facsimiles can assist organisations to become paperless, but only if staff are
encouraged not to print off everything that is received.

New technology risk case studies
Product redesign for sustainability
Innovation and eco-design also include the issues discussed in Chapter 3:
dematerialisation; decarbonisation; eco-efficiency; miniaturisation;
simplification; substitution; and waste reduction. An assessment toolkit that takes
organisations through this process is available from http://www.iisd.org/

An example is that the UK construction industry is stated to be almost 20
years out of date on some production methods (off-site construction,
prefabrication and levels of energy efficiency), but there are signs of changes as
John Laing Homes in the US is using central vacuum suction to clean the air
in their new homes. This has the benefits of reducing product liability (as the
house has a reduced impact upon human health); maintaining energy
efficiency (in line with building codes); and is proving to be a great selling point
with asthma and allergy sufferers as well as health organisations (The Denver
Post, 15 February 2004, p. K-01).
Agriculture and genetically modified organisms (GMOs)
The speculation based on the technological prospects of new technology such
as genetically modified organisms is coming under greater scrutiny as some
research shows increased external impacts of technologies (i.e. crop varieties)
upon the environment and unclear economic benefits (i.e. for some GM crops
there are estimates of reduced crop yield sizes).
The risk increases as liability for contamination of ‘normal’ or organic
crops will rest with the GM grower and patent holder. This has contributed to
GM maize being withdrawn from the UK. Angola has also banned GM food
(Financial Times, 30 March 2004). There is likely to be a political backlash in
much of the world as the technology is seen as coming from the US. The British
Medical Association said:
Britain is not ready for widespread commercialisation of GM crops and more research is
needed into their health risks. (Financial Times, 10 March 2004)

Case studies here are already plentiful:
Technology: Sainsbury’s plc had their head office invaded by GM protestors
who complained that they sold milk from animals fed with GM ingredients.
The company stated that their milk does not contain GM materials (World
Environmental News, 19 May 2004);
Cadbury Schweppes plc: according to Greenpeace, Cadbury’s Dairy Milk sold
in the US contained GM ingredients. Roast Almond and Fruit & Nut were
also said to contain GM ingredients;
Aviva: according to the Ecologist, Norwich Union was the first insurance
company to use genetic testing to assess customer premiums on 30 occasions;
Marks & Spencer plc: much of M&S clothing was made of GM cotton, also its
skin care and cosmetic products contained GM ingredients. According to
scientists, GM cosmetics are riskier due to being directly absorbed into the
Examples of risk management by companies as a response to GMO uncertainties
(the Precautionary Principle as explained in Chapter 18) include the following:
A survey by Friends of the Earth (FoE) has revealed that the UK’s biggest
food companies will continue to reject GM ingredients in their products
when tougher GM labelling laws are introduced on Sunday 18 April 2004.
The following quotes are company responses to a FoE survey entitled ‘Food
Firms Reject GM Ingredients’, 15 April 2004:
‘As a 100% own brand retailer we are able to offer our customers a very clear
proposition that all Marks & Spencer food is produced using non-GM
ingredients and derivatives’ (Letter, 12 March 2004);
‘Tesco does not … have any own-label GM foods on its shelves, and this will
not change as a result of the new EU legislation in April’;
Morrisons/Safeway: ‘We have removed GM ingredients and GM derivatives
from all our own label products’; and
‘Iceland own brand products have been made without GM ingredients since
1998 and we can confirm our commitment to this policy remains … the new
regulations will not lead to any change in this position’ (Letter, 14 March
2004, Friends of the Earth ‘Food Firms Reject GM Ingredients’, 15 April

Another area of concern is the development of nanotechnology, which will
provide many challenges for the insurance industry, according to a report
published by Swiss Reinsurance Co. While nanotechnology has huge benefits in
many areas, potential risks associated with the technology are as yet unknown
and are hard to assess (Business Insurance, 10 May 2004). There are also
concerns about the level of testing and potential human health issues which are
discussed in Chapter 17.
There are already more than 350 nanotech consumer products now
available, including:
Cosmetics, sunscreens, food containers and stain-resistant clothing;
Samsung now sells a new kind of washing machine that releases nanosilver
ions during the wash and rinse cycles to kill bacteria; and
L’Oreal has a nano particle-based formulation in its High Intensity Pigment
color cosmetics line.
In a review of these new products and associated risks Andrew Maynard, chief
science advisor for the Project on Emerging Nanotechnologies of the Woodrow
Wilson Center, wrote:
Without strategic and targeted risk research, people producing and using nano-materials
could develop unanticipated illness arising from their exposure; public confidence
in nanotechnologies could be reduced through real or perceived dangers; and fears of
litigation may make nanotechnologies less attractive to investors and the insurance
industry. (The Woodrow Wilson International Center for Scholars quoted in Nature, 15
November 2006)

Some of the possible human hazards of nanotech that have been identified or
suspected include:
From a safety perspective:
They are more combustible than common, micron-size particles, raising
the possibility of explosions;
Their ability, identified in animal studies, to clog airways, trigger intense
immune-system reactions and ‘toast’ living cells; and
Some particles that behave like little ball bearings can cause slips and falls.
From a health perspective:
Some carbon nanospheres and nanotubes behave differently than
conventional ultrafine particles, causing fatal inflammation in the lungs of
rodents, organ damage in fish and death in ecologically important aquatic
organisms and soil-dwelling bacteria; and
And a California team working with laboratory-grown cells showed that
carbon nanotubes specifically activate ‘cell suicide genes’ (extracts from
‘Toxic warnings for nano industry’, Risks, issue number 256, 13 May 2006).

