
Is there precedent in North America or elsewhere where a server administrator was held accountable for leaving a server vulnerable?

For example, if there is a known exploit in IIS, Microsoft issues a patch for it and for reason X you don't apply it on your server, your site is compromised by hackers and as a result you end up infecting your visitors with malware, which could eventually cause financial loss. Are you, or could you be, held liable?

This is subjective and obviously not something I do ;) just curious.

jfrobishow
  • In the US, if you can show "due diligence" and your system gets hacked or whatever, you are probably okay. Consult your auditor. The only caveat is if you are a contractor working under a contract which stipulates something different, or you are on a SOX-compliant (Sarbanes-Oxley) site. Then you have to rely on 'due diligence' as defined by what auditors and federal regulations specify. If auditors find problems and you have a hack-in, then you are in legal trouble, bigtime. So will your company be. – jim mcnamara Jul 29 '10 at 14:55

4 Answers


I'm not a lawyer and not giving you legal advice. This is ServerFault.com, too, not SuperLawyerOverflowFault.com. I'm also speaking only about the United States re: "North America". Canada is frosty and scary and I know nothing about it.

Having said that, I'm not aware of any U.S. states where criminal liability would come into play for simply not installing patches. Likewise, I'm not aware of any U.S. states that would hold the operator of a server criminally liable for malicious software infections spread from a compromised computer.

There are U.S. states where disclosure of data breaches is required, and failing to disclose can result in criminal liability. Even if your server isn't in such a state, merely storing data about people located in such a state where disclosure is required can create the requirement to disclose. Presumably if your server was compromised it could be argued that a data breach did occur.

I'd be more worried about civil liability. Anybody can sue anybody else for anything at any time.

Evan Anderson
  • +1! for SuperLawyerOverflowFault and frosty/scary alone. – jscott Jul 29 '10 at 14:59
  • Civil liability could vary quite a bit state to state, too. In California the employer is required to indemnify the employee from any "ordinary" problems and an employee can only be held personally liable if what they did was dishonest, willful or "gross negligence" (labor code sections 2800, 2802, other sections and various case law). Other states in the US can vary quite a bit and it might be possible for the employer to blame/charge the employee for that kind of ordinary negligence. – freiheit Jul 29 '10 at 15:58

There are two separate questions: "can I get arrested?" and "can I get sued?"

Evan covered the getting arrested part, and gave us a few chuckles as a bonus!

Regarding getting sued, I can give some guidance for those of us in the USA.

Here in the USA, you can get sued for anything by anybody; the questions are whether the suit will survive initial review and whether you will lose. This is a very complicated question because of the variety of different possible circumstances. Generally speaking, you are safe if you are doing your job, provided it is legal, even if you do it badly. Generally speaking, you are not safe if you are acting outside of your job duties, not following the law, or acting with malice.

Generally speaking, if you are an employee of a business, the law specifies that the business is liable for consequences of your actions as their agent, but you cannot in most circumstances be held individually liable. So the company may get sued and may lose; the worst you might get is fired.

The takeaway: if you are not a bona-fide, legit employee of a bona-fide, legit business, make sure that you have at least a bare-bones agreement in place that clarifies your liability. And if you are not comfortable with the uncertainty, see a lawyer.

Also, it is probably worthwhile to get some "errors and omissions" or general liability insurance as well, particularly if you have any assets of value (such as a house).

tomjedrz

Speaking for the UK, any liability stemming from a hacked website would fall back onto the company operating that site (if it falls back at all) and not to the individuals within that company. For most companies this means that their directors have their asses on the line.

What your boss does with you when he finds out is another matter altogether, and depends on your employment contract.

wolfgangsz

Yes.

I currently work on both sides (both as a host and a client of a host), and I would certainly hold both myself and my contractor accountable in the event of significant financial loss.

Ultimately this depends on the contract that was signed / agreed to. In our case it would be a breach of absolute trust, which goes above contracts.

Joshua