
AEREN FOUNDATIONS

Maharashtra Govt. Reg. No.: F-11724

AN ISO 9001 : 2008 CERTIFIED INTERNATIONAL B-SCHOOL


MARKS : 80

SUB: CYBER LAW MANAGEMENT

Case study 1

Internet attorney Reinhardt Buys says a recent court judgment underlines the importance of IT risk management in companies. Buys says that, notwithstanding the requirements of the King II report, a recent court case concluded that a person may be held liable for damages or losses that resulted from a so-called "negligent omission" - the failure and/or refusal to do something when reasonably required to do so. He says the risk management duty was established by the Supreme Court in the judgment of Minister of Safety and Security v Van Duivenboden [2002] 3 All SA 741 (SCA). In the judgment, Judge Nugent stated: "A negligent omission is unlawful only if it occurs in circumstances that the law regards as sufficient to give rise to a legal duty to avoid negligently causing harm. It is important to keep that concept quite separate from the concept of fault."

Buys says: "In practical terms, this judgement implies that a company may be held liable for the damages caused by a certain risk, for example a virus that infected the company's network, if a reasonable person would have foreseen the risk and would have acted to prevent the risk or at least limit its consequences.

"Virus infections and hack attacks on corporate networks are in the press on a daily basis. No company or company director can claim they did not know about or foresee such risks. The total effect of the Van Duivenboden judgement and the risk management guidelines of the King II report is that company directors, including non-executive directors, should identify potential risks and take all reasonable steps to avoid the risk or limit its consequences.

"Although most corporate IT risks can be successfully addressed by the correct use of suitable technology, the most difficult risk to address is human behaviour behind the corporate firewall. Companies are at risk of attacks and abuse by their own employees. The most damaging risk is probably a disgruntled employee who has access to a company's computer network and sensitive information."

Buys points to a case last year in which a dismissed employee of a UK firm's IT department encrypted his ex-company's entire database and demanded 1 million euro in ransom. The company discovered it would cost around 5 million euro to undo the damage and was forced to pay him a generous consultancy fee to sort out the problem. In another case, says Buys, a local retailer employee appeared in the Johannesburg Commercial Crime Court for allegedly initiating a virus in the company's computer network. Trading losses amounted to R5 million. The accused apparently had a grudge against the company's IT department because it had outsourced some IT work and he had to accept a cut in salary.

"A cocktail of legal agreements and company policies should be used to address and manage IT risks where human behaviour, such as negligence or the actions of a disgruntled employee, plays a role.

"Finally, company directors should keep in mind that failure and/or refusal to identify and address corporate IT risk may result in personal liability if damages or losses follow. In terms of section 424 of the Companies Act, a director and even an IT manager may be personally liable for unlimited damages if the failure to identify and manage risks is classified as reckless management of the company by the courts."

1. CASE NO 1

People are the weak spot in IT security

Risk management and internal control often do not enjoy the same prominence as other requirements for good corporate governance. Yet these are issues that the King committee on corporate governance treated with due gravity. The King 2 report on corporate governance defines risk management as the identification and evaluation of actual and potential risk areas as they pertain to the company as a total entity, followed by a process of either termination, transfer, acceptance (tolerance) or mitigation of each risk.

A similar risk management duty was placed on company directors in a recent supreme court of appeal judgment on information technology (IT) risk management. The court found that a person may be held liable for damages or losses that resulted from a "negligent omission" - the failure and/or refusal to do something when reasonably required. The judge said in the judgment: "A negligent omission is unlawful only if it occurs in circumstances that the law regards as sufficient to give rise to a legal duty to avoid negligently causing harm. It is important to keep that concept quite separate from the concept of fault.

"Where the law recognises the existence of a legal duty, it does not follow that an omission will necessarily attract liability. It will attract liability only if the omission was also culpable as determined by the application of the separate test that has consistently been applied, namely, whether a reasonable person in the position of the defendant would not only have foreseen the harm but would also have acted to avert it."

