In recent months there have been some much-publicised breaches of
Web security. These incidents have taken a number of forms:
- Denial of service attacks making the Web site inaccessible for
a few hours, such as those experienced by Yahoo and Amazon. Such
attacks may give rise to financial loss, particularly if
time-critical online transactions are disrupted.
- Removal of sensitive data from the Web site, such as credit
card details and client technical information.
- Redirection of Web traffic to an unrelated site, as in the
dispute between Greg Lloyd Smith and www.Nike.com.
Apart from the enormous management resources needed to recover
from such attacks, organisations also face the risk of legal action
in these situations.
How liable are you?
Under the Data Protection Act 1998, organisations that have
their own Web site must take "appropriate technical and
organisational measures" against unauthorised or unlawful
processing of personal data. Failure to comply is an offence, and
officers of a company can, in certain circumstances, be personally
liable.
Unauthorised or accidental release of confidential information
is likely to constitute a breach of contract between the Web site
owner and its customers, although of course the extent of the
liability may differ, depending on the terms of each individual
contract.
What legal risk management options are open to you?
There are two immediate measures that organisations can
implement to guard against legal liability for security
breaches:
- A clear disclaimer against such liability should appear on the
Web site itself.
- Any contract between the organisation and its customers should
contain a limitation of liability clause.
However, the courts will not give effect to such protections
unless they are reasonable. What is reasonable may vary in each
case, depending on the size and strength of the parties concerned
and, possibly, after the recent offer by Lloyd's of insurance
against hackers, the ability of either party to pay the relevant
insurance premium.
Technical Risk Management - showing due diligence
When considering reasonableness, the courts are likely to take
into account whether the organisation had the proper technical
procedures in place to manage the risk of security breaches. These
might include procedures to:
- Identify the risks by using specialist consultants or
"friendly" hackers.
- Ensure that IT departments are sufficiently skilled to assess
these risks and to remedy any loopholes that may be found.
- Having identified the level of security required, take steps to
ensure that an anti-fraud and IT security policy is implemented and
maintained, which may involve the use of techniques such as
encryption, certificates, digital signatures, firewalls
and Internet security seals of approval.
- Educate staff about the relevant security policy and any
changes to that policy.
- Use spot checks to ensure that the required security policy is
being implemented and observed, both at a technical level and by
staff.
- Ensure adequate staff supervision and the introduction of
appropriate disciplinary procedures for breaches of
security.