Your net liability - safety first

Imagine having to admit to your CEO that your company is being sued for millions and it's all your fault.
Written by silicon.com staff, Contributor

Imagine the website of a US corporation went down for a whole day, losing millions of ecommerce dollars because of a denial of service attack. Imagine that attack was traced back to several relay servers in Europe - one of which was yours. Now US lawyers are crawling all over you, claiming negligence and attempting to recoup those lost dollars straight from your company's bank account. Ouch. Not a good way to start your week, but perhaps quite effective in terminating your career.

But is this scenario really likely? According to two top UK lawyers it is. Nick Lockett from Sidley & Austin reckons so. Simon Stokes from Tarlo Lyons agrees.

Before panicking and calling up your in-house security expert, let's look at the facts. Anyone attempting to sue for having their site brought down is going to have to prove several things. First, they must show your server was being used to relay the denial of service attack. That's not hard. Second, they will have to prove their business was materially affected by the attack. Also not hard. And third, they'll have to prove you failed to implement sufficient security procedures on your server. This is where you come in.

What constitutes sufficient security procedures to guard against negligence is clearly open to interpretation. However, there are two obvious things that would almost certainly put you in the clear. If a denial of service attack is occurring, and the victim notifies you that your mail server is being used as a relay, you must shut it down immediately. Additionally, when you set up your mail server, you must not leave it on an open-relay default setting. You should always configure a list of the IP addresses that are permitted to relay mail through it. If you make sure the former is standard policy that your whole department is aware of, and you've already done the latter, you should be in the clear.
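As an added illustration, not part of the article: the open-relay setting the author warns against, contrasted with a restricted one, written for the Postfix MTA (an assumption; the article names no particular mail server). The address ranges are constructed placeholders.

```ini
# --- WEAK: open relay (main.cf fragment) ---
# Every host on the Internet is treated as a trusted client, so anyone
# can hand this server mail addressed to third parties and have it
# delivered. This is the configuration that gets you named in the lawsuit.
mynetworks = 0.0.0.0/0
smtpd_relay_restrictions = permit

# --- CORRECTED: relay only for listed clients (main.cf fragment) ---
# Only the loopback interface and one internal subnet (constructed example
# range) count as "my networks"; authenticated users are also allowed.
# Everyone else may only deliver to domains this server is final
# destination for, so it can no longer be used as a relay.
mynetworks = 127.0.0.0/8, [::1]/128, 192.0.2.0/24
smtpd_relay_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination
```

After editing, `postconf mynetworks smtpd_relay_restrictions` prints the values actually in effect and `postfix reload` applies them.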
So, don't panic and don't chance a brush with some heavy-handed lawyers - get those procedures in place if you haven't already done so, and make sure you don't end up having a painful meeting with your CEO.