Trade Terms and Conditions - and Internet Access
Which companies can still afford not to be represented on the Internet?
The answer is: Fewer and fewer!
In the wake of this Internet boom, more and more service providers offering affordable Internet access and the housing of home pages have shot up from fertile ground. For many companies, using a service provider is an attractive solution because the monthly lease of a permanent connection to the Internet costs more than the annual price of a dial-up connection and a few megabytes of disk storage for a homepage, not to mention the investments in servers, etc.
Thus, it is very understandable that offers from Internet Service Providers are readily accepted, particularly by smaller companies that wish to establish an Internet presence. However, low-cost Internet offers are not necessarily worth their price.
Most companies wish to get onto the Internet primarily to enhance their image by presenting their company culture, as well as the products and services they offer, to existing and potential customers. A number of companies have lately realised painfully that this company presentation can quickly turn into image damage.
One of the consequences of the crash was that a few gigabytes of data were destroyed. Although the ISP did possess back-up copies of the data, it installed only enough data to get a new computer up and running.
None of the information deposited on the crashed computer by customers was restored - a message was simply sent to all customers to the effect that the computer had been replaced and the service was again in operation; would they please upload all their data to the server from their back-up copies.
When customers affected by the problem complained, they were confronted with a paragraph in the General Terms and Conditions of the ISP:
"In case of data loss customers are obliged to transfer the data in question to us again without compensation."
Not only does this paragraph allow the ISP to escape responsibility for restoring lost information and the cost and time associated with this process, but it exonerates the ISP from any obligation to undertake suitable security measures to protect customer data in its care.
Ultimately, this type of clause causes customers to have to bear the costs and responsibilities regarding information on ISP-owned computers over which they have no influence, nor perhaps even right to access. Furthermore, customers are often left without any possibility of testing the security state of the computers used to hold their valuable data.
When questioned about these issues and the circumstances leading to the data loss, the ISP in question was only willing to make a statement by telephone through a business executive. He explained only that the ISP did not accept any liability for customer data or, in general, for how customers used their allocated disk space. He added that if a customer used their password irresponsibly, for example, anyone with knowledge of the password would be able to change or even delete the data (which had nothing to do with the case in question).
Although there is some merit to the notion that an ISP is not obliged to accept responsibility for the actions of their customers, it would be fairly easy to establish reasonable security procedures including activity logging, which would at least make it possible to find out how or by whom the information was destroyed.
The point is, of course, that if the ISP can be shown to be responsible for the data loss, it might be possible to make it liable for the costs associated with re-establishing the information rather than simply letting customers sit with the pain.
A closer look seems to indicate that the absence of liability because of general limitation clauses in the terms and conditions of this particular ISP had led to a situation in which no particular value was attached to user data by the service provider, and where only the most rudimentary measures were in place in terms of information security.
In other cases it has turned out that ISPs were run as one-person companies which were financially incapable of purchasing even the most basic security tools such as tape streamers for backup purposes and firewall equipment.
Ironically, this type of ISP reminds you of the 'Dilbert Principle', according to which, for example, a supervisor tells one of his employees that he has to work off 10 hours of overtime because he has been off for a two-week vacation, or a bank explains to a customer that there is no money in his account because the bank was robbed the previous week, and that he must pay in the deficit immediately.
From an information security point of view, suppliers that include this type of clause in their business terms simply cannot be regarded as serious. Serious and, above all, commercial users should no longer be prepared to accept comprehensive liability limitation clauses.
Information security limitations of this type, in connection with a company's Internet presence, can lead to considerable damage to the image and reputation of the company, thereby causing economic damage. Because of the factors mentioned above, it may be very difficult to claim compensation or even prove what or who caused the problem in the first place.
It is thus advisable for a company considering going on the Net to take a deep and careful look at general clauses limiting the liability of a service provider, as well as at the security measures actually in place to protect customer information, before selecting an important supplier such as an ISP.
And do get it in writing rather than from the mouth of a salesman...