Reinhardt Buys of Buys Inc Attorneys, a law firm that specialises in IT and internet law, says the judgment implies that a company may be held liable for the damages caused by a certain risk - for example, a virus that infects the company's network - if a reasonable person would have foreseen the risk and would have acted to prevent the risk or at least limit its consequences.

He cautions that a failure or refusal by a director to identify and address corporate IT risk may result in personal liability if damages or losses follow. In terms of section 424 of the Companies Act, a director and even an IT manager may be personally liable for unlimited damages if the failure to identify and manage risks is classified as reckless management of the company by the courts. "Companies should not only address the identified IT risk, but also the possible legal liability that may follow if the risk materialises," Buys says. "To address the risk of unauthorised access by hackers into a company's network is one thing, yet the damage and liability that may follow if the hacker discloses sensitive company information is a related, yet totally different risk."

Corporate IT risks can be classified as:

- Risks associated with the use of technology by employees, such as illegal use of e-mail (for pornography or defamation) or non-productivity because of unrestricted and unauthorised internet use;
- External IT security risks such as viruses or hack attacks;
- Risks associated with a company's website or e-commerce initiatives, for example fines that result from non-compliance with new IT legislation, or failure to incorporate legislative requirements that ensure that online agreements are legal, binding and enforceable;
- Negligent actions by employees - for example, the failure to update virus detection software or the sharing of user names and passwords with third parties;
- Theft or loss of computer hardware, resulting in, for example, unauthorised disclosure of trade secrets or electronic identity theft;
- Risks related to the malfunction of technology such as computer software.

Buys says an electronic risk assessment tool (eRat) that assists directors and corporate risk managers in IT risk management is freely available at www.erat.co.za. It was recently updated to incorporate the requirements of legislation such as the Electronic Communications and Transactions Act.

The King 2 report lays the responsibility for risk management with the directors of a company. It says the total process of risk management - including a related system of internal controls - is a board responsibility. Management is accountable to the board for designing, implementing and monitoring risk management and integrating it into the day-to-day activities of the company. It is also accountable to the board for providing assurance that it has done so. The internal audit function should provide independent assurance regarding management's assertions about the effectiveness of risk management and internal control, King 2 says.

Buys says virus infections and hack attacks on corporate networks are in the news on a daily basis, and no company or director could claim ignorance about or the inability to foresee such risks. "The total effect of the said judgment and the risk management guidelines of the King 2 report is that company directors, including non-executive directors, should identify potential risks and take all reasonable steps to avoid the risk or limit the consequences of the risk.

"Although most corporate IT risks can be successfully addressed by the correct use of suitable and updated technology - for example, virus detection software or software that prevents employees from accessing internet chat-rooms - the most difficult risk to address is human behaviour behind the corporate firewall."

Companies are most at risk of attacks and abuse by their own employees. The most damaging risk is probably a disgruntled employee who has access to the company's computer network and sensitive information, Buys says. In the UK last year an employee who was dismissed from a firm's IT department encrypted the company's entire database and demanded 1 million in ransom. The company was preparing to call his bluff when it found out that not only had he succeeded in encrypting the database, but it would cost at least 5 million in computer and employee time to undo the damage.

The compromise: the company paid the employee a generous consultancy "fee" to sort out the problem and agreed that no crime had been committed.

"Issues such as user authentication, restricted access to important data, virus application updates, back-ups and regular intrusion tests should be addressed in a corporate IT security policy," according to Mr. Buys. He also points out that employers should keep in mind that they need the required employee consent before they can access, filter, block or read electronic employee communications.

Issues to be addressed

1. Study the case carefully and bring out its salient features.
2. What do you understand by corporate IT risk? Give your views based on the case details.
3. What would be your suggestion for better IT security for a company?

