COMPUTER VIRUS LIABILITY
[In January 1995, the US Bureau of Public Debt's Security Branch and
its legal department debated the issue of unintentional distribution
of computer viruses and the legal liability of institutions found to
have passed contaminated software or diskettes. The discussions
were published in the US Bureau of Public Debt's Information Systems
Security Monitor newsletter and credited to Kim Clancy (Security
Branch), Jim Kramer-Wilt (Legal) and Lisa Martin (Legal). It is
reprinted here with permission.]
Security Branch: "What, if any, boilerplate language exists that
we could put in contracts that would protect us if we received disks
that were infected with a virus? What are [others] doing?"
Legal: "At present, Public Debt is not using any special language
in . . . contracts. The present warranty clause does not protect
us from consequential damages. Procurement uses a general clause
unless the Contracting Officer determines that a greater level of
protection is necessary. We could insist that a clause be inserted
that the contractor has screened the software for any known viruses.
This, of course, would not protect us from unknown viruses. It
appears that we should be making the screen ourselves, rather than
relying upon the contractor. I would assume that such screens
are being made."
Security Branch: "In the area of Interagency agreements - what is
our liability if, for example, we would send [someone] a diskette
with a virus? Is exempting language available? Would it be
effective, such as in contracts with these [others]?"
Legal: "Contracts between government agencies follow the general
outline of the first question above. Government agencies are pretty
much self-insured for such damages. Any diskettes sent to other
agencies should carry the following disclaimer:
WE HAVE SCANNED THIS DISKETTE FOR VIRUSES USING <SOFTWARE BRAND AND
VERSION INSERTED HERE>. NONE OF THE DISKETTES HAVE ANY VIRUSES
ACCORDING TO OUR USE OF THESE PROGRAMS. HOWEVER, BE AWARE THAT
THERE MAY BE VIRUSES OR OTHER DANGEROUS PROGRAMS THAT HAVE ESCAPED
DETECTION. WE DO NOT WARRANT OR REPRESENT THAT ANY OF THE DISKETTES
ARE ABSOLUTELY FREE OF VIRUSES, TROJAN HORSES, WORMS, TIME BOMBS OR
ANY OTHER TYPE OF DANGEROUS COMPUTER PROGRAM. YOU SHOULD PERFORM
YOUR OWN TESTING TO ASSURE THAT THE FILES YOU DOWNLOAD ARE TRULY
FREE OF VIRUSES OR OTHER DANGEROUS PROGRAMS.
This disclaimer could be in the form of a pre-printed sticker that
is affixed to the diskette package."
Security Branch: "What should we do if we get a diskette with a
virus from another company? Should we contact the vendor? Are
there any repercussions if we do contact the vendor?"
Legal: "You should contact the vendor and inform them of your
finding. Whatever action they choose to take is up to them.
I believe that there is a duty to contact the vendor and there
should be no legal repercussions. We also feel that you should
pass along your findings to Main Treasury, e.g. 'I scanned the
diskette with a certain virus checker and found this virus,'
thereby making no statement as to how the virus got on the
diskette. In other words, only reporting exactly what you
observed."
PART II: LIABILITY FOR VIRUSES, A NEGLIGENCE STANDARD
. . . Tort and civil liability are rarely discussed in the
context of [computer] viruses, since a growing body of criminal
law already regulates their introduction into a system.
The introduction of viruses _may_ allow an injured plaintiff relief
under the tort theories of conversion, trespass and tortious
interference with contractual relations. Tort liability has been
an issue of concern to the managers of computer systems and networks.
The failure of managers to safeguard their systems may lead to
recovery in tort by injured third parties. One suggestion has
been to impose strict legal liability on the producers and vendors
of computer systems, services, networks and software, requiring
adequate safeguards and barriers to be placed to avoid unauthorized
invasions, and to carry adequate insurance should an invasion occur.
This standard may be too demanding since even the best boundaries
of technological protection have proved to be penetrable. A system's
need for the existence of trap doors for programming and debugging
will also be troublesome for managers should a strict liability
standard be implemented. Negligence may be a viable alternative
standard should strict liability be too harsh. A manager's duty to
the system would entail the reasonably prudent selection,
implementation and maintenance of the security provisions of the
system.
Application of negligence principles to the manager would require
her to use reasonable care to secure the system when it is
foreseeable that failure to secure it would result in injury to
foreseeable plaintiffs. A test similar to the one created by Judge
Learned Hand in United States v. Carroll Towing may be a viable
standard in this instance. Since any computer system may at some
point be infected by a virus, the manager's duty should be a
function of three variables, paraphrased from Judge Hand's decision
in Carroll Towing:
1) the probability of invasion by a virus;
2) the gravity of the resulting injury; and
3) the burden of adequate precautions.
The application of this test may provide a flexible and workable
alternative approach to a manager's liability for the failure to
protect the computer system from viruses.
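The three variables above are the terms of the Hand formula from Carroll Towing. As an added note that is not part of the original text, written in the usual shorthand with B for the burden of adequate precautions, P for the probability of invasion by a virus and L for the gravity (loss) of the resulting injury, a manager is negligent under this test when

$$
B < P \cdot L
$$

that is, when the cost of a precaution is less than the expected loss it would have prevented. Because P and L are assessed for a particular system and threat, the same precaution may be required for one system and unreasonable for another, which is what makes the standard flexible rather than fixed.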
Suggestions for reasonable protection:
1) Limiting computer access by terminated employees, particularly
those who have been subjected to disciplinary action;
2) Requiring a showing of need before allowing any employee to
access system software on multiuser systems;
3) Requiring staff to devote greater attention to monitoring the
use of computer systems and to checking for evidence of unusual
or suspicious activity.
Staff with responsibility for computer systems should be centrally
involved in analyzing these or other protective policies, and
should be given necessary resources to carry out these functions.
_Establishment of Operational Safeguards_
In addition to establishing access restrictions, a number of steps
might be taken to reduce the risks of harm from a computer virus:
1) Installing software programs that keep watch for computer
viruses;
2) Testing software [and storage media] for presence of computer
viruses;
3) Initially installing new software, particularly software of
uncertain origin, on an isolated computer system;
4) Immediately investigating unexplained or suspicious activity,
including unauthorized attempts to . . . alter files;
5) Immediately removing from computers any software that exhibits
symptoms of possible virus infection;
6) Establishing backup policies designed to assure that clean
copies of uninfected application programs remain available for
a reasonable time;
7) Requiring the grandfathered rotation of backup copies, stored
off-site;
8) Conducting periodic security audits to determine whether
reasonable steps have been taken to assess and counter any
particular virus threat.