ABSTRACT

This chapter discusses the inadequate defenses seen in practice against technical attacks on software vulnerabilities and on networks, leaving the discussion of attacks on human vulnerabilities, such as phishing, to a later chapter. Like Chapter 2, this chapter is concerned with software, but only to the extent that it is embedded in a business's network. The focus is on defending against the vulnerabilities that are present, given the certainty that some of them will be attacked. To provide an incentive to manage security properly, this chapter proposes that the FTC actively enforce security standards. The broad investigative powers of the FTC make it an attractive way to address security mismanagement. FTC investigations are governmental actions. Individuals harmed by security mismanagement can sue under common law negligence theories, and under state and federal statutes that require reasonable security. The two regimes work in concert to discipline businesses.