29 May 2015 | James Young-Drew and Michael Wigley, Wigley & Company

What Foot-and-mouth can teach us about cybersecurity

Speedread

The threat of a digital computer virus is a world apart from the ravages of Foot-and-mouth disease. Or is it? In a 1966 negligence case, the Foot-and-mouth virus escaped from a UK research institute and infected neighbouring cattle. The institute was found to owe a duty of care to the affected farmers.

The same principle would likely apply to modern companies that allow digital viruses to escape and infect "neighbouring" users. The law of negligence proceeds by analogy,(1) so here is a last-century analogy for a modern digital issue.

This article outlines how negligence principles work in practice, and why it's so important to ensure that cybersecurity measures are up to industry standards.

Cyber security law and practice, a recommendatory report produced by the General Counsels of the UK's top 100 companies, is a good example of cybersecurity best practice. Best practice of this kind informs the standard of care required of commercial entities if they are to avoid liability for digital viruses.

Wigley & Company's summary of the GC100 cybersecurity report is available here.

A bad case of Foot-and-mouth

The year is 1959. The Foot-and-Mouth Disease Research Institute of Surrey, England, has just imported a new virus from Africa for experimental purposes. The virus escapes, cattle neighbouring the Institute become infected, and the Minister of Agriculture is forced to temporarily close the Guildford and Farnham markets to quarantine the disease.

The market closures (which lasted for six days in all) did not please the local auctioneers, Weller & Co, who were unable to carry out cattle auctions during this period. Weller & Co decided to claim for financial losses by suing the Foot and Mouth Institute under the law of negligence.

The court found that, if the virus were to escape from the Institute, it was a foreseeable fact that neighbouring cattle could die.(2) The Foot and Mouth Institute consequently had a legal duty towards the owners of neighbouring cattle to take reasonable care to prevent the disease from spreading.

In the case of Weller & Co, however, their relationship with the Institute was too remote to create such a duty. The auctioneers' claim for financial loss was dismissed.

Why is Foot-and-mouth relevant to cybersecurity?

Imagine a more modern situation. The year is 2015. A company with inadequate cybersecurity has managed to attract a deadly computer virus. The virus quickly spreads, infecting the company's internal network and online systems. A few hours later, the company goes into digital lock-down to prevent the disease from spreading.

Unfortunately, the damage is done. The virus has already infected the systems of sub-contractors, personal devices used by employees, business contacts, website users, and thousands of other third parties.

To whom does our fictitious company owe a duty of care under the law of negligence?

The duty of care in a digital world

If such a case were to unfold, the court's approach would likely involve applying the same sort of legal principles relied upon last century, well before cyber threats even existed.

Under the law of negligence, a duty of care is owed to another party where, generally speaking, it can be said that an act of carelessness by the defendant would foreseeably cause harm to the other party. There is no universal rule; rather, courts undertake a "multi-factorial" approach to the issue.(3)

Problems abound in the context of viruses and other electronic threats. It is quite reasonable to submit that any party receiving corrosive digital information will foreseeably suffer harm, and therefore, in the case of an internet website, a duty of care should be extended to everyone who visits the site. For a large company, this means an uncontained virus could result in thousands, or even millions, of potential claimants.

However, the courts are cautious about imposing a degree of liability which is so wide as to be indeterminate. There are factors which often justify limiting the scope of a duty of care, such as the extent to which victims can protect themselves,(4) or that a defendant can only be held liable if it had (or should have had) specific knowledge about the harm other parties would suffer.(5)

Note that a claim for pure financial loss is certainly available under the law of negligence (and is the most likely harm caused by a computer virus).(6) The reason Weller & Co did not succeed against the Foot and Mouth Institute was because their relationship was too distant to create a duty of care, not because the type of claim was invalid. A similar rule of proximity is equally applicable, though not determinative, of duties owed in the digital world. Direct contacts (customers, for example) harmed by an escaped computer virus will likely be owed a duty of care, but this duty may not extend to more remote parties (such as auctioneers who lose business, as in Weller v Foot and Mouth).

To be clear, this 50-year-old case is not the full answer on cybersecurity negligence liability. The law of negligence has evolved considerably since then, though some judges and academics have noted that Australian negligence principles have become even more unpredictable, especially in areas which have yet to be brought before the courts.(7) Until then, Foot-and-mouth remains a great illustration of the extent to which companies that expose third parties to digital viruses could be held liable.

What standard of care must a company exercise to avoid negligence liability?

Where a duty of care is found to exist, we move to the second consideration: the defendant must also have failed to exercise a reasonable standard of care. The required standard will generally take account of best practice in the relevant industry, and the nature of the particular virus. It also adjusts to the conduct and expertise of the defendant. For companies which profess to be IT experts, or rely heavily on digital use as part of their business, the standard of care expected of them will be higher.

What best practice experts and standards on cybersecurity say should be done will guide what is the required standard of care. That does not require perfection, as no system can be 100% immune from problems.

Courts will also consider the difficulty of taking necessary precautions against risk. That is unlikely to be a compelling argument here, however, because the threat of a computer virus is both widely known and relatively inexpensive to prevent, compared to the risk posed. Also important is that the obligation to uphold a standard of care is "an obligation which keeps pace with the times. As the danger increases, so must ... precautions increase".(8) Relying on virus protection software is an insufficient precaution if it is not regularly updated.

What this means in practice

Much like the Foot and Mouth Institute in 1959, modern businesses have a legal obligation to protect their "neighbours" from the threat of viruses. In practice, this means taking care to ensure cybersecurity measures are up to industry standards.

The General Counsels of the UK's top 100 companies recently published a report, Cyber security law and practice, to help in-house lawyers deal with cybersecurity risk.(9)

Their recommendations are a good representation of industry practice, which informs the standard of care required of commercial entities as to digital threats. The risk of a claim for negligence is one facet dealt with in the report, alongside reference to industry guidelines (such as ISO 27032) and ten recommendations to improve cybersecurity.

(1) See Perre v Apand Pty Ltd (1999) 164 ALR 606; [1999] HCA 36.
(2) Weller v Foot and Mouth Disease Research Institute [1966] 1 QB 569, QBD.
(3) Sullivan v Moody (2001) 183 ALR 404; [2001] HCA 59 at [48].
(4) Above, n 1.
(5) Caltex Oil (Australia) Pty Ltd v Dredge "Willemstad" (1976) 136 CLR 529; 11 ALR 227; 51 ALJR 270.
(6) Hedley Byrne & Co Ltd v Heller & Partners Ltd [1964] AC 465, affirmed in Perre and Caltex Oil, above n 1 and n 4.
(7) See generally, Graham Barclay Oysters Pty Ltd v Ryan (2002) 194 ALR 337; [2002] HCA 54 at [211]-[213] (Kirby J); and K Barker "Economic Loss and the Duty of Care: A Study in the Exercise of Legal Justification" [2008] UQLRS 1, C Rickett (ed), Justifying Remedies in the Law of Obligations, Hart Publishing, Oxford 2008.
(8) Lloyds Bank v Railway Executive [1952] 1 All ER 1248.
(9) GC100 IP and Data Protection Working Group (2015), accessed 15 April 2015; Wigley & Company's summary of the GC100 report.

Note: Originally published in Privacy Law Bulletin, May 2015, Volume 12 No 5.