Civil remedies are a more viable legal solution to cyber crime for the enterprise than criminal prosecution, according to IT security consultant and forensics expert Ajoy Ghosh.
Tort law (specifically the tort of negligence) is likely to pressure large market sectors such as ISPs (Internet service providers) to adopt security measures that prevent cyber criminals from plying their trade and more readily identifies them, he said.
"Proponents of a tort law framework cite the inadequacies of law enforcement agencies to identify, locate and prosecute cyber criminals coupled with the rapidly developing infrastructure and judicial conundrums of cyberspace," Ghosh said.
From a victim's perspective, he said the rationale for pursuing civil rather than criminal remedies offers advantages such as confidentiality, standard of proof that does not require evidence 'beyond reasonable doubt' and a more timely settlement for compensation. Another advantage is corporate liability.
"The victim doesn't have to identify a particular individual as the individual hacker since a corporation can be liable for damages either vicariously or through contributory negligence; this also provides the claimant with the ability to access significant damages," Ghosh said.
Alistair MacGibbon, director of the Australian Federal Police High Tech Crime Center, agrees civil action has a role to play in combating cyber crime.
"Civil action has a legitimate role to play but we still want to provide an open door for more people to report computer crime; we don't pretend law enforcement is the only solution," he said.
However, MacGibbon does believe the private sector can take more preventative measures by educating users such as Internet banking customers who are fooled into using a fake mirrored Web site and providing password and user name details.
While the private sector has increased security spending in the past 12 months, Auscert general manager Graham Ingram said it is clear most organisations are still finding it hard to manage a multitude of issues surrounding the proper protection of information systems.
"Organisations need to ensure they are able to operate their information systems security prior to connecting to the Internet; it is clear that organisations aren't aware of some relatively basic security issues and have paid dearly," he said.