This story was printed from ZDNet Australia.

Just Sue It

By K.C. Swanson, Smart Business
January 05, 2001
URL: http://www.zdnet.com.au/news/security/soa/Just-Sue-It/0,130061744,120108015,00.htm


Nike runs into legal troubles after getting hacked, raising the question: Who's responsible for security?

Talk about a double-whammy: Nike may soon become the first company to get slapped with a lawsuit just because it was hacked.

FirstNet Online, an Edinburgh, Scotland-based startup that offers Net connectivity and Web hosting, is lodging the suit to collect on services rendered when Nike was in a jam. Back in June, hackers used FirstNet's servers to reroute Nike's Web traffic to s11.org, the site of an Australian activist group that was organising a protest at a World Economic Forum meeting. The problem took nearly two days to fix, but FirstNet says Nike isn't the only one that suffered.

At Nike's request, FirstNet agreed to redirect traffic back to Nike's servers. As a result, FirstNet's server traffic skyrocketed by 1,800 percent, crashing the company's own servers seven times and cutting off service to clients.

While acknowledging that the hackers themselves must bear some blame, FirstNet says it was Nike's inadequate security that allowed the hacking to take place, and asked Nike for reimbursement and compensation. Says FirstNet's managing director Greg Lloyd Smith: "They asked [for help], we delivered, and we invoiced."

But Nike's in no hurry to pay. "Nike is as much a victim here as anyone else," says Vada Manager, Nike's director of global issues management. "It's not Nike that requested that its domain name be changed, which in turn re-routed traffic." And Nike isn't the only one to be targeted by this particular form of hacking, he says.

FirstNet's argument doesn't find much support among security experts, either. "I think it is a crazy claim to make," says John Vranesevich, founder of AntiOnline, a Beaver, Pennsylvania, computer security research group. "You're attempting to sue the victim instead of the person responsible for the damage." Vranesevich offers this analogy: Say a sniper stood atop a Sony music store because it offered a good vantage point to shoot at people. Then, instead of pursuing the sniper himself, the families of his victims sued Sony. In the same way, he suggests, Nike has been unfairly made a scapegoat.

Aside from issues of fairness, FirstNet's actions could set a precedent disturbing to many Internet companies. Because there's no generally accepted minimum standard for security, any company could be open to charges of poor security, and likewise be vulnerable to lawsuits. "As soon as some new technological fix is announced, it immediately becomes a cause for the hacker world to figure out how to get into it," says Jim Butler, a lawyer specialising in the Internet at the Atlanta office of Arnall, Golden & Gregory. "What is the duty of a company in that very dynamic situation to keep ahead of the curve?"

"Companies will use criminal statutes [against hackers] to protect their back door, while using insurance to help prevent them from losing a lot of money," he says. Meanwhile, FirstNet is preparing its claim for a Scottish court, while managing director Smith is working to broadcast his version of events, posting details to a Web site, Shameonnike.com.

Smith says he wants to help companies avoid similar troubles and counsels them to contact a lawyer before agreeing to help out during a hacking. "Require advance payment, indemnity against liability, and opt-out clauses where applicable. Then and only then do you consider helping," he writes on his site. But in a footnote, Smith urges, "Actually, ignore that comment, and do what you can for them."

Copyright © 2009 CBS Interactive, a CBS Company. All Rights Reserved.
ZDNET is a registered service mark of CBS Interactive. ZDNET Logo is a service mark of CBS Interactive.