Firms have expressed concern that inconsistent computer-crime laws and widely varying penalties for computer criminals are undermining deterrence, increasing the risks to corporate systems. Companies were responding to news that while the Melissa virus author has been sentenced to 20 months in prison in the US, in Holland the author of the Kournikova virus is appealing against a term of just 150 hours of community service.
Security experts reiterated the need for courts to treat Internet crimes more seriously, and for businesses to report financial losses caused by such incidents.
Jan de Wit was sentenced to 150 hours' community service by a Dutch court last year for creating and distributing the Kournikova email worm. At the time of sentencing, virus and legal experts expressed concern that the penalty was too low and would fail to deter other potential virus writers. However, de Wit's lawyer recently announced that his client would appeal against even this lenient sentence.
De Wit's lawyer said the sentence should be overturned because his client did not mean to inflict any damage, and it had not been proved that any great damage was caused. During the trial, 55 victims estimated they had suffered losses totalling $166,827. But this figure would have been much higher if all the victims had reported their losses, according to experts. Graham Cluley of antivirus firm Sophos said Kournikova was a widespread and hard-hitting virus, and the 150 hours' community service penalty was a feeble response.
To ensure that virus authors receive sentences that reflect the gravity of their offences, Cluley said businesses should play their part. "Viruses can cause great damage, yet businesses are ashamed to report infections. They must take a two-pronged stance: improve protection on their systems and be prepared to take action against the authors of malicious code," he argued.
Although proving higher financial losses may encourage harsher penalties, estimating the cost of viruses is not an easy task. Denis Zenkin of antivirus solutions provider Kaspersky Labs said, "Is it possible to estimate how much it costs if a virus deletes files that are the result of years of hard work? Or if a virus lets confidential data leak from a corporate network that leads to the failure of a multimillion-pound deal?"
As a result of the difficulties in measuring financial losses, Zenkin said courts and law enforcement agencies should look for other ways of estimating damage to prove the culpability of virus authors, apart from relying on individual company estimates.
Earlier this month, a US court sentenced David L Smith, author of the Melissa virus, to 20 months in jail. Smith admitted to causing more than $80m of damage worldwide.