We've seen it before: innocent and unsuspecting organizations that have their networked computers hijacked for use as pawns in attacks against other companies' networks.
But what about when such hijacking can be averted? Is it the middleman's responsibility to prevent further dispersal of attacks? When a hacker sends a virus and/or infiltrates a system and then uses that system to break into or infect other systems, does it result in potential liability for the victim? Downstream liability is recognized as failure to secure, warn and prevent such propagation.
If your organization's computer systems are infected with a virus that's further dispersed by your employees, are you liable for damages that result? You can be if your organization was made aware of the virus's presence, for instance, if a savvy staffer runs antivirus software and discovers it or if you're notified by one of the recipients of your infected e-mail. This awareness may cause your organization to be receive blame indirectly.
Once a user or an organization is made aware that its system has been made the pawn in furthering the spread of a virus or infiltration (through being hijacked), it could become a target of legal action for having had a hand (even though not intentionally) in spreading the virus.
Certainly, an organization is negligent if it's notified that its system is being used as a launch pad for spreading a known virus and doesn't take steps to prevent further infections. While the virus writer is the one directly responsible for creating such viruses, the organizations suffering losses can be held liable for the resulting damage. An organization is more apt to have assets and resources from which litigants may recoup damages, as opposed to a hacker, who is more likely an adolescent or someone with few assets.
Aside from the ethical concerns connected with downstream liability, organizations must take into account their legal obligation to keep their systems secure. Depending upon the state in which the organization is located, there may be laws governing statutory requirements, liability avoidance and legal facilitation of prosecution for unauthorized access and use.
In an effort to protect themselves against such liability, organizations have to use appropriate antivirus defenses. With liability decided at the state level, organizations are left in a quandary, since downstream attacks can happen virtually anywhere across connected systems, without regard to traditional boundaries or borders.
In short, an organization's information systems must be kept secure, not only from a legal standpoint, but for their commercial dealings as well.