Are Businesses Liable for Unintentionally Spreading Computer Viruses?
By Jay Hollander
Jay Hollander, Esq. is the principal of Hollander and Company LLC, www.hollanderco.com, a New York City law firm concentrating its efforts in the protection and development of property interests relating to real property, intellectual property and commercial interests, as well as related litigation.
The content of this article is intended to provide general information relating to its subject matter. Providing it does not establish any attorney-client relationship and does not constitute legal advice. Personal advice in the context of a mutually agreed attorney-client relationship should be sought about your specific circumstances.
Summary: Could your company face legal liability for damage to another business caused by a virus-infected e-mail, unsuspectingly sent out by one of your employees? With the spread of viruses and the increase in e-mail in the workplace, this question may not be far-fetched. This article explores the relevant legal theories and provides steps businesses can take to help minimize their risk of spreading viruses unintentionally.
Introduction
Until wiped off the media map by the tragic terrorism of September 11, 2001, reports of threatened or spreading viruses were front-page and prime-time news. And with good reason. With nicknames straight out of a video game, these pieces of malicious code -- such as the "Code Red" and "Nimda" worms -- were the electronic computer network equivalent of anthrax in the mailbox.
Just like the anthrax outbreak, the number of viruses and other forms of malicious code hitting computers has been growing, their viciousness is intensifying, and the costs of dealing with them are skyrocketing. The damage malicious code has already caused is tremendous, more than a billion dollars for the Code Red worm alone, and experts say it is going to get worse.
Attacks on computers over the Internet in 2001 are expected to more than double the previous year's number of reported incidents, according to both the government-funded CERT Coordination Center (CERT/CC) and the FBI.
Companies are getting frustrated and angry and they want to hold someone responsible for the financial cost of these attacks. So much so that, for the first time, companies that fail to maintain proper security on their computers and then spread damage may find themselves on the wrong end of negligence lawsuits.
Could that happen to your business? Is it possible you could end up footing the bill, for example, for damage to another business caused by a virus-infected e-mail, unsuspectingly sent out by one of your employees?
At one time, such a scenario might have seemed far-fetched, but now some say it is not only possible, it is likely: that it's just a matter of time before the first case shows up. If so, how could you defend yourself? Would anyone else be liable to you? And finally, how can you reduce your risks?
New Uses for an Old Legal Theory: Negligence
As modern a phenomenon as computer virus devastation might be, it's probable that any lawsuits based on it would rely on established legal principles adapted to new facts. While no such reported cases exist as of this writing, and while the scope of this article prevents too detailed an examination of every possible legal ground, let's examine one very likely legal theory that would be used in this context: negligence.
Long the savior of personal injury victims, the theory of negligence has yet to be used as a basis of recovery in any reported decision involving computer viruses.
While details of negligence laws vary somewhat from state to state, the term "negligence" generally means that a defendant failed to exercise due care to avoid causing foreseeable injury to the person or property of a plaintiff in violation of a legal duty owed to that plaintiff.
Interestingly, negligence has traditionally been found both where defendants failed to do something they should have done and in cases where they did something they shouldn't have done.
Broken down into its generic elements, a defendant acts negligently if he:
- has a duty of care to the plaintiff who started the lawsuit;
- breaches that duty; and
- causes damage that was foreseeable in light of the failure to live up to that duty.
For example, let's say a teenager on the other side of the world with too much time on his hands and a desire to make a name for himself cooks up a virus that exploits one of many security vulnerabilities in some of the most popular e-mail software on Earth. Let's also say that the virus, once received and opened as an inadvertent e-mail attachment, destroys the hard drive of the recipient's computer, but only after locating everyone on the recipient's e-mail address list (including customers of the recipient's employer) and mailing itself out to them, too. Just for good measure, we'll make things a little worse by having the virus locate any networks to which the recipient's computer is attached and turn them into data chow as well, a process that repeats itself on the corporate networks of the people to whom the virus was surreptitiously forwarded.
So now the recipient's computer has been wrecked, as has the corporate network. And a similar process repeats itself in the corporate networks of companies whose personnel received the virus in their company e-mail accounts.
One or more of the companies may trace their own damage to the e-mail inadvertently forwarded to them by the original recipient and sue the original recipient's company for damages. Is the case a winner? Does the defendant have any defenses or the ability to blame the mess on someone else?
