Computer Audit Update
October 1995

3. Williams, K.C., Behavioural Aspects of Marketing, Heinemann Professional Publishing, 1981.

Kevin McLean has over 22 years' experience in Information Technology and management, initially as a systems developer and latterly as a consultant to a wide range of government and business sectors. He is Head of IT Security and Systems Management consulting at Hoskyns Group plc, which is the UK operation of Cap Gemini Sogeti. He has performed security reviews and has implemented security improvement programmes for a wide range of organizations in the UK and internationally, and he is a founder member of the IFIP (International Federation for Information Processing) working group on Information Security Management. This paper was first presented at EuroCACS '95.
IT AND LEGAL RISKS MANAGEMENT

Gareth O. Jessop

There is a general perception that legal issues are of limited significance in IT. The prevailing view is either that the law largely ignores technology and is decades behind in adapting to it, or that only specific areas of law (copyright, data protection, hacking offences) affect the selection and use of IT systems. In fact, a much wider range of general law impinges on IT strategy, and IT systems involve both a wide range of legal risks and the opportunity to assess and manage those risks. The real issue therefore is not how the law affects IT but how IT affects legal exposure.

Take some examples from the law of negligence. From the moment, in 1932, when the law recognized a general duty to "take reasonable care to avoid acts or omissions which you can reasonably foresee would be likely to injure your neighbours"[1], the use of technology has featured in that issue: the courts have considered the role of available technology in risk management. Before the end of 1932, a US court had decided that barge owners were negligent in not fitting radio receivers, even though only one line in the industry had introduced them[2]. In 1965, a shipping line which had fitted radar but failed to instruct and supervise its staff, so that the radar screen was not permanently monitored, was found liable[3].

The same principles came to be applied to business IT systems. A bank was held liable on a stopped cheque because its cashier failed to check data available on his terminal. By 1973, another US bank only avoided liability for the consequences of a system crash on a 'state of the art' defence, the Court finding that its limited backup facilities and absence of disaster recovery procedures were reasonable by reference to the then-current cost and availability of such systems[4], and by 1981 in New York, a bank was successfully sued because its software could not deal with the countermanding of cheques if the cheque details were incomplete[5].

All of these examples are from the United States, but have persuasive authority elsewhere: the courts were applying the same basic rules as exist under English law. In the UK as in the US, the law expects the installation of reasonably available technology and imposes on businesses and their managers a duty to train and supervise staff in its use. Even lawyers are not immune: the US courts have described an electronic retrieval system as an essential tool of a modern, efficient law office. Similar principles are capable of applying even in the field of criminal responsibility, where the test of reasonable care can also be relevant. The most drastic example must be the concept of corporate manslaughter, where a gross failure to exercise due care can render a business and its senior management liable to criminal penalties.
There is no difference in principle between a failure to provide machine guards or to control asbestos dust and a failure to provide readily-available monitoring or failsafe software. In all these respects, reckless ignorance as well as deliberate actions can found liability, both civil and criminal.
©1995 Elsevier Science Ltd
The principles of liability in negligence apply to statements as much as they do to actions. If the relationship between a business and its customer or client is so close that the customer must rely on advice given by the business, a duty exists to deliver that advice with reasonable skill and care, judged by reference to the normal standards in the relevant industry or profession. This is true regardless of how the advice is given. Advice given in a mailshot can be actionable, and so can advice given through an 'expert' system.

IT issues are also highly relevant in the law of contract. Much legal thought was exercised in the nineteenth century in adapting the structure of offer and acceptance, first to cater for a postal system and then for electronic communication in the form of telegraph and telex. Those issues are not dead, but have become even more relevant with the telecommunications revolution. The original concepts, developed to regulate a system of face-to-face communication, have been forced to adapt to cater for distances in space and time, and the basic legal concepts have been strained as a result. Most of all, the communications revolution raises issues of timing and of record-keeping quite different, quantitatively if not qualitatively, from anything relevant when the rules were developed. The familiar lawyers' problem of the battle of the forms (proving that one party accepted the other's terms of business before sending its own) takes on a new dimension where communication is near-instantaneous, and the time taken to accept or withdraw an offer can be measured in fractions of seconds.

This raises the basic issue of evidential proof, and it is this above all which demonstrates that the questions raised by evolving technology contain their own answers. In any legal dispute, it is rarely the best legal interpretation or the best lawyer which wins, but more usually the best evidence. What matters, most of the time, is not so much what happened as what can be proven to have happened, and records are everything. Here IT (or rather, the imaginative use of IT) is a powerful weapon. The business which can best regulate, track and verify its procedures and its communications will be the winner in almost any legal confrontation.
There are, of course, limits to the power of these weapons. Mainly, those limits are built into the legal system rather than resulting from any inadequacy in the technology, and mostly they are exaggerated. For instance, the situations in which computer records can be used in evidence in this country are limited. Computer records, however, are almost always admissible where compiled by a person acting under a duty (which usually includes anything produced in-house, by an employee)[6]. Very often, therefore, those records will be accepted as evidence.

This is a vital point, for it is almost impossible by oral evidence to prove a generality. A witness may say that they always gave a certain instruction or warning, or that they always enclosed their company's terms of business with quotations. That will not assist at all in the face of an assertion that, in this particular case, they did not. They are unlikely to recall every specific instance, and it is unrealistic to expect human beings or manual systems to keep complete and detailed records of every transaction. Mass storage on archiving media, however, is cheap and reliable. The more complete and precise the records of a business, the better its prospects of winning a dispute, and the less the prospect that disputes will arise. Almost invariably, the winning party in any litigation is the one with the best records, and good IT systems and procedures are a crucial evidential head-start.

This is one of the prime areas where, at many levels, IT systems can be a powerful tool for the management of legal risks, but it is not the most important or the most direct. Much more significant is the use of IT at the human interface, to manage processes and transactions. This is perhaps most obvious in industrial production, in relation to safety management and quality control, but it can be equally relevant to service provision and sales functions. At its most basic, it can mean hidden-text annotations to point-of-sale documents, defining the authority of sales personnel on pricing or including legal notes to control the variation of standard terms. At one remove, for personnel offering advice or professional services, it can mean access to expert systems.
In processes too complex to allow total automation, the employer's best protection is a system structure which builds in checks and hold-points. At its most basic level, software which provides a decision-loop (something as simple as "This creates a risk of ... Continue? Y/N") can often fulfil the employer's basic duty to provide a safe system, or provide a control on variations in contract terms. At one remove, the system can be structured to require a reference to a factual database or an expert programme as a necessary step in the creation of an advice document or a tender form. In all of these applications, the same functions which control the process itself, and therefore the risks inherent in it, can generate the necessary records. The system can then also provide what may be vital evidence as a matter of automated routine, by logging these procedures.

So far, all of this is in very general terms, and of course it is only the imaginative application of these principles in specific business situations which can produce real benefits. There is a third aspect, however, which is much more readily quantifiable, and which brings the use of technology in risk management directly into the audit arena. There is a very direct correlation between the risk-management functions of IT and cost control in at least two areas of variable costs: insurance and legal expenses.

In the insurance field, quantifiable premium discounts are often available for specific systems. For instance, many product liability and some employers' liability policies offer discounts for recognized, externally-monitored quality systems (which usually require specific IT functions to be workable) and/or for the facility, through database records, to implement rapid product recalls.

Less easily quantifiable, but equally direct, is the effect of data management on the legal expenses budget. Law itself, whether it be transactional advice or dispute resolution, is an expensive commodity. It is also usually a distress purchase. It is simple enough to demonstrate where that expense is greatest: the lawyer's time is usually purchased by the hour, and most of their
hours are occupied, not in exercising legal expertise, but in collating or in arguing facts. This is most pronounced in contentious matters, where the great majority of court time is taken up in establishing disputed facts. Those facts themselves are usually very simple (did ‘A’ say or do a thing, or not). The evidence to prove them, particularly by circumstantial methods, and the time involved, can be vast. Gigabytes of data, in the form of oral evidence and paper records, go towards establishing one binary decision in the judge’s notebook. Many of the most time-consuming, and thus expensive, of the lawyer’s functions in fact represent IT problems awaiting solution. This is certainly true of travelling time to meetings, collating documents and repeating advice in recurring situations involving different managers. The cost of resolving a legal issue therefore is, at least in part, an IT budgeting exercise. This suggests a value-added service which both lawyers and audit professionals can offer to the client business: planning and monitoring the relationship between IT systems and the reduction of risk exposure and risk-related variable costs. In many aspects, the factors in that cost-benefit equation will be, at least retrospectively, quantifiable and able to be monitored. It is a short step from this idea of IT systems as a risk management tool to their creative use for the exploitation of legal opportunities. This is particularly true in international dealings, where the legal regimes of particular states can create costs and competitive disadvantages, whilst the availability of global telecommunications offers the opportunity to plan, for tax or exchange control purposes, where (legally speaking) a service will be rendered or a function performed. At this level, legal services and IT systems are related aspects of strategic business management. 
This represents a future concept of global asset management, but will not be realized unless, as a first step, legal and audit professionals together can evolve a means of evaluating both legal procedures and IT innovations as related aspects of a single system.
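The hold-point idea discussed above (a decision loop that states the risk before the operator continues, while the same function writes the evidential record) as an added example in Python; it is a constructed illustration, not code from the article, and the action names, the risk notes and the SHA-256 hash chain that makes the log tamper-evident are all assumptions.

```python
"""Hold-point control with a hash-chained audit trail (constructed example)."""
import hashlib
import json
from datetime import datetime, timezone

# Assumed hold-points: variations of standard terms that a sales system
# should not allow without an explicit, recorded decision.
RISK_NOTES = {
    "vary_payment_terms": "payment terms beyond 30 days require credit approval",
    "waive_liability_cap": "removing the liability cap exposes the business to unlimited claims",
}

ROOT_HASH = "0" * 64  # chain anchor for the first entry


def _entry_hash(prev_hash: str, payload: dict) -> str:
    """Hash the previous entry's hash together with this entry's payload."""
    data = prev_hash + json.dumps(payload, sort_keys=True)
    return hashlib.sha256(data.encode()).hexdigest()


class HoldPointLog:
    """Records every hold-point decision as a tamper-evident chain."""

    def __init__(self):
        self.entries = []

    def decide(self, user: str, action: str, confirm: bool) -> bool:
        """Show the risk note for `action`, record who decided what and when,
        and return whether the process may continue."""
        if action not in RISK_NOTES:
            raise ValueError(f"no hold-point defined for {action!r}")
        payload = {
            "user": user,
            "action": action,
            "risk": RISK_NOTES[action],
            "continued": bool(confirm),
            "time": datetime.now(timezone.utc).isoformat(),
        }
        prev = self.entries[-1]["hash"] if self.entries else ROOT_HASH
        self.entries.append({"payload": payload, "hash": _entry_hash(prev, payload)})
        return bool(confirm)

    def verify(self) -> bool:
        """Recompute the chain; an edited entry, or one removed from the
        middle of the log, breaks every hash that follows it."""
        prev = ROOT_HASH
        for entry in self.entries:
            if _entry_hash(prev, entry["payload"]) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True
```

The chain proves that the recorded decisions have not been altered since they were logged; it does not by itself prove that the last entry was not removed, which is why such logs are usually also copied to write-once archive media.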
Properly used, and properly accounted, IT systems are a key part of the legal management of today's business.

References

1. Donoghue -v- Stevenson, [1932] AC 562, HL
2. The T J Hooper, 60 F.2d 737
3. The Lady Gwendolen, [1956] P.294, CA
4. Port City State Bank -v- American National Bank, 486 F.2d 196
5. Migden -v- Chase Manhattan Bank, 32 UCC Rep. 937
6. Civil Evidence Act 1968
NEWS

Déjà vu: Daiwa Bank loses $1.1 billion due to rogue trader

Daiwa Bank Ltd recently lost $1.1 billion stemming from a New York-based employee's attempts to conceal a $200 000 loss he suffered in a trade more than a decade ago, a case of déjà vu in light of the recent Barings debacle. The size of loss by a single trader approaches that of the losses that led to the collapse of British merchant bank Barings Plc in February, when trader Nick Leeson lost $1.4 billion in unauthorized trading of Japanese stock futures and options.

In Daiwa's case, an executive vice-president based in New York is being blamed by the Japanese bank. The bank alleges that 44-year-old Toshihide Iguchi forged and concealed trading documents for 11 years in an effort to conceal his initial loss in the US Treasury bond market, and that he committed as many as 30 000 unauthorized trades within a management structure where he was essentially overseeing himself. In 1979 Iguchi was given responsibility for managing the trading floor and auditing his own department's trades. "You have the front office and the back office - the problem was he was in charge of both", said Kazuya Sunahara, a managing director of Daiwa in Japan.

Despite the heavy loss incurred due to Iguchi, Daiwa is reported to be able to withstand a loss of this size more easily than Barings. The bank announced that even with the loss it will turn a profit of $1.01 billion for the half year ending 30 September, and that the bank has almost double that amount in unrealized gains on its securities holdings.
FAST brings first industry prosecution under new Trademarks Act

The Federation Against Software Theft (FAST) has brought a successful prosecution against a UK firm which had imported more than 6000 units of counterfeit software from the Far East. Computer Component Marketing (CCM) of Altrincham, Cheshire, UK imported counterfeit versions of Microsoft's Windows 3.11 for Workgroups operating system. These packages were then sold into the distribution channel in the UK, where the illegal trade came to light following complaints from both the public and resellers. A search warrant was executed in February 1995 by officers from the Greater Manchester Police Force and FAST, and a quantity of counterfeit product was removed. CCM pleaded guilty to charges under the new Trademarks Act 1994 and the Trade Descriptions Act 1968 for the possession and supply of counterfeit product. The director was given a three-year conditional discharge on each count and ordered to pay legal costs of £3000. Robin Lawrence, FAST Operations Manager, commented, "widespread resentment of both end users and resellers to pirated software these