A recent computer virus attack on servers that direct traffic on the internet hit Korea especially hard. One reason is that Korea is one of the countries in the world that uses the internet the most, with 70% of the population plugged into the web. In the wake of the attack that crippled internet access over one weekend, a Korean civic group is preparing to file a lawsuit. This may be a good time for many IT-related companies to take a close look at their rights and obligations under the relevant Korean statutes.
Internet service providers
The most important factor in determining the liability of an internet service provider (ISP) would be whether or not the ISP's failure to prevent such an incident is a breach of the ISP's duties. The short answer is that preventing the damages caused by the worm virus was not within the scope of the ISP's control and therefore not a breach of its duties. The virus exploited a weakness in the server software, and a software patch file was made available to the individual system operators by the software manufacturer.
Under the Act on Product Liability of 2002, the general rule is that where damages have been caused by information contained in computer software or a publication, a claim cannot be brought against the software manufacturer or the publisher. The Act is not clear on whether computer software products by themselves are goods which are held to a higher standard than mere information.
Assuming that the software products are goods under the purview of the Act, liability is determined by proving that such goods are defective and that the manufacturer did not take adequate remedial measures to cure the defect.
Defect: In the present situation, the claim would be that the software manufacturer acknowledged the weakness in the software's security and the worm virus attacked that very weakness. Therefore, the software's security was defective. Although the actual cause was the act of a third party introducing the virus, the causal relation between the security weakness and the virus attack is unlikely to be completely severed.
Exemptions: Under the Act, if the level of scientific or technical knowledge available at the time of supply was inadequate to find the defect, the manufacturer can be exempt from liability. However, if the manufacturer knew or could have known about the defect after supply had been made, but did not take adequate steps to prevent damages, it cannot claim an exemption from liability. Therefore, the issue is whether the software manufacturer's actions after detecting the defect were appropriate with regard to the software weakness and the virus attack on that weakness.
Other theories of liability
Legitimate purchasers of the server software can bring breach of contract claims against the software manufacturer for breach of express or implied warranties because of a defect. Also, even if the Act does not apply to the software manufactuer in the present case, the software manufacturer may be held liable under general torts law. However, this would require the plaintiff to clear a higher hurdle by proving negligence by the software manufacturer.
The problem would not have arisen had each individual system operator installed the patch file provided by the software manufacturer. However, it would be difficult to establish that individual system operators had a duty to download the patch file in order to supplement the inherent weakness of the software.
Assuming that a defendant is held liable, damages may be claimed as follows:
Individual internet users: individual internet users may be able to claim damages for mental or emotional suffering caused by the incident.
Internet business operators: internet business operators may bring a claim against an ISP or the software manufacturer for lost profits caused by the incident. Additionally, internet business operators can bring a claim for harm done to their business reputation.
The ISP or the software manufacturer could argue that such business operators failed to mitigate damages by not installing the software patch file, and it is possible that such contributory negligence may block this claim.
ISP: the ISP could hold the software manufacturer responsible for manufacturing defective goods and bring a claim for expenses incurred to resolve the internet connection failure and compensation for harm done to its business reputation. Again, the software manufacturer could cross-claim against the ISP for failing to prevent the incident by installing the patch file.
Yang Ho Oh