What Every Technology Lawyer Needs to Know about IT Security

April 30, 1998

There are some topics in the field of IT law which might be considered to be “sexy” (at least to those of us who are sad enough to devote our careers to this kind of thing!), such as service levels and credits, limitation of liability regimes, IPR provisions and the like. IT security, on the other hand, is most definitely not among them. However, this is likely to be a mistake, as issues associated with IT security are amongst the most important that our clients will face, and need to be properly understood if they are to be adequately reflected in the contracts which we help to draft. This article accordingly considers IT security in the wider sense, and in particular evaluates the lawyer’s role in dealing with the challenges it presents.

Nature of the Risk

In a recent survey, the National High Tech Crime Unit (NHTCU) identified the top IT security threats as follows:

· viruses, worms or Trojan attacks

· unauthorised access/hacking

· theft of confidential or proprietary information

· sabotage to data or networks

· financial fraud (including identity theft)

· abuse of internet access

· equipment theft

· denial of service attacks

· unauthorised modifications of Web sites.

To illustrate the potential scale of the problem, one might point to the experience of Sumitomo Mitsui bank, who uncovered a criminal scheme whereby “cleaners” were attacking keyboard logging into USB ports with a view to pulling off a fraud which it was estimated could have netted them up to £220 million. Moreover, a recent DTI study revealed that the average UK business suffered at least one security breach every month.

It is perhaps then not surprising that IT security has become a mainstream news item, when the impact of such things as the Sasser Worm are estimated as having caused up to £1.8 billion of damage (ie as much as a major hurricane). It is equally the case therefore that IT security cannot be viewed as some kind of “speciality subject” so far as the legal profession is concerned. Put simply, if it is a concern for our clients, it must be a concern for us as lawyers and it poses a risk which we must ensure that our contracts and advice covers adequately and appropriately. If, for example, one is acting for a customer in relation to an IT services or purchase agreement, one must understand the nature of the relevant security-related requirements in order to ensure that they are properly addressed in the contract. Equally, if one is advising the supplier in such circumstances, it is essential that you can help advise the supplier as to the nature of the obligations which it may be taking on, so that the supplier can both be confident that it can comply with such requirements, and that its fees reflect its costs of doing so.

The Key Requirements

There are in fact many legislative and regulatory requirements which touch upon IT security to either a greater or lesser degree, some of which are well understood and others which are perhaps less so. Some (but by no means all) of these are highlighted below:

· Data Protection Act 1998

The 1998 Act is perhaps the most obvious statute to pick up in IT security terms, given the reference in Sch. 1 to the Act to the need to take “appropriate” technical and organisational measures to protect against the risks of unauthorised processing and/or accidental loss or destruction of personal data. Perhaps not surprisingly, the Act does not go on to say what “appropriate” measures might consist of, and the Information Commission indicates that a risk based assessment is required in this regard (eg one which is dependent upon the nature of both the personal data and the type of processing which is in issue).

· Electronic Communications Act 2000/Electronic Signatures Regulations 2002

Whilst perhaps not overtly focussed upon IT security, these instruments in fact create some of the essential grounding for IT security by setting out the basis for the validity of electronic signatures and the framework for the provision of encryption and cryptography services (which are clearly key to IT security in general).

· Companies (Audit, Investigation and Community Enterprise) Act 2004

This Act was primarily a reaction to the major corporate scandals in the US (Enron, World Com et al) but adds a new obligation upon companies to keep audit-related information “secure”. Inevitably, this will extend beyond physical security and simple retention of documents so as to include obligations to preserve such information against loss, destruction or tampering by electronic means.

· FSA Rulebooks

The FSA has also picked up on the importance of IT security, and there is a wide array of rules disgorged from it which relate to issues of security, geographic location and business continuity in the context of “outsourcing” (remembering also in this regard that the FSA defines “outsourcing” very widely so as to include just about every kind of service which the regulated entity could do itself but decides instead to assign to a third party, which will accordingly capture many pure services arrangements). For example:

– SYSC 3.1.1.R – “A firm must take reasonable care to establish and maintain such systems and controls as are appropriate to its business”

– SYSC 3.A.7.8 – requires an assurance as to the adequacy of risk related controls, and says that firms should “have regard” for standards such as ISO 17799

Other relevant provisions include SYSC 3A.7.5G and SYSC 3A.7.6.G (on IT systems, and the maintenance of “appropriate systems and controls for the management of…IT system risks”), SYSC 3A.7.7G and SYSC 3A.7.8G (on Information Security, including the need to prevent access to information by unauthorised persons, establishing the accuracy of information and its processing, and ensuring that a person or system which processed information cannot subsequently repudiate the results), SUSC 3A.7.9G (on geographic location), and SYSC 3.2.19G and SYSC 3A.8 (on business continuity). More generally, the FSA stresses the need for firms to have in place negotiated and written contracts which reflect the principles and requirements which they have outlined.

