The US IT security market and its legal trappings
August Bequai
continues to grow, so do the security needs of electronic commerce. "Doing business on the Internet without proper security," according to author and security expert Louis Tyska, CPP, "is comparable to doing business in the New York City subway system." Mr Tyska's views are shared by many US security experts. The statistics bear Mr Tyska out. Nearly 40% of all intrusions into US computer systems cost their victims over $1 million; nearly half of these are caused by insiders. But cyber-crime has also spawned a multibillion dollar security industry, which is expected to take in a total of $17 billion between 1997 and 2000, with an annual growth of 30%. According to an IBM spokesman, "there's more business than anyone can handle."

Computer Audit Update, February 1997. © 1997, Elsevier Science Ltd.
Legal concerns for vendors

When future historians study American civilization, they will take note that privacy and civil rights were viewed in almost religious terms. Multimillion dollar verdicts against security vendors, who were unfortunate enough to find their way before US juries, are the norm rather than the exception.

The slow progress of biometric security in the US can, in large part, be attributed to the legal trappings it faces. Security vendors, on the trek to America's new found El Dorado, would do well to take note of the legal trappings they face.

"While the IT security market has spawned a modern-day 'Goldrush', vendors should take note of its legal pitfalls. America's security industry, while lucrative, is also highly regulated; foreign vendors not excepted."
A. Privacy: While the US Constitution and numerous federal laws seek to safeguard the privacy of the citizenry, the focus is on governmental abuses, and not the private sector. However, many of the states have enacted an army of laws and regulations that provide for the individual's privacy from intrusions by private individuals and business entities. States like California have incorporated broad privacy provisions in their constitutions. Security vendors - especially those in the monitoring and services areas - need to take note of these state privacy safeguards, especially if they were to operate in the large commercial centres, such as New York and Los Angeles. An individual who felt his/her privacy had been abused by these security technologies could seek legal recourse against both vendor and user; the fact that the vendor may have played no role in the alleged abuse is no defence.

B. Labour Unions: While America's political pundits are fast to decry the fate that has befallen labour unions, their so-called demise - while not illusory - is far from accurate. Labour unions like the Communication Workers of America are alive and active players in America's telecommunications sector. Labour unions have been in the forefront of efforts to ensure that employers do not invade the privacy of their workers. Much of the impetus for such legislation as the "Privacy for Consumers and Workers Act", which would regulate many existing IT security systems, has come from the Communication Workers of America and Liberal Democrats in the US Congress. Security vendors need to take notice of labour unions when targeting specific corporations and industries. This is especially true since many collective bargaining agreements - which govern the relationship between management and their staffs at many US companies - take note of employer security programs. These agreements are policed and enforced by the US Department of Labour.

C. Health and Safety: The US is replete with legislation and regulations aimed at safeguarding the health and safety of its workforce. At the federal level, enforcement authority is reposited with the US Occupational Safety and Health Administration (OSHA). Some biometric security systems have come under attack as being health hazards - a New York jury recently awarded $6 million in damages to three women who said they were injured by repeatedly using their computer keyboards. US workers and others who are exposed to IT security systems could use the health and safety laws and regulations to hold both vendor and user liable if they can demonstrate injury to their health resulting from use of, or exposure to, these systems.

D. Disparate Treatment: America sets the standard when it comes to social engineering. With thousands of federal, state and local laws and regulations dealing with every facet of social intercourse, it should not come as a surprise if workers or anyone else argued that the IT security system in place singled them out, on ethnic, racial, etc., grounds, for disparate treatment. Whether the initial charge has merit or not is of secondary importance. It will frequently suffice to spark an investigation by one of the many governmental regulators - e.g., the US Equal Employment Opportunity Commission (EEOC). The investigation, even if it fails to confirm the complainant's charges of disparate treatment, could prove costly, as well as result in adverse publicity for both the security vendor and its client(s); frequently, it results in a financial settlement.

