Malware: the new legal risk

The purpose of this research is to show that companies world‐wide are being placed under increasing pressure by an onslaught of cyber risks and malware is one of the most common sources of security failures at present. The position in South Africa is no exception and malware presents a very real danger to corporate South Africa's information assets, resources and systems, as it has the capacity to undermine firewalls, hijack Virtual Private Networks (VPN's) and defeat digital signatures. The threats associated with malware have several salient legal issues embedded in it and these are elaborated in the paper. Unfortunately, corporate South Africa is still largely ignorant of the range of tools available to the “Darkside” and the potential legal consequences which may ensue if this cyber risk materialises. The article helps in the understanding of the problem.

This paper examines malware, and more specifically legal liability for malware from a South African perspective. The account contained in this contribution deals with the question whether or not a company who falls victim to a malware attack or unwillingly facilitates such an attack, may be held legally liable. This is done by giving a brief overview of the nature of the cyber risk malware, before moving on to observe the consequences which may ensue if a malware attack occurs. Corporations who fall victim to malware attacks or unwittingly facilitates such an attack may suffer: direct damage; indirect damage; and physiological damage.

It will be pointed out that malware attacks may result in legal liability in civil law for the “victim” company because of its failure to take reasonable steps to secure the information assets, resources and systems of the company.

It will furthermore be observed that companies who unwillingly facilitate malware attacks, where for instance the company's own employee uses company resources to launch a virus attack, may be faced with legal liability in the form of vicarious liability.

Suggestions are made on how to avoid legal liability for failed information security.

No such a study has yet been undertaken in South Africa as most view the law and technology as strange and perhaps dangerous bedfellows. The study will also be of use, value and interest to the library and information community outside South Africa since it raises an issue of real significance.