Lawsuit Lays Blame on Microsoft for ID Theft

A California woman has filed what could become a class-action suit against Microsoft (Nasdaq: MSFT), claiming the software giant's flaw alert and patching system is inadequate and fails to protect consumers.

The action, being handled by a California attorney known for taking on big business on behalf of consumers, stems from an apparent case of identity theft that the woman says was made possible by weaknesses in Microsoft's products.

The suit alleges that because Microsoft products are so widely used, their weaknesses constitute harm to consumers. By making that argument, lead attorney Dana Taschner is seeking to leverage a recent research report by the Computer and Communications Industry Association, which stated that nearly ubiquitous use of Microsoft software poses a risk to national security.

The suit claims that rather than protecting consumers, Microsoft's alert system actually tips off hackers, who move more quickly to develop exploits for flaws than users do to apply patches.

Numbers Game

In addition, the lawsuit alleges Microsoft engaged in unfair business practices. It seeks unspecified damages as well as an injunction that would require the company to revamp its alert system.

It also seeks treatment as a class action, which could enable thousands if not millions of other California residents -- and possibly all U.S. residents -- to join the lawsuit if they have been affected by Microsoft flaws. The definition of "flaws" has not yet been determined, but it might include widespread vulnerabilities, such as the one that enabled the Blaster worm to attack hundreds of thousands of computers.

Microsoft could not immediately be reached for comment. The company previously has argued that hackers should be targeted, because they are the ones who cause damage by exploiting software vulnerabilities.

Been There

Lawsuits are nothing new to Microsoft, even suits stemming from hack attacks. To date, the company has made a concerted effort to settle many of the consumer and business complaints against it. For example, it has agreed to pay millions of dollars to settle civil antitrust matters in California, Florida and elsewhere.

Last spring, a Korean civic group filed suit against Microsoft for failing to stop the SQL Slammer worm.

That suit, by the People's Solidarity for Participatory Democracy, is being watched closely in the United States, because it is likely only a matter of time before similar challenges crop up on Microsoft's home turf, information security attorney Christopher Wolf told the E-Commerce Times.

"It's complicated because there is no standard of what is effective or adequate action on behalf of a software firm," Wolf said. "Is once a month enough? Once a week?"

It may be hard to prove negligence in the SQL Slammer case because Microsoft had issued a patch for the targeted SQL flaw months before the worm ravaged the Web in January of this year.

"That may not be the [test] case, but eventually there will be one that ends up deciding exactly what a company's responsibilities are to protect users from hackers," Wolf noted.