IT and legal risks management


Computer Audit Update, October 1995


Kevin McLean has over 22 years' experience in Information Technology and management, initially as a systems developer and latterly as a consultant to a wide range of government and business sectors. He is Head of IT Security and Systems Management consulting at Hoskyns Group plc, which is the UK operation of Cap Gemini Sogeti. He has performed security reviews and has implemented security improvement programmes for a wide range of organizations in the UK and internationally, and he is a founder member of the IFIP (International Federation for Information Processing) working group on Information Security Management. This paper was first presented at EuroCACS 95.


Gareth O. Jessop

    There is a general perception that legal issues are of limited significance in IT. The prevailing view is either that the law largely ignores technology and is decades behind in adapting to it or that only specific areas of law (copyright, data protection, hacking offenses) affect the selection and use of IT systems.

    In fact, a much wider range of general law impinges on IT strategy, and IT systems involve both a wide range of legal risks and the opportunity to assess and manage those risks. The real issue therefore is not how the law affects IT but how IT affects legal exposure.

Take some examples from the law of negligence. From the moment, in 1932, when the law recognized a general duty to take reasonable care to avoid acts or omissions which you can reasonably foresee would be likely to injure your neighbours, the use of technology has featured in that issue: the courts have considered the role of available technology in risk management. Before the end of 1932, a US court had decided that barge owners were negligent in not fitting radio receivers, even though only one line in the industry had introduced them [2]. In 1965, a shipping line which had fitted radar but failed to instruct and supervise its staff, so that the radar screen was not permanently monitored, was found liable [3].

The same principles came to be applied to business IT systems. A bank was held liable on a stopped cheque because its cashier failed to check data available on his terminal. By 1973, another US bank only avoided liability for the consequences of a system crash on a state-of-the-art defence, the court finding that its limited backup facilities and absence of disaster recovery procedures were reasonable by reference to the then current cost and availability of such systems [4]; and by 1981 in New York, a bank was successfully sued because its software could not deal with the countermanding of cheques if the cheque details were incomplete [5].

All of these examples are from the United States, but they have persuasive authority elsewhere: the courts were applying the same basic rules as exist under English law. In the UK as in the US, the law expects the installation of reasonably available technology and imposes on businesses and their managers a duty to train and supervise staff in its use. Even lawyers are not immune: the US courts have described an electronic retrieval system as an essential tool of a modern, efficient law office.

    Similar principles are capable of applying even in the field of criminal responsibility, where the test of reasonable care can also be relevant. The most drastic example must be the concept of corporate manslaughter, where a gross failure to exercise due care can render a business and its senior management liable to criminal penalties. There is no difference in principle between a failure to provide machine guards or to control asbestos dust and a failure to provide readily-available monitoring or failsafe software. In all these respects, reckless ignorance as well as deliberate actions can found liability, both civil and criminal.

14 ©1995 Elsevier Science Ltd


    The principles of liability in negligence apply to statements as much as they do to actions. If the relationship between a business and its customer or client is so close that the customer must rely on advice given by the business, a duty exists to deliver that advice with reasonable skill and care, judged by reference to the normal standards in the relevant industry or profession. This is true regardless of how the advice is given. Advice given in a mailshot can be actionable, and so can advice given through an expert system.

IT issues are also highly relevant in the law of contract. Much legal thought was exercised in the nineteenth century in adapting the structure of offer and acceptance, first to cater for a postal system and then for electronic communication in the form of telegraph and telex. Those issues are not dead, but have become even more relevant with the telecommunications revolution. The original concepts, developed to regulate a system of face-to-face communication, have been forced to adapt to cater for distances in space and time, and the basic legal concepts have been strained as a result. Most of all, the communications revolution raises issues of timing and of record-keeping quite different, quantitatively if not qualitatively, from anything relevant when the rules were developed. The familiar lawyers' problem of the "battle of the forms" (proving that one party accepted the other's terms of business before sending its own) takes on a new dimension where communication is near-instantaneous, and the time taken to accept or withdraw an offer can be measured in fractions of a second.

This raises the basic issue of evidential proof, and it is this above all which demonstrates that the questions raised by evolving technology contain their own answers. In any legal dispute, it is rarely the best legal interpretation or the best lawyer which wins, but more usually the best evidence. What matters, most of the time, is not so much what happened as what can be proven to have happened, and records are everything. Here IT (or rather, the imaginative use of IT) is a powerful weapon. The business which can best regulate, track and verify its procedures and its communications will be the winner in almost any legal confrontation.

There are, of course, limits to the power of these weapons. Mainly, those limits are built into the legal system rather than resulting from any inadequacy in the technology, and mostly they are exaggerated. For instance, the situations in which computer records can be used in evidence in this country are limited. Computer records, however, are almost always admissible where compiled by a person acting under a duty (which usually includes anything produced in-house by an employee) [6]. Very often, therefore, those records will be accepted as evidence. This is a vital point, for it is almost impossible by oral evidence to prove a generality. A witness may say that they always gave a certain instruction or warning, or that they always enclosed their company's terms of business with quotations. That will not assist at all in the face of an assertion that, in this particular case, they did not. They are unlikely to recall every specific instance, and it is unrealistic to expect human beings or manual systems to keep complete and detailed records of every transaction. Mass storage on archiving media, however, is cheap and reliable. The more complete and precise the records of a business, the better its prospects of winning a dispute, and the less the prospect that disputes will arise. Almost invariably, the winning party in any litigation is the one with the best records, and good IT systems and procedures are a crucial evidential head-start.

    This is one of the prime areas where, at many levels, IT systems can be a powerful tool for the management of legal risks, but it is not the most important or the most direct. Much more significant is the use of IT at the human interface, to manage processes and transactions. This is perhaps most obvious in industrial production, in relation to safety management and quality control, but it can be equally relevant to service provision and sales functions. At its most basic, it can mean hidden-text annotations to point-of-sale documents, defining the authority of sales personnel on pricing or including legal notes to control the variation of standard terms. At one remove, for personnel offering advice or professional services, it can mean access to expert systems.



In processes too complex to allow total automation, the employer's best protection is a system structure which builds in checks and hold-points. At its most basic level, software which provides a decision-loop (something as simple as "This creates a risk of ... Continue? Y/N") can often fulfil the employer's basic duty to provide a safe system, or provide a control on variations in contract terms. At one remove, the system can be structured to require a reference to a factual database or an expert programme as a necessary step in the creation of an advice document or a tender form. In all of these applications, the same functions which control the process itself, and therefore the risks inherent in it, can generate the necessary records. The system can then also provide what may be vital evidence as a matter of automated routine, by logging these procedures.
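The hold-point and logging idea in the paragraph above, as an added Python example that is not part of the original article: a hypothetical sales-quotation workflow in which a variation of standard terms triggers a "Continue? Y/N" style hold-point, unauthorised variations are refused outright, and every decision is written to the same log that controls the process. The authority table, the standard payment terms, the sample quotations and all function names are assumptions constructed for the example. It goes one step beyond the text by chaining each log entry to its predecessor with a hash, so that the completeness of the record, which the article says is decisive in evidence, can itself be checked later.

```python
"""Hold-point control with a verifiable audit trail.

Added example, not code from the article. Hypothetical business rule: a
quotation may vary the standard payment terms only if the user is
authorised, and any variation must be acknowledged at a Continue? Y/N
hold-point. Each decision is appended to a hash-chained log.
"""
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample data (hypothetical): who may vary which terms.
AUTHORITY = {
    "alice": {"max_discount_pct": 10, "may_vary_payment_terms": False},
    "bob":   {"max_discount_pct": 25, "may_vary_payment_terms": True},
}
STANDARD_PAYMENT_DAYS = 30


class AuditLog:
    """Append-only log; every entry carries the hash of the previous entry."""

    def __init__(self):
        self.entries = []

    def append(self, **fields):
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        body = dict(fields, prev=prev, ts=datetime.now(timezone.utc).isoformat())
        digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        self.entries.append(dict(body, hash=digest))
        return digest

    def verify(self):
        """True only if every entry links correctly to its predecessor and
        its stored hash matches its content (i.e. no edits, no gaps)."""
        prev = "0" * 64
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "hash"}
            if body.get("prev") != prev:
                return False
            if hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest() != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


def risks_for(quote):
    """The 'factual database' step: which risks does this quotation raise?"""
    risks = []
    user = AUTHORITY[quote["user"]]
    if quote["discount_pct"] > user["max_discount_pct"]:
        risks.append("discount exceeds personal authority")
    if quote["payment_days"] != STANDARD_PAYMENT_DAYS:
        risks.append("variation of standard payment terms")
    return risks


def process_quote(quote, confirm, log):
    """Run the hold-point and return (accepted, reason).

    `confirm(risks)` stands in for the Continue? Y/N prompt; it is a callable
    so the example runs without a terminal. Variations outside the user's
    authority are refused; permitted ones still need explicit acknowledgement.
    Every branch is logged, so the record is produced by the control itself.
    """
    risks = risks_for(quote)
    user = AUTHORITY[quote["user"]]
    if "discount exceeds personal authority" in risks:
        log.append(event="refused", quote=quote, risks=risks)
        return False, "refused: outside authority"
    if "variation of standard payment terms" in risks and not user["may_vary_payment_terms"]:
        log.append(event="refused", quote=quote, risks=risks)
        return False, "refused: not authorised to vary terms"
    if risks:
        acknowledged = bool(confirm(risks))
        log.append(event="hold_point", quote=quote, risks=risks, acknowledged=acknowledged)
        if not acknowledged:
            return False, "abandoned at hold-point"
    log.append(event="issued", quote=quote, risks=risks)
    return True, "issued"


def demo():
    """Process three constructed quotations, then show that a retrospective
    edit of one log entry is detected by verify()."""
    log = AuditLog()
    quotes = [
        {"user": "alice", "customer": "C-1", "discount_pct": 5, "payment_days": 30},
        {"user": "alice", "customer": "C-2", "discount_pct": 5, "payment_days": 60},
        {"user": "bob", "customer": "C-3", "discount_pct": 20, "payment_days": 60},
    ]
    results = [process_quote(q, confirm=lambda risks: True, log=log)[1] for q in quotes]
    intact_before = log.verify()
    log.entries[1]["quote"]["payment_days"] = 30   # someone "corrects" the record afterwards
    return results, intact_before, log.verify()


if __name__ == "__main__":
    print(demo())
```

The point of the chain is the one the article makes about oral evidence: a log that can be silently edited proves nothing about the instances that matter, whereas a log whose `verify()` passes shows both that the hold-point was presented and that no entry has since been altered or removed.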

    So far, all of this is in very general terms, and of course it is only the imaginative application of these principles in specific business situations which can produce real benefits. There is a third aspect however which is much more readily quantifiable, and which brings the use of technology in risk management directly into the audit arena. There is a very direct correlation