IT Matters
Managing Legal Risks in IT Security: An Overview
In internet-based commercial transactions,1 technology risks such as systems failure or attacks are particularly accentuated and the ‘risk turnaround time’ is much faster. In this article, Zaid Hamzah advocates the need to develop a proactive legal risk management strategy that would protect enterprises from legal problems that might flow from IT security risks.
Introduction
In a world of increased security risks and threats, information security in internet commerce has assumed a centre stage role. With advances in information technology and with an increasing number of consumers relying on internet-based services, intrusions and other forms of attack on IT systems will not only continue but are likely to increase in frequency. The kinds of threats are evolving too.2 Blaster, for example, hijacked individual computers, turning innocent users into unknowing worm propagators. These kinds of attacks — ‘swarming’ attacks that are coordinated to cause multiplied, cascading effects — have changed the landscape of security risks.
The internet has become an essential and integral aspect of most information technology systems today. The internet, which can be described as the global network of networks, has shaped and is continuing to shape the industrial landscape, where internet-based transactions are becoming increasingly common. IT systems, which include networks and databases, have now become an integral part of most nations’ critical infrastructure, and this infrastructure is increasingly linked to the internet. Within this huge internet-based system, internet commerce has emerged as one key sector.
The scope and reach of IT systems in the business sector, particularly those businesses with internet connectivity, have expanded greatly in recent years. We are also likely to witness increasing degrees of sophistication in the attacks on such systems. There is a risk of potential criminal violation of the data and assets of consumers, particularly in sensitive sectors involving banks and financial institutions. As a consequence, technology risk management, particularly in relation to information security breaches, has become even more important. At the same time, the deployment of such technology has become more complex, thereby making technology risk management even more difficult.
Dealing with information security breaches can be complex as the attacks are difficult to detect. The fact that it is not always clear whether certain types of activities are necessarily illegal creates further problems in prosecution. And when computer crimes are committed across borders and digital evidence is by nature transient and fragile, the problem is compounded.
Technology Services in Internet Commerce
Enterprises need to take pre-emptive measures to prepare themselves against cyber attacks, as well as reactive measures after an incident has taken place to limit their losses and to pursue the perpetrator of the attack. Most types of risk inherent in internet commerce are not fundamentally different from those in traditional commerce. But given the very nature of internet commerce, which is much more technology-dependent than traditional commerce, technology risks have become increasingly prevalent and accentuated in complexity and magnitude.
Commercial enterprises typically provide internet-based systems through two basic sources:
(1) primary sources, from the enterprise’s own internal system and applications which may be developed internally; and
(2) secondary sources, such as systems and applications provided through service providers typically outsourced from external partners or providers.
In the development of such systems in the past, enterprises tended to deploy proprietary or closed-loop networks which pose less of a risk from attacks via the internet. However, the increasing use of internet technology in an open environment in the commercial sector has created new risks and created greater vulnerabilities and threats.
Customers of such enterprises, in turn, expect the deployment of internet technology to mean greater access and quicker service turnaround. In internet commerce, customers tend to expect such enterprises to deliver their online services on a continuous, consistent and timely basis. Particularly during peak times, customers of online commercial enterprises expect:
(1) continuous service on a 24 x 7 x 365 basis; and
(2) a short transaction processing cycle.
The higher risk in providing internet-based commercial services, coupled with customer expectations of quicker, more accessible but nevertheless secure systems, continues to pose a major challenge to the senior management of corporations in providing quality, effective service.
Nature of Technology Risks in Internet Commerce
Technology risks in internet commerce, as in other internet-based systems, include any potentially adverse outcome in the form of damage or loss that results from failure or disruption arising from the use of or reliance on information technology systems, including hardware, software, equipment, devices, systems, applications and networks. Such risks typically result from any of the following three forms of risk event, namely:
(1) attacks such as intrusions, malicious hacking and fraudulent actions;
(2) system flaws such as processing errors, software defects, operating mistakes, hardware breakdowns, system failures, capacity inadequacies, network vulnerabilities, control weaknesses and information security shortcomings; and
(3) management failure to provide adequate recovery capabilities such as the absence of a disaster recovery plan.
