E-Commerce: Legal and Practical Issues
Legal Issues: Security – December 2, 2005
Stephen M. Foxman, Philadelphia
Security – Federal Legislation
• Computer Fraud and Abuse Act, 18 U.S.C. § 1030
• Identity Theft and Assumption Deterrence Act of 1998
  • Amends 18 U.S.C. § 1028
• Gramm-Leach-Bliley Act requirements for financial institutions (Public Law 106-102), 15 U.S.C. § 6801 et seq.
• HIPAA requirements for healthcare services – Health Insurance Portability and Accountability Act of 1996
• Children’s Online Privacy Protection Act of 1998, 15 U.S.C. § 6501 et seq.
• Federal Trade Commission Act
Security – Federal Legislation
• Federal focus on protecting infrastructure
• USA PATRIOT Act
• Creation of the National Infrastructure Protection Center
• Maritime Transportation Security Act of 2002
• Sarbanes-Oxley Act of 2002
Security – State Legislation
• Pennsylvania legislation
  • Wiretapping and Electronic Surveillance Control Act, 18 Pa.C.S.A. § 5701 et seq.
  • Hacking and Similar Offenses, 18 Pa.C.S.A. § 7611 et seq.
    • Computer Theft (unlawful access), § 7613
    • Unlawful Duplication of Computer Data, § 7614
• California SB 1386: breach-notification law requiring a business or agency to notify affected California residents when their unencrypted personal information has been acquired, or is reasonably believed to have been acquired, by an unauthorized person, whether through hacking or inadvertent disclosure to third parties (effective July 1, 2003)
SOX and Security – Moving away from the business judgment rule: Delaware law
• Old law: directors were not obligated to ferret out wrongful conduct
• Graham v. Allis-Chalmers Mfg. Co., 188 A.2d 125, 130 (Del. 1963) (directors have no duty affirmatively to seek out corporate employees’ wrongdoing)
SOX and Security
• New law: directors must develop internal programs to assure compliance with laws
• Smith v. Van Gorkom, 488 A.2d 858 (Del. 1985) (board decision must be “informed”)
• Kahn v. MSB Bancorp, Inc., 24 Del. J. Corp. L. 266 (Del. Ch. 1998) (protection under the business judgment rule may be lost through gross negligence)
• In re Caremark International Derivative Litigation, 698 A.2d 959 (Del. Ch. 1996) (even though directors and officers may not be liable for wrongdoing that they have no reason to suspect, they have an affirmative duty to establish a compliance system)
SOX and Security – Moving away from the business judgment rule: criminal sentencing
• Sentencing Reform Act of 1984: the Organizational Sentencing Guidelines issued under it were cited in Caremark as evidencing the need for corporations to adopt effective compliance programs to detect violations of law
• U.S. Sentencing Commission (Jan. 10, 2003) adopts emergency amendments providing harsher sentences in corporate crime cases
• Ad Hoc Advisory Group (Oct. 7, 2003) report to the U.S. Sentencing Commission on sentencing organizations recommends more sophisticated compliance programs
SOX and Security – Moving away from the business judgment rule: duties under SOX
• Section 404: the SEC must prescribe rules requiring annual reports to contain an “internal control report” that states management’s responsibility “for establishing and maintaining an adequate internal control structure and procedures for financial reporting” and assesses the “effectiveness” of that structure and those procedures
• Because financial reporting rests on the company’s information systems, management must assess and implement internal controls covering the security of MIS (management information systems) and of the business processes that feed them; responsibility likely rests with the audit committee
SOX and Security – Moving away from the business judgment rule: duties under SOX
• Section 409: public companies must disclose, on a rapid and current basis, such additional information concerning material changes in the financial condition or operations of the issuer as is necessary to protect investors and the public interest
• Section 302: certifications required from the principal executive and financial officers; the certification covers internal controls
• To meet the new standards, directors, and the audit committee in particular, must develop a risk assessment and a response plan to protect the company’s information infrastructure
SOX and Security – Developing and implementing appropriate security procedures
• National Institute of Standards and Technology (NIST) Special Publication 800 series
• Supports the implementation of the Federal Information Security Management Act (FISMA) of 2002
• Focused on federal information systems, but relevant to private-sector systems, processes, and assessment issues
• For more information: http://csrc.nist.gov/index.html