In recent months there have been some much-publicised breaches of Web security. These incidents have taken a number of forms:
Apart from the enormous management resources needed to recover from such attacks, organisations also face the risk of legal action in these situations.
How liable are you?
Under the Data Protection Act 1998, organisations that have their own Web site must take "appropriate technical and organisational measures" against unauthorised or unlawful processing of personal data. Failure to comply is an offence, and officers of a company can, in certain circumstances, be personally liable.
Unauthorised or accidental release of confidential information is likely to constitute a breach of contract between the Web site owner and its customers, although of course the extent of the liability may differ, depending on the terms of each individual contract.
What legal risk management options are open to you?
There are two immediate measures that organisations can implement to guard against legal liability for security breaches:
However, the courts will not give effect to such protections unless they are reasonable. What is reasonable may vary from case to case, depending on the size and strength of the parties concerned and, possibly, following Lloyd's recent offer of insurance against hackers, on the ability of either party to pay the relevant insurance premium.
Technical Risk Management - showing due diligence
When considering reasonableness, the courts are likely to take into account whether the organisation had the proper technical procedures in place to manage the risk of security breaches. These might include procedures to: