As more enterprises push services online, IT executives should be wary of the legal risks which could occur if they are subject to a distributed denial of service (DDoS) attack, finds Hamish Barwick.
It could be an IT executive’s nightmare — finding out the company website has been hit with a distributed denial of service (DDoS) attack and can’t be accessed by customers. Both customers and management are demanding to know what’s happening. And worse still, there is evidence that customer data has been compromised. It’s at that time that an IT security contingency plan begins to pay off.
For Middletons partner, Mark Feetham — who specialises in ICT law — having a contingency plan in place before the worst happens can help companies avoid loss of business or a potential lawsuit.
“Companies that fail to do any planning to address a DDoS threat may be exposed to a negligence claim if an attack is launched against it which causes a third party to suffer a security breach, data or privacy loss,” he says.
This IT security contingency plan could include taking proactive steps to ensure that proper logging is configured on all security devices, so that in the event of an attack the log data can be examined and handed over to law enforcement agencies.
In addition, a security awareness program developed by the CIO and distributed to all staff members is needed.
“Education and awareness of security threats throughout any organisation is key to minimising threats and reducing risk,” Feetham says. He also warns that companies that use Cloud computing services may also be at risk as a DDoS attack could limit or preclude access by the company to its own data or business applications.
“Organisations considering Cloud computing as an option must carefully balance the issues against any identified cost saving associated with a switch to Cloud,” Feetham says. “Adequate due diligence on a prospective provider and careful consideration of the terms of the Cloud services contract are strongly recommended.”
Gilbert + Tobin’s Andrew Hii says any negligence claim following a DDoS attack will be determined by what the company has done to protect its data.
“If the DDoS attack was to stop people from using that website to perform a transaction and those people suffered losses as a result there might be the potential for a negligence claim to be brought against the company,” he says.
Regardless of DDoS attacks, Hii adds that companies should make sure that any Cloud provider they go with has in place sufficient security measures.
“Ensuring that any Cloud provider or outsourcer has best practice standards goes a long way to dealing with those risks,” he says. If the negligence case makes it to court, then having evidence which shows the company’s obligation to its customers is essential, according to Hii.
“Record keeping is just as important in any case where a company may be exposed to this kind of liability.”