The pharmaceutical industry is an excellent case study of how apparently
miraculous medicines have unforeseen side effects, ranging from thalidomide to
antidepressants. The US Food and Drug Administration (FDA) has warned that
taking antidepressant drugs could increase the chances of suicide. This was
prompted by trials of Cymbalta, which caused concern. Also of concern: GSK
(Paxil, Wellbutrin/Zyban); Lilly (Prozac); Pfizer (Zoloft); and Wyeth (Effexor).

E-waste health and safety risks
There will be increased clean-up and disposal costs of products as the nature of
their toxicity is understood more clearly:
E-waste comprises electronic devices (TVs, PCs, etc. – due to their
obsolescence rather than their being broken) with lead, mercury, and other
hazardous materials being discarded in vast quantities;
The majority of the e-waste collected for recycling is also exported to
countries where there are concerns for the labourers and unsafe conditions; and
The Silicon Valley Toxics Coalition and others discovered that dust on
computer processors and monitors contains chemicals linked to reproductive
and neurological disorders, including brominated retardants (Konrad 2004).

Sustainability, technology and reporting issues
Although the increasingly extensive regulatory and related frameworks may
seem overwhelming for organisations, the overall intention should be recalled:
to enable stakeholders to see financial statements clearly and accurately. A
SERM methodology explaining the concept of stakeholders is set out in Chapter
9. The regulations require businesses to be able to produce, when requested,
both financial information and records of how decisions were made. In practice
data must be accurate and rapidly accessible so that:
Auditors must be able to see a company’s financial statements; and
They must be able to look in detail at the data that fed into those statements.

Managing liability issues
In view of the fact that technology issues are increasingly critical to business,
whether purely e-commerce or not, liability concerns can represent an
unparalleled business risk. This is a vast topic and only selected matters can be
covered. The task of a business and its legal advisors is to ensure that once the
types of technology risks have been identified, the legal ramifications are clearly
understood and analysed. Any potential economic loss should be quantified
wherever possible. With this information, the enterprise would then be able to
prioritise the legal risks and make legal risk mitigation decisions. Enterprises
can minimise, if not eradicate, such legal risk exposures by designing terms and
conditions in their service agreement that exclude or limit their liability in the
event of system failure that causes non-delivery of essential services.

Company business terms
As seen above, by the very nature of enterprise being in ‘big businesses’, it
is not uncommon to see ‘pro-company’ terms being imposed on the
customers. While customers might simply accept such terms that exclude or
limit the liability of the enterprise particularly when they are not in a
strong negotiating position, it makes a lot of sense for enterprises to focus
on managing their relations with their customers in other more productive
ways such as in the form of client education.

Consumer interests
For most consumers transacting over the internet, the primary concern when a
transaction fails is usually whether they suffer a pecuniary loss, for example
payment made but the goods or services are not received, or when the wrong or
unsatisfactory goods or services are delivered.
From the perspective of the customers, confidence is about knowing what
the customers can expect from the enterprise when there is a disaster or an
attack that affects their commercial transactions. Individuals and consumers
also need to understand the available remedies of a failed transaction over the
internet, regardless of whether it is attributed to a merchant that was a target of
hacking or the action of fraudulent third parties. In general, customers think
in legal terms only when there is a major economic loss on their part (although
the trend in society is towards more litigation). In any event, the way to
manage possible legal risk exposures that might result from contractual obligations
is an assurance programme that is sound, well publicised and that engages the
clients of the enterprise in times when there is no disaster.

Communication with consumers
While taking the legalistic approach of protecting one’s interests by
defining and controlling legal risk through the ‘fine print’ might serve its
purpose, a better strategy is to focus on assurance and effective communication
to parties that may potentially sue the enterprise in the event of major
service disruptions.
Evidential issues
In any case involving breaches of security (see also Chapter 8), companies
must have in place work policies and procedures to ensure that evidence can
be properly presented to the prosecuting agencies and the courts. If proper
steps are not taken in relation to digital evidence, the chances of proving one’s
case or disproving the other side’s case will be much lower. Given the fragility of
digital evidence and the need to collect, preserve and present evidence to the
prosecuting agencies in criminal legal proceedings, enterprises should ensure
that digital evidence can be properly detected, preserved and presented in a
manner that legally complies with the local laws of the country. Also, given the
transient nature of digital evidence, time is of the essence in all cases involving
information security breaches. In general, companies should have in place
policies and procedures to include the following:
Steps to isolate or quarantine the evidence;
Recovery of evidence;
Reproduction of evidence;
Processing and analysis of evidence; and
Preparation of report by an expert for use in the courts.
In the event digital evidence and data are not properly secured or preserved,
such evidence may subsequently be found inadmissible in court for the
purposes of criminal or civil proceedings. Therefore, as part of the enterprises’
post-incident operation procedure in areas of disaster recovery and business
continuity planning, there is a need to ensure that legally compliant procedures
are pre-established so that they can be activated expeditiously when the
incident happens.
Businesses should also seek legal advice on how to determine whether a
crime has been committed and the possible courses of action that can be taken
based on the evidence available. Digital forensics work will invariably have to
be undertaken together with legal personnel to identify the crime and the offender
and to collect and reconstruct the necessary evidence, which is typically
found in disks, logs and other media. Legal advice should be sought on issues
such as preservation of evidence, issues of admissibility and the overall
presentment of such evidence to the prosecuting agencies in a manner that not
only complies with the law but also is managed in a manner that would make
a strong case for the prosecution. Aside from criminal proceedings that the
public prosecutor may take against the perpetrator for the offences committed, the
victim enterprise may also consider filing civil claims for damages and other
losses that may have been suffered as a result of the attack.

Design of a risk management framework
Two aspects may be considered:
Exposure to risks through IT; and
The use of IT to manage risks.
