Sign in to follow this  

Question about legal responsibilities under network security breach

This topic is 377 days old which is more than the 365 day threshold we allow for new replies. Please post a new topic.

If you intended to correct an error in the post then please contact us.

Recommended Posts

Hey,

 

Say we have company A, that does software development for company B. An employee of company A, does some action that makes private and confidential data of company B,on company's A servers, publicly available, by negligence.

 

A curious attacker extracts that information and asks money from company A in exchange for not making it available.

 

Yet, a third company, company C, helps with consulting company A to resolve this scenario by catching the attacker. (working with police etc).

 

Companies A & C have an NDA signed, which, by my judgement, has been broken once the attacker has seen the documents. 

 

The attacker might get a sentence from the judge, he asked money in exchange to give the data.

 

My question is: is the attacker the only one who should face the law in this case ?

 

Share this post


Link to post
Share on other sites

The attacker is the only criminally responsible party. But company B can still sue company A for not being more careful with company B's data.

I understand, let's further say company A doesn't notify company B of the breach and the attacker manages somehow to contact company B and tell them about what happened ("I saw you're data"), how can this be worse for A, than the original case ?

Share this post


Link to post
Share on other sites

Companies A & C have an NDA signed, which, by my judgement, has been broken once the attacker has seen the documents.

 

Unless the NDA clearly states that the agreement expires in such a situation, then it doesn't. An attacker could be lying about seeing the documents, for example.

 

 

Regarding your general question though - you're asking something very broad and which will vary from place to place. In theory, software companies that are negligent could be punished for it by some authority or other. In practice, software companies are negligent all the time and get away with it. And there are grey areas of what "publicly available" means - just how much effort must an attacker put in for it to be considered that the original developer was negligent?

Share this post


Link to post
Share on other sites

The attacker is the only criminally responsible party. But company B can still sue company A for not being more careful with company B's data.

 

 

 

True but company A should have some kind of indemnity insurance specifically for this.  I'm just a contractor and I have to purchase insurance to cover this.

Share this post


Link to post
Share on other sites

 

Companies A & C have an NDA signed, which, by my judgement, has been broken once the attacker has seen the documents.

 

Unless the NDA clearly states that the agreement expires in such a situation, then it doesn't. An attacker could be lying about seeing the documents, for example.

 

 

Regarding your general question though - you're asking something very broad and which will vary from place to place. In theory, software companies that are negligent could be punished for it by some authority or other. In practice, software companies are negligent all the time and get away with it. And there are grey areas of what "publicly available" means - just how much effort must an attacker put in for it to be considered that the original developer was negligent?

 

Let's say I'm "more or less" talking a specific situation that happened.. I'm just trying to understand the situation better. The effort of the attacker was rather minimal, from what I've heard. The company seems to have gotten away, and the argument I've heard was: "everybody exposes data like this and it's common, because installing this kind of software - which from what I've understood was installed for learning reasons by A's developer - is a common thing".

I'm not sure how common is that and to be honest , what got me upset about the whole story was a biased presentation that basically said: Company A didn't do anything wrong, they did a common thing, and the attacker is a very bad person , he should bear all the guilt. 
 

Edited by Deliverance

Share this post


Link to post
Share on other sites

Is it common that software companies are negligent? Yes, of course. Barely a week goes by when we don't learn of some data breach somewhere.

 

Was Company A in this situation worse than most companies? I don't know, and that information's not available here. It's implied that it was accessed via some sort of software that is commonly installed, which means the questions are: "was it reasonable to install that software?", "was that software installed correctly?" "how hard is it to secure that software?" etc

 

Should Company A take any responsibility? Depends on a bunch of things. Did they break a contract with Company B? We can't answer that. Did they fail to meet minimum legal standards regarding keeping data safe? Again, we don't have enough information. If you want clear legal answers you're going to have to (at a minimum) name the jurisdictions involved.

 

It is interesting to think about how we decide who the true victim is, and who should be blamed for bad things happening. What is the minimum you should do to protect yourself - whether we're talking about hacking, or robbery, or physical violence. If you walk down a dark alleyway and get mugged, should you accept some of the blame? What about if you know the alleyway is dangerous?

Share this post


Link to post
Share on other sites
  1. Company A is liable for civil charges.
  2. The employee is liable for civil and possibly criminal charges.
  3. The attacker is liable for civil and definitely criminal charges.

In countries where Civil Law is applied, Company A has "in contrahendo" and "in vigilando" responsibilities. Company A has in contrahendo responsabilities because the company breached a contract and also if the employee happens to have had a criminal record or bad references from previous employers, because it failed of doing due diligence when they hired the employee. Does the employee have a criminal record or bad references from past employers? if not, then...

In vigilando responsibility because Company A is responsible for "watching" what the employee does during working hours. Did the company take reasonable steps to ensure something like this doesn't happen, or this employee happens to do whatever he wants with no supervision? Is it common for these things to happen? was this the first time? did the employee took an unreasonable amount of effort to circumvent company's security? how long was this data exposed? (1 second, 1 hour, months?)

A lot can be done to prove it (how often they report to a supervisor, whether there's security cameras, sysadmin logs, strict firewall rules, good security policies & practices and how they're being enforced, how often passwords are reset)

 

All of this has to be proven in court (Company B has to prove A was negligent, A has to prove they were not and that this data breach could not be reasonably prevented); which is why sometimes company B may never sue A, unless a lot was at stake.

Is company A liable? Yes. Will they sue? Who knows.

 

I don't get how Company C's NDA was breached, it is my understanding C was hired to catch the attacker after the data leak happened. If that's the case I don't see how C is liable for anything.

If company C had already been hired by A before the leak to keep their documents safe, then B can sue both A & C; and A can sue C.

 

But this is not set in stone. If the data from company B that were leaked documents how they pursued illegal activities, the whole thing changes entirely.

 

Btw this theoretical scenario sounds very real. Contact a lawyer.

 

PS. Forgot to say that in order to sue for civil charges, the plaintiff must prove they were harmed in some way. If no damage was made to B, then they can't sue.

Edited by Matias Goldberg

Share this post


Link to post
Share on other sites

if the employee happens to have had a criminal record or bad references from previous employers

 

I think you missed the part in the original post where it was stated that the information was made public "by negligence", not by a deliberate malicious act.

Share this post


Link to post
Share on other sites

Security breach laws are mostly  governed by state laws.  Here is a very useful summary you can use to know IF you have to disclose the breach and what you have to do about it.  http://www.steptoe.com/assets/htmldocuments/SteptoeDataBreachNotificationChart.pdf. please note that you have to obey any state laws in which you do business.   Which means if you are selling something on steam you have to obey all 50.  The easist way to do this is find the most restrictive and then follow that one. 

Edited by N1njaSt0rm

Share this post


Link to post
Share on other sites

This topic is 377 days old which is more than the 365 day threshold we allow for new replies. Please post a new topic.

If you intended to correct an error in the post then please contact us.

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

Sign in to follow this