From infection to courtroom: the legal implications of a virus attack

Liz Bell, from leading law firm Morgan Cole, looks at the risks to your company. Blaster, Sobig, and Sasser are all names that will be familiar to system administrators as they are just a selection of the most prolific viruses that have plagued businesses over the past 12 months.

SoBig infected a staggering 90 percent of vulnerable hosts within 10 minutes, doubling in size every 8.5 seconds and ultimately infected tens of thousands of machines worldwide.

Even the recent Sasser worm, which had a relatively benign payload, caused significant disruption to business networks across the world: the worm hit public hospitals in Hong Kong, the UK Coast Guard and caused the delay of a number of British Airways flights.

The problem for organisations is that just as applications are becoming more complex, creating an increasing number of exploitable vulnerabilities, network perimeters are being weakened by wireless access and virtual private networks (VPNs).

When the National High Tech Crime Unit (NHTCU) surveyed organisations within the UK last year, it found 77 per cent of respondents had suffered from a virus attack.

Whilst the precise cost of a virus attack is impossible to quantify, a survey of leading UK companies that are members of the Corporate IT Forum (tif), conducted after the Blaster worm in 2003, produced some worrying findings.

The cost of a virus cleanup was found to be four times higher than previously estimated, at an average cost of £122,000, with an average of 365 man hours lost.

As these blue chip companies have the resources to implement stronger than average security policies, it is likely that smaller companies were proportionally harder hit.

What is important to realise, however, is that virus attacks are not just a concern for the IT department but can have legal implications right across the business.

Costs don’t just start with virus protection and finish with infection cleanups.

Data disclosure

With more information being created, held and transmitted electronically, it is inevitable that a virus infection will threaten confidential information.

One only needs to look at the SirCam worm, which sent random files from the infected machine to all Outlook contacts, to see the risks.

The disclosure of internally confidential information could allow rivals to gain a competitive advantage or disclose patentable inventions or innovative ideas.

It may also put you in breach of any obligations to keep that information confidential. Today, a confidentiality clause is a standard term in most commercial agreements, and most organisations will have had to sign a Non-disclosure or Confidentiality Agreement at some point during pre-contract negotiations.

Even where a formal agreement is not finalised, there is often an implied duty to keep information that is being exchanged confidential. Although no action will be taken unless the other party is aware of the disclosure, the legal liability remains, and if the disclosure does become known it could result in a compensation claim for any loss suffered.

Potentially more worrying for an organisation is the disclosure of information which relates to individuals. Under the UK Data Protection Act (DPA), organisations have a duty to take technical measures to prevent unlawful access, disclosure or damage to personal information.

The classification of personal information extends to email addresses, meaning that if a virus captures an email address from the address book of an infected host and discloses this to the virus author, it could amount to a breach of the DPA.

The more sensitive the personal information is, the more stringent the technical measures that need to be taken to meet this legal duty.

This duty is not absolute, and the measures taken must be continually reviewed to ensure that they reflect not only the current security measures, but also the current risks to that data.

Where a breach of the DPA occurs, company directors who have failed to take appropriate protections for personal data may find themselves personally liable under the act.

In heavily regulated industries, such as the financial services and the medical professions, regulatory bodies also impose their own specific obligations to protect the confidentiality of customer and patient records. A virus infection which results in a breach of these regulations raises the spectre of an investigation and possible financial penalties.

Data corruption

Whilst most attention is naturally focused on protecting the confidentiality of personal data, the duty extends to maintaining its integrity.

Even subtle manipulations to data could have a significant impact on the individual concerned.

A type of virus, the so-called data diddler, is able to undermine the integrity of data by randomly changing certain data within files.

One of these, Compat, alters the values of a cell within an Excel spreadsheet by 5 percent.

Such minute changes are very difficult to spot, making this type of virus particularly malicious.

If a virus were to alter figures on a spreadsheet containing outstanding debts at a credit reference agency, a reference check using that corrupted data could result in an individual being denied credit, or being mistakenly granted further debt. The corruption of medical records could have even greater consequences.
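The integrity duty described above is easier to discharge when known-good data is protected by a keyed checksum, so that a silent 5 percent change to one cell is detected rather than relied upon. The following is an added example, not code from the original article or from any product it mentions: it keeps an HMAC-SHA256 manifest over each record of a small debt ledger (the ledger, the account identifiers and the key are all constructed for illustration) and reports any record whose tag no longer matches. The corruption helper only scales one balance by 5 percent to mimic the Compat-style alteration the text describes, so the check can be exercised end to end.

```python
import csv
import hashlib
import hmac
import io

# Constructed sample: a small ledger of outstanding debts, as CSV text.
SAMPLE_LEDGER = """account_id,name,outstanding_balance
A1001,J. Smith,1200.00
A1002,P. Jones,350.50
A1003,R. Patel,9800.00
"""

# Assumed key for the example only; a real deployment loads this from a
# key store or HSM, never from source code.
MANIFEST_KEY = b"example-only-key-replace-in-production"


def load_rows(csv_text):
    """Parse CSV text into a list of {column: value} dicts."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def row_tag(row, key=MANIFEST_KEY):
    """Keyed tag over a canonical serialisation of one record.

    Fields are sorted by name so that a harmless change in column order
    does not raise a false alarm; only a change in a value does.
    """
    canonical = "\t".join(f"{k}={row[k]}" for k in sorted(row)).encode("utf-8")
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def build_manifest(csv_text, key=MANIFEST_KEY):
    """Return {account_id: tag}, computed while the data is known to be good."""
    return {row["account_id"]: row_tag(row, key) for row in load_rows(csv_text)}


def verify(csv_text, manifest, key=MANIFEST_KEY):
    """Compare current data against the manifest.

    Returns (changed_ids, missing_ids, unexpected_ids): records whose tag
    no longer matches, records that have disappeared, and records that
    were never tagged.
    """
    rows = {row["account_id"]: row for row in load_rows(csv_text)}
    changed = sorted(
        acct for acct, row in rows.items()
        if acct in manifest and not hmac.compare_digest(row_tag(row, key), manifest[acct])
    )
    missing = sorted(set(manifest) - set(rows))
    unexpected = sorted(set(rows) - set(manifest))
    return changed, missing, unexpected


def simulate_subtle_corruption(csv_text, account_id, factor=1.05):
    """Test helper: scale one balance by 5 percent, mimicking the small,
    hard-to-spot change a data diddler makes to a single cell."""
    rows = load_rows(csv_text)
    for row in rows:
        if row["account_id"] == account_id:
            row["outstanding_balance"] = f"{float(row['outstanding_balance']) * factor:.2f}"
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=list(rows[0].keys()))
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue()


def demo():
    """Build a manifest from good data, corrupt one cell, and run the check."""
    manifest = build_manifest(SAMPLE_LEDGER)
    assert verify(SAMPLE_LEDGER, manifest) == ([], [], [])
    tampered = simulate_subtle_corruption(SAMPLE_LEDGER, "A1002")
    return verify(tampered, manifest)


if __name__ == "__main__":
    print(demo())  # (['A1002'], [], [])
```

Because the tag is keyed, an unkeyed hash recomputed by whatever altered the file cannot simply be updated alongside the data; the manifest and the key must be stored separately from the ledger for the check to mean anything.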

The legal cost of downtime

Whether caused by corrupted data, or overloaded processing capacity, there are also legal consequences for system downtime and the related loss of productivity.

This is likely to be a particular problem for service industries, such as marketing agencies, where the majority of information and client deliverables will be stored on the network.

Any systems downtime may prevent the agency from delivering to the client on time.

Whatever the industry, it is likely that where specific deadlines need to be met, the contract will provide for liquidated damages.

These are a financial penalty for failing to deliver on time and whilst liquidated damages clauses do take into account matters outside a supplier’s control, it is unlikely a virus infection would be deemed an acceptable reason.

Some supply contracts also contain pricing incentives, which could be missed in the disruption caused by a lack of network availability - bonus payments for early delivery can be as big an incentive as liquidated damages clauses for non-delivery.

In addition, where payments are linked to performance agreements or service levels, repeated or prolonged system unavailability may impact on the supplier’s ability to meet agreed levels.

Lack of deterrent

Unfortunately for businesses, despite the legal responsibilities faced in keeping data secure and confidential, the law offers little recourse if you come to be at the wrong end of a virus attack.

The inadequacy of current criminal sanctions to act as a deterrent or to achieve adequate reparation has often been criticised. Although spreading viruses is an offence punishable with a prison sentence in the UK under the Computer Misuse Act (CMA), very few virus writers are brought to face the courts.

Despite improved cross-border co-operation between police agencies, the majority of virus authors continue to evade prosecution due to the difficulty in obtaining sufficient evidence and the understandable reluctance of victims to come forward.

Indeed, the most recent success, the arrest of the suspected Sasser author, was primarily the result of a Microsoft bounty fund to encourage informants on virus writers, rather than a police investigation.

Even when a virus writer is arrested, organisations often feel that there is little value in seeking compensation from the virus authors, who often have little financial wealth. Instead, they focus their effort and resource in cleaning up systems and preventing a similar occurrence.

Onward virus transmission

The actions of viruses such as SoBig, which used infected machines as spam engines to spread to other networks, also raise the question of liability for passing the virus to other networks.

To date, there has been little evidence of any claim for losses following the onward transmission of a virus from network to network.

Such a case would be difficult to prove in an environment where there is no single or effective solution for preventing infection or cross-infection.

However, software suppliers, and providers of ongoing electronic data services, are being asked to warrant that “all reasonable steps” are taken to prevent cross-infection.

Whilst this shies away from being an absolute guarantee, it does put the onus back onto a supplier to protect their customers.

Minimising risk

With many of the potential liabilities arising out of contractual relationships, companies can help mitigate some of the risks by practising good contractual management. Meanwhile, complying with security standards such as BS 7799 - best practice recommendations for information security management - can decrease the risk of virus infections.

MPs are currently reviewing UK computer misuse legislation, but even if this does strengthen the deterrent effect, the global nature of the problem means it will not have a significant impact on the increasing proliferation of viruses.

It is the diligent application of security patches, improved employee education over the risk of email attachments, and maintaining up-to-date anti-virus software that will remain key weapons in the fight to minimise the legal and commercial risks of virus infection.