By and large, a plaintiff must prove that the defendant owed it a duty of care and breached that duty in a way that caused foreseeable actual loss or harm. So, here are the issues that will likely come up if -- or when -- a case is brought for negligence for virus-related damage.
Elements of a Negligence-Based Virus Lawsuit
Duty of Care and Breach of Duty
The first threshold and possible defense for a defendant concerns whether the defendant owed a duty of care to the plaintiff.
Absent a contract or special relationship of network access, this would arguably be difficult to prove since, in today's world, everyone is connected to everyone else over the Internet. Imagine what would happen if every company were liable to every other company for virus-related damage, no matter how tenuous or non-existent their relationship, solely because of an unknowing transmission of a virus that they didn't create. This would certainly be a harsh result and, in other contexts, courts have sometimes been reluctant to make defendants potentially liable to the whole world even for foreseeable harm, if public policy concerns are determined to prevail.
On the other hand, have conditions in the electronic world matured to the point where a court could find that viruses are a known contingency of doing business? Could that lead to a legal conclusion that companies have an implied obligation to keep up to date on software patches and install firewalls on their networks?
This is one of the first of the hurdles and thorny issues that would arise in such an action.
Negligent Act
Let's say that a court finds that there was a duty of care owed and that it was breached. The question still remains as to what was done wrong. What should the defendant have done that it didn't do? Or what did it do that it shouldn't have done?
Here's where it gets interesting. Will a court be prepared to say that in today's world, it's inherently negligent not to have anti-virus software and a firewall in place? Will it go further and transform the good computing practice of staying current on software updates and security patches into a legal requirement that must be met to avoid liability?
What if the proof were to show that the company whose network forwarded the virus-laden e-mails had suffered through such an experience before but did nothing to correct it?
On this one, there could be a persuasive argument. There is no doubt that, due to government pronouncements as well as blanket media coverage, the threats posed by viruses, worms and other malicious pieces of code are generally well-known. Also well publicized is how these contaminants spread and whether software patches are available for the vulnerabilities they exploit.
While there is no reported case available as of this writing, this is one component of the negligence test that a potential plaintiff could have a relatively easy time satisfying.
Cause of Damage
Following our progression, if it's proven that a certain defendant breached a duty of care that it owed to another and committed a negligent act, the defendant will still not owe anything to a plaintiff if the negligent act was not the cause of the damage.
In this way, if a corporate network that failed to take steps to prevent inadvertent forwarding of infected e-mails allowed one to be sent that was then stopped by the receiving company's e-mail filter or firewall, it did no damage and there would be no liability despite any negligence.
On the other hand, if damage was caused but the plaintiff's own conduct contributed to the damage, we proceed into the area of defenses to negligence.
Defenses to a Negligence Claim
It may be hard to believe but, even if all the elements of a negligence case can be proven, a plaintiff may still not recover in some jurisdictions depending upon the application of three time-honored concepts: assumption of the risk, contributory negligence and comparative negligence.
Assumption of the Risk
Did you ever wonder why someone who gets hit with a foul ball at a baseball game usually can't sue the team for damages and win? Assumption of risk is the answer. Boiled down to its basics, this defense means that a plaintiff knew what he was getting into and, having voluntarily gone ahead, can't sue someone else for predictable consequences.
Applying this concept to our example, it could be persuasively argued that a company that allows itself to receive e-mails from the public, in an era when e-mail carrying viruses and other forms of malicious code is commonplace, assumes the risk that some of that code may make its way onto its network, causing damage.
Contributory Negligence
In jurisdictions that still follow the rule of contributory negligence, originally grounded in English common law, a negligent defendant will not be liable if the plaintiff was even slightly negligent in causing the damage. In other words, unless the plaintiff was wholly without fault, there is no recovery.
So, let's say a plaintiff damaged by an e-mail attachment did not have any safeguards to protect it from such things entering its network. No anti-virus software, no firewalls, no safeguards of any kind. In some situations, this could arguably preclude recovery entirely because the plaintiff "contributed" to its own harm by its own negligent conduct.
Comparative Negligence
Since the results of a finding of contributory negligence can be pretty harsh, most jurisdictions follow the doctrine of comparative negligence.
