
Court underlines risk management threats

By Tracy Burrows, ITWeb contributor.
Johannesburg, 16 May 2003

Attorney Reinhardt Buys says a recent court judgment underlines the importance of IT management in companies.

Buys says that notwithstanding the requirements of the King II report, a recent court case concluded that a person may be held liable for damages or losses that resulted from a so-called "negligent omission" - the failure and/or refusal to do something when reasonably required to do so.

He says the management duty was established by the Supreme Court in the judgment of Minister of Safety and Security v Van Duivenboden [2002] 3 All SA 741 (SCA).

In the judgment, Judge Nugent stated: "A negligent omission is unlawful only if it occurs in circumstances that the law regards as sufficient to give rise to a legal duty to avoid negligently causing harm. It is important to keep that concept quite separate from the concept of fault."

Buys says: "In practical terms, this judgment implies that a company may be held liable for the damages caused by a certain risk, for example a virus that infected the company's network, if a reasonable person would have foreseen the risk and would have acted to prevent the risk or at least limit its consequences.

"Virus infections and hack attacks on corporate networks are in the press on a daily basis. No company or company director can claim they did not know about or foresee such risks. The total effect of the Van Duivenboden judgment and the risk management guidelines of the King II report is that company directors, including non-executive directors, should identify potential risks and take all reasonable steps to avoid the risk or limit its consequences.

"Although most corporate IT risks can be successfully addressed by the correct use of suitable technology, the most difficult risk to address is human behaviour behind the corporate firewall. Companies are at risk of attacks and abuse by their own employees. The most damaging risk is probably a disgruntled employee that has access to a company's computer network and sensitive information."

Buys points to a case last year in which a dismissed employee of a UK firm's IT department encrypted his ex-company's entire database and demanded 1 million euro in ransom. The company discovered it would cost around 5 million euro to undo the damage and was forced to pay him a generous consultancy "fee" to sort out the problem.

In another case, says Buys, a local retailer employee appeared in the Johannesburg Commercial Crime Court for allegedly initiating a virus in the company's computer network. Trading losses amounted to R5 million. The accused apparently had a grudge against the company's IT department because it had outsourced some IT work and he had to accept a cut in salary.

"A cocktail of legal agreements and company policies should be used to address and manage IT risks where human behaviour, such as negligence or the actions of a disgruntled employee, plays a role.

"Finally, company directors should keep in mind that failure and/or refusal to identify and address corporate IT risk may result in personal liability if damages or losses follow. In terms of section 424 of the Companies Act, a director and even an IT manager may be personally liable for unlimited damages if the failure to identify and manage risks is classified as reckless management of the company by the courts."
