Security suit against Microsoft could turn huge

A 50-year-old Los Angeles mother of two who fell victim to hackers has sued Microsoft Corp. seeking damages and an order requiring the vendor to improve its security notification system.

The suit, filed Tuesday in Los Angeles Superior Court, claims that Microsoft's "eclipsing dominance in desktop software has created a global security risk" as the world's computer networks are now susceptible to "massive, cascading failures." The vendor is charged with violating California laws because of unfair and deceptive business practices.

The case was filed on behalf of the Los Angeles woman, but a request has been filed to certify the case as a class action, said Dana Taschner, a Newport Beach, California, lawyer who filed the suit on behalf of the plaintiff.

"We represent an individual plaintiff who is also seeking to be a class representative on behalf of all U.S. purchasers of Microsoft operating system software," he said.

Microsoft spokeswoman Stacy Drake said the company received the complaint and is reviewing it. Based on an initial review, Microsoft plans to fight the attempt to certify a class action, Drake said. Microsoft also believes the lawsuit "misses the point." The problems caused by viruses and hackers are the result of criminal acts by the people who write viruses and break into computers, Drake said.

Getting class certification is crucial for the case, according to Eugene Crew, partner at Townsend and Townsend and Crew LLP, a San Francisco firm that successfully brought a class action suit against Microsoft for overcharging for software in California.

"If Microsoft can prevent the class from being certified, that will kill the case in the crib. An individual proceeding on his own could not afford to proceed with the case just to recover the damages that he alone suffered," Crew said.

Parts of the lawsuit repeat the arguments by seven prominent IT security researchers in a report released last month. That report argued that reliance by "nearly everyone" on Microsoft products has created monolithic IT infrastructures that are less secure than relying on multiple operating systems. [See, "Researchers: MS dominance poses security challenge," Computerworld (US online), Sept. 25.]

The Los Angeles woman suing Microsoft was a victim of identity theft, Taschner said. "She works on her home computer and somehow her system was hacked and her name and social security number were used to access bank accounts and other services," he said. "She has been trying to clean up the mess."

Microsoft makes it too hard for consumers like the plaintiff to secure their systems, Taschner said. "We are asking the court to issue an order requiring Microsoft to give better notice. The hackers are faster on the uptake than the consumer; in a strange way, the Microsoft alerts are actually causing more harm than good."

The suit mentions the Blaster worm that wreaked havoc in August, despite the fact that Microsoft had warned of and issued a software patch for the software bug exploited by the worm in July. [See "Feared RPC worm starts to spread," Aug. 11.]

Microsoft's Drake said the company has made security a top priority and is committed to developing the most secure software possible and making it easier for customers to protect themselves against attacks "launched by malicious law-breakers."

Taschner said he expects the Los Angeles Superior Court to respond to his filings next week.