Directors face 'cyber liability'

It is common knowledge that viruses can damage businesses by corrupting and deleting files, writes Graham Cluley.

In addition, they can strain relationships and dent an organisation's reputation if inadvertently mailed out from a company. However, in an increasingly litigious world, organisations could now find that they are held financially and legally responsible for the damage caused by their distribution of malicious code.

An increasing number of companies are including clauses in their contracts with suppliers and partners which set out which party picks up the bill if a virus spreads between them. And, with the introduction of legislation such as the Data Protection Act 1998, directors now have a legal liability to keep their company's data safe and secure.

Virus infections fall under the Data Protection Act because some (known as "data diddlers") are able to modify files. There are even examples of viruses multiplying cells in spreadsheets by 0.0000001 on one day every month. Such alterations are difficult to spot, but over time they have serious data corruption implications.
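The "data diddler" problem described above is an integrity problem: a change in the seventh decimal place is invisible at the two-decimal precision a spreadsheet normally displays, yet it is detected immediately if a cryptographic digest of the exact cell values was recorded beforehand. The following is an added example, not code from the article or from Sophos, showing that kind of baseline check. The ledger values are constructed, and the simulated monthly alteration (scaling each cell by 1 + 0.0000001) is this example's reading of the "0.0000001" behaviour the article mentions, included only so the detector has something to detect.

```python
import hashlib
import json
from typing import Dict, List, Tuple

# Constructed sample "spreadsheet": a small ledger of balances (made-up figures).
SAMPLE_LEDGER: List[List[float]] = [
    [1250.00, 300.50, 99.99],
    [42.10, 8800.00, 15.25],
    [0.01, 500.00, 12345.67],
]


def canonical_cell(value: float) -> str:
    """Canonical text for one cell.

    repr() yields the shortest string that round-trips the exact float, so two
    values differing only in the seventh decimal place canonicalise differently.
    """
    return repr(float(value))


def sheet_digest(sheet: List[List[float]]) -> str:
    """SHA-256 over a canonical JSON encoding of every cell: the baseline record
    a file-integrity monitor would store when the sheet is known to be good."""
    canonical = json.dumps([[canonical_cell(v) for v in row] for row in sheet])
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def changed_cells(
    baseline: List[List[float]], current: List[List[float]]
) -> List[Tuple[int, int, float, float]]:
    """Exact cell-by-cell comparison; returns (row, col, old, new) for every change."""
    changes = []
    for r, (b_row, c_row) in enumerate(zip(baseline, current)):
        for c, (old, new) in enumerate(zip(b_row, c_row)):
            if canonical_cell(old) != canonical_cell(new):
                changes.append((r, c, old, new))
    return changes


def looks_unchanged_at_display_precision(
    baseline: List[List[float]], current: List[List[float]], decimals: int = 2
) -> bool:
    """True if a person eyeballing the sheet at `decimals` places would see no difference."""
    return all(
        round(old, decimals) == round(new, decimals)
        for b_row, c_row in zip(baseline, current)
        for old, new in zip(b_row, c_row)
    )


def simulate_monthly_diddle(
    sheet: List[List[float]], months: int, factor: float = 1.0 + 1e-7
) -> List[List[float]]:
    """Hypothetical alteration (this example's assumption, not a real sample):
    every cell is scaled by `factor` once per month. Does not mutate the input."""
    current = [row[:] for row in sheet]
    for _ in range(months):
        current = [[v * factor for v in row] for row in current]
    return current


def integrity_report(baseline: List[List[float]], current: List[List[float]]) -> Dict[str, object]:
    """What a scheduled integrity check would record: digest match and the cells that moved."""
    return {
        "digest_match": sheet_digest(baseline) == sheet_digest(current),
        "visually_identical": looks_unchanged_at_display_precision(baseline, current),
        "changed_cells": changed_cells(baseline, current),
    }


if __name__ == "__main__":
    after_one_month = simulate_monthly_diddle(SAMPLE_LEDGER, 1)
    report = integrity_report(SAMPLE_LEDGER, after_one_month)
    print("digest match:", report["digest_match"])
    print("looks identical on screen:", report["visually_identical"])
    for r, c, old, new in report["changed_cells"]:
        print(f"cell ({r},{c}): {old!r} -> {new!r}")
```

Storing and re-checking a digest like this, and keeping the reports, is also the kind of documented control that helps a company show it took "reasonable" measures: the check says when the data last matched a known-good state, which a visual review of rounded figures cannot.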

Other viruses - for example 2001's Sircam worm - scoop up random files from infected PCs and forward them to all Outlook contacts via e-mail.

Bearing in mind the Data Protection Act and the increasing inclusion of these "cyber liability" clauses, it is surprising that few businesses are insured against any form of IT security breach. Indeed, according to a recent survey by independent network consultancy Scalable Networks, only 11% of UK companies have taken out any form of computer crime insurance.

This lack of cover may be due to the complicated issues surrounding cyber liability.

Firstly, it is difficult to ascertain exactly how much a virus infection and clean-up would have cost the injured party. Secondly, with the Data Protection Act stating that "reasonable" measures need to be taken to prevent data loss or damage, it is difficult to establish whether an infection was simply a case of bad luck or was due to misuse or negligence.

Furthermore, these aspects of the Data Protection Act remain untested - no UK director has yet been to court or even charged for not keeping their company's data securely protected. What constitutes "reasonable" measures still has to be legally defined, but on paper at least, companies (and their directors in particular) could be held liable.

Decreasing risk

Before the issue of liability is properly defined in the courtroom, there are some guidelines - particularly ISO 7799 - which can dramatically decrease the risk of network infection. These best practice guidelines cover security procedures, processes and staff training as well as tactical product deployments.

In addition to following such guidelines, businesses should consult with their insurance companies and negotiate premiums to cover their online systems. These premiums should reflect their exposure to risk, the value of the data held on their systems and the measures which are in place to reduce their exposure to virus infection and IT security breaches in general.

Of course, under the Computer Misuse Act 1990 it is illegal to enter and/or modify another party's machine without their permission. So we should not lose sight of the fact that the real guilty party is the person who releases the virus into the wild.

To help bring these virus writers to book, businesses need to be more forthcoming about reporting their security breaches. Without such evidence it is difficult to prosecute and sentence virus writers. More importantly, soft sentencing does little to deter future cybercriminals, which is bad news for businesses.

Why you need to take action

    • Companies are increasingly including clauses in contracts that spell out which party is liable to pay for virus clean-ups

    • Virus infections could leave directors in breach of the Data Protection Act

    • Only 11% of organisations have insurance against cybercrime

    • Firms may need to prove that they have taken "reasonable" measures to protect themselves and other parties.

Graham Cluley is senior technology consultant at Sophos Anti-Virus