Castelain – IT security and the law
IT Security and the Law… what are your obligations?
Today we all know that effective IT security is a good idea. Customers, suppliers and insurers expect it, and there is no shortage of evidence that attackers are becoming increasingly sophisticated in their relentless exploitation of any vulnerability. This includes the enemy within: a Cisco study recently found that organisations are more vulnerable to compromise through the deliberate or negligent acts of employees and trusted contractors than through hostile external sources.
But how much IT security is enough? This whitepaper examines the issue from a legal perspective, and explains your legal obligations in relation to IT security.
Legal obligations typically arise from one of four possible sources:
- Legal obligations created through the law of negligence (tort law)
- Legal obligations arising under legislation (either civil or criminal statutes)
- Contracts
- Vicarious liability for the actions of employees
Let us look at each of these four sources of obligation in turn.
1. The law of negligence and IT security
Under the law of negligence, you have a general obligation to take reasonable care in implementing IT security measures so as to avoid causing damage to other organisations or individuals. What is "reasonable care" when it comes to IT security? The most straightforward way to meet this test is to:
- Ensure you meet regulatory compliance standards. (We will learn more about this in the legislative section.)
- Comply with appropriate Australian and international standards.
Standards compliance is an excellent way to demonstrate to a court that you have diligently undertaken all reasonable measures according to an objective, independently recognised set of benchmarks, or "industry best practice". It is evidence of reasonable care rather than a complete defence in itself, since what is reasonable still depends on the context of the particular organisation. Relevant standards to consider are AS/NZS ISO/IEC 27002:2006 Information technology - Security techniques - Code of practice for information security management, and AS/NZS 4360:2004 Risk management.
At a minimum, you should have a written security policy and a security plan.
Further, it may be a mistake to assume that your CIO or another relevant employee has this under control. According to Computerworld, a recent IDC survey indicates that CIOs in Australia and New Zealand think IT security "is a breeze": the IDC Annual Forecast for Management report shows that information security ranks last among CIOs' top ten concerns. It is therefore prudent to commission an IT security audit from recognised experts. Apart from plugging any holes they find, the exercise itself may indicate to a court that you have taken reasonable care.
2. Legislative responsibilities
Corporations Act
A variety of statutes impose legal obligations in relation to IT security. In addition to the common law of negligence described above, which creates obligations towards third parties, the Corporations Act 2001 (section 180) requires company directors, secretaries and other officers to exercise due care and diligence, which extends to preventing loss or damage to the company itself. This means that if an IT security breach is foreseeable and would result in loss to the company, and the benefit likely to be gained from not addressing that risk is low, a director who fails to address the risk is not acting with the required level of care and diligence.
Privacy Act
The Privacy Act 1988 has been extended to the private sector and governs the collection, retention, use and disclosure of personal information. All organisations covered by the Act must implement appropriate physical and information security controls to protect that information. Private sector organisations with an annual turnover of more than A$3 million, and all health service providers regardless of turnover, are now covered by the Act. This means they must comply with the National Privacy Principles (NPPs), including NPP 4 (Data security), which provides that "an organisation must take reasonable steps to protect the personal information it holds from misuse and loss and from unauthorised access, modification or disclosure".
"Reasonable steps" are not defined in the Act, but Castelain has experience in advising what is appropriate in the context of a given organisation, and how to achieve compliance cost-effectively.
Telecommunications (Interception and Access) Act
Under the Telecommunications (Interception and Access) Act 1979, it is prohibited to intercept communications except in certain limited circumstances where privacy is outweighed by other considerations. Recognising that accessing, monitoring and recording email and Internet communications are an essential part of many filtering, quarantining, archiving, disaster recovery and professional IT practices, the Act permits employers and network administrators to access and record communications held on equipment they possess and operate at any time, except when those communications are "passing over a telecommunications system".
What does this mean in practice? Incoming communications continue to "pass over a telecommunications system" until they can be physically accessed by their intended individual recipient within the corporate network. This has led some commentators to conclude that virus scanning of incoming email may be a technical breach of the law unless employees have given signed consent, for example by signing an Acceptable Use Policy when hired. Further, if there is a need to access or copy outgoing communications at or before a gateway, organisations should ensure that their employees and other network users are adequately informed in advance. This is complex and evolving legislation, and most organisations are likely to need expert advice.
3. Contract Law
Most contracts for IT goods and services contain clauses that create obligations in relation to IT security, for example:
- Duty to protect confidential information
- Duty not to infringe intellectual property
- Warranties of merchantability and of fitness for purpose
- Clauses explicitly related to IT security, such as undertakings not to introduce viruses or malware, to maintain adequate backups and disaster recovery arrangements, and to be responsible for the conduct of employees and subcontractors.
4. Vicarious Liability for Employees
There are a number of ways in which the actions of an employee could create legal liability for the organisation, and with it a costly civil settlement or statutory penalty.
According to the Australian Government Solicitor:
“Employers and network administrators who provide email and internet access have a legal obligation to supervise and restrict the manner in which their property is used. A number of sexual harassment, anti-discrimination and copyright cases have consistently highlighted the willingness of Australian courts to hold employers accountable for the actions of people who use their email and internet facilities to break the law. Other areas of potential liability include defamation laws and liability for pecuniary penalties under the Spam Act.”
Conclusion
Unfortunately there is no single, simple checklist that an organisation can use to ensure all of its obligations in relation to IT security have been met; what is "reasonable" will usually be determined by context. Although IT security comes at a cost, expert guidance can ensure that the measures instituted are adequate and appropriate to the particular situation.
References
Australian Government Solicitor (AGS), Commercial Notes No. 13, 8 February 2005, “Online privacy, spam and the Stored Communications Act”, http://www.ags.gov.au/publications/agspubs/legalpubs/commercialnotes/com...
Australian Government Solicitor (AGS), Legal Briefing No. 64, 4 July 2002, “Identifying and Protecting Confidential Information”, http://www.ags.gov.au/publications/agspubs/legalpubs/legalbriefings/br64...
Australian Government Solicitor (AGS), Commercial Notes No. 20, 19 September 2006, “Recent developments in telecommunications interception and access law”, http://www.ags.gov.au/publications/agspubs/legalpubs/commercialnotes/Com...
Computerworld, “If only reducing costs was as easy as security, say CIOs”, http://www.computerworld.com.au/article/214888/only_reducing_costs_easy_...
Network World, 12 November 2008, “Most data security risks internal, Cisco study finds”, http://www.networkworld.com/news/2008/111208-cisco-study-internal-security.html
Office of the Privacy Commissioner: http://www.privacy.gov.au/
Records Management Association of Australasia: http://www.rmaa.com.au/
Standards Australia Limited: http://www.standards.org.au/