Unpatched Virus Spreaders Could Be Liable

I can see this coming down the pipeline in the United States as well. The problem becomes how do you measure what "adequate" preventive measures are?

If a patch like the one for MS03-026 becomes available one week and the worm comes out the next week (as it's expected to be), can you fault companies for not having patched yet? I mean, enterprise organizations need to test and allocate resources to roll out a patch to the whole infrastructure; 1 week is probably not enough time, and I don't think you could hold them responsible.

However, the patch for SQL Slammer had been out for more than 6 months before the worm, and I think you can hold a company responsible for not having patched in that timeframe.

Thoughts from the field??