Legal compliance risks arise from failure to comply with legislative, regulatory and codified (for example, professional and business codes of practice) provisions governing the supply of particular goods and services. Typical instances include infringement of: applicable laws and codes in foreign jurisdictions; domestic and foreign advertising regulations and codes of practice; provisions governing the handling of personal data; provisions relating to the protection of consumers; and general legal provisions, such as defamation or harassment. They are referred to as legal compliance risks because they arise primarily from infringement of the law.
Legal and compliance issues arise from the use of Internet technologies in the same way that they arise in the conduct of traditional commercial, business and professional activities. For instance, advertisements on websites must conform to regulations and advertising codes in the same way as advertisements which appear in publications or other media.
Legal and compliance issues range across a broad sweep of activities. For the purposes of this analysis, the following categories are identified:
• website management – addressing risks arising from the operation of an organisation’s website;
• consumers and services – addressing risks arising from the use of Internet technologies to supply goods and services;
• jurisdiction and applicable law – addressing risks arising from the conduct of business in global markets;
• Internet abuse – arising from misuse of Internet technologies;
• monitoring and surveillance – addressing risks that arise for both employers and employees from the monitoring and surveillance of personnel in the workplace;
• Web 2.0 and social networking – addressing risks arising from abuse of this activity;
• Cloud Computing – addressing risks that arise from organisations using services hosted by suppliers over the Internet.
Two types of risk arise in the context of an organisation’s management of its website: first, from the use of a domain name; and second, from the information posted on the website.
Domain names (website addresses) uniquely identify an organisation’s presence on the World Wide Web and should be instantly identifiable to consumers, stakeholders, suppliers and introducers alike. They represent a significant element of an organisation’s goodwill.
Care should be taken to register a domain name precisely with a domain name registration agent. Even slight variations may cause confusion with other domain names of similar appearance or sound, potentially giving rise to proceedings over any infringement.
Once registered, the organisation must ensure it is renewed periodically and that changes are recorded appropriately.
In the past, the practice of ‘cybersquatting’ has arisen. This involves an organisation registering the brand name of another organisation as a domain name and then attempting to sell the domain name to the brand owner.
One of the earliest cases on this issue was Marks & Spencer Plc v. One in a Million Ltd.: (1999) 1 WLR 903; on appeal, (1999) FSR 1 CA. Its implications are discussed later. Other similar cases involving illegal or improper use of domain names, with slight variations, have arisen since.
The risk posed by this type of situation is the potential to significantly affect an organisation’s trading name and goodwill. Risks also arise from failing to search thoroughly against a proposed domain name and failure to renew a registered domain name.
The quality of website content is a vital factor in drawing the attention of consumers to the site and, therefore, attracting new business. A website should promote the good name of the organisation; proactively offer information; and generate interest in the organisation’s services. Ultimately, it should aim to become a valuable resource to which consumers and clients return repeatedly.
Most importantly, information and advice posted on any website must be timely, up to date and accurate because there must be a reasonable expectation that a visitor to the site may act upon it.
Various risks arise from the content of a website. A misleading or inaccurate statement may give rise to an action for deceit or proceedings under the Misrepresentation Act 1976 if a visitor acts upon the statement and suffers loss. Out-of-date, poor-quality or inadequate information may give rise to an action for negligence.
In the same way, if an organisation links its website to that of another organisation, an action might arise against both organisations in respect of inaccurate information if the claimant can prove loss.
Many websites contain disclaimers. These can be binding as long as they are brought early to the visitor’s attention, but they are subject to a legal test of reasonableness and may be rejected by the courts.
One further issue is frequently overlooked in terms of website content. An important compliance issue is the need for websites to be accessible to the visually impaired under the provisions of equality legislation. Failure to comply may result in proceedings. Many organisations fail to reach minimum standards in this respect.
Website advertisements
Organisations both fund their marketing strategies and derive considerable income from website advertising.
