This article explains how companies may be held liable for the damage caused by virus infections. In terms of the King II Report on Corporate Governance and recent court cases, company boards must take reasonable steps to prevent and/or limit the damage and loss that may result from virus infections.
It is fairly well understood, by even the most technophobic amongst us, that when a virus, or any other form of malicious computer code, infects a corporate network a number of potential losses and damages may follow. Typically these include:
* The virus can destroy important corporate data. As a result the company may not be able to operate (loss of profits) and if the story breaks in the local press, the company's share price may tumble (loss of value to shareholders).
* The virus infection can result in the company not being able to operate for a period of time (the same damages as detailed above may follow).
* The virus infection may result in the unauthorised disclosure of private and confidential company information. In such a case the company may be sued for privacy infringement, infringement of intellectual property or breach of contract due to the unauthorised disclosure of confidential information.
* The virus may automatically forward itself to another corporate network (such company may suffer the same damages and losses detailed above).
Traditional corporate instinct tends to classify virus infections as an 'act of God' or at least an act over which the company has no control, the argument being that if the virus programmer is not identified, there is very little legal recourse for those who suffer damages.
Virus writing is not illegal
Programming a virus is not illegal in South Africa. Like other forms of unpopular speech (eg, pornography and propaganda), even malicious computer code is protected by the free speech provisions of the South African Constitution. However, if the virus was programmed with the main purpose of overcoming security measures, such programming will be illegal in terms of section 86(3) of the Electronic Communications and Transactions Act 25 of 2002 (the ECT Act). This section reads as follows:
"A person who unlawfully produces, sells, offers to sell, procures for use, designs, adapts for use, distributes or possesses any device, including a computer program or a component, which is designed primarily to overcome security measures for the protection of data, or performs any of those acts with regard to a password, access code or any other similar kind of data with the intent to unlawfully utilise such item to contravene this section, is guilty of an offence".
Offenders may face a fine or a jail term of up to 12 months.
If a virus, programmed primarily to overcome security measures, is used, section 86(4) of the ECT Act applies:
"A person who utilises any device or computer program mentioned in subsection (3) in order to unlawfully overcome security measures designed to protect such data or access thereto, is guilty of an offence".
Offenders may face a fine or a jail term of up to five years.
The provisions of the ECT Act will apply if:
* The offence was committed in South Africa (eg, the virus was programmed locally).
* Any act of preparation toward the offence happened in SA (eg, the virus programmer downloaded the required source code from the Internet from a computer based in South Africa).
* The result of the offence had an effect in South Africa (eg, South African corporate networks were infected by the virus).
* The offence was committed by a South African citizen anywhere in the world.
* The offence was committed by a person with permanent residence status in South Africa.
* The offence was committed on board a ship or aircraft registered in South Africa or on a voyage or flight to or from South Africa (eg, the virus programmer programmed the virus on a laptop during an SAA flight from London to Cape Town).
However, even if the virus programmer is caught and prosecuted, it will be very difficult to recover the civil liabilities detailed above. For this very reason, those who suffered damages from virus infections are now looking at others to recover their damages from. Companies normally have much deeper pockets than virus programmers!
Boards liable for virus damages?
It is now established law in South Africa that liability for damages may follow from a so-called 'negligent omission' - the failure to do something when so required. In the recent case of Minister of Safety and Security v Van Duivenboden  3 All SA 741 (SCA) the Supreme Court stated, amongst others, the following:
Nugent JA: "A negligent omission is unlawful only if it occurs in circumstances that the law regards as sufficient to give rise to a legal duty to avoid negligently causing harm. It is important to keep that concept quite separate from the concept of fault. Where the law recognises the existence of a legal duty it does not follow that an omission will necessarily attract liability - it will attract liability only if the omission was also culpable as determined by the application of the separate test that has consistently been applied by this court in Kruger v Coetzee, namely, whether a reasonable person in the position of the defendant would not only have foreseen the harm but would also have acted to avert it."
In plain English
In plain English, with all respect to the learned Judge, the Supreme Court stated that a person may be held liable for damages if he/she failed to take any action to prevent or limit the damage and only if a reasonable person would have foreseen the possible damage and would have taken action to prevent or limit it.
Although the Van Duivenboden judgment has not yet been tested on the facts of a virus infection, it is safe to assume that the same principles will be applied by the court. Therefore, a company may be held liable for the damages caused by a virus infection if:
* The company failed and/or refused to take the necessary steps to prevent or limit the virus damage.
* The company could have foreseen and could have taken action to prevent or limit such damage.
With reference to the abovementioned examples of possible damages that may follow from virus infections it will be possible for shareholders and others that suffered damage and/or loss because of a virus infection, to recover such damages from a company based on the principles outlined in the Van Duivenboden judgment. It is not hard to imagine that these losses and damages may run into many millions of rands.
Directors or IT managers may be personally liable
Furthermore, company directors and managers may be held personally liable for such damages in terms of section 424 of the Companies Act 61 of 1973, if their failure and/or refusal to take sufficient steps, results in reckless management of the company in question. Section 424(a) states:
"When it appears, whether it be in a winding-up, judicial management or otherwise, that any business of the company was or is being carried on recklessly or with intent to defraud creditors of the company or creditors of any other person or for any fraudulent purpose, the Court may, on the application of the Master, the liquidator, the judicial manager, any creditor or member or contributory of the company, declare that any person who was knowingly a party to the carrying on of the business in the manner aforesaid, shall be personally responsible, without any limitation of liability, for all or any of the debts or other liabilities of the company as the Court may direct."
King II and risk assessment
In terms of the risk management guidelines of the King II Report on Corporate Governance, a company must also identify and address all material risks, including technology risks, the company may face. Virus infections and the whole range of potential damages and/or loss that may follow, must be identified and addressed by the company. It is a duty of the board of directors to satisfy themselves that the company is managing IT risks sufficiently.
So, what to do?
If a company is taken to court for the damages that resulted from a virus infection of the company's network, such a company will have to prove that it took all the reasonable steps to identify, reduce and/or limit the potential damage and losses. In proving such reasonable steps the company will probably have to show that it:
* Took the necessary and required steps to identify and address virus infections (as required by King II).
* Used updated virus detection and filtering technology that actually worked at the time of the virus infection.
* Addressed the 'human element of IT security' by adapting and maintaining a corporate IT Security Policy that, amongst others, addressed virus infections.
A risk assessment checklist
Buys Inc Attorneys has developed a 'risk assessment checklist' to assist companies in identifying and addressing the various IT risks they may face. The checklist details more than 70 IT risks and provides guidelines on the legal, technical and corporate governance steps that a company should take to avoid possible liability as detailed in this article. The checklist is available from the Cape Town and Johannesburg offices of Buys Inc Attorneys.
Disclaimer: Information in this article is provided for information and discussion purposes only. Readers should obtain the necessary legal advice before they take any action suggested in this article. The writer and publisher do not make any warranties or representation that the solutions detailed herein will necessarily prevent or limit corporate liability of any kind.