Viruses: Could your business be liable?
Published: 06 Jan 2004 10:25 GMT
The essence of force majeure is something outside a party's reasonable control which prevents that party from performing its contractual obligations. A sophisticated clause will set out specific events to be included in or excluded from the scope of force majeure. In the case of preventable incidents, there would still be questions over whether such an interruption was indeed beyond the defaulting party's reasonable control (if, for example, it had failed to download the latest virus definition patches as they became available).
As with any force majeure clause, thought needs to be given at the time of drafting as to which party is most likely to benefit from the clause, and how broadly it should be drafted. There is another issue, which is whether the disruption caused by a major virus attack -- typically not more than a couple of hours -- is long enough to constitute force majeure: again, this will depend on the nature of the contract.
Responses to a recent Treasury consultation exercise on major operational disruption in the financial markets favoured the review of existing force majeure provisions to ensure consistent and adequate coverage of events such as major IT disruptions in this context. Businesses outside the financial services sector should consider doing the same.
IT disruptions - what are your remedies?
Readers will no doubt be aware of the criminal penalties imposed by the Computer Misuse Act 1990 for spreading viruses. Despite the Act's success (a relatively high proportion of prosecutions have resulted in conviction), criminal measures provide at best a deterrent effect on virus spreaders, but no direct recourse for their victims.(A negligence claim against the virus-spreader, assuming he could be identified, is likely to be academic). Businesses must therefore look elsewhere to recoup losses caused by a cyberattack. The question of an antivirus provider's liability has yet to be tested in court. Much antivirus software is provided on an "as is" basis, or rolled into a package of Internet services.
Antiviral protection may be outsourced to an IT consultant. Whatever the contractual arrangements, businesses should look carefully at exactly what the service level is promised, and at the effectiveness of any exclusions of or limits on the provider's liability. Further up the delivery chain, to what extent do software developers owe a contractual or tortious duty to design systems to be resilient to viruses?
Previous
Did you find this article useful?
220 out of 452 people found this useful
Digg
Slashdot
Del.ici.ous
Stumble
Reddit