However, Internet advertising creates a number of potential risks. Chief among these is the fact that online advertisements are globally accessible. While ‘terrestrial’ advertisements are governed by the law of the country in which they appear, global advertisements will appear in numerous countries and may, therefore, be subject to jurisdictions worldwide, so increasing the risk of contravening laws, regulations and professional or commercial codes of practice where advertising content is received.
Earlier, in the context of website information, the risk of liability arising from content on a linked site was considered. The same risk potentially arises in respect of advertising content too.
Domestically, criminal proceedings may also arise. Both the Trade Descriptions Act 1968 and the Consumer Protection Act 1987 create offences for misleading statements of certain types.
Website copyright infringement
Copyright gives the owner or originator of material the legal right to prevent others from copying the material without permission.
Two risks arise in the context of information posted on websites:
• the unauthorised reproduction by another of material posted on the organisation’s website;
• the posting of content on the organisation’s website without permission of the creator and/or the website host.
UK copyright law is governed by the Copyright Designs and Patents Act 1988 and includes material posted on a website. Risks, therefore, arise from the reproduction of material on the organisation’s website; inadequate notice to website visitors regarding the organisation’s policy on the copyright of posted material; and failure to appropriately instruct personnel responsible for management of the copyright of website content.
Related to copyright infringement is the emerging practice of downloading copyright material in the form of (most commonly, music) files and distributing these illegally – known as illegal file-sharing. This is now governed by the Digital Economy Act 2010 (see Chapter 9).
Website compliance
The correct management of a website includes ensuring that it is operated in compliance with relevant statutory and regulatory provisions. This includes compliance with provisions governing the supply of information regarding the provision of services through websites.
Examples of these compliance provisions include the Companies Act 2006 and the Provision of Services Regulations 2009, both of which govern the supply of information about an organisation offering services, and both of which are considered in Chapter 9.
In addition, there is a duty on website owners to ensure that adequate provision is made for visually impaired users of a website. This was governed by the Disability Discrimination Act 1995, which is consolidated in the Equality Act 2010, also considered further in Chapter 9.
Organisations handle vast quantities of confidential electronic data and are exposed to considerable risk because of the instantaneous, mercurial and pervasive manner in which information and data can be dispersed through Internet channels.
Internet technologies make personal data easy to distribute, transfer, retain and store. At the same time, errors in operating Internet technologies can result in loss, distortion, corruption or erroneous transfer of data. Improper management of data arises in the following forms:
• improper or unlawful processing;
• improper use of data;
• storage of inaccurate data;
• loss or damage to data;
• unauthorised transfer of data.
Internet technologies enable information to be easily transferred. International transfer of data has never been easier, but it is governed by strict provisions. All organisations should be familiar with the increasing amount of complex legislation surrounding data handling as well as various codes of practice and guidance issued by the ICO.
Information which is widely available is no longer confidential – there is no control over those who have access to it. Internet technologies are inherently insecure and careful thought is required over their suitability for communicating private information.
The obligation to treat information confidentially can arise in a number of ways, for example:
• professional obligations through codes of practice and professional regulations; for example, in this respect solicitors are governed by the Solicitors’ Code of Conduct 2007;
• the insertion of a confidentiality clause in a contract;
• the use of a non-disclosure agreement (NDA) in tendering documents;
• employer–employee relationships, where obligations of confidentiality are frequently imposed.
Breaches of confidentiality can easily arise through the use of Internet technologies. Casual use of e-mail can result in a confidential e-mail being sent to the wrong recipient(s). Unauthorised individuals may access confidential data which is not adequately protected. The trend towards information sharing and collaboration, as exemplified by Web 2.0 and social networking, offers numerous opportunities for data leakage.
Data leakage and breaches of confidentiality can result in criminal and civil proceedings, and reputational damage.
At law, a duty of care arises when providing advice to someone who may reasonably be expected to rely on it. E-mail, websites and extranets are Internet technologies which are all employed for the provision of information and advice. Employees may frequently have occasion to offer advice through these channels.
The risks surrounding the content of websites were considered earlier. The speed and informality of e-mail can result in information and advice being provided with insufficient consideration – and, in the case of employees behaving in this way, there follows the risk of an organisation being exposed to legal proceedings.
