IT directors have never been more overwhelmed by laws affecting IT - as they heard at a Computer Weekly 500 meeting on the impact of forthcoming legislation on IT.
"There are over a hundred pieces of legislation affecting IT and e-business," said Will Roebuck, legal strategy director of the member-based e-Business Regulatory Alliance, which has just been set up to provide clarification, guidance and lobbying on e-regulation for IT users.
The complexity of the legal landscape, and the pace at which both technology and the law are changing, means, he says, "that even legal experts are confused about e-legislation".
Confusion, however, is as invalid a defence as ignorance, and IT directors do need to understand where and how what they do can pass from legal to illegal. Roebuck said it comes down to risk management and, ideally, keeping corporate IT legal should be part of good corporate governance, with clear policies and standards on areas subject to legislation, such as business e-data retention or email monitoring.
"The IT director should have a very good understanding of the business processes and understand how technology facilitates them," said Roebuck - that way he can see the touchpoints where the law is going to impact those processes and technology.
As ever, prevention is better than cure.
"Whenever any IT project is undertaken, get the legal department involved at the beginning," Roebuck said. And, since a considerable chunk of e-legislation concerns employees, the human resources department should also check out IT proposals and operations. Conducting a "legal audit" across all existing IT is also a prudent step for IT directors to take in conjunction with HR and the company lawyers.
The sheer range of legislation which touches IT is vast, from laws on disability discrimination to cross-border consumer protection law, taking in laws on libel, copyright and obscenity along the way.
Companies can be breaking the law by allowing staff to display offensive screen-savers, which can land the organisation in a constructive dismissal tribunal if the offended employee resigns citing a hostile workplace.
They can break the law by passing on personal information about staff or customers to 'spoofers' engaged in identity theft. They can break the law if staff send defamatory emails, such as spreading rumours about the financial liabilities of rivals, or find that contract law recognises an e-mail agreement as legally binding when that was not the intent of the sender.
They can break the law by holding unlicensed software they didn't even know they had on their computers, or be hammered by another country's consumer protection laws if they sell goods internationally via the web. They can even break the law when IT staff pass on intercepted illegal internet content to their managers for discovery.
Although there are clearly good societal reasons for so much legislation, its sheer weight and complexity imposes a considerable burden on companies and their IT - implementing the Data Protection Act alone is said to have cost £1.3bn, said Roebuck.
Understanding the IT implications of new regulation as early as possible will clearly help IT directors to position their companies on the right side of the law, at the least possible cost, but IT directors should not be merely passive consumers of new e-legislation. The legislative process responds to consultation and lobbying, and those who will be affected by the law should also seek to shape it in the first place.
This Computer Weekly 500 Club meeting took place on 15 October 2003.
Forthcoming legislation for IT directors to look out for:
The latest EC directive on Data Protection makes it illegal for organisations to fail to extract explicit consent from data subjects to keep, use or pass on their personal data. In particular, websites will have to ensure that there is a clear opt-in box which will need to be ticked by site users.
"The original directive didn't cover spamming and cookies," said Roebuck.
This latest legislation, implemented in the UK as Statutory Instrument 2426 (2003), took effect on 11 December.
"It's a very hot potato," warns Roebuck. "Web users will have to be able to turn off cookies."
Alternative Disputes Resolution
This law, due this year, will tackle the issue of cross-border conflicts in e-contracts.
The current legal situation on whether an e-contract is subject to the national law of the country of origin where the selling country is based, or that of the country of the purchaser, is highly contentious. Countries usually argue in favour of their own laws applying, whatever the effect on e-commerce - in France, for example, no contract is legal if it is not written in French.
So problematic is the issue that it is clearly hampering the development of global e-commerce. Some companies simply opt out of cross-border trade by stipulating they will accept payment only via credit cards issued in the site's country of origin, losing out on potential sales rather than become embroiled in international legal disputes.
Because ADR will provide a faster, easier and less conflictual means to resolve disputes over e-commerce sales, it will encourage customers to pursue claims they might otherwise have given up on. That therefore puts an onus on the seller to improve its selling processes, for example by ensuring that it can track a sale from purchase through to accepted delivery in cases where customers say that goods were paid for but not delivered. IT will have to provide the integration of the necessary business processes.
Intellectual Property Rights Enforcement Directive
This directive, which is still going through its consultative stage, threatens, says Philip Virgo of Eurim, which lobbies government on IT affairs, "to be really messy."
"The aim of the directive is to make it much easier to enforce IPR in software which currently, apart from car boot sales, is very little enforced."
However, Eurim is warning about the highly adversarial tone of the directive.
Organisations such as the Federation Against Software Theft "help you do a software audit and settle things in a friendly way", says Virgo. "The Directive is about the investigatory powers of those enforcing IPR. It will effectively extend the US Millennium Copyright Act to Europe."
The investigatory powers will enable IPR holders to threaten users with cessation of business operations until the licensing dispute is resolved.
"It will make IT directors schizophrenic," said Virgo. If their company has rights in its own corporate software and systems they will welcome the more stringent enforcement of IPR that the directive aims at, but as users of IT suppliers' software and systems they will see it as potentially dangerously punitive.
Regulatory Investigatory Powers Act
In its reformed state it should be viewed less as a burden on business than as a safeguard, said Virgo.
"Ripa is a good thing because IT users are now allowed to check the credibility of those claiming data from them, reducing the risk of giving out (personal) data they should not," he said. "Legacy legislation dating from the war gives a lot of organisations the power to claim information from you, but most claims are from enquiry agents, pretending to have authority, and intent on identity theft."