Legal Aspects of Information Security Management

April 30, 1998

In a world of increased security risks and threats, information security in Internet commerce has assumed a centre-stage role. With advances in information technology and with an increasing number of consumers relying on Internet-based services, intrusions and other forms of attacks on IT systems will not only continue but are likely to increase in frequency.

The Internet has become an essential and integral aspect of most information technology systems today. The Internet which can be described as the global network of networks has shaped and is continuing to shape the industrial landscape where Internet-based transactions are becoming increasingly common. The IT systems which include the networks and databases have now become an integral part of most nations’ critical infrastructure and this infrastructure is increasingly linked to the Internet. Within this huge Internet-based system, Internet commerce has emerged as one key sector.

The scope and reach of information technology systems in the business sector, particularly those with Internet connectivity, have expanded greatly in recent years. We are also likely to witness an increasing degree of sophistication in attacks on systems. At risk is the potential criminal violation of data and assets of consumers, particularly in sensitive sectors involving banks and financial institutions. As a consequence, technology risk management, especially in relation to information security breaches, has become even more important. At the same time, the deployment of such technologies has become more complex, thereby making technology risk management even more difficult.

Dealing with information security breaches can be complex as the attacks are difficult to detect. The fact that it is not always clear whether certain types of activities are necessarily illegal creates further problems in prosecution. When computer crimes are committed across borders, bearing in mind that digital evidence is by nature transient and fragile, the problem becomes compounded.

Technology services in Internet commerce

Enterprises need to take pre-emptive measures to prepare themselves against cyber attacks, as well as reactive measures after an incident has taken place, to limit losses and to pursue the perpetrator of the attack. Most types of risks inherent in Internet commerce are not fundamentally different from traditional commerce. But given the very nature of Internet commerce, which is much more technology-dependent than traditional commerce, technology risks have become increasingly prevalent and accentuated in complexity and magnitude.

Commercial enterprises typically provide Internet-based systems through two basic sources:

• primary sources, from the enterprise’s own internal system and applications, which may be developed internally;

• secondary sources, such as systems and applications provided through service providers, typically outsourced from external partners or providers.

In the development of such systems in the past, enterprises have tended to deploy proprietary or closed-loop networks which pose less of a risk from attacks via the Internet. However, the increasing use of Internet technologies in an open environment in the commercial sector has created new risks and created greater vulnerabilities and threats.

Customers expect the deployment of Internet technologies to mean greater access and quicker service turnaround. In Internet commerce, customers tend to expect that such enterprises deliver their online services on a continuous, consistent and timely basis. Particularly during peak times, customers of online commercial enterprises expect:

• continuous service on a 24 x 7 x 365 basis, and

• short transaction processing cycles.

The higher risk in providing Internet-based commercial services, coupled with customer expectation of quicker, more accessible (but nevertheless secure) systems, continues to pose a major challenge to the senior management of corporations in providing effective service.

Nature of technology risks in Internet commerce

Technology risks in Internet commerce, as in other Internet-based systems, include any potentially adverse outcome in the form of damage or loss that results from failure or disruption arising from the use of or reliance on information technology systems, including hardware, software, equipment, devices, systems, applications and networks. Such risks typically result from any of the following three forms of risk events:

• attacks, such as intrusions, malicious hacking and fraudulent actions

• systems flaws, such as processing errors, software defects, operating mistakes, hardware breakdowns, systems failures, capacity inadequacies, network vulnerabilities, control weaknesses and information security shortcomings

• management failure to provide adequate recovery capabilities, such as the absence of a disaster recovery plan.

Such risks can arise from within and outside the organisation, with the risks being higher if the threat is internal. While most spending on IT security tends to focus on developing perimeter defences to stop external attackers from penetrating IT systems, there is a realisation that resources also need to be provided to prevent an attack from within, which could be far more disastrous.

While protecting the network, hardware and software is very important, it is the data that resides within the system that is far more important than the system or infrastructure itself. In the Internet commerce arena, such critical data includes customer and accounts particulars. Such data can be remotely accessed, altered, deleted, manipulated or inserted by someone with hacking skills. Unless the system is able to trace and track such intrusions, there is a likelihood that the damage or loss may not be noticed early enough.

Given the unique characteristics of Internet commerce as one primary Internet-based distribution channel for commercial activities, the risk exposure when there are attacks and service disruptions is much higher compared with traditional bricks-and-mortar commerce.

Disaster can range from a total loss of service due to deliberate attacks or natural disasters to a catastrophic system failure owing to software faults or hardware malfunctions. While an aeroplane being crashed deliberately into a skyscraper, as in the WTC terror attack, may not be anticipated on a day-to-day basis, system downtime for whatever reason must still be planned for.

In the aftermath of any disaster or attack, disaster recovery planning then becomes a critical element in any commercial enterprise’s risk management framework. The substantial task of the enterprise is to put together robust and effective contingency operating procedures that cover all possible types of operational disruption or system breakdown.

Legal risk issues in Internet commerce

There are several characteristics of Internet commerce that require us to reconsider the management of legal risk issues in a different light. These include:

Digital and other information assets

Internet commerce deals with new types of digital and information assets. In one sense, such assets define what Internet commerce is all about for the traditional brick and mortar enterprises. In cases where the enterprise itself is a “pure” Internet company, that is, one without a physical presence, the Internet-based business model is actually the very business itself. These digital and information assets are particularly vulnerable to attacks which can threaten the commercial viability of the business.

Borderless and global

Internet commerce is by definition borderless – a global activity. The Internet is a global network of networks. Internet connectivity itself crosses political boundaries with no hindrances so long as the networks in two different jurisdictions are connected. Business methods that are effective and in compliance with the laws and regulations in one enterprise’s home market may not work in markets that operate in a totally different legal environment, and might even expose the enterprise to unexpected legal liability. An example would be a US online bank trying to offer its services to citizens of other countries located in different legal jurisdictions. Such a business model would probably be affected by the laws governing those citizens in their respective home markets.

Timing for product and service roll-outs

In Internet commerce, the “go to market” time for a new project is much shorter compared to bricks and mortar commerce. This reduced time-frame means that legal issues must be addressed much earlier than is traditionally expected.

Managing legal risk issues in Internet commerce

Because of the more Internet-intensive commercial environment, technology-related legal risk management is now becoming an increasingly familiar concept to the board and senior management of all enterprises. If it is not, it should be.

If the legal risks that flow from technology risks are serious enough to threaten the legal and commercial interests of the enterprise, senior management needs to ensure the establishment of a legal risk management framework to identify these risks and take adequate measures to address them. The company’s Board of Directors, for instance, has a fiduciary duty to protect the organisation from security attacks and other forms of cybercrime and security risks which may have a critically negative impact on the organisation’s reputation, assets and commercial viability.

Enterprises should ensure that adequate steps are taken to protect themselves legally. Apart from liabilities for breaches of contractual obligations, the failure to take reasonable and adequate steps to provide security measures may possibly lead to an enterprise being liable for negligence, either in not taking sufficient steps to protect data and information which it has a duty to protect, or in being used as a platform or a channel to mount an attack against another party. Steps should therefore be taken in advance to establish the procedures to handle security breaches.

The board and senior management should therefore review and approve the organisation’s legal risk management policies, taking into account technology risks and the capacity of the organisation to deal with such problems. Legal risk management in this new technology-intensive environment cannot be a task that is merely carried out periodically, say yearly or half yearly. In today’s accentuated security risk environment, legal risk management has to be regarded as an oversight process undertaken by senior management on a continuous basis. This process involves legal risk identification, assessment, control and mitigation. And the scope of legal risk management should embrace a broader horizon which incorporates proactive legal risk management. A key component in this legal risk management framework is the protection of digital assets.

Protecting digital assets

To protect their Internet-based business, enterprises should begin by identifying the assets to be protected before they start doing business. Potential assets at risk include:

Data

This includes customer information, financial data, equity and market index data online and other proprietary data.

Applications or software

Such applications or software include those which run corporate IT systems and workflow (for example, Internet commerce software or enterprise resource planning software which may cost millions of pounds).

Digital products & services

These are information products sold by the enterprise, such as financial planning software, e-toolkits or e-guides and business information. The legal advisors should help ensure that the enterprise has the right to sell these assets and can help improve the chances of successful litigation against digital asset violators and pirates.

Intellectual property rights (IPR)

Such IPR could include those that are in digitised form (for example, copyrights in e-commerce software or trade secrets that are stored in a digital format). The enterprise’s business identity in turn can be embodied in its trademarks, logos and domain name. These assets should be protected by registration in commercially important jurisdictions, to ensure the highest level of protection for the enterprise.

Documentation relating to web sites

The enterprise’s information web site and its transactional site or portal need to be protected through effective contracts governing formation and enforcement. Such web sites should also be monitored and controlled through effective contracts with users of the site, such as the enterprise’s customers and other third parties. Pre-emptive action should be taken against users who violate the enterprise’s intellectual property rights and other digital assets.

Contractual obligations

From the enterprise’s perspective, the legal risk exposures that result from major service disruptions should be given greater priority. Such legal risk exposures usually arise out of contractual obligations in the following two situations. First, where there is a service disruption affecting the enterprise’s customers, which, if not clearly regulated in legal terms, may expose the enterprise to potential legal suits for non-performance of its contractual obligations. Second, where there is a service disruption affecting the enterprise’s partners or other third parties who rely on the enterprise’s technology infrastructure to fulfil other transactional requirements.

Compliance relating to business continuity

Another legal issue that enterprises have to address in the provision of Internet commerce services relates to compliance requirements in business continuity planning. Enterprises such as banks and financial institutions typically operate in a legal environment that is very tightly regulated. The regulatory authorities may require legal compliance in terms of having a sound business continuity plan or disaster recovery plan that is subject to regulatory review and there may be penalties for non-compliance. Such regulatory non-compliance is one form of legal risk exposure that the enterprise’s legal advisors must address.

A business recovery and continuity plan is essential for every business that owns any mission-critical application or system. To ensure adequate availability, enterprises typically provide contingency backup systems to mitigate denial of service attacks or other events that may potentially cause business disruptions.

Business continuity and disaster recovery plans are an essential part of the enterprise’s overall risk management framework. Such a risk management framework typically also includes issues pertaining to data confidentiality, system and data integrity and security practices in general.

The board of directors has a fiduciary duty to ensure that in the event of system failure for whatever reason, there is continuity of service for the enterprise’s clients and partners.

Relationship with technology providers

Most commercial enterprises are not in the business of providing technology solutions, and they rely heavily on external parties such as Internet commerce technology service providers to supply the technology infrastructure that enables them to provide Internet commercial services. This is another dimension in the legal portfolio that senior management must handle.

A further, vitally important, aspect of the legal protection framework in Internet commerce is the use of effectively drafted contracts with third-party vendors and solution providers to ensure the enterprise’s potential legal liabilities are adequately managed. These are contracts that typically manage the relationships that enable the enterprise to provide secure and continuous services, covering such matters as:

• web hosting;

• development of applications (eg Internet commerce software);

• access services provided typically by infrastructure providers such as telecommunication and Internet service provider companies;

• security services, including the supply of security products such as firewalls and encryption software.

Since the provision of technology services is typically not part of a commercial enterprise’s core competencies, such services are typically outsourced to external providers. But the enterprise’s primary responsibility to its customers to provide an accessible, secure service is direct. In the event of the failure of the enterprise’s service provider, the enterprise itself would still be accountable to its customers. There is therefore a need for enterprises to ensure that sufficient counter-indemnity arrangements are entered into between themselves and the third-party technology providers.

So when there is a major service disruption caused by technology or system failure, the issue that often arises is the extent to which the enterprise is able to pass on or share any legal risks with the technology service providers. This typically takes the form of indemnity provisions which require the technology service providers to indemnify the enterprise for losses that result from the service provider’s failure to ensure business continuity.

Managing liability issues

The task of legal advisors in the Internet commerce business is to ensure that once the types of technology risks have been identified, the legal ramifications are clearly understood and analysed. Any potential economic loss should be quantified wherever possible. With this information, the enterprise would then be able to prioritise the legal risks and make legal risk mitigation decisions.

Enterprises can minimise, if not eradicate, such legal risk exposures by designing terms and conditions in their service agreement that exclude or limit their liability in the event of system failure that causes non-delivery of essential services.

By the very nature of enterprises being ‘big business’, it is not uncommon to see ‘pro-company’ terms being imposed on the customers. While customers might simply accept such terms that exclude or limit the liability of the enterprise, particularly when they are not in a strong negotiating position, it makes a lot of sense for enterprises to focus on managing their relations with their customers in other more productive ways such as in the form of client education.

Consumer interests

For most consumers transacting over the Internet, the primary concern when a transaction fails is usually whether a pecuniary loss has been suffered. From the perspective of the enterprise’s customers, confidence is about knowing what they can expect from the enterprise when there is a disaster or an attack that affects their commercial transactions. Individuals and consumers also need to understand the remedies available for a failed transaction over the Internet, regardless of whether it is attributed to a merchant that was the target of a hacking attack or to the actions of fraudulent third parties.

Customers think in legal terms only when there is a major economic loss on their part. So the way to manage possible legal risk exposures that might result from contractual obligations is an assurance programme that is sound, well-publicised and that engages the clients of the enterprise in times when there is no disaster.

While taking the legalistic approach of protecting one’s interests by defining and controlling legal risk through the ‘fine print’ might serve its purpose, a better strategy is therefore to focus on assurance and effective communication to parties that may potentially sue the enterprise in the event of major service disruptions.

Post-Incident Reactive Measures

While being proactive in the management of legal affairs is always the best approach, there are nevertheless other “reactive” measures that have to be taken in the aftermath of a cyber attack where the enterprise is the victim. Given the fragility of digital evidence and the need to collect, preserve and present evidence to the prosecuting agencies for criminal legal proceedings, enterprises should ensure that digital evidence can be properly detected, preserved and presented in a manner that complies with the local laws of the country. And given the transient nature of digital evidence, time is of the essence in all cases involving information security breaches.

In the event digital evidence and data are not properly secured or preserved, such evidence may subsequently be found inadmissible in court for the purposes of criminal or civil proceedings. Therefore, as part of the enterprise’s post-incident operation procedure in areas of disaster recovery and business continuity planning, there is a need to ensure that legally-compliant procedures be pre-established so that they can be activated expeditiously when the incident happens.

Enterprises should also seek legal advice on how to determine whether a crime has been committed and the possible courses of action that can be taken based on the evidence available. Digital forensics work will invariably have to be undertaken together with legal personnel to identify the crime and the offender, and to collect and reconstruct the necessary evidence, which is typically found in disks, logs and other media. Legal advice should be sought on issues such as preservation of evidence, admissibility and the overall presentation of such evidence to the prosecuting agencies in a manner that not only complies with the law but is managed so as to make a strong case for the prosecution. Aside from criminal proceedings, the victim enterprise may also consider filing civil claims for damages and other losses that may have been suffered as a result of the attack.
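The evidence-preservation step described above, as an added example that is not part of the original article: a Python script that hashes each collected artefact at seizure time, keeps a simple chain-of-custody record, and re-verifies the items later so that any post-collection alteration or loss is detectable rather than discovered in court. The file names, actor names and log lines are constructed sample data.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 16


def sha256_file(path):
    """Stream a file through SHA-256 so large disk images or logs are not read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def add_custody_event(manifest, actor, action):
    """Append a custody event; each event also commits to the manifest state before it."""
    prev = hashlib.sha256(json.dumps(manifest, sort_keys=True).encode()).hexdigest()
    manifest["custody"].append({
        "time": datetime.now(timezone.utc).isoformat(),
        "actor": actor,
        "action": action,
        "state_before": prev,
    })


def build_manifest(evidence_dir, collector):
    """Record the hash and size of every file under evidence_dir at collection time."""
    items = {}
    for root, _dirs, files in os.walk(evidence_dir):
        for name in sorted(files):
            full = os.path.join(root, name)
            rel = os.path.relpath(full, evidence_dir)
            items[rel] = {"sha256": sha256_file(full), "size": os.path.getsize(full)}
    manifest = {"items": items, "custody": []}
    add_custody_event(manifest, collector, "collected")
    return manifest


def verify_manifest(manifest, evidence_dir):
    """Re-hash the preserved items and classify each as intact, altered or missing."""
    result = {"intact": [], "altered": [], "missing": []}
    for rel, rec in manifest["items"].items():
        full = os.path.join(evidence_dir, rel)
        if not os.path.exists(full):
            result["missing"].append(rel)
        elif sha256_file(full) != rec["sha256"]:
            result["altered"].append(rel)
        else:
            result["intact"].append(rel)
    return result


def demo():
    """Constructed scenario: preserve two artefacts, then detect later tampering and loss."""
    with tempfile.TemporaryDirectory() as d:
        # constructed sample evidence, not real log or account data
        with open(os.path.join(d, "web.log"), "w") as f:
            f.write('203.0.113.5 - - [01/May/1998:02:14:07 +0800] "GET /admin HTTP/1.0" 401 -\n')
        with open(os.path.join(d, "accounts.csv"), "w") as f:
            f.write("id,balance\n1001,250.00\n")
        manifest = build_manifest(d, "analyst-A")
        first = verify_manifest(manifest, d)          # everything still matches
        # after seizure someone appends to the log and one export goes missing
        with open(os.path.join(d, "web.log"), "a") as f:
            f.write("edited after seizure\n")
        os.remove(os.path.join(d, "accounts.csv"))
        add_custody_event(manifest, "analyst-B", "verified")
        second = verify_manifest(manifest, d)         # alteration and loss are flagged
    return first, second, len(manifest["custody"])


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest and custody list would be stored separately from the evidence itself (and ideally signed), so that the record of what was seized cannot be rewritten together with the items.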

Designing a risk management framework

In designing the overall legal risk management framework, enterprises should, as a general rule, have a proactive and structured programme of action involving the following elements:

• an overall system to identify, classify, measure, prioritise and assess legal risks that are relevant to the enterprise’s operations;

• a plan that is documented in the form of an operation manual (both hard copy and embedded into the system in the form of web-based documents) containing policies, practices and procedures that address and control these risks; such a plan must specify the responsibilities of all parties involved in the whole risk management process, from the operational level right up to the CEO;

• a regular test plan that, when implemented, approximates all possible worst-case scenarios for the purpose of testing the system to its fullest potential;

• a monitoring programme to assess all types of technology and other operational risks, and the evaluation of the effectiveness of such programmes;

• updating such plans in the light of developments in technology, law and business practices;

• post-incident recovery procedures which must incorporate legally compliant techniques for digital evidence collection, preservation and presentment;

• fulfilment of legal compliance requirements as specified by the regulatory bodies;

• a security awareness programme that will help nurture a more security-conscious environment.

Legal audit

In designing this legal risk management framework, it is best to start with an audit. This phase involves senior management and the legal team auditing the adequacy of the legal strategies, legal documentation, work procedures and guidelines that affect the day-to-day legal management of Internet commerce services. Examples of issues that are usually addressed during the audit include:

1. The overall legal strategy to handle legal risks that are technology-driven and the objectives and plans currently guiding the enterprise in the area of technology risk management.

2. An assessment of the legal compliance environment as well as the developments in the legal standard of care in providing security services to protect the enterprise from intrusions or such other forms of attack.

3. The form and effectiveness of the enterprise’s legal standard operating procedures and guidelines and the general organisation and administration of legal matters.

4. Legal cost and economics, for example the cost-benefit analysis of getting external lawyers to advise on the legal issues that the enterprise is currently addressing.

5. Legal department resources and capabilities, i.e. strengths and weaknesses, as related to resources, reputation, services and legal market position. Issues that need to be addressed include whether existing lawyers who are competent in traditional commercial activities such as loan document preparation are competent to handle IT-related legal liability issues, for example in the area of security breaches in Internet commerce.

6. A forecast of the technology and security risk environment and the legal consequences that flow from it that will affect the legal position of the enterprise and its clients.

Conclusion

Enterprises involved in Internet commerce should address and manage legal issues in a manner that is structured and proactive. In Internet commerce, it is imperative not only that physical security be assured but that a sound legal protection regime that protects and secures the enterprise’s other commercial interests is in place. If planned and executed in such a structured and proactive manner, such a legal protection regime would bolster the enterprise’s overall corporate governance framework.

Zaid Hamzah is an Advocate & Solicitor, Supreme Court of Singapore and Solicitor, England & Wales. He is a Visiting Associate Professor at the Law Faculty, University of Malaya, Malaysia and Managing Director of a software development company, I-Knowledge Technologies Private Limited, Singapore. Email zaid@docforte.com or visit http://lexstrategist.com

© Zaid Hamzah 2003

[1] Internet commerce refers to the sale and purchase of products and services using delivery channels based on Internet technologies, including fixed-line and wireless means. In this article the services referred to in relation to Internet commerce are the transactional type of services, as opposed to informational or simple communicative websites.