An interesting question was ask to me the other day. When a website is hacked/compromised who is responsible for fixing it/paying for it to be fixed? From the customers standpoint the answer is clear. The web designer has to cover it. But from my standpoint as a web designer, the answer is not that clear. Here’s why.

Forgetting about writing it into the contract for a moment, lets explore where blame could possibly lie. With any web designer, they should write code to the best of their ability that adheres to best practices in both security and code. In a perfect world that would seal up any security holes code wise. Then there is the server. The server/software can be exploited. But if patches and upgrades are done on a regular basis then there shouldn’t be a problem. The last piece of the puzzle is the user. If the person maintaining the site sticks to best practices security wise (strong passwords, virus free computer, etc) then there shouldn’t be an issue. But the problem is one of these has to fail for a security issue to happen. Then that party is responsible.

To throw a wrench in all of this, what happens if a web designer built a site 3 years ago, no changes have been made beyond a few updates here and there, then the site is compromised because of a new exploit not known about till now. Now who is responsible? The web designer? The client? It can get even more complicated. What about if a web designer creates a site, passes it off to the client. A six months later the client hires a new web designer to manage the site. An exploit happens in the code. Who is responsible? The old web designer or the new one?

It is a tricky situation that sometimes doesn’t have a clear answer. As a web designer I should have a solid contract that takes responsibility off of my company if I’ve done my job correctly and the compromise was not my company’s fault. Its not to get one over on my clients, it is to protect my business. Like any business should. However, I only feel that way if I design a website and hand it off to my client to take care of. If I’ve entered into a service agreement with a client for continued maintenance it is part of my agreement to make sure the site is safe server wise, code wise, and how I access the site. But again blame should be taken off of my company for compromises that happen out of my control.

None of this sits very well. In the end someone has to be responsible for the compromise whether it is the web designer, the client, or the hosting company. A lesson to be taken from this is make sure you and your web designer are aware of the possibilities, your designer stays current on the latest code, security threats, etc, there are clear cut contracts, insurance, and good backups.

I want to leave this as an open ended question. I want to hear from you, our readers what do you think?