Don’t rely on the legislation

Virtually all enterprises of any size in Europe use technology in most of their activities. But it is a mistake to rely solely on established legislation to ensure that your rights and the responsibilities you have towards other stakeholders are adequately defined.

Traditional legislation is not always appropriate in the IT field. However, the specifically formulated technology-related legislation is still immature and insufficiently comprehensive. It has been created in haste, without a full understanding of the technology environment, the diversity of it, and the likelihood of its continuing evolution. The attempt was, and remains, to balance the requirements of public safety, national security, tax collection, free market competition and economic prosperity with the requirements, rights and responsibilities which go with freedom of expression, privacy and other civil liberties. However, it is worth noting that currently there is not enough case law to set a precedent for the way in which much of this dedicated technology-related legislation is interpreted in the courts.

The result is that many organisations face a risk in respect of their dependency on technology-related legislation. And the way to manage this is to highlight possible weaknesses and deficiencies within the relevant legislation and to identify compensating controls to limit such dependency risk, until the point is reached where society can place full trust in a current legislation structure that includes technology-related legislation.

In order to better understand the dependency risk and how organisations depend on relevant legislation to protect them against legal proceedings and to underpin their rights in the event of legal proceedings, let us take the examples of privacy and data protection legislation, and computer crime laws. Currently, these have a number of deficiencies.

Data protection

Starting with the European Union (EU) directive for data protection, we find that the scope of the directive puts a limitation on its applicability for protection from activities performed in the name of public or national security, even where these activities infringe on privacy rights. The directive also offers no control of activities conducted by a stakeholder in the course of purely stakeholder-specific (such as enterprise-internal) activities, even if such activities infringe on anticipated privacy rights.

The directive offers no control over raw data that can be used to infer results which could be considered personal information. Further, the use of terms such as 'fair processing' leaves room for ambiguous interpretation. And lastly, the directive makes no conclusive provisions in its approach to cross-border data movement.

In conclusion, the directive's scope does not reflect the complete set of activities that could be detrimental to privacy rights, and which therefore should have dedicated provisions. Additionally, the directive uses language that is open to interpretation. Therefore any organisation which is the perpetrator or subject of one of the activities that fall within these grey areas, cannot rely on the EU directive (nor possibly on member states' legislation to enforce the directive's provisions) to formulate the responsibilities and rights that secure a solid assurance of a winning situation in the case of legal proceedings.

Cybercrime

Taking another example, let us consider the Council of Europe Convention on Cybercrime and its Article 5, which requires European states to formulate relevant legislation that establishes a criminal offence in respect of certain activities that cause system interference. The Article reads: ‘Each party shall adopt such legislative and other measures as may be necessary to establish as criminal offences under its domestic law, when committed intentionally, the serious hindering without right of the functioning of a computer system by inputting, transmitting, damaging, deleting, deteriorating, altering or suppressing computer data.’

Looking at the activities listed in the Article, there are some notable omissions. For example, the Article makes no provision for false pretence activities. Some denial of service attacks, whether against an organisation's own computer system or against other third parties' systems using the organisation's computer system as a proxy, are not provided for. Activities that simply overload the system by sending lots of data to be processed, resulting in substantial delay and the ultimate blocking of customers, are arguably not covered within Article 5. Also, as some organisations' systems invite the type of activity that could result in denial of service effects, this could result in a dispute under the wording of Article 5 as to whether the system interference is actually based on an activity conducted ‘without right’. The words ‘intentional activity’ in the provisions could also lead to a dispute where the denial of service activity was accidental.

In conclusion, the Convention is not mature enough to provide controls over all the types of activity that can be detrimental to an organisation's computer systems, but chooses to focus on intention or resulting impact, instead of primarily focusing on all the possible activities that might be involved. So organisations need to make sure that their systems are not used for such activities, including those not provided for under the Convention and its Article 5, and also find alternative mitigating measures. If activities causing loss to itself or to others fall outside the scope of the Convention, an organisation cannot rely on legal proceedings (even as a deterrent measure) to establish its legal rights.

Compensating controls

Having highlighted some of the deficiencies in examples of non-traditional legislation, there are some compensating measures which can ensure that your dependency risk relating to immature legislation is appropriately mitigated.

The high level protection profile (PP) includes control objectives to ensure that:

• All the activities that your enterprise participates in, whether your organisation is likely to be the perpetrator or subject of detrimental effects, are identified (activity enumeration). Ensure that this volatile list always remains current, and is updated and adapted to reflect the technology environment that applies to your organisation. Also use traditional legislative provisions to draw up a target list of activities (superset of the enterprise activities) to be provided for by the non-traditional (technology-related) legislation

• All relevant non-traditional technology-related legislation is identified and that you identify and document any omissions or ambiguities in respect of scope and wordings that could have an impact on your activities – a comparative analysis to identify pitfall gaps. Consider all relevant non-traditional legislation and the combined provision portfolio effect, so that you can identify gaps within this set of associated legislation (for example, computer crime, communication, privacy and data protection, and intellectual property legislation)

• All legislation jurisdictions are well identified and documented

• Contractual agreements are used as required to specifically spell out the expected rights and responsibilities between your organisation and relevant stakeholders, and to specifically cover all aspects of activities and data not provided for under the relevant non-traditional technology-related legislation as identified above. Regard the traditional legislation as setting the target list of provisions that non-traditional legislation together with the contractual agreements' provisions must cover

• Consider formulating a comprehensive acceptable use policy (AUP) and solicit contractual agreement that includes the full extent of the stipulated AUP

• Jurisdiction and dispute resolution mechanism agreements are included within the contractual agreement

• All provisions under any relevant contractual agreement legislation requirements (such as fair contract terms, contract formulation reached by free negotiation) are considered and incorporated during the contract formulation phase

• Contractual agreements encompass all stakeholders leaving no room for any stakeholder omission due to privity of contract

• Self-regulation controls are instigated within the enterprise as described below.

• Further to the above high level controls, there must also be a set of controls targeted at each of the principles (privacy and evidence handling, communications, web marketing and intellectual property) being provided for by the relevant legislation. As an example of a best practice self regulation PP, I would suggest the following as the basis of formulating a privacy-related PP:

• Contractual agreements spell out the agreement (enforcing the rights and responsibilities) between the organisation and the relevant stakeholders, but allowing the data owner to make its own decision (consent) regarding its privacy-related data and allowing such decisions to be reflected within the contractual agreement

• Data collection, handling and use for explicit purpose is made clear to the stakeholder with the option of consent by the stakeholder

• Subject right include rights to know the extent of collected data, correct collected data and erase any data collected by schemes that do not conform to the agreed procedures

• Collected data is accurate, complete, relevant, non-excessive and stored according to the established retention period, with all such activities in line with the intended use purpose

• Information security measures are implemented to assure the above.

• Other best practice PP includes controls to ensure that:

• Due diligence and other governance measures are implemented within the enterprise, together with liability limitation measures including acceptable use policy, non-disclosure agreements and system logon banners

• Other regulations' compliance measures align with relevant requirements such as those related to corporate governance and risk management

• Information security measure are implemented to avoid the organisation's systems being used as part of an attack on a third party

• Information security measures are implemented to underscore the organisation's rights in respect of legal proceedings

• Business continuity and disaster recovery measures are implemented to facilitate availability.

In summary, adherence to the provisions of technology-related legislation needs to be reinforced by both robust specific-content contractual agreements to protect your business, and self regulation, to align your corporate responsibilities with best practice. Now you are on your way to managing legislation-dependency risk.

Amer Shashati is an IT specialist and author, E-mail: jimy.shashati@virgin.net