foreseeability of exploitation of the vulnerability is a key element of the liability analysis, and the focus of this article. The article provides judicial decision-makers with a theoretical basis and practical methodology to make an informed and rational decision about reasonable foreseeability in the context of an information security breach. The main contribution of the article is its analysis of the law and technology of cyber attacks that exploit computer security vulnerabilities. The analysis identifies features that make exploitation of a computer security vulnerability reasonably foreseeable. It then develops cyber analogues of these features, and shows that vulnerabilities are likely to be exploited if they are easy to exploit; are technically closely aligned with the objectives of cyber attackers; provide unauthenticated access to a target system; provide remote access; provide anonymous access; and exhibit low access complexity. The article concludes by proposing a numerical metric of the degree to which a particular cyberspace vulnerability is foreseeably exploitable. The metric is a function of quantitative proxies of the "foreseeability features" identified by the analysis. The article closes with a numerical example illustrating the application of the metric to vulnerabilities that have actually been exploited in cyber attacks.

Added to PP
2009-01-28