WiFi Woes

August 31, 2001

The Square Mile is to be WiFi-enabled throughout.  So are various airports, hotels aspiring to conference trade and the reception areas of the more go-ahead professional firms.  This is both good and bad. 

The good is obvious.  You need never again resort to the glossies while stuck in a reception area waiting for a meeting; you can work instead. 

The bad is less obvious.  The creepy-looking man across the way from you may be reading your private e-mails, transcribing your 1-Click details or demolishing your hard drive – or of course all three.  If he is organised rather than just curious or malicious, he may also be copying your client’s highly confidential business secrets, which you have stored on your laptop in a convenient Word document.  If you have a computer that is set up to enable you to communicate wirelessly through the Internet, and if you do not take certain technical precautions, other people may read and copy material on your hard drive, steal your passwords and leave behind viruses.

The practical solutions are easy, as I understand it.  The technical precautions are available and they are not difficult to take.  For the purposes of this article, we will take that on trust.

The potential legal risks are infinitely more complicated, but, like the technical risks, they can to a large extent be fixed.  They are complicated because of the number of different parties involved.  These will probably be as follows:

  1. the service provider (S)

  2. the location provider (L), such as a hotel

  3. the user (U), who will be an individual but who will as often as not be an employee, so that for legal purposes, through the magic of vicarious liability, U means both the user and the user’s employer – where we need to distinguish the individual from the employer, we will call them “Little U” and “Big U” respectively

  4. any person, in addition to U, whose data is misused (C for client) – C may be U’s client or it may be some other third party whose data U holds.

Let us call the creepy-looking man V (for villain).

The risks are:

          that V will get access to C’s data held by U as a result of U’s use – or rather misuse – of the service provided by S

          that V will get access to U’s own data as a result of U’s misuse of the service provided by S. 

Let us call them the risks of Unauthorised Access.   There is the further risk that V may introduce a virus into U’s system.  This is highly important practically, but has fewer ramifications from a legal perspective.

U can always prevent Unauthorised Access by using the necessary technology.  S may also be able to restrict access to users who have the necessary protection.  L may be able to require S to do so.

If there is Unauthorised Access and C or U suffers loss as a result, these are likely to be the legal consequences:

  1. C and U can sue V, but they probably won’t know who he is.  Even if they do, he will probably not be worth suing.  For what it’s worth, V will probably be breaking the criminal law too, as enshrined in the Computer Misuse Act 1990.

  2. C (if it has suffered the loss) can sue U in contract.  The contract will be that under which U provides its services to C (such as a solicitor’s terms of engagement), or it may be a written or unwritten contract containing an obligation on U to maintain C’s data in confidence.  C’s chances of success will depend on the nature of the contractual relationship between U and C.  In most cases U would be liable to C in respect of the loss of C’s data unless there were very clear wording excluding liability for that loss.  There is nothing in any event that S or L can do about it.

  3. If C and U have no contract but U owes C an equitable obligation of confidentiality, C can sue U for the breach of that obligation.

  4. C cannot sue L or S in contract, because it has no contract with either of them.

  5. It is possible that C could sue L or S in negligence.   L or S would be liable to C if C could establish that they had a duty of care to C, that they had negligently allowed the service to be misused by U in circumstances where C suffered a loss, and that it was reasonably foreseeable that C would suffer such a loss. There are two courses of action that each of L and S could take to minimise this loss. The first is that both L and S could include in their contractual documentation with U wording drawing U’s attention to the potential risks and the action necessary to avoid them.  The second is that each of L and S could include in their contractual documentation with U an indemnity so that, if C were able to sue L or S successfully as a result of U’s failure to use the necessary technology, L or S, as the case may be, could recover any loss from U.

  6. U can sue L in contract.  The claim might arise out of U’s own loss or as a result of U’s being sued by C.  If U can claim that L effectively warranted to U that U’s use of the system was secure, U could sue L for its breach of that warranty.  For example, a hotel might be a little too sweeping in advertising the availability of WiFi as part of its conference services. The solution for L, as before, is to include in its contractual documentation with U clear wording drawing U’s attention to the risks of Unauthorised Access and telling U what steps to take to avoid that risk.  Alternatively, it could simply inform U in its contractual documentation that any risk of Unauthorised Access was U’s risk and could not be passed on to L. A second alternative is for it to obtain an indemnity from S for any such claim, in its contractual documentation with S.  Of course its capacity to do that depends on the bargaining position between S and L; I have known situations where L has extracted a full indemnity from S in those circumstances.

