IT testing laws leave lawyers laughing

IT managers are rejecting elaborate waivers pushed by IT security vendors for routine penetration testing, but legal concerns have been accelerating since the introduction of the Cybercrime Act (2001).

Security vendors and IT managers agree the legal landscape has become far more complicated in the past 12 months and concerns have been raised about the legalities surrounding IT security testing following the introduction of the draconian cybercrime legislation.

Offences carrying jail terms of up to 10 years for possessing hacker tool kits, scanners and virus code are part of the act.

But for IT security vendors these are the tools of the trade and the only way to ‘fit the bill’ is to ensure written authorization is backed by appropriate indemnities from clients. However, the indemnities have become so elaborate to cover legislative concerns as well as insurance risk that users are sceptical.

A company that undertakes extensive penetration testing is ITAC and CEO Stephen James said customers have baulked at some of the waivers. The use of lawyers has certainly increased in the past 12 months, he said.

Freehills Lawyers has also issued warnings to clients claiming written authorization should be sought that includes appropriate indemnities from clients before conducting any security investigations “to avoid criminal liability.”

ITAC’s James said the waiver can be “all encompassing”, so the company has made allowances by putting the word “gross” in front of the word negligence, because there is a big difference between negligence and gross negligence. Clients express fears about having a ‘comeback’ if any testing should go wrong, he said.

“For clients that are concerned they have no comeback as a result of our penetration testing we alter the wording to suit the situation, but insurance companies are certainly driving a new level of legal responsibility in IT security; it isn’t solely about the cybercrime act,” he said.

AMP IT information security manager Stephen Frede said it is important to have legal clearance with the security provider that is undertaking testing, because of the risk of shutting down systems.

“I know of instances where a supposedly safe vulnerability assessment scan has crashed the target system,” Frede said.

“We don’t focus on the act as such, but there must be a clear understanding between the service provider and organization to ensure there are no unfortunate consequences that can arise from misunderstandings.”

Institute of Online Security (IOS) CEO Glenn Floyd said there have been some “novel” approaches by companies seeking to cover themselves under the act.

“Lawyers are the big winners and they have really extended the law to cover themselves; it is always regrettable when lawyers are at the centre of any industry,” Floyd said.

“Corporate governance has reached a whole new realm with everyone trying to protect themselves.”