12 May 2008
Victim or Villian?
Viral liability
Guard against
viruses or face legal action (Internet World e-newsletter - August 17,
2001)
By Rob Gallagher
Businesses are just the innocent victims of viruses, right? Wrong. If your company doesn't take the necessary precautions, you could be found liable for some of the damage.
'I'm fairly sure we'll see [virus liability test cases],' said Jonathan Armstrong, e-commerce lawyer with Eversheds. 'The greater the harm, the greater the likelihood someone will sue for it.'
He recalled a survey conducted four years ago among the legal profession. A number of barristers were asked if a company could be held liable for the transfer of a virus via floppy disk. Four out of six said yes.
And while technology has changed the way viruses travel, the legal risk may not have diminished. 'I had heard a rumour that there were two contemplated actions for ILOVEYOU,' remarked Armstrong.
By the time the ILOVEYOU virus -- aka 'The Love Bug' -- ended its spree in May 2000, it is thought to have cost businesses around £6bn in bumped-up security and lost business. In the UK, BP and Shell were among the largest companies to have servers knocked out by the virus. Microsoft's UK email server even suffered an outage.
Since then, viruses have hardly abated and seem to have grown in destructive power. Sircam struck at the end of July and no one seems to be sure if Code Red has reached its end.
According to Armstrong, a virus like Sircam could raise particularly tricky issues of legal liability. Sircam not only flooded servers with its mass mailings, it also 'stole' files from hard drives and sent them out randomly. Armstrong had seen quite a few documents retrieved from the Eversheds firewall that contained 'share sensitive information'.
In such a situation, confidentiality agreements between companies could be breached. A company could even be sued by a customer, if that customer discovers that their personal details have been revealed to an unlimited number of third parties by the virus. The company's failure to protect itself could be seen as a failure to comply with the Data Protection Act.
As yet, there haven't been any test cases, so it's not clear how companies can shield themselves from the threat. 'My view is that you've got to treat it as a package and put in all sorts of protection,' said Sara Ellacott, head of the e-commerce group for law firm Nabarro Nathanson. 'If a company is vigilant, that will lessen any potential claims against it.'
An increasing phenomenon is the appearance of virus disclaimers on emails. However, legal experts are undecided as to how much protection they provide. In the recent spate of email defamation cases, disclaimers have not been shown to have any effect, as most cases have been settled out of court.
Eversheds' Armstrong felt sure that a disclaimer could have legal effect but, at Nabarro Nathanson, Ellacott wasn't so sure: 'It's the same with all of the disclaimers -- it's helpful and categoric and goes to show that you've taken steps [to protect against viruses], but it won't help in itself.'
Ellacott recommended regular security checks and firewall updates, as well as a tight email usage policy -- ie making sure your staff know not to click on mysterious files sent by unknown parties. The problem is that these measures have been shown to be far from foolproof, as the continual problem of viruses demonstrates.
According to Ellacott, all a business can really do is show that it has 'behaved in a reasonable and responsible manner'. At the moment, many firms may not be taking the danger seriously enough.
'Now companies are being reactive rather than proactive,' said Ellacott.
Article courtesy of www.internetworld.co.uk
|
Head Office - 56 Castle Hill Road - Hastings - East Sussex - TN34 3RH. United Kingdom |
||
|
|
|
