Disclaimer: I am not a lawyer; consult yours before relying on advice from any layperson, including me.

Thus spake "Owen DeLong" <owen@delong.com>
Should the ISP have shut the customer off? Probably. I certainly would have. Are there ISPs that don't? You bet... Some because they are afraid to. Have ISPs been sued for turning off abusive or abusing customers? You bet.
You can be sued for doing anything or nothing (or both). The real question is whether the plaintiff has any chance of winning, or even of getting past a pre-trial motion to dismiss. Presumably every ISP has some sort of AUP that allows the ISP to, at its discretion, shut off a customer based on suspicion of abuse. Hopefully by now they've all been updated to include in the definition of abuse a failure of the customer to secure their system(s). Even if not, I can't see a customer winning a case against an ISP who cuts them off for being infected with a worm (the activity of which would fall under abuse).
Is it prudent for an ISP to turn someone off? Depends on how you evaluate the risks involved. Either decision you make carries some risk.
Opening your doors for business invites all sorts of risks, including being sued for totally ridiculous and frivolous reasons. Acting as allowed under your contract with a customer does not substantially increase those risks. Fear of exercising your contractual rights means you don't have much faith in your contracts or representation.

S

Stephen Sprunk
CCIE #3723
K5SSS

"Those people who think they know everything are a great annoyance to those of us who do." --Isaac Asimov