The now-notorious 'ILOVEYOU' and 'Melissa' are just two of the thousands of new viruses which circulate the world by e-mail each year. In March 1999, Melissa became the first e-mail borne virus to achieve household-name status, having caused an estimated US$450 million worth of damage worldwide. The more recent ILOVEYOU virus easily surpassed Melissa's dismal record, leaving a trail of destruction estimated at US$10 billion. Inevitably, a spate of high-profile viruses followed, and these continue to cause disruption around the globe.
Understandably, the furore has raised questions as to how - or if - governments and corporations can minimise the damage of future virus attacks. There have also been calls for changes to be implemented in e-mail software packages to make it more difficult for viruses to spread so rapidly.
However, the cold reality appears to be that whatever steps are taken on a technical level, any company which is on the Internet is at risk from viruses. If your company has not yet been affected by Melissa, ILOVEYOU or another existing virus, then you can breathe a sigh of relief, for now. In all likelihood, another major virus will appear on the scene within the short- to medium-term to test your defences again.
So, what can you do to prepare in the meantime?
Step 1 -identify the risks
The first step in minimising damage from viruses is to identify the risks. In an ILOVEYOU-type virus attack, companies are affected as follows:
-An e-mail borne virus is activated by an employee opening an e-mail or an attachment to an e-mail -The virus spreads through the company's Intranet, destroying certain flies and/or data and overloading its servers
-The virus is spread via e-mail to the companies' customers and/or suppliers and to third parties listed in the address books of the company's employees
Accordingly, the first and most obvious area of risk is the losses which the company itself suffers from the downtime caused by the virus. Depending on the files and/or data which the virus attacks, the company may have to spend many man-hours in reconstructing lost files.
Liability for Losses
The second area of risk is liability for losses which the company's customers or suppliers may suffer as a result of the company's failure to meet its delivery or payment obligations. In this regard, the company may face a claim for breach of contract.
The third and final area of loss is to third parties to which the company has passed on the virus. In this regard, the company may face a claim for negligence if it can be demonstrated that it failed to take appropriate steps to minimise the chances of passing the viruses on.
Step 2- manage the risks
Having identified these three areas, the next step is to minimise the company's exposure to such losses. In this regard, there a number of steps which companies should consider taking:
Minimise your losses:
- Employee guidelines: These may include, for example, a requirement that employees refer all suspicious emails to the IT department before they are opened. As can be seen below, this is more than just a practical step, as it can also be of assistance in defending negligence claims brought by third parties
- Outsourcing: Another important step which can be taken is to outsource the company's virus, detection system to an expert service provider. This may be done either as a stand-alone arrangement (for example to an ASP) or as part of a broader outsourcing policy
- which the company may wish to implement. By entering into an appropriate outsourcing arrangement, the company should be able to benefit from enhanced virus detection, and also transfer some or all of the risks of a virus attack to the service provider
Minimise your liabilities to customers and suppliers:
Most companies' standard terms and conditions contain some form of force majeure clause which excuses the company from performing obligations to customers and/or suppliers in a wide range of circumstances beyond its control. Such a clause may even act to excuse non performance caused by a computer virus, though this should be checked and other wording added if necessary
Minimise your liabilities to third parties:
Any claims against a company by related third parties for spreading a virus would be based on an argument that (i) the company owes a duty of care to the third party; and (ii) the company has breached that duty by negligently passing on the virus to the third party. There is little, if anything, which can be done in relation to the first prong of this argument, as it will very much depend on how the court views the company's relationship with the third party in the context of its claim. However, action can be taken to avoid a claim for negligence by putting in place appropriate safeguards such as, for example, ensuring that all incoming and outgoing e-mails are scanned for viruses, and setting guidelines for employees to follow when dealing with suspicious e-mails.
An appropriately worded disclaimer attached to all outgoing e-mails may also be used in order to exclude liability for negligence. The effectiveness of such a disclaimer would, however, be dependent on it being brought to the attention of the recipient of the e-mail before that recipient has a chance to activate the virus. Accordingly, care must not only be taken in the drafting of the disclaimer, but also in the manner in which it is attached to outgoing e-mails.
Step 3 - transfer your risk
As indicated above, the outsourcing of a company's virus detection system to an expert service provider may enhance the company's technical capability to ward off virus attacks. However, it is fundamental to outsourcing arrangements that the service provider also bears the risk of the technical solution which it provides. Accordingly, in any outsourcing arrangement which is entered into, it is important to include appropriate warranties and indemnities on the part of the service provider.
Although it may not be possible to defeat e-mail borne viruses by staying one step ahead technically, companies needn't rely on good luck alone. By putting in place appropriate procedural and contractual safeguards now, it is possible to stay online with the confidence that future viruses will not result in catastrophic losses - at least for you.
First published in Hong Kong Business in August 2000