by Retric 3725 days ago
Liability can be shared, and a tenant may greatly prefer going after an ex-landlord vs. some random person.

Granted, this does not apply in your case, but Chicago does have mixed-use residential/commercial leases, which are covered.

Now suppose a tenant goes back to retrieve their property the day after their lease ends, which under some situations they are allowed to do. Key works, they enter the building...

IANAL, but would suggest this is a situation the owner would like to avoid.


Your concern here is over moral hazard. You're saying, the law makes landlords liable for theft so that they'll do their duty to secure their building. I'm not arguing this point; moral hazard makes a lot of sense. If you want to argue that Trib Corp should have some negligence liability here, fine.

But there is no sense in which that kind of liability mitigates the criminal actions of others. If I go into a building for which the landlord is liable for theft, and I steal $5000 worth of crap (or cause $5000 worth of damage), I'm going to be prosecuted for that if I'm caught, no matter the landlord's liability. Criminal liability isn't shared due to negligence, and when criminal liability is shared (among accomplices and co-conspirators), it's not divided up among the parties --- because that would be silly.

Moral hazard does play into what they can claim as damages. If reverting the defacement using their CMS system costs $500 and results in $2,000 in lost profit, NP. If it takes someone a few hours to verify that was the only change, NP.

But they can't claim time related to revoking his permissions, because they should have done that in the first place. Ditto for performing a security audit, etc.

This is a normal user using their CMS system, not an admin or developer messing with things.

I'm only going on here because I'm worried I've been unclear about the nature of the damage here.

If you're objecting to the idea that, having caused a breach, the convicted attacker is now on the hook for securing the application they broke, so that the attack they used is no longer viable, I agree. That is in no way fair.

But that's not what's happening.

Instead, having been breached, and only because they've been breached, the victim is now in a position of needing to assess the extent of the damage done. They can't guess --- at least, not if they're a major corporation --- because continuing to operate when you have reason to believe you've been systemically compromised is unethical and dangerous.

That's the difference between a DF/IR audit and a security audit. A security audit tries to find all your vulnerabilities. A DFIR audit tries to scope the compromise and retain evidence. Of the two, the DFIR audit has a narrower scope and more specific purpose.

But, weirdly, it's also more expensive. There are more application security consultants than there are DFIR auditors, and DFIR auditors are often selected by insurance companies, not by the market.

At any rate: the costs we're talking about Keys having incurred are not a bonanza of free assessment work Trib gets to bill to Keys.

Someone logged into the CMS system using an active account and changed something in the CMS system. Are they required to do an audit of anything outside the CMS system? No.

I accept that you feel an external audit is required. But is it a reasonable expense directly incurred? No.

PS: As a parting piece of evidence: was $10,206 to $13,147 likely to include a DFIR audit and all other costs? No.

What do you think they spent $13,000 on?