Any organisation with a web site, including (hopefully) you reading this, might be quaking in its digital boots.
If SOCA (the UK's Serious Organised Crime Agency), the CIA and the likes of Sony, Nintendo, Fox and the United States Senate can be successfully attacked by the likes of hacking group LulzSec, then what chance has any other organisation got of preventing its web site going offline or, more seriously, having data (including in the case of Sony, lots of personal, private data) stolen?
LulzSec may now have shut up shop (more from the fear of having its members' identities "outed" by rival hacking group Anonymous than anything else) but there are plenty of skilled, bored, thrill-seeking individuals out there with the capability to carry the hacking torch. The question this short article ponders is ... what is the liability for your organisation if it is hacked?
The legal responsibilities break down into three:
(i) the law on personal data (which has been created by legislation);
(ii) the law governing anyone the organisation may have a contract with (which is based on hundreds of years of case law); and
(iii) the law on assuming a "duty of care" to others the organisation may not have a contract with (which comes from 79 years of case law).
In the UK, the law on personal data is based on eight principles which come from the European Data Protection Directive. The seventh of those principles states "Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data."
In other words, if you have personal data on your system, make sure the stuff is secure.
How secure is secure? Well, that depends on how you might understand the word "Appropriate" in that sentence. But it must be right that if hackers access systems because they are not properly patched, upgraded, virus-checked or firewalled, then not enough has been done. And the fines from the regulators, the reputational damage (and the loss of business, as Sony has found out) are more than enough incentive to invest in securing your IT.
Secondly, if you have a contract with someone under which you are obliged to provide information or data (personal or otherwise) from your web site, and you cannot do so because your web site is unavailable or hacked, you might be looking at being sued for breach of contract. Under the way in which most commercial contracts are drafted, that is the position if the failure occurred because of something that was within your control – and you goofed by not taking proper precautions. Any loss or damage suffered by your contracting party could be down to you – and recoverable from you.
Thirdly, what about the more general "duty of care" for someone you don't have a contract with? Well, in law, a duty of care is owed to anyone sufficiently "proximate". So if there is an expectation that someone uses services on your site (e.g. a citizen using council services on a council web site) and that site is unavailable and that citizen suffers a loss, if the council has been negligent – and assuming that citizen is sufficiently "proximate" to the council – the council (or more generally the relevant web site owner/operator) can find itself being sued for negligence.
One thing is clear. As hacking attacks become more audacious and commonplace, the scope of liability you may incur for not protecting your web site increases. Perhaps you cannot protect against denial-of-service attacks with billions of requests from thousands of bots. But you can install firewalls, basic intrusion counter-measures and monitoring, all appropriate and "scale-ably relevant" to the size and importance of your site.
And so you should – or risk getting sued, fined or, worst of all, bad press!
Mark Weston is a partner at Matthew Arnold & Baldwin LLP.