Re: [PEN-TEST] Legalities and Liabilities
From: Bhanu Prasad <B_Prasad () REDSALSA COM>
Date: Tue, 12 Sep 2000 15:26:51 -0400
Another interesting aspect to this is when clients look at legal suits as an
option if their systems are hacked after a security consulting assignment.
This might become an increasing trend in the time to come and will have a
huge impact on the viability of security firms and their insurance costs.
The magnitude of consequential loss suits is simply phenomenal... and in the
case of e-commerce ventures this is an issue.
The only defence in the court of law would be that reasonable care was
undertaken during the security assignment...but in case of the dynamically
changing security challenges and also the limited possibility of generally
accepted standards, it might be difficult to prove the same. To add to the
woes, by default an assignment such as penetration testing is supposed to be
innovative and how can one prove in the court of law that it was innovative
and thorough enough?
All consulting firms have liability limitation clauses in their contracts
but we do see instances of clients suing IT companies for failed projects.
Am I being too imaginative, or is there a big issue in what I am talking
From: Ben Lull [mailto:blull () VALLEYLOCAL COM]
Sent: Tuesday, September 12, 2000 2:43 PM
To: PEN-TEST () SECURITYFOCUS COM
Subject: [PEN-TEST] Legalities and Liabilities
I have some questions regarding the legal aspects of penetration
testing (I'm hoping this hasn't been answered on the list before,
I haven't had time to keep up for the past couple of weeks).
1.) Before a pen/sec test takes place, what type of legal documentation
should be obtained (disclaimers, limitation of liability, etc..)?
2.) What are major topics that should be discussed and included in a
contract between the pen/sec company and their client? Should a
contract even be written up in the first place?
3.) When conducting a pen/sec test what legal issues should be kept in
mind (e.g., get-out-of-jail-free type of stuff)?
5.) After a pen/sec test, if the client's network is cracked, can the
pen/sec company be held responsible?
6.) If the pen/sec company offers services such as actual securing of
systems, can they be held responsible if the systems they secured are
I'd appreciate as much feedback as possible. Once again I apologize if
this has already been discussed.
* Ben Lull
* ValleyLocal Internet, Inc.
* Systems Administrator