In complex transactions using extranet technologies, where teams of personnel with differing levels of expertise are engaged, there is a real danger of inexperienced personnel inadvertently giving incorrect advice and information.
In a similar way, informal communications through social networking sites can result in casually offered information and advice on which reliance is placed.
Yet another risk arising from the speed and informality of e-mail is the ability to form online contracts inadvertently. Inexperienced employees are especially vulnerable in this respect and run the risk of exceeding their authority and accidentally concluding a contract on behalf of an employer.
If the employee has ostensible or apparent authority to enter into a contract on behalf of an employer, the contract may be binding and the employer may be liable under the terms of the contract, regardless of whether the employee had actual authority.
Risks can arise in the conduct of transactions and are a good illustration of how the traditional model of business activity sits uneasily with the Internet model.
It is perhaps best illustrated within the legal profession in which ‘high-street’ practices, in particular, offer traditional legal services, such as the preparation of wills and the administration of probate estates. Internet technologies now enable these services to be provided at a distance.
The question arises as to the conduct of these transactions. Are there any codes or regulations or consumer protection measures that apply to ‘distance’ contracts for goods and services? If so, what level of compliance is required and what risk management steps should be taken?
It is almost impossible to apply terrestrial laws reliably to an environment governed by Internet technologies. This problem is significantly compounded when considered in an international context, where individual countries jealously guard their jurisdictions.
As e-mail and website content can be read in virtually any country, there arises the potential for considerable confusion in providing services over the Internet because, in theory at least, each country receiving content may wish to claim exclusive jurisdictional control in the event of a dispute.
Given this confusion, the most likely method of resolution is to obtain some form of international agreement. Some organisations provide frameworks to govern certain aspects of the Internet. The World Intellectual Property Organisation (WIPO) and the Internet Corporation for Assigned Names and Numbers (ICANN), which administers the issue of domain names, are two examples of bodies supervising administrative issues ‘consensually’. However, strictly speaking, there is no overarching authority.
The law of defamation applies equally to electronic communications in the same way as it does to any other ‘traditional’ paper-based communication. Defamation on the Internet is sometimes referred to as ‘cyberlibel’.
Defamation is an untrue statement, published to a third party, that damages the reputation of a person, or persons or a corporate entity. Therefore, electronic defamation might occur through publication in an e-mail, on a website, on a bulletin board or newsgroup, or in a discussion group. Social networking sites are now an increasing source of Internet defamation, largely because of their informal nature.
There must be publication to a third party, but Internet technologies change traditional concepts and views of publication. For instance, screening of e-mails might give rise to publication. As liability can attach to publishers of a libel, an organisation might attract liability for statements made by employees acting within, or ostensibly within, the scope of their employment, or even through third-party statements appearing on its website.
When sending an e-mail, it is easy to slip into informality. In both internal and external e-mail, employees can overlook the legal validity of e-mail and make comments that would clearly be defamatory in a letter or fax.
Internet technologies enable obscene material to be accessed and distributed in various ways and can facilitate obscene behaviour in the workplace. Typical examples are the publishing and distribution of indecent or obscene material via e-mail, or the display of indecent material downloaded from a website. E-mail is an example of the use of a public communications system on which it is a criminal offence to send an offensive, indecent or obscene message.
A development of this is the specific offence of possessing an indecent photograph or pseudo-photograph of a child, and there have been various high-profile cases, almost all involving the downloading or distribution of such material from the Internet.
Harassment is conduct of a nature which the victim finds unacceptable, unreasonable or offensive. It can include both verbal and physical behaviour and a single act can be sufficient. Sexual harassment might, for example, include direct harassment by e-mail or indirect conduct, such as downloading or distributing sexually explicit material.
In both instances, the most obvious source of offending is likely to arise through the careless or irresponsible use of e-mail. The informality of e-mail lends itself to the use of inappropriate and improper language and expression.
Offensive material copied from a website might also constitute commission of the offence in either case. A board of directors (in the form of a company) or partners in a firm might find themselves liable for an employee’s conduct in this area, if it was within their control.
