Statistics show companies world-wide suffer more damage from viruses than from hackers.

This may be the case, but hacking is still a serious problem that causes millions of dollars of damage.

I was reminded of this recently when a client telephoned for urgent advice following an attack on his company's Web site. A hacker had caused widespread damage to the layout and content of the site that included the destruction of large portions of the client's subscriber database.

Fortunately, the client did not hold any credit-card information on the site and most of the destroyed data had been backed up. The site was up and running again within 24 hours, although the damage of the client's reputation is impossible to gauge at this stage, because it is not known whether the hacker copied the client's customer database and, if so, how the hacker may use the information.

The problem, is even if it is possible to construct a 100 percent secure firewall, only a handful of companies could afford it. However, this does not mean steps cannot be taken to reduce the risks arising from hacker attacks.

Companies should identify and evaluate the potential damage of various forms of hacking. What effect would a denial-of-service attack have on your company? What if credit-card information is compromised?

Liability also may be incurred to third parties either for breach of contract or otherwise. It is worth noting that Hong Kong's Personal Data (Privacy) Ordinance obliges a holder of personal data to take all practicable steps to protect it against unauthorised access, and the ordinance also gives individuals whose personal data has been compromised the right to sue in the event the holder of the data has not complied with this obligation.

A company also can take practical steps to guard against hackers. It is easy to say every company should have a firewall in place, but many start-up, cash-starved companies may opt for a low level of firewall or even proceed without a firewall.

These decisions are made on the basis of a limited foreseeable loss to the company in the event of an attack by hackers, without considering the potential liabilities the company may incur to third parties.

Inadequate security can lead easily to liability to third parties through the tort of negligence or under the data privacy ordinance. Using notices and contractual terms on a Web site can limit or exclude many potential liabilities to third parties. Such notices and terms are relatively straightforward to draft and should be included on sites as a matter of course.

If a company outsources the hosting of its Web site it should be possible to pass on some, if not all, of the risk relating to the' performance of the firewall to the service provider through the use of appropriate contractual provisions. These steps will not provide total security against hackers, but they will at least put you in a position to minimise your losses and liabilities.

First published in SCMP Technology Post on 31 October 2000.