
Public Liability

Here's the situation.

3 different companies run MS SBS (Exchange) mail servers and fail to apply Aug 2004 security updates, which in effect turns their mail servers into almost open relays (in effect a cross between an open relay and an autoresponder gone wrong).

A client via their own Exchange mail server sends out a mailshot to their customers (including the 3 MS SBS servers above) and uses their domain name hosted with us as the From/Reply address. The client screws up the mailshot and sends it out with the list as CCs rather than BCCs.

When the 3 screwy SBS Exchange servers get the mail, rather than just deliver locally, they relay mail to all of the CC'd mailing list.

As there are 3 faulty servers doing this we get exponential growth in the number of mails being generated, to the point that we have 20,000 emails within 30 mins and 400,000 emails within 6 hours.

Most members on the mailing list had their accounts bounce mail for being full, so we ended up with a copy of every mail generated by the faulty servers and all of the bounces, autoresponders etc., to the point where we had 3 servers working flat out to filter out the mails and try and keep our other customers' mail working. After a week of problems we've spent about 15 man hours dealing with the problems.

So the question is, given that the administrators of the SBS servers failed to maintain their servers in a fit state while being connected to the public internet, would anyone agree that we have a right to claim compensation for negligence on the part of the SBS Exchange server owners?
 
Here is what I would do, and take it or leave it. I would contact the owners of the 3 faulty exchanges and ask them whether they have insurance against such incidents, such as public liability insurance. By their reaction to that question you will know what you are up against. If they give you the details then I would contact their insurers and discuss a without prejudice settlement. If they don't give you the details, then I would write to the owner of the exchange stating that you intend to make a claim and ask them to pass the letter on.

DG
 
Here is how I see it.

The companies who have the SBS servers will not have any kind of contract or guarantee that says they will provide a fault-free service. In this case, they are the recipients of the original offending email, not the senders. They have not intentionally created the misconfiguration, or open relay, they have merely neglected to resolve a problem. The original problem in this case is that of Microsoft, and I doubt you will be able to find them liable.

The original problem seems to have been that of the senders, by putting the addresses incorrectly. This has been unfortunately magnified into a larger problem by the ill-configured servers.

I think it would have to go down as experience, but ultimately, the senders could have been at the biggest fault.
 
chinesewhispers said:
They have not intentionally created the misconfiguration, or open relay, they have merely neglected to resolve a problem. The original problem in this case is that of Microsoft, and I doubt you will be able to find them liable.

Let's put it a different way.

You buy a new car but after a few months there's a product recall because the hand brake is faulty. You ignore the recall and carry on parking your car at the top of a steep hill as you always have done.

Then one day, snap, the car runs down the hill and kills someone.

You've failed to act on a warning and as a result of your negligence damage has been caused to an innocent bystander. The manufacturers are in the clear because they told you to fix the problem.

That's exactly the same position that we have with the servers.

My understanding is that if you do something or fail to do something which a reasonable person would have done and as a result you cause damage to a third party then you are liable. (That's why we all have 3rd party liability insurance in our motor, home and business insurance policies.)
 
netserve said:
You've failed to act on a warning and as a result of your negligence damage has been caused to an innocent bystander. The manufacturers are in the clear because they told you to fix the problem.

That's exactly the same position that we have with the servers.

Unless the warning was given directly to you (rather than just a general release of information) and was stated with, do this or else, it would not pass responsibility on to you. What if you were out of the country when the notice was given?

I do see your point, but I don't think in this situation you would be liable either. Whilst I do sympathise entirely, I am trying to be objective, and don't think you will succeed in trying to hold the server companies responsible.

I do wish you luck however.
 
chinesewhispers said:
What if you were out of the country when the notice was given?
....I am trying to be objective, and don't think you will succeed in trying to hold the server companies responsible.

If you run a car then you have a duty of care (and a legal duty via MOT) to ensure that it does not put members of the public at risk.

The same duty of care extends to just about everything else.

A court would always ask what a reasonable man would do.

As a reasonable man, would you connect a mail server to the internet and not apply any of the required security patches and updates from Microsoft?

If a reasonable person would maintain their server properly then not keeping it up to date is negligent and any damage done by that server would leave you open to a claim.

Remember, where there's blame there's a claim :)
 
The terms and conditions don't enter into it as they're not in a contract with the people whose mail accounts they've bombarded.
 
Whilst not patching a server is negligent behaviour as a system administrator, I do not believe it would be found to be legally negligent, as there aren't any contracts or service agreements in place etc.

I don't think blame can be laid anywhere in this case, it would have to be laid down to experience.

Let us know how you get on though.

They didn't initiate a bombarding, the person who incorrectly addressed the email caused the problem.
 
Yup, I've asked for a solicitor to get involved.

If you sent an email TO: bob@isp; dan@isp; tom@isp; and found that by the next morning you'd had 500,000 emails back, your email account was closed down, you couldn't run your business via the web for 4 days and you'd got a bill for £1000 for a sys admin to get your mail server/account running again, I think you'd do more than put it down to experience ;-)
 