Such risks can arise from within and outside the organisation with the risks being higher if the threat is internal. While most spending on IT security tends to focus on developing perimeter defences to ward off external attackers from penetrating the IT systems, there is a realisation that resources also need to be provided to prevent an attack from within which could be far more disastrous.
While protecting IT systems, which include the network, hardware and software, is very important, it is the data that resides within the system that is far more important than the system or infrastructure itself. In the internet commerce arena, such critical data includes customer and accounts particulars. Such data can be remotely accessed, altered, deleted, manipulated or inserted by someone with hacking skills. Unless the system is able to trace and track such intrusions, there is a likelihood that the damage or loss may not be noticed early enough.
Given the unique characteristics of internet commerce as one primary internet-based distribution channel for commercial activities, the risk exposure when there are attacks and service disruptions is, therefore, much higher when compared with traditional commerce.
Disasters range from a total loss of service due to deliberate attacks or natural disasters to a catastrophic system failure owing to software faults or hardware malfunctions. While a plane being crashed deliberately into a skyscraper, such as in the WTC terror attack, may not be anticipated on a day-to-day basis, system downtime for whatever reason must still be planned for.
In the aftermath of any disaster or attack, disaster recovery planning then becomes a critical element in any commercial enterprise’s risk management framework. The substantial task of the enterprise is to put together a robust and effective contingency operating procedure that covers all possible types of operational disruption or system breakdown.
Legal Risk Issues in Internet Commerce
There are several characteristics of internet commerce that require us to look at the management of legal risk issues in a different light and these include:
Digital and other information assets
Internet commerce deals with new types of digital and information assets. Such assets in a way define what internet commerce is all about for the traditional ‘brick-and-mortar’ enterprises. In cases where the enterprise itself is a ‘pure’ internet company, that is, one without a physical presence, the internet-based business model is actually the very business itself. These digital and information assets are particularly vulnerable to attacks which can threaten the commercial viability of the business.
Borderless and global
Internet commerce is by definition a borderless, global activity. Internet connectivity itself crosses political boundaries with no hindrances so long as the networks in the two different jurisdictions are connected. Business methods that are effective and in compliance with the laws and regulations in one enterprise’s home market may not work in markets that operate in a totally different legal environment, and might even expose the enterprises to unexpected legal liability. An example would be a US online bank trying to offer its services to citizens of other countries located in different legal jurisdictions. Such a business model would probably be affected by the laws affecting such citizens in their respective home markets.
Timing for product and service roll-outs
In internet commerce, the ‘go to market’ time for a new project is much shorter compared to ‘brick-and-mortar’ commerce. This reduced time-frame means that legal issues must be addressed much earlier as well.
Managing Legal Risks in Internet Commerce
Because of the more internet-intensive commercial environment, technology-related legal risk management is now becoming an increasingly familiar concept to the board and senior management of all enterprises. If it is not, it should be.
If the legal risks that flow from technology risks are serious enough to threaten the legal and commercial interests of the enterprise, the senior management needs to ensure the establishment of a legal risk management framework to identify these risks and to take adequate measures to address them.
Enterprises should ensure that adequate steps are taken to protect themselves legally. Apart from liability for breach of contractual obligations, the failure to take reasonable and adequate steps to provide security measures may possibly lead to an enterprise being liable for negligence, either in not taking sufficient steps to protect data and information where it has a duty of care to so protect, or in being used as a platform or a channel to mount an attack against another party. Preparatory steps should, therefore, be taken in advance in planning the procedures for handling security breaches.
The board and senior management should, therefore, review and approve the organisation’s legal risk management policies, taking into account the technology risks and the capacity of the organisation to deal with such problems. Legal risk management in this new technology-intensive environment cannot be a task that is merely carried out periodically, say yearly or half yearly. In today’s accentuated security risk environment, legal risk management has to be regarded as an oversight process undertaken by senior management on a continuous basis. This process involves legal risk identification, assessment, control and mitigation. And the scope of legal risk management should embrace a broader horizon which incorporates proactive legal risk management. A key component in this legal risk management framework is the protection of digital assets.
Protecting Digital Assets
To protect its internet-based business, an enterprise should first begin by identifying the assets to be protected before it commences its business. This will avoid any potential loss of time and resources when the enterprise finds itself losing control of these assets. Potential assets at risk include:
Data
This includes customer information, financial data, equity and market index data online and other proprietary data.
