
Are Businesses Liable for Unintentionally Spreading Computer Viruses?

By Jay Hollander

Jay Hollander, Esq. is the principal of Hollander and Company LLC, a New York City law firm concentrating its efforts in the protection and development of property interests relating to real property, intellectual property and commercial interests, as well as related litigation.

The content of this article is intended to provide general information relating to its subject matter. Providing it does not establish any attorney-client relationship and does not constitute legal advice. Personal advice in the context of a mutually agreed attorney-client relationship should be sought about your specific circumstances.

Summary: Could your company face legal liability for damage to another business caused by a virus-infected e-mail, unsuspectingly sent out by one of your employees? With the spread of viruses and the increase in e-mail in the workplace, this question may not be far-fetched. This article explores the relevant legal theories and provides tips businesses can take to help minimize their risks for spreading viruses unintentionally.


Until wiped off the media map by the tragic terrorism of September 11, 2001, reports of threatened or spreading viruses were front-page and prime-time news. And with good reason. With nicknames straight out of a video game, these computer viruses -- such as "Code Red" and "Nimda" -- were the electronic computer network equivalent of anthrax in the mailbox.

Just like the anthrax outbreak, the number of viruses and other forms of malicious code hitting computers has been growing, their viciousness is intensifying, and costs related to dealing with them are skyrocketing. The damage malicious code has already caused is tremendous, more than a billion dollars for the Code Red worm alone, and experts say it is going to get worse.

Attacks on computers over the Internet in 2001 are expected to more than double the previous year's number of reported incidents, according to both the government-funded Internet Security Center Computer Emergency Response Team (CERT) and the FBI.

Companies are getting frustrated and angry and they want to hold someone responsible for the financial cost of these attacks. So much so that, for the first time, companies that fail to maintain proper security on their computers and then spread damage may find themselves on the wrong end of negligence lawsuits.

Could that happen to your business? Is it possible you could end up footing the bill, for example, for damage to another business caused by a virus-infected e-mail, unsuspectingly sent out by one of your employees?

At one time, such a scenario might have seemed far-fetched, but now some say it is not only possible but likely, and that it's just a matter of time before the first case shows up. If so, how could you defend yourself? Would anyone else be liable to you? And finally, how can you reduce your risks?

New Uses for an Old Legal Theory: Negligence

As modern a phenomenon as computer virus devastation might be, it's probable that any lawsuits based on it would rely on established legal principles adapted to new facts. While no such reported cases exist as of this writing, and while the scope of this article prevents too detailed an examination of every possible legal ground, let's examine one very likely legal theory that would be used in this context: negligence.

Long the savior of personal injury victims, the theory of negligence has yet to be used as a basis of recovery in any reported decision involving computer viruses.

While details of negligence laws vary somewhat from state to state, the term "negligence" generally means that a defendant failed to exercise due care to avoid causing foreseeable injury to the person or property of a plaintiff in violation of a legal duty owed to that plaintiff.

Interestingly, negligence has traditionally been found both where defendants failed to do something they should have and in cases where they did something they shouldn't have done.

Broken down into its generic elements, a defendant acts negligently if he:

  • has a duty of care to the plaintiff who started the lawsuit;
  • breaches that duty; and
  • causes damage that was foreseeable in light of the failure to live up to that duty.

For example, let's say a teenager on the other side of the world with too much time on his hands and a desire to make a name for himself cooks up a virus that exploits one of many security vulnerabilities in some of the most popular e-mail software on Earth. Let's also say that the virus, once downloaded as an inadvertent e-mail attachment, destroys the hard drive of the recipient's computer, but only after locating everyone on the recipient's e-mail address list (including customers of the recipient's employer) and mailing itself out to them, too. Just for good measure, we'll make things a little worse by having the virus locate any networks to which the recipient's computer is attached, and turning it to data chow as well, a process replicating itself on the corporate networks of the people to whom the virus was surreptitiously forwarded.

So now the recipient's computer has been wrecked, as has the corporate network. And a similar process repeats itself in the corporate networks of companies whose personnel received the virus in their company e-mail accounts.

