The DDoS protection you’re legally entitled to expect

A lawyer with Torys LLP discusses what IT security contracts tend to spell out — and what may be missing. The difference between the two could be critical.

DDoS attacks tend to cost their victims quite a bit of money. And when companies hire service providers who fail to stop them, the question of who’s responsible for what portion of the tab comes up the day after.

We looked at the particular vulnerability of the oil and gas sector to denial-of-service attacks recently, and the potential for hackers to do damage to their physical infrastructure. If (when?) this happens, they’ll be in a world of legal hurt due to environmental regulations, which supersede any contracts they may have made with service providers. But that’s beyond the scope of this blog.

Instead, we’ll take a look at the contracts that companies sign when they engage security service providers, and how those contracts fit into the wider business picture of what IT security costs.

Adam Armstrong, a Toronto corporate lawyer who specializes in IT contracts at Torys LLP, says the first distinction that should be made is between a “service provider,” which would provide a complete package of services, and a specific “service arrangement” with perhaps another company.

There are often multiple parties to a contract, and when disaster scenarios like DDoS attacks are spelled out in one, the first question is what kind of promises were made, and by whom.

“Ultimately, if something happens, what you end up looking at is, under the contract, did somebody have some responsibility to stop it or not,” says Armstrong. “And if someone violated the contract, how much are they liable for?”

When the modern “as-a-Service” model emerged, it was often poorly understood, if not in the technical sense, then too often in the legal sense. But the legal ramifications of the shift to managed IT services were great indeed.

“If you go back a number of years, I would say these things were not really thought about in a lot of detail, and limitations of liability provisions in service arrangement and outsourcing arrangements had a lot of carve-outs for disclosure of confidential information, disclosure of customer information, gross negligence, willful misconduct,” he says.

Years ago, vendors were more willing to take on unlimited liability. Naturally, this led to a number of costly misunderstandings. But businesses in general have now learned a lot about the importance of the specifics in service provider contracts.

“Vendors and customers are becoming far more aware of the risks” of catastrophic events like DDoS attacks, “and are trying to deal with them directly by spelling out in the contract who is supposed to do what, but then also what the liability is for the parties in the circumstances where something goes wrong,” he says.

Security vendors are by now quite hesitant to take on unlimited liability for the protection they provide. Instead, they’ll sit down with their customers and negotiate over responsibilities and risks, says Armstrong. For example, a security provider could promise to offer a number of countermeasures against DDoS attacks, and make guarantees they will do their jobs diligently—but not that they’ll stop every attack, or cover the damage it causes.

For instance, he says, “If I have someone who I’m now hiring to do my Internet security, and that’s where the problem lies, just because I say, ‘You, vendor X, you’re doing it now,’ doesn’t mean vendor X takes all the liability for that.”

“The vendor is not prepared to simply say, ‘I promise no one will get in,’ because they know nowadays that they can’t promise that.”

A company outsourcing services is also outsourcing risk, he adds. And this is where insurance enters the picture. If you’re effectively asking a party at the table to insure something for you, he says, “that actually is a premium built in that’s above what you’re paying them to the service.”

A successfully negotiated contract that spreads out risk in a way that everyone is comfortable with depends on various things, says Armstrong, including the negotiating power of the parties involved, their willingness to take a risk or absorb the cost associated with one, and their sophistication.

All of these vary depending on the company in question, but risk tolerance is usually a fairly static element, and you either have negotiating power or you don’t. That leaves the last piece, level of sophistication, as something that all oil and gas companies can improve on. A very precise understanding of how IT contracts work can mitigate the legal fallout from a DDoS disaster.