Applications or software
Such applications or software include those which run corporate IT systems and workflow (for example, internet commerce software or enterprise resource planning software, which may cost millions).
Digital products and services
These are the information products sold by the enterprises such as financial planning software, e-toolkits or e-guides and business information. Legal advisers can help ensure that the enterprise has the right to sell these assets and improve the chances of successful litigation against digital asset violators and pirates.
Intellectual property rights (IPR)
Such intellectual property rights could include property that is in digitised form (for example, copyright in e-commerce software or trade secrets which are stored in a digital format). The enterprise’s business identity in turn can be embodied in its trademarks, logos and its domain name. These assets should be protected by registration in commercially important jurisdictions, to ensure the highest level of protection for the enterprise.
Other Key Issues
Documentation relating to websites
The enterprise’s information website and its transactional site or portal need to be protected through effective contracts governing their formation and enforcement. Such websites should also be monitored and controlled through effective contracts involving users of the site, such as the enterprise’s customers and other third parties. Pre-emptive action should be taken against users who violate the enterprise’s intellectual property rights and other digital assets.
Contractual obligations
From the enterprise’s perspective, the legal risk exposure that results from major service disruptions is to be given greater priority. Such legal risk exposure usually arises out of contractual obligations in the following two situations. First, where there is service disruption affecting the enterprise’s customers, which, if not clearly regulated in legal terms, may expose the enterprise to potential legal suits for non-performance of its contractual obligations. Second, where there is service disruption affecting the enterprise’s partners or other third parties who rely on the enterprise’s technology infrastructure to fulfil other transactional requirements.
Compliance relating to business continuity requirements
Another legal issue that enterprises have to address in the provision of internet commerce services relates to compliance requirements in relation to business continuity planning. Enterprises such as banks and financial institutions typically operate in a legal environment that is very tightly regulated. The regulatory authorities may require legal compliance in terms of having a sound business continuity plan or disaster recovery that is subject to regulatory review and penalties for non-compliance. Such regulatory non-compliance is one form of legal risk exposure that the enterprise’s legal advisers must address.
A business recovery and continuity plan is essential for every business that owns any mission-critical application or system. To ensure adequate availability, enterprises typically provide contingency backup systems to mitigate denial of service attacks or other events that may potentially cause business disruptions.
Business continuity and disaster recovery plans are an essential part of the enterprise’s overall risk management framework. Such a risk management framework typically also covers issues pertaining to data confidentiality, system and data integrity and security practices in general.
Relationship with technology providers
Most commercial enterprises are not in the business of providing technology solutions and they rely a lot on external parties such as internet commerce technology service providers to provide the technology infrastructure to enable them to provide internet commercial services. This is another dimension in the legal portfolio that senior management must handle.
A further, vitally important, aspect of the legal protection framework in internet commerce is the use of effectively drafted contracts with third party vendors and solution providers to ensure the enterprise’s potential legal liabilities are adequately managed. These are contracts that typically manage the relationships that enable the enterprise to provide secure and continuous services, covering such matters as:
(1) Web hosting;
(2) development of applications (for example, internet commerce software);
(3) access services provided typically by infrastructure providers such as telecommunication and internet service provider companies; and
(4) security services, including the supply of security products such as firewalls and encryption software.
Since the provision of technology services is typically not part of a commercial enterprise’s core competencies, such services are usually outsourced to external providers. But the enterprise’s primary responsibility to its customers to provide an accessible, secure service is a direct one. In the event of the failure of the enterprise’s service provider, the enterprise itself would still be accountable to its customers. There is, therefore, a need for enterprises to ensure that sufficient counter-indemnity arrangements are entered into between themselves and the third party technology providers. These typically take the form of indemnity provisions which require the technology service providers to indemnify the enterprise for losses that result from the service provider’s failure to ensure business continuity.
Managing legal liability issues
The task of legal advisers in the internet commerce business is to ensure that once the types of technology risks have been identified, the legal ramifications are clearly understood and analysed. Any potential economic loss should be quantified wherever possible. With this information, the enterprise would then be able to prioritise the legal risks and make legal risk mitigation decisions.
Enterprises can minimise, if not eradicate, such legal risk exposure by designing terms and conditions in their service agreements that exclude or limit their liability in the event of system failure that causes non-delivery of essential services.
