Microsoft Faces Suit Over Viruses, Worms

By Joseph Menn

Oct. 3, 2003 12 AM PT

Times Staff Writer

A Los Angeles woman fed up with computer viruses and malicious worms is using a new California law to try to force Microsoft Corp. to make its software less vulnerable to such attacks.

In a suit filed this week in Los Angeles County Superior Court, Marcy Hamilton makes the novel claim that the world’s biggest software company has run afoul of the new law, which requires businesses to warn customers when the firms believe personal information has been exposed to hackers or other unauthorized individuals.

Because Microsoft’s Windows operating system runs more than 90% of personal computers, it is a juicy -- and frequent -- target for hackers seeking credit card numbers and other sensitive information. As a result, the suit says, Microsoft should be far more aggressive about warning users when new problems appear.

The Redmond, Wash.-based company’s practice is to post warnings on its Web site, on which visitors are urged to install free fixes for newly discovered security holes. But by the time many consumers respond to the warnings, hackers have already figured out how to exploit the vulnerabilities.

“Microsoft should send an e-mail out to everyone who registers when it finds out about a virus,” said Newport Beach attorney Dana Taschner, who filed the complaint Tuesday on Hamilton’s behalf.

Requiring more immediate notification to customers could alleviate the damage, said Taschner, who is seeking class-action status for the suit to represent millions of Microsoft customers. If granted, the damages could total tens of millions of dollars or more.

Hamilton is hardly the first disgruntled customer to bring legal action against the software behemoth. Microsoft’s $49-billion cash horde has attracted many lawsuits in the past. But those who have sued on more traditional grounds, such as breach of contract or providing defective products, have generally failed as Microsoft has proved itself almost immune from typical consumer suits.

In the eyes of most courts that have ruled on such disputes, Microsoft is not literally selling a product. Instead, it maintains ownership and merely licenses the software for use by others. Licensing agreements provide far less recourse for unhappy customers, and they include language essentially freeing Microsoft from liability.

So Hamilton took a different tack with California’s new disclosure law.

“This represents the first salvo for consumers to say to software makers, ‘Wait a second, if you are going to put out software that needs be patched three times a week, take responsibility for it,’ ” said Mark Rasch, a former head of the Justice Department’s computer crime unit.

But Devin Gensch, an attorney who works on software licensing and privacy issues at Fenwick & West in Mountain View, Calif., said he was skeptical the approach would work.

“That might be a bit of a stretch for a court to swallow,” he said.

Microsoft said Thursday that it was reviewing the case.

“Our intent will be to actively defend their attempt to certify a class action,” spokeswoman Stacy Drake said.

The hacking disclosure law, which took effect July 1, was designed to force companies that own or license “computerized data that includes personal information” to let customers know when an intrusion occurred.

Assemblyman Joe Simitian (D-Palo Alto), the law’s sponsor, said he didn’t want to speculate on whether it covers incidents when the customers themselves are hacked.

“I don’t believe this scenario ever came up,” Simitian said. “I don’t think it was anything that was envisioned.”

Microsoft shares slipped 2 cents Thursday to $28.50 on Nasdaq.

Reuters was used in compiling this report.