Under this theory, any contributing negligence on the part of the plaintiff is examined for the degree to which it contributed to the harm. In this way, if a plaintiff's actions were held to be 25% of the cause of the damage, any recovery would be reduced to this extent.
Of course, this is a tricky concept to apply in practice and it will be interesting to see how courts adapt this theory to the novel area of malicious code.
The prevailing idea common to these defenses is simply this. Just as reasonable care standards can be used to build a tort case against a defendant, these same standards may be turned upon the accuser, to lessen or even eliminate liability.
Strict Liability
Since applying these established tort concepts to this new arena is uncertain business, you're probably wondering why everyone doesn't just sue the vendors of all the software that has all these security holes in it.
Unfortunately, this wouldn't be so easy either. In the first place, most "end user license agreements" make users agree to a virtually complete disclaimer of liability in order to use the product, raising that old assumption-of-the-risk concept again. Others impose obligations on the user to stay completely up to date with all patches, a full-time job in today's world.
Still, if there is any hope on this front, it may come through a novel application of the concept of strict liability. Strict liability does away with all the obstacles imposed in a negligence case. No proof of duty required. No proof of negligence required. In fact, it doesn't matter if the defendant was negligent or not.
The doctrine of strict liability imposes responsibility on those in control in cases involving inherently dangerous activities or defective or unreasonably dangerous products. This doctrine, where found applicable, recognizes that the activity or product can be socially useful but, nevertheless, imposes liability because of the intrinsic danger posed by that activity or defective product.
Interestingly, though, the concept is not generally applied to services, as opposed to products. Given recent initiatives to make software a service rather than a product, it remains to be seen to what extent this concept can be used.
The Bottom Line and Prudent Steps to Take
The concepts explored here only scratch the surface of the complexity of this area. Apart from the questions already raised, there are other issues concerning ISP and ASP liability that are certain to come to the fore as these types of cases begin to be brought.
There are also issues concerning who would be the most likely candidate to be sued. Why, for example, should a company that unwittingly passes along a malicious code attachment be the one sued instead of the actual virus writer? After all, the company was a mere conduit, with no malicious intent and probably no knowledge of what was happening.
While the virus writer is often unknown (and sometimes a teenager with no assets), should this give carte blanche to point the finger at any unknowing company with assets that may not have kept up with a security patch posted on a vendor web site a few hours earlier?
The degree to which software vendors will continue to enjoy protection from lawsuits is also likely to generate continued controversy, especially in states that are deciding whether to adopt UCITA, a set of uniform rules governing computer information transactions that has been widely criticized as being too lenient on vendors in allowing widespread disclaimers of liability.
So, the bottom line is that, if your company's security practices are below standard, you may be vulnerable to a lawsuit sooner than you think.
Business decisions are predicated on an evaluation of the risks associated with doing nothing versus the costs of taking action to avert or minimize the risk. In the past, some companies whose businesses weren't vitally dependent on the Internet may have felt that what they had to lose wasn't worth the added expense of a truly effective security policy.
But now, with the new awareness of the tremendous damage that can be inflicted on others by lax security practices, the balance is shifting, and increasingly, businesses that ignore security standards do so at their own risk.
It would be wise to speak with your attorney about your areas of potential liability, so that you can strategize and prioritize. Learn about security and have staff that is trained and competent in this area. If you are negotiating proprietary software licenses, ensure that your legal counsel gives adequate attention to preserving liability claims against vendors for their negligence or defective products and services.
The ePolicy Institute suggests that companies establish written policies for Internet, e-mail, and software use, and that all employees, including part-timers and contract help, be required to sign the documents, acknowledging that they have read and understand the company policy.
Check with your IT staff or consultant and take pains to implement common security controls like anti-virus programs and firewalls, keep security patches current, and consider filtering executable e-mail attachments at your mail gateway, since the scenario above turns on an attachment that a firewall alone would not stop.
While most security problems boil down to human error, whether intentional or accidental, companies can do a great deal to make a negligence lawsuit a very long shot.
Companies that fail to maintain proper security on their computer systems and then damage others may find themselves on the wrong end of negligence lawsuits, forced to pay for damage caused by their laxness in implementing minimal technical standards of care.
Copyright © Jay Hollander, 2007. All Rights Reserved.