Are you at risk of being sued after a Web attack?
In recent months there have been some much-publicised breaches of Web security. These incidents have taken a number of forms:
Denial of service attacks making the Web site inaccessible for a few hours, such as those experienced by Yahoo and Amazon. Such attacks may give rise to potential financial loss, particularly if time-critical online transactions are disrupted
Removal of sensitive data from the Web site, such as credit card details and client technical information
Redirection of Web traffic to an unrelated site, as in the dispute between Greg Lloyd Smith and www.Nike.com.
Apart from the enormous management resources needed to recover from such attacks, organisations also face the risk of legal action in these situations.
How liable are you?
Under the Data Protection Act 1998, organisations that have their own Web site must take "appropriate technical and organisational measures" against unauthorised or unlawful processing of personal data. Failure to comply is an offence, and officers of a company can, in certain circumstances, be personally liable.
Unauthorised or accidental release of confidential information is likely to constitute a breach of contract between the Web site owner and its customers, although of course the extent of the liability may differ, depending on the terms of each individual contract.
What legal risk management options are open to you?
There are two immediate measures that organisations can implement to guard against legal liability for security breaches:
A clear disclaimer against such liability should appear on the Web site itself
Any contract between the organisation and its customers should contain a limitation of liability clause.
However, the courts will not give effect to such protections unless they are reasonable. What is reasonable may vary in each case, depending on the size and strength of the parties concerned and, possibly, after the recent offer by Lloyd's of insurance against hackers, the ability of either party to pay the relevant insurance premium.
Technical Risk Management - showing due diligence
When considering reasonableness, the courts are likely to take into account whether the organisation had the proper technical procedures in place to manage the risk of security breaches. These might include procedures to:
Identify the risks by using specialist consultants or "friendly" hackers
Ensure that IT departments are sufficiently skilled to assess these risks and to remedy any loopholes that may be found
Having identified the level of security required, take steps to ensure that an anti-fraud and IT security policy is implemented and maintained, which may involve the use of techniques such as encryption, certificates and use of digital signatures, fire walls and seals of approval of Internet security
Educate staff about the relevant security policy and any changes to that policy
Use spot checks to ensure that the required security policy is being implemented and observed, both on a technical and staff basis
Ensure adequate staff supervision and the introduction of appropriate disciplinary procedures for breaches of security.
Register now to receive ComputerWeekly.com IT-related news, guides and more, delivered to your inbox.
This was first published in July 2000