Security contractors urged to take out personal indemnity insurance

The increasing number of virus and worm attacks means that significant numbers of security contractors could face legal action after their client's systems have been attacked, say industry experts

There was more virus and worm activity in the first three months of 2004 than in the whole of last year, and despite efforts by software and hardware vendors to address the problems, the situation seems to be getting worse. As the number of attacks increases, there is an increasing risk that consultants will be blamed for disrupted services and lost data.

Richard Starnes, vice president of the UK chapter of the Information Systems Security Association (ISSA), believes personal indemnity insurance for most security professionals will become inevitable.

"Doctors, lawyers and engineers all carry professional liability insurance coverage because if they make a mistake -- and they will because they're human -- there's a real possibility they will get sued. I don't see why that wouldn't apply to the info security professional," said Starnes.

David Woods, an IT litigation specialist at law firm Masons, agreed that security consultants should take out indemnity insurance because they are at risk if their clients' systems are compromised.

A spokesperson for Decision Finance, a specialist in small business finance and insurance, said that professional indemnity insurance has been available for more than a hundred years and in the relatively new IT security area, it has been available "for as long as there have been IT security professionals".

According to the spokesperson, the popularity of personal indemnity cover increases along with the risks associated with the job.

"There has been a higher degree of virus attacks so there is a preponderance to sue," the spokesperson said.

Rob Carolina, a specialist in the legal aspects of secure electronic commerce and a senior fellow at the Royal Holloway College in Egham, explained that under English law, if a contractor undertakes a project, they are obliged to act with "due skill and care", which means that if they make a mistake, they could be held liable.

However, Carolina said that two elements play in favour of the consultant. Firstly, companies can only sue for what they have lost due to the contractor's negligence, which may be very difficult to translate into a monetary value. Secondly, when it comes to security, companies tend to be shy about airing their dirty laundry in public.

Carolina said that if a company wanted to sue because they had received bad advice that resulted in their servers being compromised, they would have to demonstrate in court the value of their loss -- which might be difficult.

"You can only recover what you prove you have lost. If you say, 'he gave me some really bad advice and now someone has crashed our server -- it was very embarrassing,' you can't recover for embarrassment. But you can try to recover the cost of fixing or repairing the server, and the cost of downtime," Carolina said.

Stuart Okin, Microsoft UK's chief security officer, said he's not surprised that security professionals are having to take out indemnity insurance, but he believes that taking legal action against contractors is the wrong option. Instead, he said more resources should be ploughed into catching malware writers who are actively seeking out and exploiting security vulnerabilities.

"The security consultant is not committing the crime -- it is squarely down to the hackers, virus writers and organised criminals. That is where the responsibility lies and that is where we should be directing our investments and energies," Okin said.