· Basel Committee on Banking Supervision

Still with the financial services sector, the Joint Forum on Outsourcing in Financial Services came up with a similar set of principles relevant to IT security, including:

Principle VI – the regulated entity and its service providers should establish and maintain contingency plans, including a plan for disaster recovery and periodic testing of recovery facilities

Principle VII – the regulated entity should take “appropriate steps” to require that its service providers protect the confidential information of both the regulated entity itself and of its clients, in respect of both intentional and inadvertent disclosure to unauthorised third parties

· Foreign Legislation

Even if one is confident of having complied with the requirements set out in the UK legislation and regulations, the fact that so much of today’s business is conducted internationally means that one may also have to consider the requirements imposed by other countries. For example:

– The US Health Insurance Portability and Accountability Act 1996 (better known as HIPAA) includes security standards for protecting the confidentiality and integrity of “individually identifiable health information”

– Also in the US, the Sarbanes-Oxley Act of 2002 (and especially section 404 of the Act) requires public companies to include in their annual reports an “internal control report” which is to contain an assessment of the effectiveness of the internal control structure and the procedures of the issuer for financial reporting, which will clearly include issues as to the integrity and security of the systems which it utilises for this purpose.

What Does This Mean In Practice?

So far so good. However, it is one thing to know that obligations exist, and quite another to know how they might be satisfied. For example, what would actually constitute “appropriate” measures as required by the Data Protection Act 1998, or suffice to show that an organisation has taken “reasonable care” as mandated by the FSA?

Whilst there is no absolute guarantee in this regard, it seems clear that adherence to BS 7799 and its code of practice for information security will be a very good starting point; indeed, the DTI concluded that an organisation who had implemented an information security management system (ISMS) in accordance with BS 7799 would be “in a good position” to respond to any questions which might be posed vis à vis notification to the Information Commission and would “help to satisfy the information security requirements of the 1998 Data Protection Act”.

The key elements of compliance with BS 7799 are helpfully summarised in a DTI factsheet which is accessible at http://www.dti.gov.uk/bestpractice/assets/security/understanding-BS7799.pdf.

In summary, however, it covers the steps which an organisation should follow in relation to each of the following:

1. Security Policy

2. Organisational Security

3. Asset Classification and Control

4. Personnel Security

5. Physical and Environmental Security

6. Communications and Operations Management

7. Access Control

8. System Development and Maintenance

9. Business Continuity Management

10. Compliance.

At first blush, one might assume that these were issues to be addressed by technical or security specialists rather than lawyers. However, many of these elements require input of a legal nature. For example:

– Security Policy: in determining what the security policy should address, the relevant organisation will obviously need to have an understanding of what its legal requirements dictate and require, as well as simply what commercial “good practice” might require

– Asset Classification and Control: this expressly includes software licences and associated contracts, not merely in the sense of knowing where they are kept/stored, but also in knowing what they provide

– Personnel Security: this includes various aspects of employment law, including the provisions of employment contracts and services, agreements with contractors, the drafting of staff handbooks, and guidance on issues touching upon personal data

– System Development and Maintenance: it is one thing to know what is intended to be implemented, and another to ensure that the relevant contract provides for this to be the case as a matter of fact (eg in terms of warranted performance times, binding service level regimes and the like)

– Compliance: not surprisingly, there is a significant and ongoing requirement for legal input in this regard, as BS7799 mandates a review of compliance with key legislation not simply at the point of initiating a particular project or agreement, but thereafter on a regular basis.

Conclusion

There is a danger that IT security is thought of as a purely “techie” issue, which can be dealt with by standard boilerplate clauses with little thought as to the issues which such provisions are intended to address. In fact, IT security is at the heart of many of the day to day concerns of our clients, and needs to be given a commensurate degree of attention. Accordingly, lawyers need to be at the forefront in both identifying the nature of the risks to be addressed, and helping to develop the strategies to be put in place to address them.

Kit Burden is a Partner at DLA Piper Rudnick Gray Cary, an SCL Trustee and Chair of the SCL Outsourcing Group.