IT directors have never been more overwhelmed by laws
affecting IT - as they heard at a Computer Weekly 500 meeting on
the impact of forthcoming legislation on IT.
"There are over a hundred pieces of legislation affecting IT and
e-business," said Will Roebuck, legal strategy director of the
member-based e-Business Regulatory Alliance, which has just been
set up to provide clarification, guidance and lobbying on
e-regulation for IT users.
The complexity of the legal landscape, and the pace at which
both technology and the law are changing, means, he says, "that
even legal experts are confused about e-legislation".
Confusion, however, is as invalid a defence as ignorance, and IT
directors do need to understand where and how what they do can pass
from legal to illegal. Roebuck said it comes down to risk
management and, ideally, keeping corporate IT legal should be part
of good corporate governance, with clear policies and standards on
areas subject to legislation, such as business e-data retention or
email monitoring.
"The IT director should have a very good understanding of the
business processes and understand how technology facilitates them,"
said Roebuck - that way he can see the touchpoints where the law is
going to impact those processes and technology.
As ever, prevention is better than cure.
"Whenever any IT project is undertaken, get the legal department
involved at the beginning," Roebuck said. And, since a considerable
chunk of e-legislation concerns employees, the human resources
department should also check out IT proposals and operations.
Conducting a "legal audit" across all existing IT is also a prudent
step for IT directors to take in conjunction with HR and the
company lawyers.
The sheer range of legislation which touches IT is vast, from
laws on disability discrimination to cross-border consumer
protection law, taking in laws on libel, copyright and obscenity
along the way.
Companies can be breaking the law by allowing staff to display
offensive screen-savers, which can land the organisation in a
constructive dismissal tribunal if the offended employee resigns
citing a hostile workplace.
They can break the law by passing on personal information about
staff or customers to 'spoofers' in identity theft. They can break
the law if staff send defamatory emails, such as ones spreading
rumours about the financial liabilities of rivals, or find that
contract law recognises an e-mail agreement as legally binding when
that was not the intent of the sender.
They can break the law by holding unlicensed software they didn't
even know they had on their computers, or be hammered by another
country's consumer protection laws if they sell goods
internationally via the web. They can even break the law when IT
staff pass on intercepted illegal internet content to their
managers for discovery.
Although there are clearly good societal reasons for so much
legislation, its sheer weight and complexity impose a considerable
burden on companies and their IT - implementing the Data Protection
Act alone is said to have cost £1.3 bn, said Roebuck.
Understanding the IT implications of new regulation as early as
possible will clearly help IT directors to position their companies
on the right side of the law, at the least possible cost, but IT
directors should not be merely passive consumers of new
e-legislation. The legislative process responds to consultation and
lobbying, and those who will be affected by the law should also
seek to shape it in the first place.
This Computer Weekly 500 Club meeting took place on 15 October
2003.
The E-business Regulatory Alliance
www.e-ra.org.uk
Forthcoming legislation for IT directors to look out for:
Data protection
The latest EC directive on Data Protection makes it illegal for
organisations to fail to extract explicit consent from data
subjects to keep, use or pass on their personal data. In
particular, websites will have to ensure that there is a clear
opt-in box which will need to be ticked by site users.
"The original directive didn't cover spamming and cookies," said
Roebuck.
This latest legislation, implemented in the UK as Statutory
Instrument 2426 (2003), took effect on 11 December.
"It's a very hot potato," warns Roebuck. "Web users will have to
be able to turn off cookies."
Alternative Disputes Resolution
This law, due this year, will tackle the issue of cross-border
conflicts in e-contracts.
The current legal situation on whether an e-contract is subject
to the national law of the country of origin, where the selling
company is based, or that of the country of the purchaser, is
highly contentious. Countries usually argue in favour of their own
laws applying, whatever the effect on e-commerce - in France, for
example, no contract is legal if it is not written in French.
So problematic is the issue that it is clearly hampering the
development of global e-commerce. Some companies simply opt out of
cross-border trade by stipulating they will accept payment only via
credit cards issued in the site's country of origin, losing out on
potential sales rather than become embroiled in international legal
disputes.
Because ADR will provide a faster, easier and less conflictual
means to resolve disputes over e-commerce sales, it will encourage
customers to pursue claims they might otherwise have given up on.
That therefore puts an onus on sellers to improve their selling
processes, for example by ensuring that they can track a sale from
purchase through to accepted delivery in cases where customers say
that goods were paid for but not delivered. IT will have to provide
the integration of the necessary business processes.
Intellectual Property Rights Enforcement Directive
This directive, which is still going through its consultative
stage, threatens, says Philip Virgo of Eurim, which lobbies
government on IT affairs, "to be really messy."
"The aim of the directive is to make it much easier to enforce
IPR in software which currently, apart from car boot sales, is very
little enforced."
However, Eurim is warning about the highly adversarial tone of
the directive.
Organisations such as the Federation Against Software Theft
"help you do a software audit and settle things in a friendly way",
says Virgo. "The Directive is about the investigatory powers of
those enforcing IPR. It will effectively extend the US Millennium
Copyright Act to Europe."
The investigatory powers will enable IPR holders to threaten
users with cessation of business operations until the licensing
dispute is resolved.
"It will make IT directors schizophrenic," said Virgo. If their
company has rights in its own corporate software and systems they
will welcome the more stringent enforcement of IPR that the
directive aims at, but as users of IT suppliers' software and
systems they will see it as potentially dangerously punitive.
Regulatory Investigatory Powers Act
In its reformed state it should be viewed less as a burden on
business than as a safeguard, said Virgo.
"Ripa is a good thing because IT users are now allowed to check
the credibility of those claiming data from them, reducing the risk
of giving out (personal) data they should not," he said. "Legacy
legislation dating from the war gives a lot of organisations the
power to claim information from you, but most claims are from
enquiry agents, pretending to have authority, and intent on
identity theft."