
merce arena, such critical data includes customer and account particulars. Such data can be remotely accessed, altered, deleted, manipulated or inserted by someone with hacking skills. Unless the system is able to trace and track such intrusions, the damage or loss is likely to go unnoticed until it is too late. Given that internet commerce is a primary internet-based distribution channel for commercial activities, the risk exposure when attacks and service disruptions occur is much higher than in traditional bricks and mortar commerce.
Disaster can range from a total loss of service due to deliberate attacks or natural disasters to a catastrophic system failure owing to software faults or hardware malfunctions (see also Chapter 8). An event such as the World Trade Center terror attack, in which aeroplanes were deliberately crashed into skyscrapers, cannot be anticipated on a day-to-day basis, but system downtime, whatever its cause, must still be planned for. In the aftermath of any disaster or attack, disaster recovery planning becomes a critical element of any commercial enterprise's risk management framework. The substantial task facing the enterprise is to put together robust and effective contingency operating procedures that cover all foreseeable types of operational disruption or system breakdown.
Chapter 11 – Information technology (IT) and e-commerce 263



Legal risk issues in internet commerce
There are several characteristics of internet commerce that require the management of legal risk issues to be reviewed in a different light. These include the following.


Digital and other information assets
Internet commerce deals with new types of digital and information assets. For traditional bricks and mortar enterprises, such assets in a sense define what internet commerce is about. Where the enterprise is itself a 'pure' internet company, that is, one without a physical presence, the internet-based business model is the very business itself. These digital and information assets are particularly vulnerable to attacks which can threaten the commercial viability of the business.


Borderless and global
Internet commerce is by definition a borderless, global activity. The internet is a global network of networks, and internet connectivity crosses political boundaries without hindrance so long as the networks in two different jurisdictions are connected. Business methods that are effective and compliant with the laws and regulations of an enterprise's home market may not work in markets that operate in a totally different legal environment, and might even expose the enterprise to unexpected legal liability. An example would be a US online bank offering its services to citizens of other countries in different legal jurisdictions. Such a business model would probably be affected by the laws that apply to those citizens in their respective home markets.


Timing for product and service roll-outs
In internet commerce, the 'go to market' time for a new project is much shorter than in bricks and mortar commerce. This reduced time frame means that legal issues must be addressed much earlier than is traditionally expected.


Managing legal risk issues in internet commerce
As a result of the more internet-intensive commercial environment, technology-related legal risk management is becoming an increasingly familiar concept to the board and senior management of all enterprises. If it is not, it should be.
If the legal risks that flow from technology risks are serious enough to threaten the legal and commercial interests of the enterprise, senior management needs to ensure that a legal risk management framework is established to identify these risks and take adequate measures to address them. The company's board of directors, for instance, has a fiduciary duty to protect the organisation from security attacks and other forms of cyber crime and security risks which may have a critically negative impact on the organisation's reputation, assets and commercial viability.

Part B – Overview of the Economic Aspects of Business Risk 264

Enterprises should ensure that adequate steps are taken to protect themselves legally. Apart from liability for breaches of contractual obligations, failure to take reasonable and adequate security measures may lead to an enterprise being liable in negligence, either for not taking sufficient steps to protect data and information where it has a duty of care to protect them, or for being used as a platform or channel to mount an attack against another party. Procedures for handling security breaches should therefore be planned in advance.
The board and senior management should review and approve the organisation's legal risk management policies, taking into account technology risks and the capacity of the organisation to deal with such problems. Legal risk management in this technology-intensive environment cannot be a task that is merely carried out periodically, say yearly or half-yearly. In today's heightened security risk environment, legal risk management has to be regarded as an oversight process undertaken by senior management on a continuous basis. This process involves legal risk identification, assessment, control and mitigation. The scope of legal risk management should also embrace a broader horizon that incorporates proactive legal risk management. A key component of this legal risk management framework is the protection of digital assets.


Compliance relating to business continuity
Another legal issue that enterprises have to address in the provision of internet commerce services relates to compliance requirements for business continuity planning. Enterprises such as banks and financial institutions typically operate in a very tightly regulated legal environment. The regulatory authorities may require a sound business continuity or disaster recovery plan that is subject to regulatory review, with penalties for non-compliance. Such regulatory non-compliance is one form of legal risk exposure that the enterprise's legal advisors must address.
A business recovery and continuity plan is essential for every business that owns any mission-critical application or system. To ensure adequate availability, enterprises typically provide contingency back-up systems to mitigate the effect of denial of service attacks or other events that may cause business disruption. As mentioned in Chapter 8, a business continuity plan or disaster recovery plan is an essential part of the overall risk management framework of the business. Such a framework typically also covers data confidentiality, system and data integrity and security practices in general. The board of directors has a fiduciary duty to ensure that, in the event of system failure for whatever reason, there is continuity of service for the enterprise's clients and partners.

Relationship with technology providers
Most commercial enterprises are not in the business of providing technology solutions, and they rely heavily on external parties such as internet commerce technology service providers for the technology infrastructure that enables them to offer internet commerce services. This is another dimension of the legal portfolio that senior management must handle.
As discussed above, a vitally important aspect of the legal protection framework in internet commerce is the use of effectively drafted contracts with third party vendors and solution providers, to ensure that the enterprise's potential legal liabilities are adequately managed. These contracts typically govern the relationships that enable the enterprise to provide secure and continuous services, covering such matters as:

* Web hosting;
* Development of applications (for example, internet commerce software);
* Access services, typically provided by infrastructure providers such as telecommunication and internet service provider companies; and
* Security services, including the supply of security products such as firewalls and encryption software.
Since the provision of technology services is typically not part of a commercial enterprise's core competencies, such services are usually outsourced to external providers. However, the enterprise's primary responsibility to its customers is to provide an accessible, direct and secure service. If the enterprise's service provider fails, the enterprise itself remains accountable to its customers. Enterprises therefore need to ensure that sufficient counter-indemnity arrangements are entered into between themselves and their third party technology providers.


Legal indemnity
When there is a major service disruption caused by technology or system failure, the issue that often arises is the extent to which the enterprise can pass on or share the legal risk with its technology service providers. This typically takes the form of indemnity provisions requiring the technology service providers to indemnify the enterprise for losses that result from the service provider's failure to ensure business continuity.



Commercial risk case study

Legal aspects of metadata and electronic documents
It has been mentioned elsewhere that two of the key risks a business faces in modern commercial activity stem from the threat of litigation and from problems in the IT area. Many examples have been cited of the commercial risks connected with hacking, identity theft and related phenomena; one aspect that should also be discussed as a separate area of concern is metadata. This discussion therefore considers the meaning of metadata and its use, and significance, in litigation. Moreover, whether or not any litigation is pending, it is vital that small businesses handle their data extremely diligently: as technology improves and rapid developments occur in this sector, it is increasingly important to behave ethically regarding documents and corporate records.

Metadata: its meaning and significance
Metadata is defined as data about data. As regards electronic documents, it is the information relating to a document that is not evident on the face of the document but is stored as a matter of course on the computer and recorded by the software that created the document. Its main significance is that in litigation it is often crucial for the parties, investigators and litigators to know more about the provenance of a document: proper interpretation of document metadata can help to supply missing information. Such information can be vital in many aspects of commercial litigation, ranging from contract issues to employment disputes.
By way of example, in an unfair dismissal and sexual discrimination matter, claims can be contested by examining the history of key documents: the dates of letters, the details of notice procedures, the authors of documents and when they were printed, as well as the path of earlier versions. This can in turn reveal the authenticity of documents, which can counter allegations about their creation dates and original features. Moreover, metadata about the original author and the origin of the document can be cross-referenced with records from mobile telephones and with emails found on the hard drive. Such information can clearly be vital in clarifying the real background to a document, supporting or destroying what appears on its face.

Typical metadata
It is helpful to understand the basic components of metadata and what can usually be accessed by viewing the properties of the document in the application that created it, such as Microsoft Word™, or by using specific software. Typical metadata includes:

* Document title;
* Document author, as determined by the system. It should be noted that this may not be reliable as regards who actually wrote the document or who last worked on it, since commercial documents are often revised by many people and may be copied many times. Nevertheless a complete analysis may be possible that explains how and when the system recorded the document author's details;

* The company from which the document originates (subject to the same concerns mentioned above);
* The location of the file on the computer;
* The date and time when the file was created, as well as the location from which it was opened;
* A record of when the file was last accessed;
* A record of when the file was last modified, such as the time and date when the size changed, which can be a useful indicator; and
* A record of who last saved the file.
Additionally, specialist software can extract the following details:

* The identity of the last 10 authors and document locations. This is most significant as evidence, since the information can demonstrate how the document arrived at its current location and who had been involved with it. (This list of previous authors and save paths is a feature of the legacy binary Word .doc format; the later XML-based .docx format does not keep it, so the format of the file determines what can be recovered.) It should be noted, however, that any discrepancy between the computer's internal clock and real time must be recorded carefully, along with any time conversions between different time zones when, for example, documents are transmitted across time zones as in the case of transatlantic communications;
* When the document was last saved; and
* When the document was last printed.
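The properties listed above can be read directly from a modern Word file without the application that created it. The following Python script is an added example, not part of the original text or of any product it mentions: a .docx file is a zip archive whose docProps/core.xml part carries the title, author, last-saved-by name, revision number and the created, modified and last-printed timestamps, and whose docProps/app.xml part carries the originating company and application. The sample document, its names and its dates are constructed for the example; the field names of the returned dictionary are the author's own choice. The script also reads the zip entries' own timestamps, which are a second, independent source that can be compared against the declared properties when tampering is suspected.

```python
"""Extract document metadata from an Office Open XML (.docx) file.

A .docx is a zip archive. docProps/core.xml holds the Dublin Core style
properties (title, creator, lastModifiedBy, revision, created, modified,
lastPrinted); docProps/app.xml holds application properties such as the
originating Company. The sample document is constructed in memory so the
script runs offline; all names and dates in it are made up.
"""
import io
import zipfile
import xml.etree.ElementTree as ET
from datetime import datetime

CORE_NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
}
APP_NS = {"ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties"}

# Constructed sample property parts (not taken from a real document).
SAMPLE_CORE_XML = b"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
 xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:dcterms="http://purl.org/dc/terms/"
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
 <dc:title>Notice of termination</dc:title>
 <dc:creator>A. Author</dc:creator>
 <cp:lastModifiedBy>B. Reviser</cp:lastModifiedBy>
 <cp:revision>7</cp:revision>
 <cp:lastPrinted>2004-03-02T09:15:00Z</cp:lastPrinted>
 <dcterms:created xsi:type="dcterms:W3CDTF">2004-03-01T16:40:00Z</dcterms:created>
 <dcterms:modified xsi:type="dcterms:W3CDTF">2004-03-05T11:02:00Z</dcterms:modified>
</cp:coreProperties>"""

SAMPLE_APP_XML = b"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Properties xmlns="http://schemas.openxmlformats.org/officeDocument/2006/extended-properties">
 <Application>Microsoft Office Word</Application>
 <Company>Example Holdings Ltd</Company>
 <TotalTime>95</TotalTime>
</Properties>"""


def build_sample_docx(include_app: bool = True) -> bytes:
    """Build a minimal .docx containing only the property parts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("docProps/core.xml", SAMPLE_CORE_XML)
        if include_app:
            zf.writestr("docProps/app.xml", SAMPLE_APP_XML)
    return buf.getvalue()


def _text(root, path, ns):
    """Text of the first element matching a namespaced path, or None."""
    el = root.find(path, ns)
    return el.text if el is not None else None


def _parse_w3cdtf(value):
    """Parse a W3CDTF timestamp such as 2004-03-01T16:40:00Z into a datetime."""
    if value is None:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def extract_docx_metadata(docx_bytes: bytes) -> dict:
    """Return the fields an investigator usually asks for first.

    Missing parts or elements give None rather than an exception, because
    documents produced by tools other than Word often omit them.
    """
    meta = {k: None for k in (
        "title", "author", "last_saved_by", "revision", "created",
        "last_modified", "last_printed", "application", "company",
        "editing_window_seconds")}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        names = set(zf.namelist())
        if "docProps/core.xml" in names:
            core = ET.fromstring(zf.read("docProps/core.xml"))
            meta["title"] = _text(core, "dc:title", CORE_NS)
            meta["author"] = _text(core, "dc:creator", CORE_NS)
            meta["last_saved_by"] = _text(core, "cp:lastModifiedBy", CORE_NS)
            meta["revision"] = _text(core, "cp:revision", CORE_NS)
            meta["created"] = _text(core, "dcterms:created", CORE_NS)
            meta["last_modified"] = _text(core, "dcterms:modified", CORE_NS)
            meta["last_printed"] = _text(core, "cp:lastPrinted", CORE_NS)
        if "docProps/app.xml" in names:
            app = ET.fromstring(zf.read("docProps/app.xml"))
            meta["application"] = _text(app, "ep:Application", APP_NS)
            meta["company"] = _text(app, "ep:Company", APP_NS)
        # Each zip entry carries its own (local time, 2 s resolution) stamp,
        # an independent source to compare against the declared properties.
        meta["zip_entry_times"] = {i.filename: i.date_time for i in zf.infolist()}
    created = _parse_w3cdtf(meta["created"])
    modified = _parse_w3cdtf(meta["last_modified"])
    if created and modified:
        meta["editing_window_seconds"] = int((modified - created).total_seconds())
    return meta


if __name__ == "__main__":
    for field, value in extract_docx_metadata(build_sample_docx()).items():
        print(f"{field:>24}: {value}")
```

The declared timestamps are written by the authoring application from the local clock, so the clock discrepancy and time zone caveats above apply to them in full; the zip entry stamps are written by the same machine and share the same weakness, but a mismatch between the two sets is a cheap first indicator that a document has been edited with something other than the application it claims.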

Role of a forensic copy
Whereas metadata can be extracted from both live documents and recovered or deleted documents, a proper forensic copy of the original file must be available before the metadata is analysed. This is in order to:

* Preserve the original time and date stamps; and
* Maintain any other potentially useful information regarding the file.
The metadata can be combined with information obtained through other investigations, such as analysis of email and telephone records, to add real value to an investigation. There may be many cases, not only those in which fraud is alleged, where information contained in metadata is hugely useful in providing evidence on an important issue.
A non-forensic copy is likely to contain inaccurate information, because the time and date stamps, as well as other useful information, will be altered if the file has simply been opened and copied from the original computer system. A forensic copy is therefore made without opening the file in its application, and its integrity is recorded with a cryptographic hash so that the copy can later be shown to match the original.
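The difference between a forensic copy and a plain copy can be shown on the file system timestamps alone. The following Python script is an added example, not from the original text: it creates a constructed file in a temporary directory, backdates its modification time to an assumed fixed value, records its SHA-256 hash and stat data, and then compares a copy made with `shutil.copy2` (which carries the stat data across) against a naive read-and-rewrite copy. Both copies hash identically, which is the point: a matching hash proves the content survived, but says nothing about the timestamps, which only the stat-preserving copy keeps.

```python
"""Forensic versus plain copy of a file.

Records the original file's hash and stat timestamps, then compares a copy
that preserves the stat information (shutil.copy2) with a naive read/write
copy. Everything is constructed in a temporary directory so it runs offline;
the file content and the fixed past mtime are assumed values.
"""
import hashlib
import os
import shutil
import tempfile

ORIGINAL_MTIME = 1078159200  # assumed: a fixed timestamp in the past (Unix seconds)
SAMPLE_CONTENT = b"Constructed sample document body for the timestamp demonstration.\n"


def sha256_file(path: str) -> str:
    """Hash the file in chunks so large evidence files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def record_stat(path: str) -> dict:
    """Capture the size, timestamps and hash an examiner notes before anything is touched."""
    st = os.stat(path)
    return {"size": st.st_size, "mtime": st.st_mtime, "atime": st.st_atime,
            "sha256": sha256_file(path)}


def forensic_copy(src: str, dst: str) -> dict:
    """Copy content and stat data, then verify the copy by hash."""
    shutil.copy2(src, dst)  # copy2 carries mtime/atime across via copystat
    info = record_stat(dst)
    info["hash_match"] = info["sha256"] == sha256_file(src)
    return info


def naive_copy(src: str, dst: str) -> dict:
    """Read and re-write the bytes: content identical, but the copy gets a new mtime."""
    with open(src, "rb") as f_in, open(dst, "wb") as f_out:
        shutil.copyfileobj(f_in, f_out)
    info = record_stat(dst)
    info["hash_match"] = info["sha256"] == sha256_file(src)
    return info


def compare_copies() -> dict:
    """Run both copies against a constructed original and report what survived."""
    with tempfile.TemporaryDirectory() as tmp:
        original = os.path.join(tmp, "original.docx")
        with open(original, "wb") as f:
            f.write(SAMPLE_CONTENT)
        os.utime(original, (ORIGINAL_MTIME, ORIGINAL_MTIME))  # backdate atime/mtime
        before = record_stat(original)
        forensic = forensic_copy(original, os.path.join(tmp, "forensic.docx"))
        naive = naive_copy(original, os.path.join(tmp, "naive.docx"))
        return {
            "original": before,
            "forensic": forensic,
            "naive": naive,
            "forensic_mtime_preserved": int(forensic["mtime"]) == int(before["mtime"]),
            "naive_mtime_preserved": int(naive["mtime"]) == int(before["mtime"]),
        }


if __name__ == "__main__":
    result = compare_copies()
    for name in ("original", "forensic", "naive"):
        print(f"{name:>9}: mtime={int(result[name]['mtime'])} "
              f"sha256={result[name]['sha256'][:16]}...")
    print("forensic copy kept mtime:", result["forensic_mtime_preserved"])
    print("naive copy kept mtime:   ", result["naive_mtime_preserved"])
```

Note that even reading the original to hash it can update its last-accessed time on the source machine, depending on how the file system is mounted; this is why examiners take the copy from write-blocked media or a disk image rather than from the live system, and why the hash and stat record are taken before any other work begins.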

Disclosure rules and metadata
The disclosure rules state the following:

* A document is 'anything on which information of any description is recorded' and therefore includes electronic documents;