By Eric Wilson
NOVEMBER 07, 2006
COMPANIES are contractually binding their electronic trading partners to
recognised security standards as corporate systems become increasingly
linked for just-in-time trading.
The move is designed to maintain data integrity and privacy, but the
legal framework for IT security compliance in e-commerce is often fuzzy.
At common law, says Matthew Rouse, principal of Brisbane technology law
firm Rouse Lawyers, general liability for technology security negligence
can run through the supply chain.
"The modern law of negligence is founded on the principles enunciated in
the snail in the ginger beer case," Rouse says.
Rouse refers to May Donoghue's soft drink, served in 1928 at the
Wellmeadow Cafe in Paisley England - allegedly with ice cream. At issue
was a £500 claim that snail remains found in the bottle caused
gastroenteritis and emotional distress.
After she lost her case, the House of Lords on appeal allowed Donoghue to
sue down the supply chain to reach her drink supplier's supplier, a man
named David Stevenson.
This established the principle of duty of care to third parties.
Seventy-four years later in Australia, this same duty of care applies to
securing all private information a business may hold about Donoghue or
anyone else - even as subcontractors, outsourcers and offshorers access
data about her through websites, sales, and supply-chain management.
As a result, verifiable legal compliance with international standards is
driving a gleeful IT security industry because senior management is
liable if anything goes wrong.
Rouse says Commonwealth legislation could pin Donoghue's issues on the
board, with directors having a duty of care and diligence under section
180 of the Corporations Act.
"While there is not a specific obligation, it is likely that proper IT
security measures would fall under this general duty of care, depending
on the scope of the company's business," Rouse says.
Bigger companies, and those presenting as IT savvy, are expected to
comply with industry best practice codes, Rouse says.
Even a salesperson saying information will be secured can trigger a
best-practice obligation under the Trade Practices Act.
Under the Privacy Act, it's possible to legally enforce the privacy
statements of companies with turnover of more than $3 million, Rouse
Yet when it gets down to tin tacks, the law is fuzzy as to what a secure
IT environment is. That is why security standards are becoming
increasingly important to control information systems.
Symantec Asia-Pacific and Japan compliance solutions senior director Tim
Hartman says standards such as ISO 17799/27001 provide a generic way to
assess IT security risks, ranging from physical security to acceptable
use policies, email security and configuration management.
Standards provide a common approach for security professionals to audit
what is done.
Banks use the Basel II standard, while the federal government's security
standard is ACSI 33.
The Department of Communications, Information Technology and the Arts'
Leading Practices and Guidelines for Enterprise Security Governance is a
good place to start, Hartman says.
"You want to trust the people you are dealing with electronically so you
get them to sign off on standards," he says. "Security then becomes
Going through a standards process establishes rigour in risk assessment
and decision-making. Hartman says increasing connection between
corporations is eliminating electronic perimeters.
Although firewalls are important, the IT infrastructure they protect
must be hardened.
"Taken to the nth degree, if you dropped that infrastructure on the
internet unprotected, it should survive," Hartman says.
That's not as uncommon as it sounds, as corporate intranets are
sometimes inadvertently exposed to the outside world.
Stephen Kirkby, chief executive of independent web security tester
Maxamine, says maintaining standards isn't easy because web staff are
usually stressed by pressing deadlines.
Mistakes can easily happen in their busy environment, which makes
independent security testing essential to fulfilling the duty of care.
But, he says, big companies often don't even know how many internal
websites they have.
So, if legal push comes to shove, one must be able to prove security
PatchLink Asia-Pacific vice-president Neal Gemassmer says this means
deploying a reporting system that shows when, where and how systems
across a supply chain are patched and updated.
That's because firewalls and infrastructure hardening only buy time to
fix vulnerabilities, and are not the fixes in themselves.
"Companies are negligent if they don't patch their applications, or if
they rely on human aspects or don't report," Gemassmer says.
Apparently May Donoghue settled her duty of care litigation with David
Stevenson's executors out of court for 200UKP, but two lord justices
later concluded there never was any snail.