The best way to ensure employee security is to make them aware of the risks,
writes Peter Wilson from Tarlo Lyons Solicitors. Along with the commercial advantages that the increased use of e-commerce has brought, there
is an ever-increasing number of security issues. Global interaction and interconnectivity
mean that customers are more accessible to providers, but it also means that the
business is more vulnerable to everyone. Failure to properly deal with information security
issues involves both regulatory risk (such as data protection) and more general business
risk.
Recent statistics suggest that almost half of UK businesses suffer at least one malicious
security breach a year. The average cost of a serious security breach is £30,000. Despite the
growing threat, only 27 per cent of UK businesses spend more than one per cent of their
total IT budget on information security.[1]
Although there are hundreds of security products now available on the market, there is
one defence that outstrips the rest in terms of both value for money and effectiveness:
namely, awareness. Linked to this is the creation of a culture of security and the need to bind
staff to contracts that protect the business’s trade secrets and confidential information.
Security awareness and employees
Managers and directors of businesses need to be aware of the threats facing their organisations
and of the potentially devastating effect that a security breach could have on them.
They also need to be aware that there are a number of simple steps that can be taken to
enhance security.
One of the biggest threats to information security that a company is faced with comes
from its own employees. In order to minimise this risk, a culture of security should be
promoted within companies; this begins as early as the recruitment process.
Recruitment, contracts and policies
Even if the recruitment function is outsourced, it is still the end-user’s business that is at
risk, so it is the end-user who must ensure that both the method of recruitment and the
contract governing the outsourcing cover the issue of security:
background checks should be carried out on all staff and potential staff;
the employee should be made aware of his/her obligations, both under the contract of
employment, and through office-wide policies;
a strong password must be used and changed on a regular basis to keep the network
more secure;
if employees work from home, or remotely via laptops, dual identification procedures
should be used.
Along with all of the issues relating to information security, managers should keep in mind
employees’ human rights and data protection law, both of which affect data
storage and employee surveillance.
If any of the company’s business is conducted online, especially where money transactions
take place on the Internet, information coming in from external sources should be
checked twice: once as information is fed between the external source and the website; and
once as it moves between the website and the company network. This is especially
important when dealing with overseas customers, because regulation of information
security may not be as stringent as it is in the UK.
If dealing with international websites on
a more permanent basis – ie if a business function has been outsourced overseas – it is
important that the contracts governing the movement of information between the two sites
deal with the issues of information security and data protection, and that they provide an
equivalent level of protection to the laws in the UK.
As well as awareness of the threats facing the company, management should ensure
that there are procedures, and accountable people throughout the management structure, in
place to deal with a security breach should it happen. Early detection can save thousands of
pounds worth of damage to the network. As new viruses are introduced every week, the
anti-virus software that covers a company’s network should be updated regularly. Having a
back-up server can cut down the downtime for web-based products, thus minimising the
loss of business and customer confidence. Another way to safeguard customer confidence is
to ensure that publicity is handled carefully.
Employment contracts
A carefully drafted employment contract can help secure the following:
the employee’s compliance with the relevant security procedures and policies;
compliance with the employer’s email and Internet policies;
protection of the business’s intangible assets: copyright, databases, inventions, trade
secrets and confidential information (including customer lists and technical information
such as computer source code). This can be achieved through the use of restrictive
covenants where appropriate. Also, express clauses protecting these assets can be
included, which ensure that a higher level of protection is granted than that given by law.
Conclusion
IT spending has increased as the advantages of e-commerce have been recognised by UK
businesses; but the spending on IT security is still worryingly low. The publicity
surrounding international incidents such as the Melissa and Lovebug viruses shows just
how vulnerable businesses and national infrastructure systems are to cyber-criminals.
Company directors are beginning to acknowledge that the risks associated with providing
e-commerce services are some of the most serious facing businesses today, and yet the most
basic measures are still not being implemented. Businesses must implement security
policies and appropriate technologies both to comply with data protection law and to
protect their operations.
Tarlo Lyons is a leading London law firm focused on delivering commercial solutions
for technology-driven business. It has one of the largest teams of dedicated
technology lawyers in England, and believes in leveraging the expertise and talent it
has assembled to provide real benefits for its clients. It believes that success comes
from contributing to its client’s objectives, and its ability to understand and work
with technology is central to this.
For further information contact: Tarlo Lyons, Watchmaker Court, 33 St. John’s
Lane, London EC1M 4DB. Tel: +44 (0)20 7405 2000; Fax: +44 (0)20 7814 9421;
Website: www.tarlolyons.com
Electronic contracting
The errors that result from computers making contracts differ from the ones
made by people, says William Kennair, Chair, ICC’s (International Chamber of
Commerce) Commission on E-Business, IT and Telecoms Task Force on Security
and Authentication. Legal rules relating to mistake, bad faith and misrepresentation
may not fit the errors that result from computers processing transactions.
‘Electronic contracting’ is the automated process of entering into contracts via the
contracting parties’ computers, whether networked or through electronic messaging.
Because the parties can program their computers to respond automatically to certain inputs
(such as an offer or enquiry), the parties may not be aware in every case of precisely what
their networked computers are doing, and they may not consciously participate in the
contract formation process. Moreover, the errors that result from computers making
contracts (probably due to the programming logic) are sometimes not the kind that human
beings would make, and the legal rules relating, for example, to mistake, bad faith and
misrepresentation may not quite fit the errors that result from computers processing transactions.
The economic context in which electronic contracting takes place has come to be dominated
by large-scale public networks of computers – networks that have become easy to use
and practically ubiquitous in many commercial environments, for example, the World Wide
Web. These developments fundamentally affect the way business is done, even where it is
already being done electronically. The greater power and reach of the new networks also
offer opportunities for achieving greater efficiency in performing transactions. To consider
how transactions work electronically, a look at basic business models is informative.
Electronic business models
In most economic cultures the basic model for doing business is the market. In a market
model, those who have meet those who need – they bargain and agree, and they exchange.
The market is assumed to operate among an open, broad community, and in that respect it
differs from a chain. This constitutes an open business model.
In a chain, the number of buyers and sellers is restricted due to obligations of exclusivity.
If a chain has been imposed, a stranger can no longer simply go to the marketplace
and sell what he has or buy what he needs. Instead, a seller is committed to sell only to a
specified buyer or small group of buyers. Similarly, a buyer is also restricted to a defined set
of sellers. This constitutes a closed business model. The exclusivity is a matter of degree
and depends, among other things, on:
Relative bargaining power of the parties.
The relative number and availability of alternatives
are amongst the factors determining bargaining power. Bargaining power has
often proven to be greater in the buying role, assuming that many potential suppliers
exist or can be induced to exist.
Cost of building one-off relationships. The stranger-to-stranger transactions of the
market model can be expensive, depending on how the transactions are carried out.
In the recent past, the cost of building relationships has increasingly led those parties with
superior bargaining power to promote the building of chains. Factors that contribute to that
cost are:
Need for specialised goods. In the automotive, aerospace and similar industries, the
captive supply chain manufactures goods that are not standard, fungible commodities
but rather are made to the buyer’s specifications. Over time the supplier may recover the
costs of tooling-up to produce goods that satisfy unique specifications, and may thus
become economically dependent on a powerful buyer. In addition to specialised goods,
distribution services are often established to support the chains and are dependent on the
chains for their subsequent survival.
Technical set-up and integration. Traditional electronic data interchange (EDI) is based
on the chain model because of the difficulty and complexity of setting up interconnected
databases and reliable means of transferring information between them. The legal
approach to EDI reinforced this dependence on chains – the legal basis for EDI was
established bilaterally between ‘trading partners’ through an agreement that was
intended to suffice for all transactions that the parties would carry out. EDI has thus
greatly promoted the development of trade chains in recent years at the expense of free
choice in the marketplace.
A more recent model is the web portal, whereby an intermediary establishes favourable
pricing for purchases made through their portal. Generally they establish a closed user-consumer/retail
group, and membership involves agreeing to certain rules. This model is
between a closed and open system, being less formally structured than EDI, and is business-to-consumer
focused rather than business-to-business focused as in EDI. The technical
connectivity is much simpler and the relationship is established contractually. Other forms
of ‘portal’ are appearing that are aimed at providing an open marketplace or exchange of
goods and services. This marketplace or exchange is itself a service, and the growth of
intermediaries is an indication of the major change from more traditional business models.
Although chains have become common in recent years, the market (or ‘open’) model
retains a great advantage over the chain (or ‘closed’) model and a modest advantage over
the semi-closed portal model: it is more economically efficient.
The exclusivity of a chain
causes the buyer to forego getting it cheaper elsewhere and the seller to forego finding a
better price elsewhere. A chain also burdens innovation by locking in a defined set of
suppliers and locking out entrepreneurs with innovative products but without access to the
locked-in sales channel. Further, a market is also highly responsive to changing circumstances,
whereas the complexity and production integration of a chain can make it slow to
realise that, for example, cars must now be more fuel-efficient. Fundamentally, the
economic attractiveness of the market model persists.
Early electronic commerce fostered the proliferation of chains into areas where either
they had not existed or they had never been firmed up into legal commitments. EDI was so
difficult and complex to set up that it required the co-operation of both buyer and seller.
Securing that co-operation often involved a strong party compelling a weaker one to join in
the interchange. However, the cost savings possible through EDI made the economic inefficiency
of the chain model compared to the market model tolerable. As electronic
commerce matures, it becomes simpler, easier and more standardised, as well as more
powerful. It has also become nearly ubiquitous, more than widely enough distributed to
support a market model of commerce. These subsequent developments create opportunities
for increased economic efficiency by re-evaluating where a chain is necessary and where a
return to a market model can yield advantage.
It is important to remember, however, that whatever model is in use, the protocols or
systems in use must be fit for purpose and the controls in place must be appropriate to the
value of the transaction.
Developments affecting economic models
The developments since the early days of electronic commerce (the EDI era) have reduced
much of the technical complexity and interdependence required to engage in electronic
commerce. Today, many parties without extraordinary technical sophistication buy and sell
electronically at a cost of set-up unimaginable in the EDI days. In large measure, this
change is a result of:
more powerful yet user-friendly methods of information interchange;
the commercialisation of trust, and
electronic contracting.
The following section examines each of those in turn.
More powerful messages
The information-carrying power and flexibility of electronic messages has increased
dramatically in recent years. In early electronic commerce, messages consisted merely of
unlabelled data fields in a prescribed form. Because development and set-up for utilising
those messages was laborious and expensive, software producers and system integrators
insisted on widespread agreement on all aspects of the form, which meant that the form
became inflexible. While this highly formalised approach to electronic commerce remains
common in older systems, a new approach to message form has emerged from the World
Wide Web. Experience with hypertext markup language (HTML), the format for Internet
documents derived from the standard generalised markup language (SGML), led to making
SGML extensible, and the extensible markup language (XML) was born. XML has since
overtaken the earlier formalistic messages used in EDI, although EDI remains in use in
legacy systems. The power and flexibility of newer message forms and their ability to integrate
data with a documentary context sets the stage functionally for electronic contracting.
Besides these functional capabilities, business-grade electronic commerce requires
message security and assured authenticity.
Commercialisation of trust
All forms of trade require an essential element of trust between the participants. As we
move towards using the Internet for electronic trading (electronic commerce), this ability to
trust must be maintained. For centuries a significant element of trading has been the ability
to carry out transactions in a confidential manner and to be able to ‘bind’ the resultant deal.
This may have been in the form of a handshake, or by signed and witnessed documents.
Some transactions are anonymous, whilst some only require the exchange of a token such
as a bond or a Bill of Lading. Whatever the process, the electronic environment must enable
it to continue.
Trust is an abstract quality that is generally derived over time between two (or more)
parties. Within electronic contracting the parties may not have met, and there is a desire to
‘fast-track’ the establishment of an appropriate level of trust. Consequently, the ability to
rely on an electronic message has become progressively commercialised as an industry that
is increasingly known by the term ‘trust services’. The value of trust services lies in a
transfer of risk from the parties in a transaction to third-party service providers.
For
example, the following services are commonly used in business-grade electronic
commerce:
Authenticity services ensure that a message is genuine – in other words, that it is authenticated
by an identified party, that it has remained intact and that evidence can be
produced to establish both of those facts should the sender deny authenticity. A
‘certifier’ as defined in the GUIDEC[1] is a species of authenticity service.
Payment and credit services ensure that instructions or obligations to pay are properly
approved by the payer and carried out in favour of the intended payee. Some of these
services are electronic adaptations of transactions originally developed on paper, such
as bankcard charges and letters of credit. They also include experiments in new forms of
electronic funds transfers.
Operational auditing or accreditation services review the security, information flows
and other technical aspects of a system’s operations to determine whether they accord
with its obligations.
These commercial trust services supporting business-grade electronic commerce create a
basis for conducting transactions that is at least as solid as the traditional paper basis.
Together with more powerful message capabilities, they make electronic contracting
possible on a scale greater than previously envisaged.
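The authenticity service described above has to be able to show three things: that a message was signed by an identified party, that its text is intact, and that evidence of both survives if the sender later denies it. The following Go program is an added illustration of that service, not code from the page or from ICC or GUIDEC. It assumes the certifier keeps a registry of parties' public keys (the hypothetical `Registry` type) and uses Ed25519 signatures; the party names, keys and order text are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Registry stands in for the authenticity service's directory of identified
// parties: party name -> the public key that party registered. Hypothetical.
type Registry map[string]ed25519.PublicKey

// SignedMessage is a business document plus the sender's signature over it.
type SignedMessage struct {
	Sender string
	Body   []byte
	Sig    []byte
}

// Evidence is what the certifier retains so that it can later prove both
// facts (who signed, and that the text is unchanged) if the sender denies them.
type Evidence struct {
	Sender     string
	BodySHA256 string // hex digest of the body as received
	Signature  string // hex Ed25519 signature over the body
	PublicKey  string // hex key the signature verified against
}

// Sign is the sending party's side: sign the document with its private key.
func Sign(sender string, priv ed25519.PrivateKey, body []byte) SignedMessage {
	return SignedMessage{Sender: sender, Body: body, Sig: ed25519.Sign(priv, body)}
}

// Verify is the receiving side: the message is genuine only if the signature
// verifies under the key registered for the party it claims to come from.
// A change to a single byte of Body, or a signature made with an
// unregistered key, fails here.
func Verify(reg Registry, m SignedMessage) error {
	pub, ok := reg[m.Sender]
	if !ok {
		return fmt.Errorf("sender %q is not an identified party", m.Sender)
	}
	if !ed25519.Verify(pub, m.Body, m.Sig) {
		return errors.New("signature does not verify: altered text or not signed by " + m.Sender)
	}
	return nil
}

// Record verifies the message and then produces the evidence the certifier keeps.
func Record(reg Registry, m SignedMessage) (Evidence, error) {
	if err := Verify(reg, m); err != nil {
		return Evidence{}, err
	}
	sum := sha256.Sum256(m.Body)
	return Evidence{
		Sender:     m.Sender,
		BodySHA256: hex.EncodeToString(sum[:]),
		Signature:  hex.EncodeToString(m.Sig),
		PublicKey:  hex.EncodeToString(reg[m.Sender]),
	}, nil
}

// CheckEvidence re-establishes, from the retained record plus a copy of the
// text, that this text is the one that was signed and that the registered key
// signed it. This is the proof offered if the sender later denies authenticity.
func CheckEvidence(ev Evidence, body []byte) bool {
	sum := sha256.Sum256(body)
	if hex.EncodeToString(sum[:]) != ev.BodySHA256 {
		return false
	}
	pub, err1 := hex.DecodeString(ev.PublicKey)
	sig, err2 := hex.DecodeString(ev.Signature)
	if err1 != nil || err2 != nil || len(pub) != ed25519.PublicKeySize {
		return false
	}
	return ed25519.Verify(ed25519.PublicKey(pub), body, sig)
}

// Demo runs one genuine exchange, one tampered copy and one forgery.
// All parties, keys and messages are constructed for this example.
func Demo() (genuineOK, tamperedRejected, forgedRejected, evidenceOK bool) {
	buyerPub, buyerPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, strangerPriv, _ := ed25519.GenerateKey(rand.Reader)
	reg := Registry{"Buyer Ltd": buyerPub}

	order := []byte(`<order><item>widgets</item><quantity>24</quantity></order>`)
	msg := Sign("Buyer Ltd", buyerPriv, order)
	ev, err := Record(reg, msg)
	genuineOK = err == nil

	tampered := msg // same signature, altered quantity: integrity check fails
	tampered.Body = []byte(`<order><item>widgets</item><quantity>240</quantity></order>`)
	tamperedRejected = Verify(reg, tampered) != nil

	forged := Sign("Buyer Ltd", strangerPriv, order) // unregistered key claiming to be the buyer
	forgedRejected = Verify(reg, forged) != nil

	evidenceOK = CheckEvidence(ev, order) && !CheckEvidence(ev, tampered.Body)
	return
}

func main() {
	fmt.Println(Demo())
}
```

The design point is that the certifier never needs the signer's private key: the retained evidence (digest, signature, registered public key) is enough to reproduce the verification later, which is what makes the risk transfer to a third party credible.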
Automated and agent-based electronic contracting
Networked computers make and perform contracts with increasing frequency using the
various business models described above. They also perform other actions that can greatly
affect the rights and liabilities of the parties. The active, conscious participation of the
parties in these processes can vary from a thorough deliberation about the legal significance
of a transaction to complete unawareness. These new electronic contracting capabilities
introduce a new dynamic into business and trade transactions. It is now easy to make
contracts, because parties can automate the contract formation process and then manage it
much like they manage their other critical information technology systems.
The ease of making contractual deals through automation may lead prevailing
commercial structures back towards market economic models. Extensive networks such as
the Internet and NASDAQ have demonstrated the vitality of markets in which highly customised
products are not the object. Markets, rather than chains, are the natural and
more efficient economic model in large networks where the many who have are juxtaposed
against the many who need.
Besides enabling a return to market economics, automated (including agent-based)
electronic contracting can also potentially be more flexible. It can facilitate better
alignment with the real relationship between the parties as it evolves. In the thinking underlying
EDI and chains, contract formation was viewed as a manual process that occurred
once and for all when a link in the chain was forged. This front-loading of the contract
formation process made the transactional rules incapable of evolving as the relationship
evolved and incapable of responding to new opportunities or transactions. Setting out
ground rules at the start makes sense, but ground rules should leave room for working out
contractual specifics later. It is more practical to have an initial enabling contract that sets
out ground rules and to allow further contracts to draw in specific details, opportunities,
transactions and relationships that occur. In particular, those later, more specific contracts
can perhaps most efficiently be made through automated electronic contracting.
Principles of fair electronic contracting (POFEC)
The first GUIDEC set the stage for a principled commercialisation of trust in accordance
with business needs, and now by incorporating principles of fair electronic contracting
(POFEC), the current version seeks to do the same for electronic contracting. Although
electronic contracting offers new possibilities for efficient transactions and economics, as
well as greater flexibility and evolutionary capabilities, it also has new vulnerabilities that
can be abused and could face theoretical validity questions in some legal systems.
Abuse may arise because the capabilities of computers in processing documents have
limitations that are different from those of people. A computer’s ability to perceive the
significance of information depends entirely on what its programming anticipates and what
the computer can recognise in its input. It would, for instance, have great difficulty in ascertaining
a price from a simple, untagged expression that would be quite clear to a human
reader, such as ‘for a price of ten pounds sterling per dozen’.
Further, even if the input is tagged to make it recognisable to a computer, a program
may fail to properly interpret and process it.
Usually such short-sightedness in
programming is inadvertent or simply a constraint to be accommodated; but failings can
also result from pranks, or from even more sinister causes. However, although a computer’s
document processing capabilities are limited and susceptible to abuse, many business
leaders are finding that the speed and cost savings of automation nevertheless justify the use
of computers to process business documents.
Increasingly, such documents can affect the obligations and rights of the computer
users. Computers now perform transactions that cannot be seen as anything other than the
making or extending of a contract. Sometimes those transactions are validated by an
enabling umbrella agreement. However, contracts are also now commonly made between
strangers via the Internet, without any ascertainable previous relationship between them at
all, let alone a preparatory contract with provision for subsequent electronic contracting.
The increasing commercial significance of the transactions that computers perform, despite
their limitations and vulnerabilities, demands practices that respect those limitations and
vulnerabilities.
The POFEC examine the computer-to-computer processing of commercial documents,
and in particular those documents that cause non-consumers to incur or increase their obligations.
They do not, and cannot, establish legal requirements themselves, but they do state
best practices in order to inform on both policy and the practical conduct of international
commerce as it proceeds to involve obligations incurred in ever-more automated ways.
The main elements of the POFEC are:
1. Drafting of documents for document processing systems to:
avoid a battle of forms;
incorporate external documents sparingly and carefully;
avoid inclusion of inapplicable text;
use document type when appropriate;
avoid unrecognisable mark-up in a document;
ensure authenticity adequately;
permit manual intervention and override.
2. Legal efficacy of electronic contracting covering:
assent by a document processing system;
mistakes and document processing systems;
availability of the human readable form;
principles of evidence.
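The earlier discussion of a computer's limited ability to interpret an untagged price, and the POFEC drafting rules just listed (recognisable mark-up only, manual intervention and override), can be made concrete with a small document processing system. The Go program below is an added example, not part of the page or of the POFEC themselves. It assumes a hypothetical order document type, a constructed limit above which the program declines to commit automatically, and constructed sample documents; it shows the untagged phrase from the text being rejected rather than misread, unrecognised mark-up being refused rather than silently ignored, and a large obligation being routed to a human.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"io"
	"strings"
)

// Order is the document type this (hypothetical) processing system is
// programmed to recognise. The price must be tagged with a currency and a
// unit; an untagged phrase such as "ten pounds sterling per dozen" is not
// something this program can interpret.
type Order struct {
	XMLName  xml.Name `xml:"order"`
	Item     string   `xml:"item"`
	Quantity int      `xml:"quantity"`
	Price    Price    `xml:"price"`
}

type Price struct {
	Currency string  `xml:"currency,attr"`
	Per      string  `xml:"per,attr"`
	Amount   float64 `xml:",chardata"`
}

// Result records what the system decided and why.
type Result struct {
	Decision string // "accepted", "rejected" or "manual-review"
	Reason   string
	Total    float64 // obligation incurred, in the order's currency
}

// Constructed thresholds and vocabularies for this example.
const manualReviewAbove = 10000.0

var knownElements = map[string]bool{"order": true, "item": true, "quantity": true, "price": true}
var knownCurrencies = map[string]bool{"GBP": true, "EUR": true, "USD": true}
var unitsPerPrice = map[string]int{"each": 1, "dozen": 12}

// checkMarkup rejects any element the program was not written to handle,
// rather than silently ignoring it (which xml.Unmarshal would otherwise do).
func checkMarkup(doc string) error {
	dec := xml.NewDecoder(strings.NewReader(doc))
	for {
		tok, err := dec.Token()
		if err == io.EOF {
			return nil
		}
		if err != nil {
			return err
		}
		if se, ok := tok.(xml.StartElement); ok && !knownElements[se.Name.Local] {
			return fmt.Errorf("unrecognised mark-up <%s>", se.Name.Local)
		}
	}
}

// Process applies the drafting rules: known mark-up only, every value that
// matters tagged and machine-checkable, and a manual override for documents
// whose consequences exceed what the program should commit to on its own.
func Process(doc string) Result {
	if err := checkMarkup(doc); err != nil {
		return Result{Decision: "rejected", Reason: err.Error()}
	}
	var o Order
	if err := xml.Unmarshal([]byte(doc), &o); err != nil {
		return Result{Decision: "rejected", Reason: "cannot interpret document: " + err.Error()}
	}
	if !knownCurrencies[o.Price.Currency] {
		return Result{Decision: "rejected", Reason: "price has no recognised currency tag"}
	}
	units, ok := unitsPerPrice[o.Price.Per]
	if !ok {
		return Result{Decision: "rejected", Reason: "price has no recognised unit tag"}
	}
	if o.Quantity <= 0 || o.Price.Amount <= 0 {
		return Result{Decision: "rejected", Reason: "quantity and price must be positive"}
	}
	total := o.Price.Amount * float64(o.Quantity) / float64(units)
	if total > manualReviewAbove {
		return Result{Decision: "manual-review", Reason: "obligation exceeds automatic limit", Total: total}
	}
	return Result{Decision: "accepted", Total: total}
}

// Constructed sample documents.
const (
	SampleTagged   = `<order><item>widgets</item><quantity>24</quantity><price currency="GBP" per="dozen">10.00</price></order>`
	SampleUntagged = `<order><item>widgets</item><quantity>24</quantity><price>for a price of ten pounds sterling per dozen</price></order>`
	SampleUnknown  = `<order><item>widgets</item><quantity>24</quantity><price currency="GBP" per="each">1.00</price><discount>50%</discount></order>`
	SampleLarge    = `<order><item>engines</item><quantity>500</quantity><price currency="GBP" per="each">95.00</price></order>`
)

func main() {
	for _, d := range []string{SampleTagged, SampleUntagged, SampleUnknown, SampleLarge} {
		fmt.Printf("%+v\n", Process(d))
	}
}
```

The separate token walk in checkMarkup matters: a decoder that quietly drops elements it was not told about is exactly the short-sightedness the text warns of, since a document could carry terms the program never evaluates but a human reader would treat as part of the deal.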
It is anticipated that further projects within ICC’s Commission on E-Business, IT and
Telecoms will tackle in greater detail many of the issues raised herein.
ICC is the world business organisation and the only representative body that speaks
with authority on behalf of enterprises from all sectors in every part of the world.
Because its member companies and associations are themselves engaged in international
business, ICC has unrivalled authority in making rules that govern the conduct
of business across borders. Although these rules are voluntary, they are observed in
countless thousands of transactions every day and have become part of the fabric of
international trade.
For more information on GUIDEC II contact: International Chamber of Commerce,
38 Cours Albert 1er, 75008 Paris, France. Tel: +33 1 49 53 30 13; Fax: +33 1 49 53
28 59; E-Business, IT and Telecoms email: ayesha.hassan@iccwbo.org; Website:
www.iccwbo.org