E. Federalism: Most foreign vendors fail to take note that the US is a complex - and confusing - federal edifice. Each state has its own laws, regulations and enforcement powers. State governors resemble the princes of the Hapsburg Empire, jealous of their jurisdiction. The much publicized O.J. Simpson case is illustrative of America's federalism. Had he been prosecuted in Florida, the outcome would probably have been different. Security vendors need to give serious thought to the locality they select to operate out of; for example, while multimillion dollar judgments are the norm in states like Alabama, they are the exception in others. Selecting the right locality from which to operate could keep an IT security vendor out of court.

F. Contracts: A security vendor should also take note of the provisions in the contract it signs with users of its equipment/services. First and foremost, the contract should identify a state which is more business oriented as having jurisdiction over any legal disputes that might arise. A vendor should also ensure that the contract with the user(s) is specific as to which state law will govern any legal disputes which might arise from the use of its equipment/services. The agreement should also provide for arbitration as the vehicle for resolution of the dispute. Unlike the US judicial system, arbitration is speedy, less costly and binding. The security agreement, if properly drafted, can provide a vendor with important safeguards from frivolous litigation.

G. Strict Liability: Under US laws, both the vendor and the manufacturer of a defective product can be held liable for injuries sustained by members of the public. The strict product liability laws cover only goods and not services. A vendor should specify in its sales/licensing agreement that the security system - where appropriate - is a service and not goods. For example, the security software could qualify as a service, exempting the vendor from civil liability under the strict product liability laws. Ignorance of any defect(s) in the goods by the vendor is not an adequate defence.
Governmental regulation and oversight

An IT security vendor, especially one not versed in US laws, should have a grasp of the basic governmental regulations and oversight that could impact on its American operations. Among these:

A. Immigration: While the US takes pride in its diversity, foreign vendors seeking to do business in its security market need visas and work permits for their non-US workers. The governmental regulator charged with issuing visas and work permits for the workers of foreign businesses operating within the US is the Immigration and Naturalization Service (INS). Foreign security vendors operating within the US market could face civil and criminal sanctions if they lack INS authorization.

B. Labour: The US workplace is largely regulated by the Department of Labour, which has oversight jurisdiction over wages and work conditions. Staffs of foreign vendors operating within the US would fall under its jurisdiction, as would their employers. The Department has broad enforcement powers, backed by an army of lawyers and investigators. It is common for domestic vendors to "blow the whistle" on their foreign competitors.

C. Taxes: These are the province of the US Internal Revenue Service (IRS) and the state taxing agencies. How a foreign security vendor will be taxed will depend on both its status with the US and how its products and services are characterized. For example, security software will command taxes that are different from those assessed for encryption products. The IRS has broad enforcement powers, and a foreign vendor who fell afoul of its regulations could find its products and property seized, as well as face criminal and civil sanctions.

D. Commerce: US export and import laws are the province of the Department of Commerce. The Department, in conjunction with the US Customs Service, exerts oversight jurisdiction over foreign vendors. Given the sensitive nature of IT security - i.e., its military applications - a foreign vendor would do well to check with the Department and the Customs Service on the legality of its US marketing/sales efforts. The vendor should also check to ensure that the products it sells within the US market are not classified as military technologies. A recent decision by a federal court in San Francisco, striking down restrictions on the sale of certain forms of data scrambling software on the grounds that they violated free speech rights, is of limited application. The government is appealing the decision.

E. Monopolies: While many Asian and European businesses enjoy monopolies in their home markets, these are frowned upon in the US. They are also illegal. A foreign vendor should guard against entering into any business venture(s) with other entities operating in the American market which could be viewed as monopolistic and as restraints on commerce. Enforcement authority in this area rests with the Anti-trust Section of the Department of Justice and the Federal Trade Commission.

Summary

The US IT security market is a multibillion dollar annual business. It is a highly competitive market, as well as one fraught with legal perils. An unwary foreign vendor would do well to take note that not all the roads to cyberspace are paved with gold.