Date: Wed May 24 06:30:13 2006
From: scomeau at cansecwest.com (Sean Comeau)
Subject: Responsibility

On Mon, May 22, 2006 at 08:05:47AM +1000, Greg wrote:
> Large motel/hotel chain I recently acquired wants to sue previous company
> who did their I.T. work for them as a customer's wifi connected machine
> infected their network and caused loss of booking data thus money.
> 
> My question then is - if you have done the utmost to lock down your customer
> but someone connects an infected machine and somehow it gets in, is the
> customer right in suing you? Eg, like a car mechanic, you do the best but
> you cannot be 100% sure that something else that was never a problem will
> now cause a problem (such as a new exploit in our case that wasn't known
> generally until 24 hours ago). Should you be sued at that point?

What was their backup strategy? How many records were lost? It could have been 
disk failure that caused loss of data. Who cares what the cause was. If they
signed an agreement with this IT company to perform regular backups to prevent 
loss of data and then, when data was accidently deleted, they find out there are 
no backups they should sue these guys to recover losses. Just like if you paid 
a mechanic to fix your breaks and you find out (the first time you get near the 
bottom of a steep hill) that he took your money, lied to you and just didn't 
bother to do the work. And that he neglected to do it knowing full well that 
cars often drive down hills and that if they are unable to stop damage to 
property and injury will almost certainly occur.

Basically, shit happens. Computers are unreliable. It is common knowledge,
even among non technical people such as accountants, that backups are needed. 
It is not common knowledge how often backups need to be done for a particular
business. That's for good IT managers/management companies to ask about and 
their employers/clients to choose their own risk on.

Powered by blists - more mailing lists