Steven Press

Wednesday, 28 December 2005 06:03

Computer viruses

Picture this: your business just completes one of the biggest e-commerce orders in its history. No sooner do your employees begin to high-five each other (and calculate their anticipated commissions) when your purchasing client calls to inform you that your host Web site just spread a virus throughout your purchaser’s information system. Not only is the order cancelled, but now you are about to be sued.

Who is at risk for civil liability?
All businesses linked with the spread of a virus may become civilly liable for the damage. This includes software providers who sell infected products, distributors of the infected products, and individuals who transmit infected e-mail attachments or otherwise expose others to viruses. In other words, you!

Theory behind a negligence claim for virus transmission

If society valued only completely safe products, knives would be dull, all guns would be illegal, and automobiles would be built like tanks and limited to top speeds of 10 miles per hour.

Instead, society seeks to achieve a balance between the need for safety and the need for economic progress/convenience. That balance is achieved through the application of negligence law.

What are the elements of a negligent spread of computer virus claim?
Basically, there are three elements to a successful claim for the negligent spread of a computer virus. First, the defendant must owe plaintiff the duty to take reasonable care to avoid contaminating the plaintiff with the computer virus. Second, the defendant must breach this duty. Third, the defendant’s breach of duty must cause the plaintiff harm.

  • Duty. To whom does a business owe a duty of reasonable care to prevent computer virus contamination? It is reasonable to impute to software providers a duty to not sell their customers software contaminated with viruses. Similarly, it is reasonable to impute to Web-based businesses a duty to protect their customers from downloading infected products.

It is also equally reasonable to impute a duty to any business with a Web site to use reasonable care to protect its users from downloading computer viruses. Finally, any business that uses e-mail has a duty to those with whom it communicates via e-mail to not transmit computer viruses.

  • Breach. Breach of duty refers to the failure to satisfy the reasonable business standard which imposes the duty to exercise the same precautions a reasonable business in the same or similar circumstances would exercise. In the virus context, a business is negligent if it fails to exercise a precaution when the burden of the precaution is less than the likelihood of harm multiplied by the expected harm. This is better known as the cost-benefit analysis.

The higher dollar value placed on the anticipated harm caused from spreading a virus multiplied by the likelihood of spreading the virus, the more anti-virus precautions a business will be expected to take under the cost-benefit analysis.

  • Causation. A plaintiff seeking recovery for negligence must show it would not have been contaminated by a computer virus had the defendant business honored its duty. Suppose a reasonable business would update its virus programs once a month. Also suppose the defendant breached its duty by failing to update its virus protection software the same month it contaminated its customer with a virus.

The defendant may be negligent if the uninstalled virus update would have prevented the virus. However, if the infecting virus was too novel to be included in the antivirus update, the defendant’s breach would not have caused the harm and the defendant would not be liable for negligence.

No doubt a goal of your business is to exceed the customer service offered by your competitors. You should have the same goal when it comes to computer virus protections. If you achieve that goal, hopefully you will avoid having to explain to your suddenly former customer that antivirus software was not worth the cost.

Steven R. Press is an associate at Gambrell & Stolz. His practice areas are corporate law, civil and business litigation, mergers and acquisitions, and restrictive covenants. Please reach him at (404) 221-6534 or