http://australianit.news.com.au/articles/0,7204,20697239%5E24169%5E%5Enbv%5E,00.html

By Eric Wilson
The Australian
NOVEMBER 07, 2006

COMPANIES are contractually binding their electronic trading partners to recognised security standards as corporate systems become increasingly linked for just-in-time trading. The move is designed to maintain data integrity and privacy, but the legal framework for IT security compliance in e-commerce is often fuzzy.

At common law, says Matthew Rouse, principal of Brisbane technology law firm Rouse Lawyers, general liability for technology security negligence can run through the supply chain.

"The modern law of negligence is founded on the principles enunciated in the snail in the ginger beer case," Rouse says.

Rouse refers to May Donoghue's soft drink, served in 1928 at the Wellmeadow Cafe in Paisley England - allegedly with ice cream. At issue was a £500 claim that snail remains found in the bottle caused gastroenteritis and emotional distress.

After losing her case, on appeal the House of Lords allowed Donoghue to sue down the supply chain to get at her drink supplier's supplier, a man named David Stevenson. This established the principle of duty of care to third parties.

Seventy-four years later in Australia, this same duty of care applies to securing all private information a business may hold about Donoghue or anyone else - even as subcontractors, outsourcers and offshorers access data about her through websites, sales and supply-chain management systems.

As a result, verifiable legal compliance with international standards is driving a gleeful IT security industry, because senior management is liable if anything goes wrong.

Rouse says Commonwealth legislation could pin Donoghue's issues on the board, with directors having a duty of care and diligence under section 180 of the Corporations Act.
"While there is not a specific obligation, it is likely that proper IT security measures would fall under this general duty of care, depending on the scope of the company's business," Rouse says.

Bigger companies, and those presenting as IT savvy, are expected to comply with industry best-practice codes, Rouse says. Even a salesperson saying information will be secured can trigger a best-practice obligation under the Trade Practices Act. Under the Privacy Act, it's possible to legally enforce the privacy statements of companies with turnover of more than $3 million, Rouse says.

Yet when it gets down to tin tacks, the law is fuzzy as to what a secure IT environment is. That is why security standards are becoming increasingly important to control information systems.

Symantec Asia-Pacific and Japan compliance solutions senior director Tim Hartman says standards such as ISO 17799/27001 provide a generic way to assess IT security risks, ranging from physical security to acceptable-use policies, email security and configuration management. Standards provide a common approach for security professionals to audit what is done.

Banks use the Basel II standard, while the federal government's security standard is ACSI 33. The Department of Communications, Information Technology and the Arts' Leading Practices and Guidelines for Enterprise Security Governance is a good place to start, Hartman says.

"You want to trust the people you are dealing with electronically, so you get them to sign off on standards," he says. "Security then becomes measurable."

Going through a standards process establishes rigour in risk assessment and decision-making.

Hartman says increasing connection between corporations is eliminating electronic perimeters. Although firewalls are important, the IT infrastructure they protect must be hardened.

"Taken to the nth degree, if you dropped that infrastructure on the internet unprotected, it should survive," Hartman says.
That's not as uncommon as it sounds, as corporate intranets are sometimes inadvertently exposed to the outside world.

Stephen Kirkby, chief executive of independent web security tester Maxamine, says maintaining standards isn't easy because web staff are usually stressed by pressing deadlines. Mistakes can easily happen in their busy environment, which makes independent security testing essential to fulfilling the duty of care. But, he says, big companies often don't even know how many internal websites they have.

So, if legal push comes to shove, one must be able to prove security standards compliance. PatchLink Asia-Pacific vice-president Neal Gemassmer says this means deploying a reporting system that shows when, where and how systems across a supply chain are patched and updated. That's because firewalls and infrastructure hardening only buy time to fix vulnerabilities, and are not the fixes in themselves.

"Companies are negligent if they don't patch their applications, or if they rely on human aspects or don't report," Gemassmer says.

Apparently May Donoghue settled her duty of care litigation with David Stevenson's executors out of court for £200, but two lord justices later concluded there never was any snail.
This archive was generated by hypermail 2.1.3 : Mon Nov 06 2006 - 22:55:20 PST