• 04 499 5534
  • This email address is being protected from spambots. You need JavaScript enabled to view it.

The question of liability in cyber attacks

Last week we were told the Waikato District Health Board was thrown into chaos because of a cyber-attack on its IT systems. The attacker demanded the payment of a ransom.

Waikato DHB cyber attackPhone lines were crashed and the computer system had almost all information technology services blocked apart from some email accessibility. Operations and other services were cancelled. Urgent surgery was still to be carried out perhaps at Waikato Hospital but failing that at other hospitals.

We are also told that the attack was probably caused by somebody opening an email attachment.

This is an important finding by the Waikato District Health Board because it alerts us all to the importance of taking care in opening email attachments from unknown or unusual senders.

How many readers just simply open emails and attachments regardless of who sent them to see what they have to say? And if you are an employee doing this, what liability do you have? And if you are breaching a company policy when you do this, surely your position is worse?

Any unfortunate employee who opens an email and attachment that results in the infection of their employer’s systems will probably feel desolate, especially if the damage is extensive.

Of course, we do not know the circumstances that led to the opening of the email at Waikato, but no doubt the district health board will be looking into that. Where an employee is guilty of poor performance, employment consequences may follow.

But in general, what can an employer recover in terms of the costs and expenses incurred where an employee is at fault?

In the old days of the common law of master and servant, particularly in England, things were quite tough. The servant had to repay the master for losses caused by their negligence. Where the employer is insured, perhaps the insurance company would sue the worker.

That is exactly what happened in a case involving Martin Alfred Lister, who was 27 years of age in 1949 when an accident occurred. He had worked for his employer since he was 17, apart from a break during World War II.

He and his father were taking a truck into a slaughterhouse yard in Romford in England. The father got out of the truck and went behind it and the son reversed into him. The father was injured and it was accepted that the son had driven the truck negligently without properly looking where he was going.

The father sued the company for personal injury for the negligence of one of its employees, who happened to be his son. The employer’s insurance company insisted on recovering the damages awarded to the father from the son as damages for negligence and/or breach of contract.

A sad story displaying the harshness of the thinking in the late 1940s in England.

In much more recent times, a case decided by Judge Christina Inglis – now the chief judge of the Employment Court – shows the emphasis is quite different.

The case involved the Auckland Council at the time of the transition from many small local bodies to the merged Auckland Council. The focus was on whether or not a worker had complied with advice received on tax payments. The worker lost her job and brought a personal grievance. The council later sought damages for breach of contract against the worker.

The court made the following observation: “[It] is strongly arguable that in the modern context of employment relationships in New Zealand, and in light of the mutual obligations conferred on the parties under the act, an employer may not seek to recover damages from an employee arising from acts of negligence committed during the course of their duties.”

“If it were otherwise it would likely have a chilling effect on the way in which employees undertake their duties, could lead to reactive claims or threats of claims against those taking personal grievances which would undermine the statutory framework for resolving employment relationship issues, and expose employees to significant potential financial liability for a breach even in circumstances that could never justify a dismissal.

“It also raises policy concerns about the fair allocation of risk and which party is best placed to mitigate potential liability.”

The tide is certainly turning against the older judicial thinking that an employer could recover damages from an employee for acts of negligence committed in the course of their duties.

It is unlikely that a worker who opens an email attachment which infects their employer’s system will be liable for the losses incurred. But having said that, they may well be faced with employment consequences.

Regardless of these interesting arguments, there are surely lessons on what happened at Waikato District Health Board for all of us. Take great care in opening emails and especially attachments from strange senders. Better to have someone check it out than let curiosity take over and take a risk.

Employers must make sure their software protection programme is up to date and have good company policies to guide the staff. Staff best take due care and follow those policies.