Re: Should companies be on the hook for criminal employees' doings?
Hacking is done by people. Crap security that allows it to happen is done by people.
The law may say that a company is a person in its own right, but that is mostly about property ownership so you don’t have to change the title deeds, contracts and so on every time the people in a company change [1], but in reality, a company is just a group of people who get together for a particular purpose. So this means that a person or people within a company do something as part of their work for the company, the company is liable, even if other more senior people in the company prohibited it. The legal authority for this is actually a Morrisons case - Mr AM Mohamud v WM Morrison Supermarkets plc [2016] UKSC 11. https://www.supremecourt.uk/cases/uksc-2014-0087.html
[1] As an example, in England, a partnership is not a legal person, so every time the partners change, you do have to update all the contracts etc every time the partners change. A Scottish partnership is a legal person, even in England, so you don’t.
Biting the hand that feeds IT
