13.4. Liability for cybersecurity incidents (POLČÁK)
This topic is not a coherent one. Liability takes very different forms and covers various aspects of cybersecurity measures and incidents.
Cybersecurity law as such is primarily based on compliance rather than liability. Regulated subjects, i.e. essential service operators and others, are obliged to develop, deploy and document their own cybersecurity measures, to detect and report cybersecurity incidents, and to comply with any regulatory orders issued by the relevant authorities. In that respect, liability is mostly of secondary concern and covers violations of the above duties. In class we discuss mainly administrative liability arising from the investigative and directive powers of cybersecurity authorities, i.e. fines and administrative orders.
A special sort of indirect, yet quite interesting and pragmatically important, liability can be found in Czech law. It is attached to the regulatory instrument of an 'official warning', which has no direct liability consequences per se but may induce private-law liability. When authorities issue and officially communicate a warning, no immediate duties or administrative sanctions arise, but regulated subjects are provably informed about an actual risk. It is a matter of their choice whether they take any action in response to the warning - however, if they fail to do so and harm is caused as a consequence of that inaction, they might be held liable for failing to fulfil the general private-law duty of prevention.
In any case, cybersecurity law is not primarily about liability. Its aim is to provide for a secure environment rather than tools for the identification and sentencing of perpetrators. Thus, most of the liability agenda related to cybersecurity incidents falls outside the scope of cybersecurity law.
In class, we discuss mostly the typical liability cases, which are both rather frequent and complex. We mostly avoid the liability of attackers - such cases are relatively rare (because of a lack of evidence). Where the evidence is sufficient, these cases are relatively straightforward from the legal standpoint, because criminal law provides well-suited typical offences.
The first typical, and quite problematic, case is that of a negligent user. These cases arise when users let attackers access their devices through malware. As a result, the devices are either used as a gateway for intrusion, ransomware or spyware, or they are used as zombies in DDoS attacks. The main question of law is then whether the users acted negligently, i.e. whether they knew (or could have known) about the risk and could have acted to avoid it. In class, we specifically discuss labour relations and the options an employer has to hold negligent employees liable.
Another typical issue is the liability of active professionals. Active countermeasures taken against various sorts of cyberattacks may generate liability risks because of their possibly intrusive or destructive effects. It is then questionable whether and when one might invoke self-help in cases of infringement of rights, and which active countermeasures are to be considered beyond the law. The same discussion can also be applied to penetration testing, ethical hacking, etc.
As a bonus, although this method is not available in continental law, we discuss a quite creative case of a relatively well-balanced liability assessment of users who avoided a security update of an operating system and thereby exposed their devices to botnet malware.