According to the Spanish operetta, La Verbena de la Paloma, ‘Nowadays science makes progress very fast’. And it is true. Who could have imagined only a few decades ago a virtual reality existing alongside the ‘real’ off-line world? Who could imagine then an online world where humans would work, do business, enjoy their spare time, access information and which could also enable them to commit illegal acts?
Obviously, the law cannot foresee future acts in order to provide citizens with legal security. As a consequence, the law usually appears with delay to solve the problems that already exist in society. This phenomenon inevitably also takes place in the new technologies scenario.
Despite the tremendous efforts invested in creating a legal and good practices framework, both at an international level (ISO 27001, ISO 25999, etc) and at a national level (LISI, LSSI, LOPD, Electronic Signature, Electronic Administration, etc), new legal and technological challenges – such as social networks, data leakage, online transactions, cybercrime, copyright abuse or botnets – continue to appear.
The realities of the business world (both online and offline) and the emergence of a substantial increase of technological threats puts companies in a situation in which they now need to be able to identify any risks that may impact on one of their most valuable assets, their data or commercially sensitive information.
Businesses are often placed in a situation in which they are forced to manage some of these risks and to assume others. Thus they must balance on one side, ways to be flexible, modern and efficient and, on the other side, to limit the use of the same new technologies by their employees, to avoid data leakage and the loss of confidential or copyright material.
Una empresa puede adoptar varias medidas para protegerse contra las amenazas tecnológicas además de las que llegan por internet. No obstante, queda mucha distancia por recorrer hasta llegar al equilibrio entre la protección de una empresa, la capacidad para luchar contra los ataques por internet y la consecución de la madurez jurídica en que insisten la sociedad y sus empresarios. Estas son las opiniones de los autores de este artículo, Carlos Saiz y Javier López, letrados del bufete ECIJA.
They must also neutralise the potential for online infringements that may negatively impact on the reputation of the company or of its directors.
Like any form of contingency planning there are a number of ways to face such challenges. The pro-active response is to ‘build in’ all those instruments (technological or otherwise) that are required to avoid potential incidents. The reactive way is to remedy any damages already caused. Evidently, the best solution should combine both models, although any action plan must always bear in mind that complete invulnerability is not possible.
Pro-active solutions should therefore consist of an adequate plan, which combines legal and technical actions, that will enable a company to detect illegal activities, allow it to capture and use e-evidence before the Court, and which provides quick and dramatic solutions that may be effective in terms of both legal and technology security.
In order to achieve such an aim it may therefore be convenient to use tools to assist with surveillance and evidence gathering tasks, including specific software, periodic audits and level risk controls, alongside surveillance instruments that may detect threats and vulnerabilities concerning a company’s online presence.
The internet can act as a positive channel to transmit and exchange information but phenomena such as Cloud Computing (where services are hosted and utilised via a virtual ‘cloud’) and the ability to access a global market may also however multiply the opportunities of some to commit illegal acts, and also increase the difficulty to chase and halt unlawful actions.
Therefore once an incident is detected, due to the volatility of evidence collecting on the internet, any system adopted by a company must guarantee the possibility to obtain eevidence that may be valid in a Court. Furthermore, obtaining such evidence may make it easier for a company to determine the most suitable action, legal or technical, to neutralise any actual or potential future incidents.
In conclusion, while a company may take various measures to protect themselves from technological or online threats, there remains a long way to go in order to reach an equilibrium that balances company protection, the ability to fight against attacks that come via the internet, and to achieve the legal rule maturity that society and business demands.