Legal Compliance

PCQ Bureau

Every organization has shareholders or stakeholders involved with, or having a stake in, its operations, procedures and ultimate financial or citizen-facing results. As information technology is used in almost every business environment, shareholders are aware of the benefits and risks, and want to be kept current about both, whether the news is good or bad. When operations are going well, with few and routine problems, weekly reports and e-mail updates are a reasonable frequency. However, should an information security breach occur that causes financial or legal exposure for the organization, shareholders require a very high level of communication with and between executives and senior management. IT companies need to establish four dimensions of communication: identifying shareholder and customer expectations; establishing direct communication channels; developing the message; and managing the message.


IT executives and senior managers have the same problem as elected politicians: cutting through the 'noise' to answer questions and provide information. In today's 24-hour news cycle, almost anything occurring in the world can turn good news cold and bad news hot. It is a fact of life that shareholders and customers collect and review information on a 24x7 basis and compare the information provided by the media against management reports to understand the differences, if any. During times of crisis, such as a major security breach, an accidental release of customer files or information, loss of data during a storm, or an inability to handle high volumes of sales data, the sheer volume of information impedes understanding of exactly what is happening or has happened. Complex problems must have simple explanations to gain political and shareholder support (which is often easier said than done). Maintaining customer-provided information carries with it a significant legal responsibility. As such, customer records are a significant liability. However, they are also a significant asset. One reason to maintain customer information is that it is needed to perform a transaction with the customer in the first place, and it can assist the firm in obtaining repeat business from that customer in the future.

Customers should expect a degree of confidentiality and privacy in conducting business with both the public and private sectors. The Privacy Act of 1974 somewhat ensures that their sensitive information will not be released to other parties. The law extends further with regard to securing customer-provided information. Some of the codified laws that pertain specifically to the protection of customer-provided data internationally include the Government Performance and Results Act of 1993, the Paperwork Reduction Act of 1995, the Clinger-Cohen Act of 1996, the Digital Millennium Copyright Act of 1998, the U.S. Government Information Security Reform Act of 2000, the Digital Signatures Act of 2000, the USA Patriot Act of 2001, the E-Government Act of 2002 and the Sarbanes-Oxley Act of 2002.

Security failures are increasingly leading to customer litigation. Inadequately protecting customer-provided data from unauthorized disclosure due to security failures may result in liability findings by the courts. To prevent such findings, it is imperative that firms take action to implement an information assurance strategy.


International aspects

Electronic records are used as evidence in jurisdictions around the world. They are relevant in litigation between private parties and in cases initiated by governments. As organizations expand the scope of their computer networks, they find that their electronic documents are located in an increasing number of different legal jurisdictions. Those records, thus, become subject to the rules governing evidence and disclosure of special forms of information in many different nations, regions and localities. The global scope of those operations complicates the electronic records management process.

Various countries have developed legal requirements for the protection of certain forms of particularly sensitive personal records. The electronic records most frequently protected by this type of regulation are those that contain information pertaining to specifically identifiable individuals (personal information), including financial and health/medical records. The EC has implemented sweeping information privacy requirements to protect personal information from disclosure. Regulatory action has been taken by countries such as Australia, which makes unauthorized access to the electronic records of financial institutions a criminal offense subject to penalties including prison terms of up to two years. Some jurisdictions have elected to deal with the protection of electronic records through laws that prohibit unauthorized access to computers and their contents. In addition to requirements protecting certain records from disclosure, in some instances there are legal obligations to release those records to authorities. Some countries have made certain electronic records the target of specific retention or disclosure requirements. For example, a controversy developed in the United Kingdom as a result of the enactment of the Regulation of Investigatory Powers Act (RIP) in 2000. RIP was controversial for several reasons, including the fact that it restricts a person who is required by the UK government to surrender encryption keys from disclosing to any other party the fact that the keys have been surrendered. The fear is that this could lead to situations in which an organization's encrypted communications can be accessed by the UK government while the target enterprise remains unaware that the communications have been compromised, because the party responsible for the disclosure to the government is under a legal obligation not to reveal that the key has been surrendered.


Various countries require that certain electronic records be retained or, in some cases, that they be provided to the government. Countries such as Cuba, Vietnam and China require that information regarding ISP accounts and websites be registered with the government as a matter of standard operations. Not surprisingly, many organizations and individuals are wary of requirements for electronic records retention or disclosure imposed by governments. Those legal requirements provide a major source of information for governments, and they afford a level of visibility into the operations and activities of enterprises and individuals that is not entirely justified. Nevertheless, those electronic records requirements are not merely isolated incidents, and it is likely that an increasing number of governments will move to gain access to additional records of service providers and network users.

Organizations fear that many different government authorities around the world may begin to require disclosure of certain highly secure electronic records. As noted previously, one of the most sensitive forms of electronic record is an encryption key, because its disclosure can compromise the security of communications. Other highly sensitive types of electronic records include the registration and identification records of the certification authorities that are being developed to help foster security in e-commerce. Government or private-party access to these records is a cause for concern to proponents of e-commerce. If your organization is involved in any operations relying on highly sensitive records, you should recognize that your records will likely be prize targets of governments and private organizations around the world.



Just as you develop your systems and operations to protect those records from unauthorized users, so too should you act to make sure that they can be protected from widespread compulsory disclosure. One way to accomplish this goal is to monitor carefully the potential legal disclosure obligations in all of the jurisdictions in which you conduct business. You should try to influence the development of those rules whenever possible. If the disclosure rules in certain jurisdictions are burdensome, it is wise to consider adjusting the business operations to minimize your exposure to those jurisdictions by minimizing your physical presence and the scope of business activities in those places.

As companies expand their international operations, they will be required to comply with an array of rules associated with electronic records applied by the different countries in which they conduct business. Those rules will require the protection, retention and disclosure of certain types of records. Electronic records management systems implemented by businesses should, therefore, recognize the international scope of business activities and should be designed to facilitate compliance with many different records retention and use rules. Even with that attention, however, coordinating multi-jurisdictional compliance for electronic records management is no small task.

Contributed by Jaspreet Singh, Price Waterhouse Coopers
