Penetration Testing mailing list archives
Re: [PEN-TEST] Legalities and Liabilities
From: Bhanu Prasad <B_Prasad () REDSALSA COM>
Date: Tue, 12 Sep 2000 15:26:51 -0400
Another interesting aspect to this is when clients look at legal suits as an option if their systems are hacked after a security consulting assignment. This might become an increasing trend in the time to come and will have a huge impact on the viability of security firms and their insurance costs. The magnitude of consequential loss suits is simply phenomenal... and in the case of e-commerce ventures this is an issue.

The only defence in a court of law would be that reasonable care was undertaken during the security assignment... but given the dynamically changing security challenges and also the limited availability of generally accepted standards, it might be difficult to prove the same. To add to the woes, by default an assignment such as penetration testing is supposed to be innovative, and how can one prove in a court of law that it was innovative and thorough enough?

All consulting firms have liability limitation clauses in their contracts, but we do see instances of clients suing IT companies for failed projects.

Am I being too imaginative, or is there a big issue in what I am talking about?

Thanks,
Bhanu

-----Original Message-----
From: Ben Lull [mailto:blull () VALLEYLOCAL COM]
Sent: Tuesday, September 12, 2000 2:43 PM
To: PEN-TEST () SECURITYFOCUS COM
Subject: [PEN-TEST] Legalities and Liabilities

Hallo,

I have some questions regarding the legal aspects of penetration testing (I'm hoping this hasn't been answered on the list before; I haven't had time to keep up for the past couple of weeks).

1.) Before a pen/sec test takes place, what type of legal documentation should be obtained (disclaimers, limitation of liability, etc.)?

2.) What are the major topics that should be discussed and included in a contract between the pen/sec company and their client? Should a contract even be written up in the first place?

3.) When conducting a pen/sec test, what legal issues should be kept in mind (e.g. get-out-of-jail-free type of stuff)?

5.) After a pen/sec test, if the client's network is cracked, can the pen/sec company be held responsible?

6.) If the pen/sec company offers services such as actual securing of systems, can they be held responsible if the systems they secured are cracked?

I'd appreciate as much feedback as possible. Once again, I apologize if this has already been discussed.

Thanks,
Ben Lull

***
* Ben Lull
* ValleyLocal Internet, Inc.
* Systems Administrator
***