One or more of the companies may trace their own damage to the e-mail inadvertently forwarded to them by the original recipient and sue the original recipient's company for damages. Is the case a winner? Does the defendant have any defenses or the ability to blame the mess on someone else?

By and large, a plaintiff must prove that the defendant owed it a duty of care and breached that duty in a way that caused foreseeable actual loss or harm. So, here are the issues that will likely come up if -- or when -- a case is brought for negligence for virus-related damage.

Elements of a Negligence-Based Virus Lawsuit

Duty of Care and Breach of Duty

The first threshold and possible defense for a defendant concerns whether the defendant owed a duty of care to the plaintiff.

Absent a contract or special relationship of network access, this would be arguably difficult to prove since, in today's world, everyone is connected to everyone else over the Internet. Imagine what would happen if every company was liable to every other company for virus-related damage, no matter how tenuous or non-existent their relationship, solely because of an unknowing transmission of a virus that they didn't create. This would certainly be a harsh result and, in other contexts, courts have sometimes been reluctant to make defendants potentially liable to the whole world even for foreseeable harm, if public policy concerns are determined to prevail.

On the other hand, have conditions in the electronic world matured to the point where a court could find that viruses are a known contingency of doing business? Could that lead to a legal conclusion that companies have an implied obligation to keep up to date on software patches and install firewalls on their networks?

This is one of the first of the hurdles and thorny issues that would arise in such an action.

Negligent Act

Let's say that a court finds that a duty of care was owed and was breached. The question still remains: what was done wrong? What should the defendant have done that it didn't do? Or what didn't it do that it should have done?

Here's where it gets interesting. Will a court be prepared to say that in today's world, it's inherently negligent not to have anti-virus software and a firewall in place? Will it go further and transform the good computing practice of staying current on software updates and security patches into a legal requirement that must be met to avoid liability?

What if the proof were to show that the company whose network forwarded the virus-laden e-mails had suffered through such an experience before but did nothing to correct it?

On this one, there could be a persuasive argument. There is no doubt that, due to government pronouncements as well as blanket media coverage, the threats posed by viruses, worms and other malicious pieces of code are generally well known. Also well publicized is how these contaminants spread and whether software patches are available for them.

While there is no reported case available as of this writing, this is one component of the negligence test that a potential plaintiff could have a relatively easy time satisfying.

Cause of Damage

Following our progression, if it's proven that a certain defendant breached a duty of care that it owed to another and committed a negligent act, the defendant will still not owe anything to a plaintiff if the negligent act was not the cause of the damage.

In this way, if a corporate network that failed to take steps to prevent inadvertent forwarding of infected e-mails allowed one to be sent that was stopped by another company's firewall, it did no damage and there would be no liability despite any negligence.

On the other hand, if damage was caused but the plaintiff's own conduct contributed to the damage, we proceed into the area of defenses to negligence.

Defenses to a Negligence Claim

It may be hard to believe but, even if all the elements of a negligence case can be proven, a plaintiff may still not recover in some jurisdictions depending upon the application of three time-honored concepts: assumption of the risk, contributory negligence and comparative negligence.

Assumption of the Risk

Did you ever wonder why someone who gets hit with a foul ball at a baseball game usually can't sue the team for damages and win? Assumption of risk is the answer. Boiled down to its basics, this defense means that a plaintiff knew what he was getting into and, having voluntarily gone ahead, can't sue someone else for predictable consequences.

Applying this concept to our example, it could be persuasively argued that a company that allows itself to receive e-mails from the public, in an era where e-mail-carried viruses and other forms of malicious code are commonplace, assumes the risk that some of that code may make its way onto its network, causing damage.

Contributory Negligence

In jurisdictions that still follow the rule of contributory negligence, originally grounded in English common law, a negligent defendant will not be liable if the plaintiff also acted the least bit negligently in causing the damage. In other words, unless the plaintiff was wholly without fault, no recovery.

So, let's say a plaintiff damaged by an e-mail attachment did not have any safeguards to protect it from such things entering its network. No anti-virus software, no firewalls, no safeguards of any kind. In some situations, this could arguably preclude recovery entirely because the plaintiff "contributed" to its own harm by its own negligent conduct.

Comparative Negligence

Since the results of a finding of contributory negligence can be pretty harsh, most jurisdictions follow the doctrine of comparative negligence.