  7. U can sue S in contract.  The situation is the same as between U and L.

  8. L can sue S in contract (to recover the loss arising from being sued by U or C).  If L can claim that S effectively warranted to L that U’s use of the system was secure, L could sue S for its breach of that warranty.  The solution for S, as between it and U, is to include in its contractual documentation with L clear wording drawing L’s attention to the risks of Unauthorised Access and telling L that it should notify U of those risks and that it should include in its contractual documentation with U both a notification of the risks and an exclusion of liability as between L and U.  Or it could simply inform L in its contractual documentation that any risk of liability to U for Unauthorised Access was L’s risk and could not be passed on to S. It might also be able to obtain an indemnity from L for any such claim, in its contractual documentation with S.

  9. It is very unlikely that S could sue L.

  10. Big U almost certainly won’t be able to sue Little U, even if Little U caused all the trouble in the first place through failing to comply with Big U’s instructions.  But Big U should in its staff manual draw Little U’s attention to the potential risks and the action necessary to avoid them.  That will have two benefits – it will explain the risks to Little U, making it more likely that Little U does not risk Unauthorised Access needlessly and it will strengthen Big U’s position in any employment-linked litigation that may ensue, short of enabling Big U actually to be a claimant.

To summarise, each party should have documentation with the others, where possible, in which it does two things:

          it explains the risks

          it ensures that any legal liability falls on the other party.

The party with no documentation of its own, so that the position is governed by general law or, worse, by the other parties’ wording, is likely to end up chairless when the music stops.

Which documentation would this be in practice?

Big U and Little U will already have an employment contract and supporting material such as a staff manual.  It will be a question of including the appropriate wording there.

U and C may or may not have terms of engagement.  It will depend on their relationship.  If they do, again it will be a question of including the appropriate wording.  If not, U should consider setting up mechanisms so that it does not hold valuable third-party data without the third party acceding to terms that release U from liability or at least limit that liability.

S and L will probably have a contract between them. It is important that the question of liability does not go by default.  This contract is likely to be negotiable, depending on how anxious L is to be able to provide WiFi access and how highly it rates S’s services compared with those of its competitors.

S and U may have click-through terms relieving S of liability.  They will probably not be negotiable.  Actually, S is the party most likely already to have effective documentation, even if experience suggests that it is likely to be in American.

L and U may or may not have a contract.  If L is a hotel and U a guest, they will have, and the appropriate terms can be included.  If U is merely a visitor to a hotel, or if L is a professional firm or some secluded corner of Heathrow Airport, the most that L can do to limit liability is to try to impose terms unilaterally, by means of a notice.

Any standard documentation will be subject to the unfair contract terms legislation.  Whether this matters will depend to some extent on whether C or U are consumers: also, crucially, on the extent to which parties are informed of the risks of not taking the necessary precautions; a simple denial of liability will rarely be reasonable if the reasons why it should be reasonable are not explained.  It is unlikely however that any amount of explanation will be enough to enable solicitors to contract out of their obligation to take basic care of their clients’ trade secrets.

A number of different relationships, then, have to be considered in different circumstances, but the solutions in each case are not very different.  Consider however some further variations:

(a) V may be an employee.  There may be a Big V that is found and is worth suing.

(b) Conversely, Little U may not be an employee.  If he or she is an independent contractor, that will demand a separate level of documentation, where Big U may want to take an indemnity, which may be enforceable.

(c) There may be more than one S.  The Cloud, for example, which is responsible for carpeting the City with WiFi access, sometimes provides services to users and sometimes indirectly via other service providers.

(d) There may be more than one L.  Who is the L for the City of London, for instance?

There will be plenty of work for lawyers.  Most of it will involve sorting out disasters where valuable data has been hijacked and all concerned are looking round for someone to blame. But prudent operators will be preparing for that day, squirreling away terms and conditions, so that if anyone is blamed it’s not them.

Robin Bynoe is a Partner at Charles Russell: Robin.bynoe@charlesrussell.co.uk