Could/Should you be held liable for server vulnerabilities? [closed]
Solution 1:
I'm not a lawyer and not giving you legal advice. This is ServerFault.com, too, not SuperLawyerOverflowFault.com. I'm also speaking only about the United States re: "North America". Canada is frosty and scary and I know nothing about it.
Having said that, I'm not aware of any U.S. states where criminal liability would come into play for simply not installing patches. Likewise, I'm not aware of any U.S. states that would hold the operator of a server criminally liable for malicious software infections spread from a compromised computer.
There are U.S. states where disclosure of data breaches is required, and failing to disclose can result in criminal liability. Even if your server isn't in such a state, merely storing data about people located in such a state where disclosure is required can create the requirement to disclose. Presumably if your servers was compromised it could be argued that a data breach did occur.
I'd be more worried about civil liability. Anybody can sue anybody else for anything at any time.
Solution 2:
There are two separate questions .. "can I get arrested?" and "can I get sued?"
Evan covered the getting arrested part, and gave us a few chuckles as a bonus!
Regarding getting sued .. I can give some guidance for those of us in the USA.
Here in the USA, you can get sued for anything by anybody; the questions are whether the suit will survive initial review and whether you will lose. This is a very complicated question because of the variety of different possible circumstances. Generally speaking, you are safe if you are doing your job, provided it is legal, even if you do it badly. Generally speaking, you are not safe if you are acting outside of your job duties, not following the law, or acting with malice.
Generally speaking, if you are a employee of a business, law specifies that the business be liable for consequences from your actions as their agent, but you cannot in most circumstances be held individually liable. So the company may get sued and may lose; the worst you might get is fired.
The take away ... if you are not a bona-fide, legit employee of a bona-fide, legit business, make sure that you have at least a bare-bones agreement in place that clarifies your liability. And if you are not comfortable with the uncertainty, see a lawyer.
Also, it is probably worthwhile to get a some "error and omission" or general liability insurance as well, particularly if you have any assets of value (such as a house).
Solution 3:
Speaking for the UK, any liability stemming from a hacked website would fall back onto the company operating that site (if it falls back at all) and not to the individuals within that company. For most companies this means that their directors have their asses on the line.
What your boss does with you when he finds out, is another matter altogether, and depends on your employment contract.
Solution 4:
Yes.
I currently work on both sides (both as a host and a client of a host), and I would certainly hold both myself and my contractor accountable in the event of significant financial loss.
Ultimately this depends on the contract that was signed / agreed to. In our case it would be a breach of absolute trust, which goes above contracts.