Under this theory, any contributing negligence on the part of the plaintiff is examined for the degree to which it contributed to the harm. In this way, if a plaintiff's actions were held to be 25% of the cause of the damage, any recovery would be reduced to this extent.

Of course, this is a tricky concept to apply in practice and it will be interesting to see how courts adapt this theory to the novel area of malicious code.

The prevailing idea common to these defenses is simply this. Just as reasonable care standards can be used to build a tort case against a defendant, these same standards may be turned upon the accuser, to lessen or even eliminate liability.

Strict Liability

Since applying these established tort concepts to this new arena is uncertain business, you're probably wondering why everyone doesn't just sue the vendors of all the software that has all these security holes in it.

Unfortunately, this wouldn't be so easy either. In the first place, most "end user license agreements" make users agree to virtually a complete disclaimer of liability in order to use the product, raising that old assumption-of-the-risk concept again. Others impose obligations on the user to stay completely up to date with all patches, a full time job in today's world.

Still, if there is any hope on this front, it may come through a novel application of the concept of strict liability. Strict liability does away with all the obstacles imposed in a negligence case. No proof of duty required. No proof of negligence required. In fact, it doesn't matter if the defendant was negligent or not.

The doctrine of strict liability imposes responsibility on those in control in cases involving inherently dangerous activities or defective or unreasonably dangerous products. This doctrine, where found applicable, recognizes that the activity or product can be socially useful but, nevertheless, imposes liability because of the intrinsic danger posed by that activity or defective product.

Interestingly, though, the concept is not generally applied to services, as opposed to products. Given recent initiatives to make software a service rather than a product, it remains to be seen to what extent this concept can be used.

The Bottom Line and Prudent Steps to Take

The concepts explored here only scratch the surface of the complexity of this area. Apart from the questions already raised, there are other issues concerning ISP and ASP liability that are certain to come to the fore as these types of cases begin to be brought.

There are also issues concerning who would be the most likely candidate to be sued. Why, for example, should a company that unwittingly passes a malicious code attachment be the one sued instead of the actual virus writer? After all, the company was a mere conduit, with no malicious intent and probably no knowledge of what was happening.

While the virus writer is often unknown (and sometimes a teenager with no assets), should this give carte blanche to point the finger at any unknowing company with assets that may not have kept up with a security patch posted on a vendor web site a few hours earlier?

The degree to which software vendors will continue to enjoy protection from lawsuits is also likely to generate continued controversy, especially in states that are deciding whether to adopt UCITA, a set of uniform rules governing computer information transactions that has been widely criticized as being too lenient on vendors in allowing widespread disclaimers of liability.

So, the bottom line is that, if your company's security practices are below standard, you may be vulnerable to a lawsuit sooner than you think.

Business decisions are predicated on an evaluation of the risks associated with doing nothing versus the costs of taking action to avert or minimize the risk. In the past, some companies whose businesses weren't vitally dependent on the Internet may have felt that what they had to lose wasn't worth the added expense of a truly effective security policy.

But now, with the new awareness of the tremendous damage that can be inflicted on others by lax security practices, the balance is shifting, and increasingly, businesses that ignore security standards do so at their own risk.

It would be wise to speak with your attorney about your areas of potential liability, so that you can strategize and prioritize. Learn about security and have staff that is trained and competent in this area. If you are negotiating proprietary software licenses, ensure that your legal counsel gives adequate attention to preserving liability claims against vendors for their negligence or defective products and services.

The ePolicy Institute suggests that companies establish written policies for Internet, e-mail, and software use, and that all employees, including part-timers and contract help, be required to sign the documents, acknowledging that they have read and understand the company policy.

Check with your IT staff or consultant and take pains to implement common security software and hardware like anti-virus programs and firewalls.

While all security problems boil down to human error, whether intentional or accidental, companies can do a great deal to make a negligence lawsuit a very long shot.

Companies that fail to maintain proper security on their computer systems and then damage others may find themselves on the wrong end of negligence lawsuits, forced to pay for damage caused by their laxness in implementing minimal technical standards of care.

Copyright © Jay Hollander, 2007. All Rights Reserved.
