If you think your job in IT is just a series of distasteful chores, heres another one: Take a lawyer to lunch.
It could be the most important hour you spend all year. Thats because risk management experts in the insurance and legal communities are warning that a range of emerging liabilities associated with technology in general and the Internet in particular are about to make the job of an IT professional a lot more litigious.
Litigation already consumes an inordinate amount of time for people who are supposed to be focusing mental energy on deploying and maintaining IT. According to a survey released earlier this month by the Cutter Consortium, an Arlington, Mass., IT consulting group, 78 percent of IT organizations have been involved in at least one dispute that has ended in litigation.
In the vast majority of these cases, IT personnel were on the plaintiffs side of the aisle, typically suing vendors for products that failed to function as advertised, werent delivered on time, or proved to be defective or useless. But increasingly, risk assessment experts say, IT professionals will find themselves in the defendants role in cases involving a vast array of liabilities whose only common thread is that they involve computer or network technologies. And these days, thats just about everything a company does.
"Change is the very essence of technology—and, unfortunately, change goes hand in hand with risk," said Emily Freeman, director of E-Business Risk Management & Consulting for Marsh Inc., a San Francisco-based insurance services company. Increasingly, Freeman said, IT professionals find themselves in a corporate swirl of "multifaceted risks associated with legal issues, regulatory issues, security issues, business continuity issues, marketing behavior issues—you name it."
Many of the new liabilities are brought on by the use of the Internet as a business platform. In general, these exposures fall into five categories:
• intellectual property issues, currently the focus of about nine out of 10 e-commerce-related lawsuits;
• privacy concerns, unanimously expected to set off the next major wave of litigation;
• network security, which has so far produced few lawsuits but is an area where the potential damages could be enormous;
• workplace issues, largely arising from widespread e-mail abuses; and
• new issues unique to e-commerce and as yet not defined by legislation or case law.
While textbooks could be written about any one of these areas, heres an overview of how each represents an impending legal hazard for corporate enterprises and IT professionals.
Alan Sutin, who heads the IT and e-commerce practice for the U.S. offices of the Greenberg Traurig LLP law firm in New York, estimates that trademark issues "top the list of current litigation by a wide margin. We probably get 10 trademark cases for one of every other kind arising from online business."
The majority of these are triggered by domain name registrations being challenged by trademark holders. But Sutin, a participant in deliberations that resulted in the World Intellectual Property Organizations new international copyright treaty, predicts that copyright and patent disputes will trigger a new round of litigation.
"Were seeing a lot of patent-related cases, particularly business methods patents," Sutin said. As examples, he pointed to Amazon.com Inc.s patent on "one click" transactions, Priceline.com Inc.s patent on the whole name-your-own-price concept, and patents on various online games and contests.
"Those are big liability issues," Sutin said, "because theres no such thing as inexpensive patent litigation. Some of the things for which people file patents are extremely broad, and were constantly seeing suits or threats of suits because what just seemed like an obvious, common or innocuous business practice violates someones business method patent."
Another growing exposure is a direct result of commercial enterprises that suddenly find themselves in the publishing business as a result of their Web presence. J. Leib Dodell, a former First Amendment lawyer who now heads the Internet liability business of the Chubb Group of Insurance Cos. in San Francisco, said most companies are ill-prepared for the challenge.
"The overarching issue is that IT managers, risk managers, general counsels—whoever has the responsibility for supervising what the companys doing online—have to start thinking like publishers think," Dodell said. "They need to be mindful of copyright, trademark, defamation and other areas of the law they probably dont have a lot of prior experience with."
The news media tend to focus on the most notorious copyright infringement cases, such as the music industrys battles with Napster Inc. and MP3.com Inc. But Dodell said the number of all copyright infringement cases is growing "because the Internet makes it so easy to cut and paste content that they dont stop to think about the licensing implications."
"For example," Dodell said, "someone in the IT department sees a Dilbert cartoon in the paper and thinks it would be amusing and relevant to their viewers, so they slap it on the Web site without thinking about the copyright implications. Or it could be something as seemingly innocuous as a bicycle shop that wants to put Lance Armstrongs photograph on their Web site and doesnt think about the commercial misappropriation issue."