2. CASE NO 2 - Learning Cyber law in cyberspace

If you have an email account, you have probably experienced, first hand, Unsolicited Commercial Email (UCE), often referred to as "spam". These email messages range from the friendly reminder of new features and products offered on a website, to announcements of get rich quick schemes or pornographic websites. UCE is, to most, an annoyance. It clutters your email inbox, takes time to download, time to determine that it is, in fact, UCE, and it takes time to delete. For individuals, the annoyance factor largely depends on how much UCE one receives, how quickly one can hit the delete key, and how tolerant one is of such interruptions.

Regardless of the level of annoyance, UCE has very real costs. The increased downloading time may result in a higher monthly service fee individuals pay their on-line service provider. The time spent sorting through email is also a cost incurred by individuals as a result of UCE. UCEs also consume space in the form of computer memory. For an individual, the memory space used by UCEs can become a problem, but more typically, the space consumed by UCE is more acutely felt by the on-line service providers (OSPs). For OSPs, unsolicited commercial email is much more than a mere annoyance. UCEs cost OSPs money. In order to keep their systems operating at peak efficiency so as to keep their customers satisfied, OSPs must have adequate memory space to handle not only the regular email traffic, but also the increased email load created by UCEs. The increased load on the entire Internet created by UCE also slows the flow of other Internet traffic.

UCE also has an even darker side. Because those who send UCE know that the vast majority of recipients do not like receiving junk email and will often delete the message without even opening it, senders of UCE have been known to falsely identify the content of the messages. Senders of UCE also know that the use of filtering technology will block messages with certain identifying characteristics, such as a mail server known for sending mass quantities of UCE. Additionally, some individuals despise receiving junk email so much that they react by targeting the sending party with retaliation. The retaliation can range from sending a nasty email to more aggressive (and illegal) tactics of sending email bombs or viruses to the sender of the UCE. Because of the possible filtering of messages and the possibility of more serious reactions from angry recipients of spam, senders of UCE have been known to falsely identify the return email address and other routing information.

While UCEs are almost universally loathed, regulating the sending of UCE provides insight into the difficulties faced in regulating any conduct in cyberspace. In a very practical sense, new technologies challenge lawyers to find approaches within the bounds of current legal doctrine to assist their clients in achieving results the clients desire. In the case of UCEs, that means finding legal theories or causes of action that will permit those who bear the cost of UCEs, i.e., individuals and OSPs, to prohibit or at least place restrictions on the sending of UCE. As problems with the application of these extant doctrines in cyberspace become apparent, inevitably there are calls for new laws on local, state, national and even international levels. Several states in the United States have passed laws regulating UCE. Each year new legislation is introduced in the United States Congress that would address UCE. Internationally there also has been movement towards the regulation of UCE.

In addition to top-down regulation through government imposed laws, regulating activity in cyberspace is also attempted through what is sometimes referred to as a bottom-up approach. The bottom-up approach involves individual actors attempting to shape behavior through promotion of a code of conduct or "netiquette", or through social and monetary pressures with vehicles such as boycotts, but not through government enacted laws.

Issues to be addressed

1. Study the case carefully and bring out the relevant facts of the case.
2. Elaborate on the issues of Top Down and Bottom Up approaches, quoting suitable examples.
3. What did you learn in cyber law based on this study?

3. Consider the following two proposals for defining personal jurisdiction in cyberspace:

1) Personal jurisdiction and choice of law must be determined based on where the server supporting your web site is located. There are two exceptions to this rule:
   (a) Consumer transactions are not covered by this rule; and
   (b) Assertion of jurisdiction to vindicate some social values, such as prevention of child pornography, would be exempt from this rule.

2) A proposal for determining personal jurisdiction in cyberspace, given that personal jurisdiction should be based on an analysis of the following three factors:
   (a) Is the activity directed at a particular forum? Does the forum have a distinguishable and differentiated claim over other forums?
   (b) The nature of the activity - is it illegal, socially undesirable and the like; and
   (c) To what extent does the threat of jurisdiction undermine the underlying activity in question, such as electronic commerce?

Establish the personal jurisdiction considering the above two proposals.