By the very nature of enterprises being ‘big businesses’, it is not uncommon to see ‘pro-company’ terms being imposed on their customers. While customers might simply accept such terms that exclude or limit the liability of the enterprise, particularly when they are not in a strong negotiating position, it makes a lot of sense for enterprises to focus on managing their relations with their customers in other more productive ways, such as in the form of client education.
Consumer interests
For most consumers transacting over the internet, the primary concern when a transaction fails is usually whether they suffer a pecuniary loss, for example where payment has been made but the goods or services have not been received, or where the wrong or unsatisfactory goods or services are delivered. From the perspective of the enterprise’s customers, confidence is about knowing what they can expect from the enterprise when there is a disaster or an attack that affects their commercial transactions. Individuals and consumers also need to understand the remedies available for a failed transaction over the internet, regardless of whether the failure is attributable to the merchant having been the target of a hacking attack or to the actions of fraudulent third parties.
Customers think in legal terms only when there is a major economic loss on their part. Thus, the way to manage possible legal risk exposure that might result from contractual obligations is an assurance programme that is sound, well publicised and that engages the clients of the enterprise in times when things are running smoothly.
While taking the legalistic approach of protecting one’s interests by defining and controlling legal risk through the ‘fine print’ might serve its purpose, a better strategy is, therefore, to focus on assurance and effective communication to parties that may potentially sue the enterprise in the event of major service disruptions.
Evidential issues
In any case involving breach of security, companies must have in place work policies and procedures to ensure that evidence can be properly presented to the prosecuting agencies and the courts. If proper steps are not taken in relation to digital evidence, the chances of proving one’s case or of disproving the other side’s case will be much less.
Given the fragility of digital evidence and the need to collect, preserve and present evidence to the prosecuting agencies in criminal legal proceedings, enterprises should ensure that digital evidence can be properly detected, preserved and presented in a manner that complies with the local laws of the country. And given the transient nature of digital evidence, time is of the essence in all cases involving information security breaches.
In general, companies should have in place policies and procedures, including the following:
(1) steps to isolate or quarantine the evidence;
(2) recovery of evidence;
(3) reproduction of evidence;
(4) processing and analysis of evidence; and
(5) preparation of report by an expert for use in the courts.
In the event that digital evidence and data are not properly secured or preserved, such evidence may subsequently be found inadmissible in court for the purposes of criminal or civil proceedings. Therefore, as part of the enterprise’s post-incident operating procedure in the areas of disaster recovery and business continuity planning, there is a need to ensure that legally compliant procedures are pre-established so that they can be activated expeditiously when an incident happens.
Enterprises should also seek legal advice on how to determine whether a crime has been committed and the possible courses of action that can be taken based on the evidence available. Digital forensics work will invariably have to be undertaken together with legal personnel to identify the crime and the offender, and to collect and reconstruct the necessary evidence, which is typically found in disks, logs and other media. Legal advice should be sought on issues such as preservation of evidence, admissibility and the overall presentation of such evidence to the prosecuting agencies in a manner that not only complies with the law but would also make a strong case for the prosecution. Aside from criminal proceedings that the public prosecutor may take against the perpetrator for the offences committed, the victim enterprise may also consider filing civil claims for damages and other losses that may have been suffered as a result of the attack.
Conclusion
Enterprises involved in internet commerce should address and manage legal issues in a manner that is structured and proactive. In internet commerce, it is imperative that not only physical security be assured but a sound legal protection regime that protects and secures the enterprise’s other commercial interests be in place. If planned and executed in such a structured and proactive manner, such a legal protection regime would boost the enterprise’s overall corporate governance framework.
Zaid Hamzah3
Microsoft Legal and Corporate Affairs Department for the Asia Pacific region
E-mail: zaidh@microsoft.com
Endnotes:
1 Internet commerce refers to the sale and purchase of products and services using delivery channels based on internet technology, including fixed lines and wireless means. In this article, the services referred to in relation to internet commerce are the transactional type of services as opposed to informational or simple communicative websites.
2 Bill Gates writing in Microsoft Progress Report: Security dated 31 March 2004.
3 Zaid Hamzah is author of the book E-Security Law & Strategy (Lexis Nexis, 2005). The views of the author in this article are his personal ones and do not reflect the views of Microsoft Corporation.