Can $1M in damages be accurate in a website defacement?

The site was restored in less than an hour, but follow-up took months

[Image: Matthew Keys. Credit: Reuters]

Corporate security pros should note that journalist Matthew Keys was convicted this week of changing a headline on the LA Times Web site, a case that may help define what can be included when toting up the damages caused by hackers.

The bill cited in court came to $929,977 for the cost of changing back the altered headline, which stayed live for less than an hour, but also the cost of assessing what other damage was done and fixing it, which took months. You can read details about the case here and here.

The Times said it had to figure out how attackers got in and check for possible backdoors they might have installed, hence the big bill.

But other evidence included an email written by Keys’ former boss that said, "if you bill a thousand dollars an hour, that will help us get it prosecuted." Keys’ lawyers suggest that was padding the bill in order to break the $5,000 threshold needed to make the case prosecutable under the federal Computer Fraud and Abuse Act.

Keys seems pretty feisty and will likely appeal the conviction, so this could drag on for a while, but even if he doesn’t, the case should shed some light on what can be considered damages under the law.

There are two sides. First, the side taken by the prosecution, which said that the actual damages went beyond the effort of fixing the headline and included the cost of a full network security assessment and of removing backdoors installed during the attack.

That can be considered reasonable if the costs of remediating the effects of the hack are costs the victim otherwise would not have incurred.

But the other side is that perhaps some of the items remediated after the attack should have and would have been done already if the victim had been following industry-standard security practices.

For example – and it doesn’t necessarily apply in this case – should damages include the installation of a platform to revoke the passwords of terminated employees? If the company failed to revoke the password and that failure resulted in a breach, should the attacker have to pay for a system to automatically invalidate credentials for employees who leave in the future?

Regardless of how you view the issue, it is something the courts will likely decide, and it will have an impact not only on damages businesses might recover, but also what laws will come into play in cases like this.

The case also calls into question the severity of anti-hacking laws. Keys faces up to 25 years in prison, plus $750,000 in fines for getting someone to “f**k some s**t up” on the Web site, according to accounts of the trial. If he was a disgruntled employee throwing a tantrum by having a headline altered, 25 years seems extreme.

The law, with its penalties, seems like it was written to address major attacks like the Target and Sony hacks; this has literally made a federal case out of a hissy-fit defacement.

The judge has discretion over what prison term to impose, if any. What he decides is another reason to keep an eye on the case.
