WASHINGTON -- Hackers, viruses, and other online threats don't just create headaches for Internet users -- they could also create prison sentences for corporate executives, experts say.
Though business groups have lobbied successfully against laws focused on cybersecurity, companies that don't make efforts to secure their networks could face civil and criminal penalties under an array of existing laws and court decisions, according to security and legal experts.
''Computer security is not solely a technology issue," said Dan Burton, a vice president at computer-security firm Entrust Inc., who serves on a private-sector board to boost accountability.
Though healthcare, banking and deceptive-business laws all create security obligations, a new accounting-reform law now being phased in is likely to have the biggest impact.
The 2002 Sarbanes-Oxley Act holds executives liable for computer security by requiring them to pledge that companies' ''internal controls" are adequate, and auditors are starting to include cybersecurity in that category, said Shannon Kellogg, director of government affairs at RSA Security Inc.
Violating that provision could lead to criminal charges by the Justice Department and jail, said David Becker, a partner at the law firm of Cleary Gottlieb in Washington and former general counsel at the Securities and Exchange Commission.
''Any egregious intentional violation of federal securities law could be criminal," Becker said.
Companies that can prove they have taken concerted steps to improve their networks stand a much better chance of success in court, experts say.
Online viruses and worms like SoBig and Slammer have clogged computer networks and knocked vital websites offline, costing businesses some $55 billion in productivity last year, according to anti-virus company Trend Micro Inc.
Other online risks, from identity theft to espionage, are harder to quantify.
The US government released a plan to increase online security last year, but it contained few hard-and-fast requirements for the businesses that control roughly 85 percent of the nation's Internet infrastructure.
Many of the experts who advocate a hands-off approach say businesses will have to upgrade their online defenses, thanks to Sarbanes-Oxley and other laws.
Healthcare companies will have to ensure by April 2005 that electronic patient data is stored in a confidential and secure manner, under the Health Insurance Portability and Accountability Act of 1996.
Banks and other financial-services groups face similar obligations under the Gramm-Leach-Bliley Act of 1999.
Companies that don't live up to their security promises have faced action by the Federal Trade Commission. Drug maker Eli Lilly and Co. agreed to beef up its internal security after it inadvertently revealed the e-mail addresses of customers who used its Prozac anti-depressant medication.
Some courts have held businesses accountable as well. A Maine state panel ruled last year that Verizon Communications Inc. should have foreseen that its network would be vulnerable to Internet attacks like the Slammer virus, and should be forced to make infrastructure payments to the state even when its network was down.
In Washington, a judge has several times ordered the US Interior Department to unplug its computers from the Internet until it can guarantee that trust-fund payments to American Indians are secure against hackers.
''In the realm of terrorism and cyberterrorism, courts are more willing to find negligence than they did before," said Bill Cook, a partner at Wildman Harrold in Chicago.
Others are less convinced that a courtroom precedent is emerging, though they say that is no excuse not to improve computer defenses.
''There are some court cases, but I don't know that there's really enough to pull together," said Bruce Heiman, a partner with Preston Gates & Ellis in Washington.