Legal Question

NightShade03

Understandably we are not lawyers however I wanted some opinions. If the public ip addresses, equipment, licensing, etc... are all paid for and owned by company A, but company B uses them and maintains them year round...who actually gets in trouble if there is a security breach? I mean company B does manage and maintain everything so you would think it's their responsibility and the hammer falls on them, however it is all company A's property...

Opinions? Thoughts?

tiersten

Security breach? Like lost customer data? If so, who owns the data?

Chances are, it'll be a A blame B and B blames A type thing and both get into trouble but IANAL.

LarryDaMan

It's all about how the contracts are drawn up, but usually the information owner (Company A) would be responsible and in your example they would probably sue Company B for any liability incurred.

NightShade03

Breach type is irrelevant...could be lost customer data or wiping a website.

tiersten

NightShade03 wrote: »

Breach type is irrelevant...could be lost customer data or wiping a website.

Since this a hypothetical situation where the exact type of incident isn't known, it is pretty hard to give you a response.

The general answer would be what LarryDaMan said. Read the contracts and work out who to blame first.

msteinhilber

Without knowing any specifics, I would agree with LarryDaMan. I've utilized several vendors for unmanaged co-location as well as unmanaged dedicated servers (their server, not mine as with the prior example) for web servers over the years and many of the agreements if you actually read through them they typically state somewhere in there that you are responsible for maintaining adequate security. They typically have disclaimers exempting them from any damages your services may incur as the result of attacks. Further more I have seen in agreements that if you fail to provide adequate security you can under some circumstances be held liable for attacks launched upon other areas of their network from your machine.

In my experience, typically the majority of the liability falls upon the shoulders of those who are contractually responsible for managing the hardware and/or services. And in the case of my example with companies leasing servers, I have seen managed servers where the terms and conditions attempted to exempt them from lost data or downtime or other breaches. Ultimately in either case I would imagine that if something significant enough were to happen to bring the courts into the mix, the contracts may or may not really mean that much.

NightShade03

Thanks for the feedback all. Do you think that company A can come down on company B if they notice there are problems with the security of the networks? I mean technically it is their (Company A's) network and their equipment....I don't see a reason why they wouldn't be able to demand Company B take action in implementing security/network changes.

tiersten

NightShade03 wrote: »

Thanks for the feedback all. Do you think that company A can come down on company B if they notice there are problems with the security of the networks? I mean technically it is their (Company A's) network and their equipment....I don't see a reason why they wouldn't be able to demand Company B take action in implementing security/network changes.

Again, it is all down to the contracts.