Legal challenges: Who is responsible for security?
- 01 May, 2000 12:01
"I LOVE YOU": Three little words, which Lloyds of London valued at over one billion dollars in damages to world business in the first week of its existence. Its damage continues to be counted.
As integrators of computer products and IT solutions, you may be wondering, with some degree of urgency, whether you are exposed to any of that damage, and, more importantly, what you can do to minimise that exposure.
Your first task should be to assess the legal relationship firstly between you and your customer, and secondly, between you and your supplier. Those relationships should be governed by a contract.
It has been my unfortunate experience that many new entrants into the technology industry have paid either insufficient or no attention to protecting themselves with carefully drafted contracts.
Let me pose this hypothetical:
You purchase quantities of antivirus software from a supplier such as Symantec for re-sale. When an order is placed, you may very well be provided with a copy of the terms upon which Symantec will agree to supply you with their product. In your keenness to do business with Symantec you agree to the terms (without necessarily digesting them fully) and commence receiving the product. You assume the terms are commercially reasonable since it is Symantec with whom you are dealing.
You in turn supply the antivirus software to your customer, as part of a total software package. You have some general terms of engagement with your customer, but those terms relate to payment and hours spent on site, rather than the performance of the product supplied.
Assumption 1 in the above scenario is that you in fact have "general terms of engagement", that is, a contract with your customer. In the absence of such a contract, liability for any failure of the software may well lie with you. Obviously nothing in the law is ever certain, but you would be at your most vulnerable if you were without any contract dealing with the extent of your liability.
If you look closely at Symantec's terms of their supply to you, you would most likely find what lawyers call an "indemnity" from you to Symantec. Such a clause would protect Symantec from liability, in the event the end-user of the software suffered damage arising from some unforseen virus. In other words you indemnify Symantec for any losses for which Symantec may otherwise be liable for the failure of their product to detect and cure even known viruses. Do you have a similar indemnity from your customer? Without one, your customer may successfully prove to a Court that you had a duty to ensure your customer's system was safe from such "infections" if you were aware of their existence.
Symantec may also limit liability in another way, by placing a limit on the extent and nature of the compensation for which Symantec may be liable. Symantec may have a provision within its contract limiting its exposure to direct damages, but excluding "consequential" damages, such as those suffered by a third party user of the software with whom Symantec has no contractual arrangement. There may be a monetary limit on any damages suffered at all.
Let's not forget the nature of computer viruses: even for software manufacturers like Symantec, patches, upgrades and updates are a way of life. Their position is further complicated by a total lack of control over the e-mailing and surfing of a customer's employees. So of course they will attempt to limit their exposure to the risk of viruses like the Love Bug or the Melissa virus, and so should you.
Business-to-business e-commerce relationships with your suppliers and your customers are also fraught with risk unless everyone knows where they stand contractually. That knowledge has to be set up front. There is no point directing on-line traffic to your expertly worded terms and conditions if the sale has already been effected. As has been observed in this magazine very recently: "e-commerce accelerates the business process - speed is everything." That's no excuse for ignoring the need for legal self preservation.
It is therefore vitally important for you as an integrator or reseller that you become familiar with any terms upon which you obtain and source product, and any terms upon which you supply product, which may be susceptible to viruses. Of course, the analogy extends just as equally to any other form of damage that may flow from the failure of product other than due to a virus attack.
The extent of your risk minimisation will depend upon your knowledge of your customer's system, and will depend upon your relationship with your customer.
Mark Addison is IT partner for legal firm Barker Gosling Lawyers. He can be contacted via email@example.com