Once again, social networking sites are a potential source of this behaviour because of the informal nature of communications and the ready sharing of information and opinions.
A number of statutory and regulatory provisions have been introduced to govern the status of secure communications passing over the Internet. These provisions attempt to balance the right to intercept secure communications for certain purposes, for example, the interests of national security, against the rights of individuals conferred by the European Convention on Human Rights.
Included in these provisions are rights for employers, in certain circumstances, to monitor employees in the workplace, including their use of e-mail and the Internet. The risks arising from the use of Internet technologies in the workplace are considered in the next chapter. However, these operational issues also give rise to legal obligations with which employers must comply.
These statutory provisions are examined in Chapter 9, but they introduce particular questions for consideration. First, there is the possibility that secure communications with clients and others may be the subject of an application for surrender and disclosure to the authorities, with implications for the confidentiality of professional and business relationships.
Second, while employers may have the right to monitor the use of Internet technologies in the workplace, there are limited grounds upon which they are entitled to do so. Taking action outside exemptions contained in the legislation will expose the employer to the risk of criminal prosecution.
Potentially serious legal and compliance issues also arise from the casual use of social networking sites. Employers who use social networking sites as a source for recruiting people may be vulnerable to accusations of discrimination.
An employer may attempt to, or actually, obtain information and data about a potential employee’s sexual or religious orientation through such sites. As well as offending against existing legislation, this also contravenes the Employment Practices Data Protection Code (see Chapter 9).
The exchange of confidential data by employees, within and beyond the organisation, risks a breach of the DPA; and in certain circumstances, the employer and/or employee might be liable to criminal proceedings.
Furthermore, overfamiliarity between potential or even actual employees through the use of social networking sites can give rise to problems for both employer and employee. Much publicity has arisen from the practice of employees publishing derogatory remarks about their employers on such sites.
Recently, an employee was dismissed for publishing offensive remarks about her employer on such a site and in another case, some members of a transport service were dismissed for insulting remarks about passengers posted on a social networking site.
The development of social networking has given rise to the emergence of illegal file-sharing. This activity most frequently involves the downloading and distribution of music files, avoiding the required payment. Sometimes pornographic material is also involved. While this is an operational issue because it involves employees’ behaviour, it is also illegal because it may infringe the Copyright Designs and Patents Act 1988 and the Digital Economy Act 2010, both considered in more detail in Chapter 9.
As well as technology risks, Cloud Computing also gives rise to a number of legal and compliance risks. These risks arise mainly from organisations failing to understand the scope and relevance of legal and regulatory provisions, including codes of practice and industry standards.
Probably the most prominent legal and compliance risks revolve around compliance with the DPA. Many of the issues involving compliance with this legislation run in tandem with the technology risks associated with Cloud Computing.
An organisation does not divest itself of responsibility or liability under the DPA by simply outsourcing the processing of its data to a supplier of such services. Responsibility and liability remain with the organisation at all times for the duration of the Cloud Computing project.
IT risks arising from the safe and proper handling and management of the organisation’s data by a supplier also involve compliance issues under the DPA. Non-compliance with the DPA can result in the organisation facing criminal proceedings under the DPA, or civil proceedings for negligence taken out by a consumer for loss or damage to its data, as well as considerable reputational damage.
Penalties for non-compliance with the DPA have recently increased and the ICO has expressed an intention to give examples of serious non-compliance a significantly higher profile.
Therefore, situations involving loss or damage to data are not only serious risks to an organisation in the context of IT, they are also serious compliance issues because such situations will almost certainly have involved a failure, directly by the supplier and vicariously by the organisation, to take adequate steps to protect the security of the data concerned – a breach of one of the eight principles of the DPA.
Similar exposure to liability might arise in respect of the potential for contamination by viruses and other malware of data stored in close proximity to the data of other organisations in farms of virtualised servers.
The collection of vast amounts of data in remote servers, sometimes globally dispersed, raises another compliance issue. The DPA provides that data shall not be transferred beyond the EEC, unless there is clear and available evidence of adequate provisions for its safe and proper management in the recipient country.