Companies 'not liable' for Code Red attacks

Legal experts say that businesses will not be liable if their servers become infected by the Code Red worm and inadvertently attack other corporate servers
Written by Wendy McAuliffe, Contributor

Companies that inadvertently spread the Code Red worm to other corporate servers cannot be held liable for causing an Internet attack, say British legal experts.

The self-propagating worm, which resurfaced on Wednesday, had raised concerns that companies could face legal action for unleashing Code Red on other servers. Some companies have expressed fears that they could be found negligent for not installing the Microsoft patch that would protect their systems from re-infection, and prevent them from attacking other servers.

But according to IT legal experts, it would be ridiculous to imply that all companies should invest time and money into protecting other servers from malicious worms such as Code Red.

The Computer Misuse Act makes the "unauthorised modification of computer material" illegal -- but in the case of Code Red, there would be no evidence to prove criminal intent. "The Act could apply to someone that had deliberately targeted a virus to someone else's computer, but when you can't show that the attack was deliberate, you are moving back to the general realms of negligence," said Peter Stevens, partner in IT at city law firm Manches.

A company could technically be accused of negligence if it has failed to "act reasonably to prevent the loss of material on another company server," explained Stevens. But the duty of care that surrounds issues of negligence typically exists within specific human or business relationships. Code Red is time-sensitive and pseudo-random: it is programmed to generate the IP addresses of servers running Microsoft's Internet Information Server (IIS) software, which it then attacks. Once executed, the worm creates copies of itself in memory in order to attack even more IIS servers at the same time.

Mark Read, systems security analyst for computer security company MIS Corporate Defence Solutions, admits that the issue of indirect negligence is a grey area for technology companies. "They are effectively starting an attack on someone else, but it is not deliberate," he said. "It is more likely that system administrators for compromised servers will be red-faced for not installing the Microsoft patches and doing their job properly."

The legal picture for ISPs (Internet Service Providers) and Web hosting companies is more contractual, and will depend on whether they have accepted the additional responsibility of ensuring the security of their clients' Web sites. Richard Kirby at server management company NPSL is fearful of the increasing liability issues which viruses are creating for service providers.

"Many viruses are copycat ones, and I can see the same sort of thing happening with Code Red. With core software changing (like the transition to Windows XP), the patch issue is only going to get worse," added Kirby.
