
Security management Toolkit

Viruses: Could your business be liable?

Olswang

Published: 06 Jan 2004 10:25 GMT


Insurance
An article in Computer Weekly earlier in the year contained the alarming statistic that only 11 percent of organisations have insurance against cybercrime such as virus attacks. Standard commercial general liability insurance typically only covers damage to tangible property. This leaves computer software in a difficult position, as there is still a legal debate in both the UK and in the US as to whether computer data satisfies this definition.

The insurance industry view is also unclear on the issue, which leaves valuable computer files or databases potentially uninsured against virus damage. The indirect costs of business interruption may not be covered under a traditional policy. This position has been compounded by the use of computer virus exclusions in standard commercial insurance documents.

Some firms now offer specific computer crime and property cover. This covers software loss as well as the cost of business interruption attributable to a virus attack. However, the premiums and excesses on this type of insurance are high due to the unpredictability of computer viruses and a lack of quantifiable risk analysis data. In order to obtain cover, companies must take part in risk monitoring at both a strategic and an operational level and adhere to strict security standards such as the British Standard for Information Security Management -- BS7799.

Could your business be liable?
One feature of the Sobig virus was its ability to "spam jack" -- turn infected PCs into "spam engines", generating a range of offensive mass emailings. This greatly increases the risk that a business which fails to implement adequate antivirus measures could find itself liable for passing the virus and emails on to another user.

What is the likely position in tort? Three elements are essential to a successful claim for negligence: the existence of a duty of care, a breach of that duty and loss resulting from damage to the plaintiff's property. Current legal opinion appears to be divided on the extent of any duty of care in the context of e-communications -- is everyone in your Outlook address book now your "neighbour" for the purposes of tortious liability?

Assuming that such a duty of care exists (at least in some circumstances), what standard of diligence is required to avoid liability? This would doubtless depend on the circumstances (the nature and resources of the organisation and the state of the art).

As with security obligations in a data protection context, compliance with BS7799 is the touchstone of good practice, but may be beyond the resources of small organisations. Implementing antivirus software (and keeping it up to date) and having an email and Internet usage policy are just two measures that all businesses can take to guard against the risk of a negligence claim.
