Businesses which pass on a virus by neglecting to keep software patches up to date may find themselves criminally liable for damaging other organisations’ computers.
IT lawyer Michael Wigley flagged the possibility of legal action during a Wellington seminar on the theme of computer security. Reaching for the broader interpretations of that heading, the seminar also touched on the challenges of ensuring acceptable conduct by employees on the company’s network and making sure the business is secure in its legal powers to bring defaulters to account.
For almost two years, many have referred to “security post-September 11”. The slogan for much of the NZ Computer Society-organised seminar could have been “security post-October 30”, the date when the Crimes Amendment Act 2003 comes into force, criminalising intrusion into and damage to computers and interception of private electronic communications.
However, the principles behind culpability for passing on viruses extend back to the biological arena, Wigley suggests. When IT lawyers try to establish how new law in the field will apply, he says, they often draw parallels from findings in other areas. In that light, he referred to a British case where the owners of a piggery were held at fault for poor animal husbandry practices, which had led to the release of infected animals and consequent infection on other properties.
There are clear parallels with unintentional “bouncing on” of a computer virus through email address books and the like, when a fix for the exploited “vulnerability” is known and available but the organisation has not applied it, Wigley says.
The lesson is not only to keep patches up to date but, at a more basic level, to know what software you have.
Some businesses that passed on the Slammer virus (exploiting a hole in Microsoft SQL Server patched six months before) were not even aware they had SQL Server on their systems, says Wigley. “It’s an undocumented feature of many applications”.
Wigley and his co-presenters, consultant Ian Mitchell and security specialist Alasdair McKenzie, also covered the effect security protection has on contracts and how it jibes with interception restrictions post-October 30. In promising a standard of service to another party, says Mitchell, you must reserve to yourself contractually the power to switch off processors, network links and services if your system has been attacked.
A provider should not promise 24x7 availability if it is not justified by the business needs, not cost-justified, or not practicable.
McKenzie dealt with the facets of security — confidentiality, integrity of the system and availability — referring his audience to the international standard published here as AS/NZS 17799. This gives a framework for vetting the completeness of security precautions. The speakers also dealt extensively with the enforcement of acceptable use policies (AUPs) within the organisation. It’s not enough to have AUPs set out in a manual, or even to have the user click a button or tick a box to signify assent, they say. It’s best to require a physical signature. Employees will say they didn’t click the button, and you’d better be sure you can prove they did formally assent to the conditions.
To be fully secure against such a challenge, employees should be given time, in working hours, to read the AUPs, and should initial them again every time there is a change, so they can’t claim it was the employer’s fault they didn’t know.
Other laws such as sexual harassment statutes should be taken into account. In many workplaces, a certain amount of mild online erotica and sexually-oriented banter would not be thought out of the ordinary by many employees. But there is always the danger that someone will take offence. “It’s getting to the stage where if someone feels an image is offensive to them then it is,” Mitchell says.