Friday, 19 February 2016
Cyber attacks; Who carries the liability ?
What is less clear is who is picking up the tab when things go wrong. Given that most companies tend to outsource hosting and webdesign and frequently work with freelance IT contractors liability may be limited at the contractual level. There is also a strong incentive for existing technical providers to insist all is well to avoid clients digging too deep and realizing that they are carrying all the liability.
Insurance has a part to play here but the insurance industry seems to be struggling to determine risk premiums and the policies available are awash with exclusions.
It was widely reported that TalkTalk suffered substantial loss from being hacked but not made clear whether this was an insured risk.
If private data is held on a third party shared server and that data is stolen partly through the failure of the hosting company to implement reasonable levels of security who pays ?
Arguably none of this has really mattered in hard financial terms because losses have been difficult to quantify. This is set to change if the legislation which can fine companies up to 4% of turnover comes into force in 2017.
One way or another the issue will be clarified and whether the liability rests with the client or IT / hosting contractors. With the average cost to an SME of a cyber attack being @£190,000 the cost is material.