First Monday

Management Responsibility in Protecting Information Assets: An Australian Perspective by Adrian McCullagh

Abstract
Information is a vital and valuable asset of all modern businesses. The law has treated information, in most common law jurisdictions, as not being property. Consequently, it is not possible at common law to steal information. In Australia, the Federal Government has recently brought into force a suite of legislation that has the purpose of deterring hackers who unlawfully try to gain access to computers located in Australia. Further, there have been a number of recent judicial determinations that now impose a positive duty upon management (Directors and Officers of a corporation) to implement reasonable steps to prevent a crime from being effected against the corporation. This positive duty includes the protection of the information assets of the corporation from hacker attacks and from loss of information and its value. Hence computer security is now a board issue in Australia and not just an IT issue.

Contents

Introduction
Internal Management Duty
Corporate Information
Corporate Criminal Responsibility and Liability
Corporate Duty for the Benefit of Third Parties
Legal Liability to Third Parties for DoS and DDoS Attacks
Management Responsibility
Conclusion


++++++++++

Introduction

In 1943, Latham CJ commented that knowledge is valuable but it was not property, either real or personal [1]. Until recent times, this case has been accepted as an unchallenged exposition of the law [2]. One of the issues raised in this paper is whether this decision still holds true as a concept of law in the information age. At the time of Latham CJ's comment, the role of computers was very much limited to military applications. The original Colossus Machine, developed at Bletchley Park in the United Kingdom in 1942, was a simple computer used primarily for decoding encrypted messages. The first functional electronic computer (ENIAC [3]) was developed in 1943 at the University of Pennsylvania, but again this machine was developed for the military and was rudimentary in its design. Modern computing did not take shape until 1947 when John Von Neumann developed the concept of coding problems that a machine would interpret and provide an answer to the problem. This was the birth of modern computing as we understand it today and was the genesis of the information age.

The development of the modern computer has led to the use of the phrase "Information Age" [4]. It is the information age that has transformed society from the analogue environment to the electronic environment. The use of computers has become so pervasive that most, if not all, businesses in developed countries have become totally dependent upon the use of computer technology and the integrity of the information stored and manipulated by computer systems [5].

This dependency is no longer limited to domestic relationships. Through the advent of the Internet [6] and its ever growing influence, the combination of computer technology with telecommunications technology has extended the use of the computer from the personal environment to the commercial environment. Computers are now able to communicate relatively easily over great distances through large distributed networks. They can now facilitate electronic commerce transactions not only domestically but also internationally. The information age is rapidly becoming the norm for many businesses in western society, which has in turn created a unique set of legal, social and business issues that are only now emerging and undoubtedly will continue to evolve.

It is beyond the scope of this paper to investigate all of these issues, consequently this paper will analyse a subset of the numerous legal issues that are arising. In particular this paper will discuss the role and responsibility of management in acting in the best interest of the company in the information age. Traditionally, the cases have identified that management has a responsibility to protect corporate property and ensure that it be used for the benefit of the corporation as a whole. This paper will propose that the term "corporate property" is outdated in the information age and that the term "corporate assets" is the more accurate concept [ 7]. Further, a fundamental category of corporate assets is information assets. In protecting such assets, management must ensure that vital corporate information on which a corporation's survival is dependent must be protected against unauthorised destruction, alteration and in some cases disclosure. This type of information includes critical financial information and software applications that operate on critical financial information [8].

This paper will propose that corporate responsibility extends not only to protecting the corporation's internal vital information but also to ensuring that the corporation's own computer system is not used as a vehicle of destruction towards other corporations' information assets. This extension is possibly two-fold. Firstly, management may be held responsible for the actions of its employees if a corporation's employees use corporate assets, namely the corporation's computer system, to invoke a cyber-attack against another corporation's computer system. Secondly, if a corporation does not implement reasonable security measures such that rogue third parties are able to use the corporation's own computer system as a vehicle of attack upon third party computer systems, then liability may follow suit against the corporation and its management. This second position is obviously less tenuous than the first, but as the law develops in this area it is not out of the question for a court to hold that a company has a duty of care to protect its neighbours against cyber-attacks that have been instigated unwittingly through the use of a corporation's own computer system.

This paper will examine each of these issues by identifying the corporate responsibility both civil and criminal that management should be aware of and how to best address the risks involved. The first part of this paper will deal with management's responsibility in protecting the corporation's own internal information. The second part of this paper will deal with the more difficult area of corporate duty of care as against hackers [ 9] instigating a cyber-attack against third parties through the corporation's own computer system.

++++++++++

Internal Management Duty

Corporate Responsibility

Company directors and officers (management) owe a number of duties to the corporation as a whole. These duties arise in equity, at common law and under statute [ 10].

In general, it can be argued that directors have an ethical obligation to shareholders, employees, lenders, general creditors, suppliers, and customers [11]. But ethical obligations do not necessarily amount to legal obligations [12]. In certain circumstances the courts have held that directors owe an extended duty to the creditors of the company. In Kinsela v. Russell Kinsela Pty. Ltd [13], the Court extended the duty of care to creditors when, in the directors' exercise of their powers for the best interest of the company as a whole [14], it is clear that the company is not trading in a solvent manner. But the central issue is what is meant by the phrase "in the best interest of the company as a whole" [15].

Lindley MR, in Allen v. Gold Reefs of West Africa Ltd [16], held that provided a director's exercise of power was "bona fide for the benefit of the company as a whole", there was "no ground for judicially putting any other restrictions on the power" [17]. This position has in recent times greatly changed. Instead of subscribing to the subjective test as Lindley MR postulated, the modern view is that directors should be subject to an objective business judgement rule [18]. This is discussed more fully further in this paper.

The relationship between a director and company is one of the categories of relationships considered by the Courts [ 19] to be fiduciary. Mason J [ 20] in Hospital Products Ltd v United States Surgical Corporation [ 21] succinctly stated the general position concerning fiduciaries as [ 22]:

The critical feature of these relationships is that the fiduciary undertakes or agrees to act for or on behalf of or in the interests of another person in the exercise of a power or discretion which will affect the interests of that other person in a legal or practical sense. The relationship between the fiduciaries is therefore one which gives the fiduciary a special opportunity to exercise the power or discretion to the detriment of that other person who is accordingly vulnerable to abuse by the fiduciary of his position.

The duty owed by a director to the company in equity requires the director to act honestly, in good faith and to the best of his or her ability in the interests of the company, to the exclusion of all other interests. This duty also incorporates negative duties, such as the duty to avoid conflict and the duty not to profit secretly from that position [23]. As Finn states [24]:

Equity has a long standing tradition of intervention in activities of company directors, agents, trustees, solicitors and the like in the cause of exacting high standards of business and professional conduct.

The extent of this intervention has not to date been fully tested and probably never will as the discretionary jurisdiction that is bestowed on the Courts of Equity can never be limited because as circumstances change then so will the discretion of the Court's ability to adjudicate disputes.

These so-called "high standards of business and professional conduct" primarily relate to the duty not to compromise the position held by the fiduciary. Any compromise of the position, even if no damage is suffered by the beneficiary (in this case, the corporation), would still give rise to a cause of action against the director [25].

It is submitted that the standard of duty of business and professional conduct should be ascertained objectively by taking into consideration:

(a) What the industry norm is for the corporation;

(b) What standards, if any, have been adopted or endorsed by industry bodies of which the corporation is a member;

(c) What codes of conduct have been endorsed or developed by relevant industry bodies.

The position stated by Latham CJ in 1943 concerning the classification of "information" and "knowledge" should no longer apply in the modern business environment. Many differences exist between the business environment of 1943 and that of the 21st century. The use of computers and the ever pervasive reliance upon information has changed the entire jurisprudence surrounding the legal classification of information. In contrast to the United Aircraft case [26], it is submitted that the position should be as enunciated by Bokhary J. in Linda Chih Linh Koo and anor v. Lam Tai Hing [27]:

"A man's confidential information is his property. The courts have jurisdiction to protect such property from misuse. Such jurisdiction is not confined to cases in which information has been imparted in confidence or to cases in which an obligation to keep the same confidential arises under contract."

The Full Federal Court in ASX Operations v. Pont Data (No. 1) [ 28] accepted that there existed an "information market" and that the actions of ASX as described in that case were sufficient to lessen competition in that market place. The recognition by the Federal Court could readily be extended to a recognition that businesses in the 21st century operate within the information age and as such the business environment in existence in 1943 is outdated and very different to the current business environment. In 1943, the business of trading information was to a large extent non-existent, whereas in today's modern business environment the trading of information can be and is highly profitable [29].

Further, corporations today, in order to prosper, must keep abreast of not only their financial position, trading position and operations position but must have intimate monitoring mechanisms so that they can respond to the actions of competitors as well as to their relevant market dynamics. This results in vast quantities of information being generated and collected which is vital to the ongoing survival of the corporation [30]. In this modern age, coupled with the requirement to comply with the professional conduct standard imposed by equity, directors now have a positive obligation to protect the corporation's information assets where that information is commercially significant to the ongoing viability of the corporation [31]. Therefore, there is a positive obligation upon directors to take reasonable steps to secure corporate information where that information is vital to the corporation's well being.

Common Law Duty

At common law, the duty of care owed by a director to a company arises because of the relationship of proximity between the directors and the company [ 32]. The obligations imposed on directors by virtue of the common law coincide not only with the equitable duties stated above but also coincide with the statutory duties under the Corporations Act 2001 (Corporations Act). These duties include the duty to act honestly, the duty to act with reasonable skill [33], and the duty to act in good faith for a proper purpose [ 34] and in the best interests of the company [ 35].

In contrast to a director's duty at common law, the common law does not recognise a general duty in a person to prevent harm to another. This was stated by the High Court of Australia as recently as the year 2000. However, where there are special circumstances, such a duty might arise. In Modbury Triangle Shopping Centre Pty Ltd v. Anzil and Anor [36], Gleeson CJ, with whom Gaudron, Hayne and Callinan JJ agreed, said:

"Leaving aside contractual obligations, there are circumstances where the relationship between two parties may mean that one party has a duty to take reasonable care to protect the other from criminal behaviour of third parties, random and unpredictable as such behaviour may be. Such relationships may include those between employer and employee, school and pupil, or bailor and bailee. But the general rule that there is no duty to prevent a third party from harming another is based in part upon a more fundamental principle, which is that the common law does not ordinarily impose liability for omissions."

Kirby J disagreed with this statement as in his opinion there is a general duty upon persons to take reasonable steps to prevent third parties from causing harm to others. The view of the majority can be relied upon for the proposition that directors, due to their special relationship [37], do owe a general duty of care to take reasonable steps to prevent harm being perpetrated against the corporation. An obvious harm in the information age that directors need to be aware of is the wanton attacks by hackers against a corporation's computer system and the information stored and processed on those computers. These attacks need not result in damage to the computer system but could nevertheless prevent the relevant systems from being available for use through a denial of service attack. This denial of service can cause economic damage as opposed to physical damage.

The penetration of a company's computer system by an outside third party without authority often causes damage to the company. Sometimes the unauthorised penetration is done for purposes not intended to cause damage, such as the hacker attempting to prove how clever he or she is or to show up weaknesses in the security implemented to protect the computer system, or for amusement. Notwithstanding the lack of intention to cause damage, the mere act of attacking a corporation's computer system is a crime. It is not the intention to cause damage that gives rise to the crime; it is the knowing intention to gain access without authority that gives rise to the crime.

Section 477.1 of the Cybercrime Act 2001 (Cwth) provides that:

"A person is guilty of an offence if: 
 (a) the person causes:
  1. any unauthorised access to data held in a computer; or
  2. any unauthorised modification of data held in a computer; or
  3. any unauthorised impairment of electronic communication to or from a computer; and
 (b) the unauthorised access, modification or impairment is caused by means of a telecommunications service;
 (c) the person knows the access, modification or impairment is unauthorised; and
 (d) the person intends to commit, or facilitate the commission of, a serious offence against a law of the Commonwealth, a State or a Territory (whether by that person or another person) by the access, modification or impairment."

Consequently, a person commits an offence if they without authority gain access to a computer, or impede the operations of a computer with the intent to commit a serious offence under either a Commonwealth law or a State law or a Territory law. For example pursuant to section 408D of the Queensland Criminal Code a person who hacks into a computer may have committed a serious offence [ 38]. The maximum penalties range from 2 years [ 39] imprisonment up to 10 years [ 40] imprisonment. A serious offence is defined as an offence that has a maximum penalty of not less than 5 years imprisonment.

In addition to the Cybercrime Act 2001 (Cwth) [ 41], the Corporations Act has its own series of offences that specifically relate to the recording and storage of corporate information on computers. In particular section 1307 deals with the obligations of properly maintaining corporate books of account [42]:

"1307(2) [Contravention] Where matter that is used or intended to be used in connection with the keeping of any books affecting or relating to affairs of a company is recorded or stored in an illegible form by means of a mechanical device, an electronic device or any other device, a person who: 
 (a) records or stores by means of that device matter that the person knows to be false or misleading in a material particular; or
 (b) engages in conduct that results in the destruction, removal or falsification of matter that is recorded or stored by means of that device, or has been prepared for the purpose of being recorded or stored, or for use in compiling or recovering other matter to be recorded or stored by means of that device; or
 (c) having a duty to store matter by means of that device, fails to record or store the matter by means of that device:
  1. with intent to falsify any entry made or intended to be compiled, wholly or in part, from matter so recorded or stored; or
  2. knowing that the failure so to record or store the matter will render false or misleading in a material particular other matter so recorded or stored; contravenes this subsection."

Clearly, directors do have a special relationship to the company and therefore have a positive duty to take reasonable steps to ensure that a person does not without authority amend or destroy any financial records or business data. Such steps are not simply limited to the implementation of security technology [43]. Reasonable steps involve a holistic approach which includes the development of appropriate policies and procedures, training of staff in those policies and procedures, and the regular review and assessment of the company's adherence to the relevant policies and procedures.

In addition to this common law duty there exist certain statutory duties, which are enshrined in the Corporations Act.

Statutory Duty

The statutory duties imposed by the Corporations Act overlap with both the fiduciary and common law obligations of directors. These include civil obligations to exercise their powers and discharge their duties:

(a) in good faith and for a proper purpose [44]; and

(b) with reasonable care and diligence [45].

Contravention of these provisions can result in pecuniary penalties of up to $200,000 for which the director will be personally liable.

The statutory duty to exercise care and diligence in s 180(1) [ 46] puts an obligation on directors to exercise their powers and discharge their duties with the degree of care and diligence that a reasonable person would exercise if they were a director or officer of a corporation in the corporation's circumstances, and they occupied the office held by and had the same responsibilities within the corporation as the particular director or officer.

In determining whether the statutory rule has been breached, the Courts have regard to the particular circumstances of the company in applying an objective test. In Circle Petroleum (Qld) Pty Ltd v Greenslade [ 47] the managing director of a company failed in his duty to exercise reasonable care and diligence by allowing a customer to increase their trading credit by approximately $1.5m when he was aware that the customer was experiencing financial difficulties. The customer was subsequently declared insolvent and the Court held that the actions of the managing director in departing substantially from industry practice and taking such a high risk in extending the credit was a breach of his duty and a failure to exercise the degree of skill and care as would be reasonably expected from a person with his knowledge and experience.

Further circumstances of what will constitute breach of the duty to exercise care and diligence were outlined in Cashflow Finance Pty Ltd v Westpac Banking Corporation [48]. This case dealt with the predecessor to s180(1). In this case breaches of the duty were held to have occurred when the managing director failed to ensure the company had in place an adequate system of controls for the accounting and auditing of systems, authorisation of loans and controls over disbursements. This case is of particular relevance because the director was held personally liable for not implementing appropriate policies and procedures as regards protecting the business of the company. The obligations exemplified by this case identify the duty upon directors to ensure that, through their actions or inactions, appropriate mechanisms are implemented to ensure business continuity. By not having appropriate credit controls and audit procedures in place the company was not able to measure its own business performance, which resulted in the company and the directors not being in a position to know the financial status of the company at any particular moment in time. This same rationale applies to the security of vital corporate information. If the directors do not take the issue of information security seriously and they fail to implement appropriate policies and procedures, thereby unnecessarily exposing the company to cyber-attacks which result in the loss of vital data or the impairment of the business's ability to operate for even a short period of time, then the directors could be held liable for such loss.

Defences to Breach of Duty

The statutory business judgment rule as enacted in s 180(2) of the Corporations Act operates as a defence to a charge of breach of the duty to exercise reasonable care and diligence, and operates in respect of the same offence at both common law and in equity. A business judgment is defined as any decision to take or not take action in respect of a matter relevant to the business operations of the corporation. A director will be taken to have exercised due care and diligence in respect of a business judgment if they:

(a) made the judgment in good faith and for a proper purpose; and

(b) do not have a material personal interest in the subject matter of the judgment; and

(c) inform themselves about the subject matter of the judgment to the extent they reasonably believe to be appropriate; and

(d) rationally believe that the judgment is in the best interests of the corporation.

For the "belief" to be held to be rational, it must be a belief that a reasonable person in the director's position would also hold. Therefore, the test as now applied to the duties of directors is an objective test as opposed to the Lindley MR test which has been discussed above.

A further point concerning the business judgment rule is that directors have a positive obligation to inform themselves about the operations of the company and can no longer simply sit idle and ignorant as to the workings and business operations of the corporation. To assist directors in forming a rational belief, s. 189 of the Corporations Act provides that it is reasonable for a director to follow the advice of any third parties who have relevant expertise in relation to the advice given. Further, most modern corporations have, at board level, specific committees that are empowered to monitor various aspects of the business operations of the corporation [49]. It is not unusual for such committees to include outside consultants who have the necessary expertise to advise the corporation.

Summary

In this section it has been argued that directors have a number of duties that coexist in equity, at common law and by statute. In many cases the duties significantly overlap. The prime obligations imposed upon directors are to act honestly with all due care, skill and diligence in the best interest of the company as a whole. With this in mind, and taking into account the general observations of the Courts as to the information age and the importance and value of information, it is submitted that part of a director's duty is to ensure that financially critical corporate information is securely administered. That is, directors now have a positive obligation to take reasonable steps to secure vital corporate information. If directors do not adhere to this minimum obligation then it is likely that they could be held personally liable for any loss or damage arising. What is reasonable will depend entirely upon the circumstances of the industry in which the corporation operates. If the corporation is a publicly listed company or is in a sensitive industry such as the banking industry or the superannuation industry, then the requirements as to what is reasonable will most likely be more stringently addressed by the courts.

The next section discusses more fully the legal classification of information. As stated above, directors have an obligation to protect all corporate property. The term property includes both tangible [ 50] and intangible property [ 51]. In the next section it will be argued that the law needs to better accommodate information by classifying it as property. Alternatively, the director's duty should extend to take reasonable steps to protect all assets of a corporation and not just corporate property and where it is not possible to absolutely protect an asset then the directors should implement a risk transference strategy such as insurance.

++++++++++

Corporate Information

Introduction

As discussed, directors are under various duties to act in the best interests of the company as a whole. It is clear from this that they are under an obligation not to misuse or endanger property belonging to the company. This prompts an investigation of what precisely is incorporated in the scope of the term "property". Clearly, physical assets of a company will be property, however, questions remain as to the classification of certain intangible assets. Of particular concern is whether the information accumulated and stored in a company's IT system will generally be regarded as property of the company. If not all information can be classified as property, what characteristics should be in place that will assist management in identifying the information elements that will fall within the ambit of "property"? By understanding the scope of this, management is better placed in managing the risks and therefore the liability that results.

Historical Perspective

Over the past 60 years there has been a gradual change in the judicial appreciation of what constitutes property and whether indeed information can be properly regarded as property. The cases dealing with this issue have largely been income tax cases, due to the fact that the Income Tax Assessment Act classifies a taxpayer's assessable income as income derived from ordinary concepts, one of which is income derived from the commercialisation of property [52]. This is significant because prior to the introduction of the Capital Gains Tax Regime in 1985, capital income derived from capital assets was not subject to a tax imposition. Therefore, in order to avoid paying income tax on certain sources of revenue, many cases were argued on the basis that the income was not derived from the commercialisation of property but from the disposal of a capital item.

Latham CJ addressed the issue of information as "property" in The Federal Commissioner of Taxation v United Aircraft Corporation [ 53] by exploring the value of knowledge as a commodity. Although recognising that knowledge is valuable, particularly knowledge that is kept secret, his Honour did not believe it to be property in a legal sense. Consequently, if the information was not property any capital disposal of the information and any revenue derived from such disposal would be assessed as being income from ordinary concepts and therefore taxable income [54].

Brent v Federal Commissioner of Taxation [ 55], decided almost 30 years later, involved an individual selling her life story to a newspaper corporation. In order to minimise the payment of income tax for sums paid by the newspaper corporation, she attempted to have the fees she received classified as consideration for the sale of proprietary rights or of rights analogous to property rights. Again it was recognised by the Court in confirmation of the United Aircraft [ 56] case that neither knowledge nor information is property in a strictly legal sense. This was despite the appellant attempting to differentiate her circumstances from those of prior cases due to the fact that the relevant information prior to its disclosure was highly secret information. The High Court again stated that information will not be considered property merely because it is secret in nature [ 57]. It was held that the consideration received by the appellant was for services rendered and should be treated as income [58].

Modern Perspective

In Re: Smith Kline and French Laboratories (Australia) Limited [59] the issue concerned the use of certain confidential information by the Federal Department of Community Services and Health that accompanied the lodgement for approval of a certain drug. At the time of this case [60], before a drug could be legally released for commercial use in Australia the applicant drug company (Smith Kline in this case) had to undertake certain controlled trials and tests to ensure that the drug was safe to use. The confidential information concerned the data arising out of those tests. It is not unusual for newly released drugs to be subject to patents, which further strengthens the commercial value of the drug in favour of the approved applicant. The term of a patent is 20 years from the date of approval of the patent. When this period expires it is open to any third party to reproduce the product without infringing the previous patent holder's rights. In the case of approved drugs it is open for generic drug companies to commence production of drugs that are no longer subject to a patent. In this case a company known as AlphaPharm made application to produce a drug that was previously subject to a patent in favour of Smith Kline. The issue at hand was whether the Department was permitted to rely upon the Smith Kline data or was required to cause AlphaPharm to undertake its own trials and tests in order to get approval. Gummow J again followed the general position that information, even confidential information, was not property, but in this case his Honour went further than previous cases. Gummow J identified that confidential information was subject to certain equities, the principal equity being the right to sue (a chose in action) if a breach of confidentiality arose. This chose in action has certain proprietary characteristics which the law recognised as being capable of being protected. Further, his Honour noted that the Commonwealth under the Constitution (Section 51 (1) placitum (xxxi)) could exercise its rights of compulsory acquisition of property on just and fair terms. His Honour noted that in general terms the Constitution must not be interpreted narrowly and that it was open to the Department, on behalf of the Commonwealth, to compulsorily acquire an interest in the relevant confidential information. Instead of classifying confidential information as property, Gummow J took the position (in obiter) that the term "property" as used in the Constitution could be extended to include confidential information. Therefore, it was open to the Department to compulsorily acquire the confidential information on fair and just terms.

This development in identifying the proprietary element in confidential information is a sensible approach, as it will give the courts greater flexibility in dealing with breaches of confidentiality and finally settles the basis of this area of the law. There have been in the past many cases [ 61] that have attempted to explain breaches of confidentiality either through some contractual framework [ 62] or through some judicially recognised conscience element [ 63] that forms part of equity. Neither of these solutions adequately addresses, from a jurisprudential aspect, the basis of the court's right to determine breach of confidence cases. By having a property basis for the determination of breaches of confidence the courts will be in a better position to deal with such cases instead of inventing contortions in reasoning to support a particular position. As stated by Bokhary J in the Koo case [64]:

"A man's entitlement to keep his confidential information confidential, and to recover compensation if such information is misused, is not confined to what can be achieved under contract or through the intervention of equity where information was imparted trusting the recipient to keep the same confidential. There is a proprietary interest in confidential information; and there is jurisdiction in the courts to intervene to preserve such interest or award compensation for harm done to it."

His Honour in conclusion stated:

"The conclusion that a proprietary jurisdiction exists is one at which I am happy to arrive."

This position also falls within the line of reasoning put forward by the England and Wales Law Commission as regards theft of trade secrets [ 65], where the Commission, after reviewing the various cases, concluded that trade secrets should be classified as property which can be stolen and thus fall within the jurisdiction of the criminal law.

As far as the author can ascertain there have not been any cases that have directly stated that directors owe a duty to protect assets that are not proprietary in nature. Traditionally, the courts have held that directors have a duty to protect the corporate property but have not directly extended this proposition to non-property corporate assets. Hence, the issue of classifying certain information as property may become important. Alternatively, if the courts continue with the traditional position that information is not property, then it is submitted that the courts in this modern information era should hold that directors owe a duty in respect of all assets, including those assets that are not property. It was clear from the Pont Data case that information can in certain circumstances have a market and thus be commercialised for profit. Consequently, it would be a grave anomaly for the courts in this information age to hold that directors do not have a duty to protect corporate information from unauthorised third party access.

Summary

In this section it has been argued that trade secrets, sometimes referred to as confidential information, should be classified as property and therefore fall within the general requirement of directors to protect such property in the same manner as any other corporate property. If this is not the correct position in Australia, then at the very minimum trade secrets should form part of the wider concept of corporate assets and consequently management should also be obligated to securely protect those corporate assets. If the proprietary nature of trade secrets is not adopted, the general criminal law will not be available as regards the stealing of information. This was fundamentally the reasoning in the case of Oxford v. Moss [ 66].

++++++++++

Corporate Criminal Responsibility and Liability

Introduction

On 15 December 2001, the Federal Criminal Code (Code) came into force. Division 12 of the Code directs its attention to Corporate Criminal Responsibility. The effect of Division 12 is that the Code applies to companies in the same manner as it applies to individuals. But companies have no mind of their own; they are in effect artificial entities that the law recognises. As Viscount Haldane LC said [ 67]:

"My Lords, a corporation is an abstraction. It has no mind of its own any more than it has a body of its own; its active and directing will must consequently be sought in the person of somebody who for some purposes may be called an agent, but who is really the directing mind and will of the corporation, the very ego and centre of the personality of the corporation. That person may be under the direction of the shareholders in general meeting; that person may be the board of directors itself ..."

Section 12.1 (2) provides that a company may be found guilty of any offence [ 68], including one punishable by imprisonment. Section 12.2 provides that if an offence is committed by an employee, agent or officer of the company within the actual or apparent scope of their employment then the offence will be attributed to the company. If an element of the offence in question involves recklessness, intention or knowledge as the fault element, then that element will be found if the company has either impliedly or expressly authorised or permitted the offence to be committed. This really is sheeted home to the management of the corporation. Section 12.3 provides that authorisation or permission will be proved if, among other things, it is established (Section 12.3 (2) (c) and (d)):

(a) proving that a corporate culture existed within the body that directed, encouraged, tolerated or led to non-compliance with the relevant provision; or

(b) proving that the body corporate failed to create and maintain a corporate culture that required compliance with the relevant provision.

The term corporate culture is defined as an attitude, policy, rule, course of conduct or practice existing within the company. The effect of these provisions is that if management has created a culture of non-compliance to Commonwealth Laws then not only will the perpetrators of the non-compliance be committing an offence but the offence is also sheeted home to the corporation.

If, for example, an employee of a corporation uses the corporate computer system to gain access, without authority, to a third party's computer system, and management has through its policies, its lack of policies or its conduct impliedly condoned the action, then the company will also have committed an offence. It is for this reason that the management of companies should ensure that they have appropriate written policies in place, coupled with appropriate training, to ensure that all employees are aware of their respective responsibilities.

Summary

In this part it has been argued that directors owe an extensive duty in protecting the assets of a corporation. Part of such assets will include corporate property. A principal difference between tangible property and intangible rights is that it is not generally possible to steal an intangible right. If information of a secret nature is classified as property then criminal law protection is available to prosecute perpetrators, which may in turn create a greater deterrent against breaches of confidentiality. Otherwise, it is necessary to fit the actions of the perpetrator into specific crimes which may not fit the true nature of the criminal activity.

++++++++++

Corporate Duty for the Benefit of Third Parties

Introduction

This part discusses the duty, if any, that a company and its management may have to third parties. It is clear from the above that directors owe a duty to act in the best interest of the company as a whole. But do directors have a social responsibility to ensure that corporations meet a general "good citizenship" obligation, and if so what is the extent and shape of that responsibility? This part will partially direct its attention to what actions should be taken by companies in protecting themselves against a denial of service attack. A recent extension of the denial of service attack is the distributed denial of service attack.

Denial of Service Attacks

A denial of service attack (Figure 1) is where a third party continuously sends to a particular computer messages that are designed to overflow a message buffer [ 69]. The target computer system will automatically attempt to respond to each received message. Difficulty arises when the number of messages received over a short period of time cannot be attended to by the target computer, so that the messages are stored in a buffer awaiting a response or some action by the target computer. Once the buffer is full, the target computer becomes stressed and cannot attend to other functions, including some essential functions. In essence the resources of the target computer are tied up responding or taking some action in relation to irrelevant messages sent by the third party. Hence the naming of this attack "denial of service".

The FBI [ 70] has identified that it is likely that this type of attack is really a decoy, with the real attack being far more sinister. When such an attack is under way, computing as well as human resources are directed to dealing with the attack. This redirection of resources permits the attacker to carry out a more surreptitious attack, which could involve the destruction of vital information, the extraction of vital information or simply ensuring that the computer system is not available to other legitimate users of the system.

There are strategies available for a computer facility to deal with the effect of a common denial of service attack that is not a distributed denial of service attack. The system's manager can attempt to alter the computer's settings so as not to accept any messages from the source IP address. This solution depends upon the target computer system having multiple front-end processors that will attend to incoming messages. It is not possible to prevent a denial of service attack; all that is available to the target system is to minimise the effect of such an attack. The reason for this is that it is not possible to prevent a third party from sending messages to the target system. The attack originates from a locality outside of the control of the target system and therefore the target system must, within its own control domain, attend to the minimisation of the attack's effect. As will be discussed next, it is even more difficult to attend to the effect of a distributed denial of service attack while it is being effected.

Figure 1: Denial of service attack

Distributive Denial of Service Attacks

In the week of 7 February 2000, hackers launched distributed denial of service (DDoS) attacks on several prominent Web sites, including Yahoo!, E-Trade, Amazon.com, and eBay [ 71]. In a DDoS attack, dozens or even hundreds of computers all linked to the Internet are instructed by a rogue program to bombard the target site with nonsense data [ 72]. This bombardment soon causes the target site's servers to run out of memory, causing the site to become unresponsive to the queries of legitimate customers.

A distributed denial of service attack (Figure 2) is far more sinister than a simple denial of service attack. Firstly, the attacker has to load onto a number of third parties' computers a trojan horse [ 73] that will be used to effect the denial of service attack. It is not unusual for the attacker to surreptitiously load the denial of service trojan horse onto hundreds of computer systems (zombie sites [ 74]), which will be used to attack the ultimate victim. Secondly, the trojan horse is designed to activate upon the occurrence of some event that is common to all of the zombie sites. Simply put, the event could be time based, such that at, say, 10 am Greenwich +10, all of the trojan horses that have been surreptitiously deposited onto the various zombie sites will simultaneously activate and commence the attack on the target system. The target system will now have to deal with not one attacking site but many, and it could be hundreds of zombie sites.

The administrators of the zombie sites should be able to identify that they are part of an attack, even if unknowingly, since there should be a substantial increase in the use of their own resources. The zombie site's mail server will register an inordinate amount of outgoing activity, which should put the zombie site's systems administrator on notice that something suspicious is going on, especially when it is identified that the same message is being sent to the same destination location.

Figure 2: Distributed denial of service attack

Summary

A denial of service attack can tie up substantial resources that could be better allocated for the corporation. The real danger is that the DoS attack is not the primary attack but is a diversionary tactic so as to commit limited corporate resources in dealing with the attack. The real attack could be far more sinister and as such clear protective measures [ 75] should be implemented.

++++++++++

Legal Liability to Third Parties for DoS and DDoS Attacks

Introduction

In dealing with a distributed denial of service attack the zombie site will not have the requisite intention to commit a crime, but the outstanding question is whether the owner of a zombie site has a duty of care to protect itself against being the conduit for a distributed denial of service attack. There are a number of cases reported in the press [ 76] about the liability of zombie sites to third parties, but as yet there have not been any reported court cases on this point.

The liability of zombie sites appears to fall primarily within negligence. With all of the press dealing with this area, it is difficult for companies to claim that they are not aware of the damage that may be caused by a DDoS attack being launched from their system. By failing to secure their systems or take adequate precautions against DDoS hijacking, companies are exposing themselves to unnecessary liability. It is submitted that a company will not be exercising the required standard of care in the face of a reasonably foreseeable risk of harm to end victims if security is not in place. But what is this standard of care?

Duty of Care

As Lord Atkin noted in Donoghue v. Stevenson [77]:

"The rule that you are to love your neighbour becomes in law, you must not injure your neighbour; and the lawyer's question, Who is my neighbour? receives a restricted reply. You must take reasonable care to avoid acts or omissions which you can reasonably foresee would be likely to injure your neighbour. Who, then, in law is my neighbour? The answer seems to be - persons who are so closely and directly affected by my act that I ought reasonably to have them in contemplation as being so affected when I am directing my mind to the acts or omissions which are called in question."

In dealing with the standard of care, this is determined by balancing the seriousness of the harm (the likely damage) that could occur, the likelihood of the harm eventuating (the probability of the damage occurring) and the expense, difficulty and inconvenience involved in taking preventative measures (the cost of prevention) [ 78]. Therefore, is a person liable for the damage caused to a third party where that damage occurs through a distributed denial of service attack?

In the case of Lothian v. Rickards [79] the High Court held that:

"Where damage may result to A by the happening of an event, which is under the control of B under such circumstances that if the event happened by reason of his negligence alone he would be liable to A, then, if the happening of that event is likely to occur from causes independent of the malicious act of a third person, a duty arises on the part of B to take reasonable precautions against the happening of that event, and, where the event has happened and caused damage to A, B having neglected to take those precautions, in determining the liability of B it is immaterial whether the act of a third person, which brought about the happening of the event was careless, mischievous or malicious."

In effect the High Court decision supports the proposition the owners of computer sites owe a general duty of care to take reasonable steps to ensure that third parties cannot hijack their computer systems and thus cause damage to computer systems owned by victims. That is, using the above terminology B owes a duty of care to A, where through B's negligent act or omission a malicious third party uses B's computer system to effect a denial of service attack upon A's computer system.

The Rickards case went on appeal to the Privy Council, where the Privy Council reversed the decision of the High Court by stating that where a third party maliciously causes the event to occur then no duty arises. Despite the Privy Council's view there are strong reasons to support the proposition that such a duty of care does arise in the modern era. Firstly, it is possible for zombie sites to take reasonable steps that are not cost prohibitive to better protect their computer systems so that they are not used as a conduit for a DDoS attack. Secondly, the cost to the victim, who is the real innocent party in this activity, can be substantial. Such cost involves not only the cost of re-establishing the availability of the victim's computer system; there is also the consequential damage of not being able to transact business due to the unavailability of the victim's computer system. Thirdly, in a DDoS attack, the third party hacker is actually using the zombie site's computer system/property as the conduit to effect the criminal activity upon the innocent third party victim. The principle of law identified in both the Modbury case and the Rickards case (Privy Council), that there is no general duty of care to minimise criminal activity being effected by third parties upon other third parties, is distinguishable. Where a third party (the criminal) uses property owned and under the control of a second party (the property owner), and that property is used by the criminal to effect a crime upon a first party (the victim), then the property owner does have a duty of care to take reasonable steps to prevent the relevant property from being used by the criminal to effect a crime upon the victim.

A complicating factor that has arisen in recent times is that many distributed denial of service attacks are now using non-corporate machines as zombie sites. That is, through the use of technologies such as ADSL [ 80] the general public are able to have continuous connectivity to an ISP that is connected to the Internet. This results in the end user being allocated a static IP address, which means that it is substantially easier for hackers to surreptitiously load a distributed denial of service trojan horse onto the computers operated by the unsuspecting general public. Further, it is quite unusual for the general public to go to the expense of loading one of the commercially available "firewalls" designed for PC use. Complicating this even more is that configuring the firewall at the PC end is not a simple matter. The whole situation is becoming a labyrinth of complexity, and it would be unreasonable for policy reasons to attribute liability to corporations and not attribute the same liability to the general public. The situation should be the same, with both sectors of the community (that is, corporate and general public) being required to implement reasonable security mechanisms that substantially minimise the opportunities available to hackers [81].

In this online environment, business is being commercially forced to engage in commercial transactions via electronic commerce, which results in the need for business to take more pro-active steps against the effectiveness of such attacks; especially as it is relatively simple to greatly minimise the risks involved and the cost is not excessive.

From the victim's perspective it is impossible to prevent a DDoS attack, but it is possible to minimise the effect of such an attack. At a very minimum the victim should have installed a firewall which can deal with the extraneous messages received. This front-end firewall mechanism will prevent the extraneous messages from getting to the back-end system where the applications reside, and thus lessen the load on the back-end system. The victim must ensure that the information residing on the back-end system, where the applications also reside, is not impeded or corrupted. The main purpose of the DDoS attack is to impede the availability of the target system, and the back-end system must not fall within the ambit of the attack.

The victim should, from a forensic evidence perspective, be in a position to capture the IP addresses of the zombie sites. With this information the victim should be able to advise each of the zombie sites to stop the attack. It also provides evidence to mount a legal cause of action against each of the zombie sites. One thing the victim should not do is reflect the messages back to the zombie site, as this may cause a denial of service to the zombie site which could result in liability for the victim.

Since it is not possible for the victim to prevent these types of attacks, attention should be directed to the zombie sites. Organisations should have a positive obligation to monitor their resources so as to prevent them from being used as a zombie site. Such monitoring technology is relatively easy to install and use. Further, with appropriate security technology it is possible to greatly minimise the ability of attackers to surreptitiously load trojan horse software that can be used to effect a DDoS attack.
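The monitoring obligation just described and the victim's forensic capture of attacking addresses (discussed above, as is the zombie-site administrator noticing "the same message being sent to the same destination") rest on the same analysis: counting how often one peer talks to another within a short window and whether the traffic is one message repeated. The following is an added example written for this article, not code from the paper; the flow-record format, the documentation-range IP addresses (192.0.2.x, 198.51.100.x, 203.0.113.x) and the thresholds are constructed for illustration. The outbound records model the zombie-site view, the inbound records the victim view.

```python
from collections import defaultdict
from datetime import datetime

# Constructed flow records (not from the paper): "timestamp direction src dst dport bytes".
# 'out' = connections our host opened; 'in' = connections made to our host.
SAMPLE_FLOWS = """\
2000-02-07T10:00:00 out 192.0.2.10 198.51.100.20 25 1480
2000-02-07T10:00:01 out 192.0.2.10 203.0.113.5 80 60
2000-02-07T10:00:01 out 192.0.2.10 203.0.113.5 80 60
2000-02-07T10:00:02 out 192.0.2.10 203.0.113.5 80 60
2000-02-07T10:00:02 out 192.0.2.10 203.0.113.5 80 60
2000-02-07T10:00:03 out 192.0.2.10 203.0.113.5 80 60
2000-02-07T10:00:04 out 192.0.2.10 198.51.100.20 25 920
2000-02-07T10:00:05 in 198.51.100.77 192.0.2.10 80 60
2000-02-07T10:00:05 in 198.51.100.77 192.0.2.10 80 60
2000-02-07T10:00:05 in 198.51.100.77 192.0.2.10 80 60
2000-02-07T10:00:06 in 198.51.100.77 192.0.2.10 80 60
2000-02-07T10:00:06 in 198.51.100.77 192.0.2.10 80 60
2000-02-07T10:00:06 in 198.51.100.78 192.0.2.10 80 60
2000-02-07T10:00:07 in 198.51.100.78 192.0.2.10 80 60
2000-02-07T10:00:07 in 198.51.100.78 192.0.2.10 80 60
2000-02-07T10:00:08 in 198.51.100.78 192.0.2.10 80 60
2000-02-07T10:00:08 in 198.51.100.90 192.0.2.10 443 1300
"""


def parse_flows(text):
    """Parse the constructed record format into dicts; blank lines are ignored."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, direction, src, dst, dport, size = line.split()
        flows.append({"ts": datetime.fromisoformat(ts), "dir": direction,
                      "src": src, "dst": dst, "dport": int(dport), "bytes": int(size)})
    return flows


def peak_rate(times, window_s):
    """Largest number of events falling inside any window of window_s seconds (two-pointer sweep)."""
    times = sorted(times)
    best, start = 0, 0
    for end, t in enumerate(times):
        while (t - times[start]).total_seconds() > window_s:
            start += 1
        best = max(best, end - start + 1)
    return best


def flood_peers(flows, direction, key, window_s, threshold):
    """Peers (grouped by `key`, 'src' or 'dst') whose peak rate in `direction` reaches `threshold`.
    identical_payloads flags the 'same message over and over' pattern the paper describes."""
    by_peer = defaultdict(list)
    for f in flows:
        if f["dir"] == direction:
            by_peer[f[key]].append(f)
    report = {}
    for peer, fs in by_peer.items():
        peak = peak_rate([f["ts"] for f in fs], window_s)
        if peak >= threshold:
            report[peer] = {"peak": peak, "total": len(fs),
                            "identical_payloads": len({f["bytes"] for f in fs}) == 1}
    return report


def zombie_indicators(flows, window_s=10, threshold=4):
    """Zombie-site view: destinations our own host is hammering with one repeated message."""
    return {d: r for d, r in flood_peers(flows, "out", "dst", window_s, threshold).items()
            if r["identical_payloads"]}


def victim_evidence(flows, window_s=10, threshold=4):
    """Victim view: attacking source addresses to record as evidence, most active first."""
    rep = flood_peers(flows, "in", "src", window_s, threshold)
    return sorted(rep, key=lambda s: rep[s]["total"], reverse=True)


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("possible zombie activity:", zombie_indicators(flows))
    print("attacking sources to record:", victim_evidence(flows))
```

The victim-side function only records addresses; as the paper notes, sending the traffic back to the zombie sites would itself be a denial of service against them, so the output is meant for notification and evidence, not for any automated response.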

Summary

It has been argued that a company has a general duty of care to ensure that it is not used as a zombie site to effect a distributed denial of service attack. It has also been put forward that a company entering the online environment must implement appropriate security measures to minimise the risk of causing damage to third parties who are also connected, either directly or through an ISP, to the Internet. Failure to do so could result in the innocent third party (the victim) successfully obtaining an injunction against the zombie site. Such an injunction could require the zombie site to close down its online availability. This could in effect destroy an online business against which an injunction is ordered. If this were to occur then the directors could be exposing themselves to personal liability, as discussed earlier in this paper.

++++++++++

Management Responsibility

Introduction

What should management do to minimise the risk of being personally liable for either an attack against corporate assets (both internal and external attacks) or from third party claims due to a DDoS attack? What are the reasonable security actions that best manage the risk in protecting the information assets of a corporation? In this part some of the issues will be examined that need to be taken into consideration in determining what is reasonable in the circumstances.

Information security is not a simple task, as it involves a myriad of subject matters that are interwoven with each other. Apart from the technical controls that need to be put in place, management must also ensure that there are both administrative and physical controls. Information security is really a layered solution that must be cost effective, time efficient and must not impede the process of making money [ 82].

Time Based Security

Since information security is complex, it is widely accepted that it is not possible to implement an absolutely secure information system. Schwartau states [ 83] that security should be measured by time. His security model, which is now widely accepted as being appropriate, states [84]:

St > Dt + Rt

Where:

St = the security measured by the time it takes to breach the security control;

Dt = the time it takes for the security control to detect the security breach;

Rt = the time it takes for the security control to react to the security breach.

This security model takes into account that it is not possible to build an absolutely secure system that is commercially acceptable. Provided the security time is greater than the aggregate of the detection time and the reaction time then the information system can be said to be secure. Both the detection time and the reaction time are crucial to information security.

If the security control does not detect an unauthorised intrusion within an acceptable time frame then the hacker may cause untold damage before the corporation can instigate reactive measures. If the corporation does not react in a timely manner then the hacker could continue the attack and increase the damage to the corporation's information assets.

The detection and reaction mechanisms primarily involve both technical and administrative controls, though in some cases will also involve physical controls. It is generally accepted that when it comes to information security compromises are likely to occur; it is a matter of risk managing the adverse intrusion.

Information Risk Analysis

The driving forces affecting the expenditure on information security include the business environment of the corporation, the costs involved in implementing the security, the size of the corporation and the damage that can arise due to an unauthorised intrusion. For example, a manufacturing corporation may not expend as much on information security as a banking corporation or a corporation that is engaged in the health industry. Risk management associated with information security revolves around the probability of the adverse event occurring, the likely damage that could occur and the cost - both pre-emptive and prospective - of dealing with the adverse event. It may be decided by a corporation that the probability of the event is so low that any expenditure is excessive. Conversely, the corporation may decide that the risk to the corporation is so high that information security is a major expenditure for the corporation. This is especially so when the corporation's primary asset is information, as with information brokers such as Bloomberg's, Pont Data or the Australian Stock Exchange, to name a few.

There are a number of techniques in determining the amount of the expenditure a corporation should allocate in managing the risk [ 85] involved in information security. The prime objective of security controls is to reduce effects of threats and vulnerabilities to a level that is tolerable (i.e., mitigate risk). It may be determined by the corporation that it is willing to accept the risk against a particular vulnerability because the risk is either too remote or the damage likely to be sustained is too small to warrant any expenditure. There are two methodologies used to determine information risk [86]:

(a) Quantitative risk analysis; and

(b) Qualitative risk analysis.

Quantitative risk analysis attempts to assign real values to the cost of countermeasures and the potential damage that may occur [ 87]. Qualitative risk analysis involves scenario analysis of risk possibilities and a ranking of the seriousness of the threats and the sensitivity of the assets [88].

In dealing with quantitative risk analysis, management should identify the following:

(a) What is the value of the information asset to the corporation?

(b) What is the actual threat to the corporate assets?

(c) What are the possible consequences if a threat arises?

(d) What is the probable frequency of occurrence of a threat (this should be annualised) [89]?

(e) What is the probability that the threat will happen?

(f) What safeguard could be deployed to countermeasure vulnerability?

(g) What is the cost of deploying the safeguard?

The difficulty with quantitative information risk analysis is that it attempts to use real numbers and therefore can be very time consuming; detailed analysis is required in order to get any benefit from such an analysis. The real benefit from this type of analysis is that it attempts to assign an objective dollar value to information risk and the cost of countermeasures which results in a cost/benefit analysis for the deployment of a particular safeguard [ 90].
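The seven questions above feed a cost/benefit calculation, and the paper's call for an annualised frequency is what makes that calculation comparable across threats. The following is an added example, not code from the paper; it uses the standard single loss expectancy / annualised rate of occurrence / annualised loss expectancy formulas (which the paper does not spell out) and all asset values, frequencies and safeguard costs are constructed figures.

```python
from dataclasses import dataclass


@dataclass
class Threat:
    """One threat scenario against one information asset (questions (a) to (e) above)."""
    name: str
    asset_value: float      # (a) value of the information asset to the corporation, in dollars
    exposure_factor: float  # (c) fraction of that value lost in a single occurrence, 0.0 to 1.0
    aro: float              # (d)/(e) annualised rate of occurrence, e.g. 0.5 = once every two years


@dataclass
class Safeguard:
    """A countermeasure (questions (f) and (g)) and the residual risk it leaves behind."""
    name: str
    annual_cost: float      # (g) purchase, deployment and operating cost, per year
    residual_ef: float      # exposure factor if the threat still occurs with the safeguard in place
    residual_aro: float     # annualised rate of occurrence with the safeguard in place


def single_loss_expectancy(asset_value, exposure_factor):
    """Dollar loss from one occurrence of the threat (SLE = asset value x exposure factor)."""
    return asset_value * exposure_factor


def annualised_loss_expectancy(asset_value, exposure_factor, aro):
    """Expected dollar loss per year (ALE = SLE x ARO)."""
    return single_loss_expectancy(asset_value, exposure_factor) * aro


def safeguard_value(threat, safeguard):
    """Net annual benefit: ALE before - ALE after - annual cost of the safeguard.
    Positive means the safeguard pays for itself; negative means it costs more than it saves."""
    before = annualised_loss_expectancy(threat.asset_value, threat.exposure_factor, threat.aro)
    after = annualised_loss_expectancy(threat.asset_value, safeguard.residual_ef,
                                       safeguard.residual_aro)
    return round(before - after - safeguard.annual_cost, 2)


def recommend(threat, safeguards):
    """Pick the safeguard with the highest net value. When none is worth its cost, the rational
    decision is to accept the (small) risk or transfer it, for example through insurance."""
    ale_before = annualised_loss_expectancy(threat.asset_value, threat.exposure_factor, threat.aro)
    ranked = sorted(safeguards, key=lambda s: safeguard_value(threat, s), reverse=True)
    if not ranked or safeguard_value(threat, ranked[0]) <= 0:
        return ("accept or transfer risk", round(ale_before, 2))
    return (ranked[0].name, safeguard_value(threat, ranked[0]))


# Constructed figures for illustration only.
CUSTOMER_DB = Threat("customer database compromised by external intrusion", 2_000_000, 0.25, 0.5)
MINOR_ASSET = Threat("public brochure web pages defaced", 50_000, 0.10, 0.02)
OPTIONS = [
    Safeguard("intrusion detection plus monitored response", 60_000, 0.25, 0.10),
    Safeguard("enterprise public key infrastructure", 300_000, 0.25, 0.05),
]

if __name__ == "__main__":
    for threat in (CUSTOMER_DB, MINOR_ASSET):
        print(threat.name, "->", recommend(threat, OPTIONS))
```

With the constructed numbers the customer database carries an expected loss of $250,000 a year; monitored intrusion detection cuts that enough to return a net $140,000 a year, while the far more expensive PKI option loses money even though it reduces the risk further. For the low-value web pages no safeguard pays for itself, which is the "accept the risk" outcome the paper describes.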

An alternative to quantitative information risk analysis is qualitative information risk analysis. An example of qualitative information risk analysis is the Delphi technique [ 91]. The Delphi technique involves a group decision process and relies upon each member of the group giving an honest and realistic assessment of various risk scenarios and the likelihood of the threat occurring, as well as an estimate of the resulting damage. Each member of the group undertakes this task independently of the other members and usually anonymously. This allows members of the group to participate without being influenced by other members of the group.
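To show what the Delphi process yields once the anonymous assessments are collected, here is an added example, not code from the paper. The ordinal scales, the scenarios and the votes are constructed; the rule that a scenario on which members disagree by more than one step goes back for another anonymous round is this example's design choice for reconciling independent judgements.

```python
from statistics import median

# Ordinal scales for the two qualitative axes (constructed for this example).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


def aggregate_round(votes, spread_limit=1):
    """Combine one round of anonymous, independent assessments.

    votes: {scenario: [(likelihood_word, impact_word), ...]}, one tuple per group member,
    deliberately carrying no member names so that no rating can be traced or swayed.
    Returns, per scenario, the median likelihood and impact, a rank score (their product) and
    whether the group disagrees by more than spread_limit steps on either axis, in which case the
    facilitator circulates the anonymised results and runs a further round.
    """
    results = {}
    for scenario, ratings in votes.items():
        likelihoods = [LIKELIHOOD[word] for word, _ in ratings]
        impacts = [IMPACT[word] for _, word in ratings]
        like, imp = median(likelihoods), median(impacts)
        results[scenario] = {
            "likelihood": like,
            "impact": imp,
            "score": like * imp,
            "needs_another_round": (max(likelihoods) - min(likelihoods) > spread_limit
                                    or max(impacts) - min(impacts) > spread_limit),
        }
    return results


def rank_scenarios(results):
    """Scenarios ordered from most to least serious by median likelihood x median impact."""
    return sorted(results, key=lambda s: results[s]["score"], reverse=True)


# Constructed votes from four anonymous members for three scenarios.
SAMPLE_VOTES = {
    "DDoS against the online store": [
        ("likely", "major"), ("likely", "major"), ("possible", "major"), ("likely", "severe")],
    "insider copies the client list": [
        ("possible", "severe"), ("unlikely", "major"), ("likely", "severe"), ("possible", "severe")],
    "unencrypted laptop stolen": [
        ("almost certain", "minor"), ("likely", "minor"), ("likely", "minor"), ("likely", "moderate")],
}

if __name__ == "__main__":
    results = aggregate_round(SAMPLE_VOTES)
    for scenario in rank_scenarios(results):
        print(scenario, results[scenario])
```

Medians rather than means are used so that one extreme rating cannot drag a scenario up or down the ranking; the spread check is what turns a single anonymous poll into the iterative Delphi process.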

Finally if the risk is substantial then a risk transference strategy may be required. The most likely risk transference strategy is insurance. In taking this position the corporation will need to ensure that it discloses all of its analysis to the insurance company because the insured must act in the utmost good faith [ 92].

Technical safeguards

There are many technical solutions available in commercial use, but not all are suited for all environments. For example, it would be unreasonable to impose upon a small business that has relatively speaking an insubstantial turnover the requirement to expend vast amounts of money on implementing a public key infrastructure as its security solution. The technical safeguard should, as discussed above, align with the likely risks that the corporation may encounter.

Technical safeguards involve the use of logical access controls, encryption technology, security devices, identification and authentication technology [ 93]. It may be appropriate for a business to have a simple password mechanism with no other technical safeguards. This may be suitable if the particular information system is not connected to the Internet and does not interface outside of its own environment. As the business of a corporation becomes more sophisticated then the controls should also become more sophisticated. Corporations within the banking industry should be required to have sophisticated technical controls and sensitive preventive and reactive measures. Notwithstanding the type of business, all businesses should at least implement an appropriate firewall, virus detection technology and intrusion detection technology. There are currently many commercial products for firewall technology, virus scanners and intrusion detection technology that are reasonably priced.

Administrative Safeguards

Administrative controls involve policies, standards, procedures, guidelines, personnel screening, security awareness training. It is widely accepted that the vast majority of attacks against a corporations information assets come from within the organisation [ 94]. These attacks can be either intentional or accidental. It is for this reason that management needs to be vigilant in informing employees of their responsibilities in relation to information assets. Management should develop documentation in a hierarchical manner (Figure 3) [ 95].

Figure 3: Documentation Hierarchy

Policies are the highest level of documentation and fall into a number of categories:

(a) Regulatory policies. This type of policy covers statutory obligations that are imposed upon the corporation. For example, the recently enacted Privacy (Private Sector) Amendment Act 2000 sets out certain controls that need to be put in place in relation to the collection and storage of personal information [ 96] [ 97].

(b) Advisory policies. This type of policy covers certain codes of conduct that the corporation requires of its employees. This policy may substantially overlap with the regulatory policy, especially in the area of workplace health relations [ 98].

(c) Informative policies. This type of policy is not an enforceable policy but is directed at informing employees on certain issues such as credit control, interaction with suppliers, goals of the corporation and a mission statement.

In addition to policies, management should also develop appropriate standards concerning information assets. These standards should specify the use of technologies in a uniform way and within the policies that management has promulgated. Standards have a strong legal component as they are compulsory and must fit within the legal compliance structure of the corporation. When the corporation instigates periodic security reviews and assessments, it is on the basis of the formulated policies and guidelines that the review is conducted. In a compliance regime it is useless to have policies, standards and guidelines in place if the corporation does not test that a compliance environment exists. The corporation does not want to condone a culture of non-compliance as this could result in both corporate and officer liability for any damages that may arise. To assist in compliance, ongoing training should be part of the corporation's culture. This will act as a defence if an incident does occur which calls into question the commitment of management in dealing with security and its obligation to protect information assets.

Physical Safeguards

Physical controls involve physical protection of the facility, monitoring of the physical environment, intrusion detection mechanisms, closed-circuit television (CCTV) and physical locks on data storage centres.

Summary

This part has primarily concentrated on the administrative controls that need to be implemented by management from an information security perspective. The preparation of relevant documents can greatly assist management in developing a culture of information security compliance. This has two effects. Firstly, it should assist in better protecting information assets by letting all staff know what is required of them. Secondly, it will provide evidence of management's commitment to the protection of corporate information and therefore should act as a defence against any action suggesting that management failed in its fiduciary duty to implement reasonable security measures for the protection of information assets.

++++++++++

Conclusion

In this paper it has been identified that management unnecessarily exposes itself to substantial liability - both civil and criminal - if reasonable security measures are not implemented. As Patrice Rapalus, CSI Director, states in the 2001 CSI/FBI Computer Crime and Security Survey [ 99]:

"The survey results over the years offer compelling evidence that neither technologies nor policies alone really offer an effective defense for your organization. Intrusions take place despite the presence of firewalls. Theft of trade secrets takes place despite the presence of encryption. Net abuse flourishes despite corporate edicts against it. Organizations that want to survive in the coming years need to develop a comprehensive approach to information security, embracing both the human and technical dimensions. They also need to properly fund, train, staff and empower those tasked with information security."

Information security is an issue that management cannot take lightly. It requires an ongoing holistic approach with continual adjustment and review on a regular basis. It involves not just a technical appraisal but demands a legal review and assessment so that management is better placed to protect itself should an incident occur.


About the Author

Adrian McCullagh, B.App. Sc (Computing), LLB (HONS), Ph. D., is a senior solicitor with the Brisbane offices of Freehills, a national law firm in Australia.
E-mail: adrian_mccullagh@freehills.com.au


Acknowledgments

The author would like to thank Michael Fernon, Martin McEneiry and Nicolla Ross of Freehills for providing valuable comments concerning this paper. Despite their invaluable assistance any errors remaining in this paper are solely attributed to the author.


Notes

1. The Federal Commissioner of Taxation v. United Aircraft Corporation (1943) 68 C.L.R. 525 at 534.

2. See F.C.T. v. Brent (1971) 125 C.L.R. 418, where Gibbs J at 426 endorsed the comments of Latham CJ; but see Smith Kline and French Laboratories (Australia) Limited and anor v. The Secretary to the Department of Community Services and Health Re: ALPHAPHARM Pty Ltd (1990) 95 A.L.R. 87, where Gummow J extended in obiter dictum the concept that even though secret information is not property it did possess some proprietary characteristics.

3. "Electronic Numerical Integrator And Computer," at http://www.cis.upenn.edu/~rauenbus/eniachist.html.

4. "National Museum of History: Information Age - People, Information & Technology" Smithsonian Institution, http://photo2.si.edu/infoage/infoage.html.

5. New industries have specifically developed due to the increased usage of computers dedicated to semiconductors, data warehousing, and software, to name a few.

6. Reno v. ACLU No 96-511, decided 26 June 1997, at http://www.aclu.org/court/renovacludec.html.

7. Alternatively, it is also argued that the legal concept of "property" should be expanded so as to include vital corporate information such as financial critical information.

8. Such information would include both debtor's ledger and creditor's ledger, customer lists, supplier lists as well as other similar types of information.

9. A hacker is any person who gains access to a computer system without authority or who gains access to a computer system with authority but exceeds that authority. See United States v. Morris, 928 F.2d 504, 510 (2d Cir. 1991) holding that a computer user, with authorised access to a computer and its programs, was without authorisation when he used the programs in an unauthorised way. This issue has not, as far as the author can determine, been decided in Australia but it is suggested that Courts in Australia would accept the reasoning of the Morris case.

10. As will be established these duties significantly overlap.

11. Griseri, P., "Ethical Codes of Conduct: Developing an Ethical Framework for Corporate Governance", Chapter 13 in "Corporate Governance & Corporate Control", edited by Sheik, S., and Rees, W., Cavendish Publishing, 1995.

12. "Corporate Governance and Directors Liability - Legal, economic and Social Analyses on Corporate Social Responsibility", Edited by Hopt, K.J and Teubner G.; W de G, 1985 University European Institute.

13. (1986) 4 NSWLR 722.

14. When it is clear that the company is operating close to an insolvent state then the directors must take into consideration what effect their decisions and actions will have upon creditors of the company.

15. Harlowe's Nominees Pty Ltd v. Woodside NL (1968) 121 C.L.R. 483; Barwick CJ, McTiernan and Kitto JJ. at p 429. For a discussion as to the meaning of the phrase see: Heydon J "Directors' Duties and the Company's Interests" in "Equity and Commercial Relationships" Ed. Finn P., The Law Book Company Limited 1987.

16. [1900] 1 Ch. 656.

17. Ibid. at 671; see also Harlowe's Nominees Pty Ltd v. Woodside (Lakes Entrance) Oil Co. NL (1968) 121 CLR 483 at 493 where the majority of the High Court stated:

"Directors in whom are vested the right and duty of deciding where the company's interests lie and how they are to be served may be concerned with a wide range of practical considerations, and their judgment, if exercised in good faith and not for irrelevant purposes, is not open to review in the courts."

18. The rule has been encapsulated in section 180(2) of the Corporations Act 2001 which provides as follows:

A director or other officer of a corporation who makes a business judgment is taken to meet the requirements of subsection (1), and their equivalent duties at common law and in equity, in respect of the judgment if they:

(a) make the judgment in good faith for a proper purpose

(b) do not have a material personal interest in the subject matter of the judgement

(c) inform themselves about the subject matter of the judgment to the extent they reasonably believe to be appropriate, and

(d) rationally believe that the judgement is in the best interests of their corporation.

This rule has primarily had its genesis in US corporate jurisprudence. See "Safe Harbour or Sleepy Hollows: Does Australia need a Statutory Business Judgement Rule" Ramsay, I., ed. "Corporate Governance and the Duties of Company Directors" Centre for Corporate Law and Securities Regulations, University of Melbourne, 1997.

19. Mills v. Mills (1938) 58 CLR 112, where Dixon J at p 185 stated:

"Directors of a company are fiduciary agents, and powers conferred upon them cannot be exercised in order to gain some private advantage or for any purpose foreign to the power"

also see News Ltd v. Australian Rugby League (1996) 21 ACSR 635.

20. As he then was.

21. (1984) 156 CLR 41

22. ibid. at 96-97

23. Keach v. Sandford (1726) 25 ER 223.

24. Finn P.D. "Fiduciary Obligations", The Law Book Company Limited, 1977 at p. 1.

25. Boardman v. Phipps [1967] 2 A.C. 46

26. A further case that has recently followed this line of reasoning is the case of Pancontinental Mining Limited v. Commissioner of Stamp Duties (1989) 15 IPR 612. But this case needs also to be taken into context. Firstly, the Queensland Supreme Court was bound by precedent to follow the United Aircraft case. Secondly, this case is also a revenue case which centred upon whether the transfer of the confidential information was property within the ordinary sense. It appears that when it comes to revenue law the courts are ready to classify confidential information as not being property but in other areas of the law the courts struggle to adequately deal with the categorisation of confidential information. See Gurry, F., "Breach of Confidential Information".

27. (1991) 23 IPR 607 at p 633.

28. (1990) 27 FCR 460.

29. Corporations such as Bloombergs, Pont Data, the Australian Stock Exchange to name a few profitably operate within their respective information markets.

30. New industries and technologies such as data warehousing have emerged to assist corporations to decipher the mounting difficulties in analysing the increasing volumes of data collected.

31. An example of a professional standard of conduct is the recently revised standard concerning computer security AS 7799 which is based upon the International standard ISO 17799.

32. Cameron, B "Computer Hacking, Denial of Service Attacks and Information Loss" (2000) 3(6) INTLB 7; Daniels t/a Deloitte Haskins & Sells v AWA Ltd (1995) 37 NSWLR 438.

33. section 181 of the Corporations Act 2001.

34. section 181 of the Corporations Act 2001.

35. Baxt, R. "Duties and Responsibilities of Directors and Officers" 14th ed 1998. Also see the above discussion as to the meaning of "in the best interest of the company as a whole".

36. (2000) 176 ALR 411.

37. Note, Kirby J. does not rely upon the special relationship position as he believes that there is a general duty imposed upon all persons, including directors, to take reasonable precautions to protect a corporation from the random nefarious activities of third parties.

38. See also Section 477 (3) of the Cybercrime Act 2001 which provides for a penalty of up to 10 years imprisonment.

39. section 408D(1).

40. section 408D(3).

41. There are other provisions in the Cybercrime Act 2001 that also apply. See Section 477.

42. Item 334 of Schedule 3 of the Corporations Act lists Section 1307 as an offence section. Penalty is 100 penalty units or 2 years imprisonment or both.

43. As is clearly identified in AS 7799, information security is NOT limited to the implementation of secure technology such as firewalls or Single Sign On mechanisms or encryption technology. The weakest link in security is not necessarily the technology, though if it is improperly implemented this may be the case. The weakest link has traditionally been identified as being the human interface. See Harris, S., "ALL IN ONE: CISSP Certification" McGraw Hill/Osborne, 2002.

44. section 181 (1).

45. section 180 (1).

46. The commentary in Ford's Principles of Corporations Law on section 181(1) states there are two primary duties imposed:

"Although s 181(1) refers to directors and other officers acting in good faith in the best interests of the company and acting for a proper purpose, these are two separate duties ..."

If the section is examined more closely, this commentary does not appear to be correct. Instead of the section imposing two separate duties on directors, it imposes an obligation on directors to perform all their duties in a certain manner, that is, in good faith and for a proper purpose. This is significantly different from imposing two distinct duties, and requires an examination of what the director's duties might be.

47. (1998) 16 ACLC 1577.

48. supra note 22.

49. It is not uncommon for a corporation to establish a Legal Compliance Committee and an Audit Committee. It is suggested in this paper that modern corporations should also establish an Information Compliance Committee, which should be empowered to monitor corporate compliance with the ever increasing obligations dealing with the collection, storage and security of information.

50. This primarily includes all physical items and goods such as trading stock and capital items. See Re Mistmorn Pty Ltd (in Liq) v. Yasseen (1996) 21 ACSR 173.

51. Copyright (section 196, Copyright Act 1968), Patents (section 13.2, Patents Act 1990), Goodwill: Muller & Co's Margarine v. Inland Revenue Commissioner (1901) AC 217.

52. An example of this is the income generated from the leasing of land or physical assets.

53. [1943] 68 CLR 525.

54. I.R.C. v. Rolls-Royce Ltd. [1962] 1 W.L.R. 425 where the House of Lords unanimously determined that a lump sum payment for the disclosure of certain "know-how" otherwise known as "trade secrets" was income and not a capital receipt.

55. (1971) 125 C.L.R. 418.

56. see also Hepples v. FCT (1990) 94 ALR 81.

57. Ibid. at p 424.

58. This case may have been decided differently if Mrs. Brent had written the story out and instead of selling the story she sold the copyright to the story.

59. (1990) 95 ALR 87.

60. Since this case the Federal Government has enacted the Therapeutic Goods Act 1989 (Cwth), under which the Secretary to the Federal Government Department of Health is required to establish and maintain the Australian Register of Therapeutic Goods.

61. See Prince Albert v. Strange (1849) 47 ER 1302 where the court centred its reasoning upon the so-called "common law right of property" as regards a breach of confidence.

62. See Morison v. Moat (1851) 68 ER 241.

63. Saltman Engineering Co. Ltd v. Campbell Engineering Co. Ltd [1963] 3 All ER 413.

64. Supra note 28 at p 635.

65. "Legislating the Criminal Code : Misuse of Trade Secrets" Law Commission, at http://www.lawcom.gov.uk/library/lib-crim.htm#libcp150.

66. (1979) 68 Cr App R. 183.

67. Lennard's Carrying Company Ltd v. Asiatic Petroleum Company Ltd. [1915] AC 705 at p 713.

68. An offence is defined as an offence against a law of the Commonwealth, which would include the Trade Practices Act, The Corporations Act as well as any other laws of the Commonwealth.

69. A buffer is a temporary storage area, usually in RAM. The purpose of most buffers is to act as a holding area, enabling the CPU to manipulate data before transferring it to a device.

Because the processes of reading and writing data to a disk are relatively slow, many programs keep track of data changes in a buffer and then copy the buffer to a disk. For example, word processors employ a buffer to keep track of changes to files. Then when you save the file, the word processor updates the disk file with the contents of the buffer. This is much more efficient than accessing the file on the disk each time you make a change to the file. From http://www.webopedia.com.

70. Carter and Kratz "Denial of Service Attacks" at http://www.fbi.gov.

71. Bourque, R., and Bell, B., "Dealing with Liability Risks to Owners of Computers Used in Denial of Service Attacks" at http://www.simpsonthacher.com/FSL5CS/articles/articles711.asp.

72. http://www.usdoj.gov/criminal/cybercrime/ccpolicy.html#DDSA.

73. A trojan horse is a program that is hidden in some other software or document and that will, when activated, cause some function that was unknown to the owner of the computer on which it is located. Usually the function of the trojan horse is to cause some damage to the host computer or, in the case of a distributed denial of service attack, damage to a fourth party's system. From http://www.webopedia.com/TERM/T/Trojan_horse.html.

74. Zombies: Computer systems infiltrated by intruders for the purpose of launching DoS attacks. Once an intruder gains control of a "zombie", he installs a daemon program that listens for requests to start or stop attacks against a given victim. By gaining control of many zombies and controlling them remotely, an intruder can launch huge attacks and make it more difficult for authorities to track the intruder's real location. Per Radin., M., http://www.mazunetworks.com/white_papers/radin-print.html.

75. As stated it is not possible to prevent a DoS or a DDoS but it is possible to manage the risks involved so as to minimise the effect of these types of attacks.

76. Corporations and ISPs could be held liable for unwittingly allowing computers on their networks to become pawns, or zombie machines, in distributed denial of service attacks that harm customers or other companies: "Forum Warns of Hidden DDoS Legal Liability", Tim Greene, Network World, 10 February 2000.

77. [1932] AC 562, at p. 580.

78. Council of the Shire of Wyong v Shirt (1980) 29 ALR 217.

79. [1911] 12 C.L.R. 165.

80. ADSL means asymmetric digital subscriber line, a new technology that allows more data to be sent over existing copper telephone lines (POTS). ADSL supports data rates of from 1.5 to 9 Mbps when receiving data (known as the downstream rate) and from 16 to 640 Kbps when sending data (known as the upstream rate). From http://www.webopedia.com/TERM/A/ADSL.html.

81. Since the general public is now being targeted as possible zombie sites it is interesting as to whether the suppliers of PC technology have a duty of care to ensure that their products are safe. As Professor Bill Caelli of the Queensland University of Technology in Australia has often stated, the PC (personal computer) was never designed to be connected to a network and certainly was never designed to effect commercial transactions. Caelli believes that the supply of a PC without appropriate security is analogous to supplying a motor vehicle without brakes. Once a PC is connected to an ISP, the end user should not be unnecessarily exposed and should have a sufficient braking/warning system when encountering danger. This then calls into play the duty of care that suppliers of PC technology have to end users. Caelli believes that PC suppliers do owe such a duty of care but as yet there have not been any cases dealing with this issue.

82. Harris, S., "All-In-One: CISSP Certification, exam guide" McGraw-Hill/Osborne, 2002.

83. Schwartau, W. "It's about Time: A Metric for Security", at http://www.infowar.com/chezwinn/articles090800/timemetricICSA14Feb00.shtml.

84. ibid.

85. A "risk" is a potential harm or loss to a system times the probability that a threat will materialise.

86. Supra note 83 at p. 78-87.

87. Supra note 83 at p 78.

88. Supra note 83 at p 84.

89. That is, what is the frequency? For example, a hacker attack may occur five times per week; or it is expected that the building will suffer serious damage through fire every 30 years.

In the case of a hacker incident the frequency would be 250 whereas for a fire incident the annual frequency would be approximately 0.0333.

90. There are a number of automated information risk analysis tools available on the market.

91. Supra note 83 at p. 85.

92. Section 21 of the Insurance Contracts Act 1984 (Cwth).

93. Cisco Systems "SAFE guarding the E-Business Network - The war against Hackers and Crackers", excerpts from the Osborne McGraw-Hill book "Hacking Exposed: Network Security Secrets & Solutions" McClure, S., Scambray, J., and Kurtz, G.

94. Power, R., "2001 CSI/FBI: Computer Crime and Security Survey"; though as stated in this survey this position is changing. For the first time in seven years external attacks exceeded internal attacks. See http://www.gocsi.com.

95. Krutz, R., and Vines, R., "The CISSP Prep Guide: Mastering the Ten Domains of Computer Security" Wiley, 2001.

96. This Act only applies to personal information about individuals and does not apply to information about corporations. Such information would include employee records or customer records.

97. National Privacy Principle 4 provides that an organisation must implement reasonable security measures to protect personal information that has been collected and stored by the corporation.

98. Work Place Health and Safety Act 1995 (Qld).

99. Supra note 94.


Editorial history

Paper received 18 April 2002; accepted 14 June 2002.



Copyright ©2002, First Monday

Copyright ©2002, Adrian McCullagh

Management Responsibility in Protecting Information Assets: An Australian Perspective by Adrian McCullagh
First Monday, volume 7, number 7 (July 2002),
URL: http://firstmonday.org/issues/issue7_7/mccullagh/index.html