Lawyers, risk analysts and insurance experts agree that privacy issues are going to cause explosive growth in corporate liability claims over the next five years. For one thing, its an area lawmakers seem eager to jump into.
"You can always find very egregious examples," Greenberg Traurigs Sutin said. "And they hit home because everybodys reaction is, That could have been me; it could have been my information that was taken and misused. That makes for a very attractive area for politicians." But at the same time, he said, "Its also an area thats ripe for abuse. People do not understand the technologies of the Internet, and they dont understand how much information about them is being collected or the uses that information is being put to."
"Theres been a ton of new legislation," Dodell said. "It has become very fashionable at the state and federal level for legislatures to address perceived shortcomings in online privacy."
Among recent federal privacy laws are COPPA, or the Childrens Online Privacy Protection Act, which requires that companies get written parental permission before requesting or accepting information about any child under age 13. Although the Federal Trade Commission has posted detailed guidelines for compliance, lawyers report widespread ignorance of the laws implications among companies doing business online.
Likewise, HIPAA, or the Health Insurance Portability and Accountability Act, imposes stringent regulations for protecting consumers medical and health information. Whats more, this year, the U.S. Department of Health and Human Services is expected to create the first regulatory rules for determining whether a companys security technologies and policies are adequate—a negligence test that could have huge implications for IT managers across all industries.
Perhaps the most significant model for future legislation is the Financial Modernization Act, popularly known as Gramm-Leach-Bliley for its principal congressional authors. In addition to regulating how personal information about consumers can be shared and exchanged by insurance companies and financial institutions, it requires that consumers be informed about privacy policies and practices and gives them limited control—via opt-out—over whether and how personal information is disseminated.
While several corporate divisions often share responsibility for liability exposures arising from an enterprises overall use of technology and the Internet, it is the IT department where heads will roll if a network security failure results in a loss of competitive advantage or trade secrets, a privacy lawsuit, or identity theft. That situation represents a failure of top corporate leadership, according to Marshs Freeman, who said that security risks, like many other company exposures to liability, cannot be the sole responsibility of a single department.
"We have to get over the silo mentality, where everybody has their own little narrowly defined areas of functionality," Freeman said. "Youve got treasury people, risk management people, compliance people, IT people, security people, marketing people, and each operates a lot in their own domain."
Managing security is going to be impossible without a "cross-functional perspective," Freeman said.
"Many IT managers think of themselves as risk managers of technology," Freeman said. "They may not realize all that entails, but a lot of them understand it cannot be managed by just one department alone."
For example, Freeman said, "if you dont get HR involved, when you terminate an employee, do they really change the guys password? Do they make sure the guy walked out without the crown jewels? What is the termination procedure as it relates to IT security?"
Likewise, the companys legal department has to be working in sync with the IT department to avoid security risks arising from outsourcing and partnerships.
"IT people understand that security is an onion with a lot of different layers," Freeman said. "Its not just a matter of hardening the front door at the network level. What kind of diligence can IT exercise over hosting companies, for instance? If the lawyers dont put anything in the contract that allows you to do due diligence of third-party contractors, nothing IT can do by itself will keep the doors locked."
Joel Rothman, a Boca Raton, Fla., lawyer who specializes in technology risk issues, said he is seeing mounting sentiment among IT professionals that their insurers are falling down on the job by failing to sue software companies for continually releasing products riddled with glaring security defects.
"A growing number of people think a major lawsuit may be the only way to stop the cycle of hacker exploit; vulnerability discovered; patch the problem," said Rothman, who two years ago founded the Techrisk.org discussion group and is now legal counsel to the Cylant.com security division of Software Systems International LLC, of Moscow, Idaho. "You have to completely change the software companies attitude about their liability for security holes."
When legal experts describe liability exposure in the workplace, the bogeyman that repeatedly pops up is e-mail.
"People have a tendency to say things in e-mail they wouldnt say in formal memoranda or correspondence," Greenberg Traurigs Sutin said. "They transmit photographs and other types of documents they would never send through interoffice mail. And because these are digital documents that often get backed up onto disks or tapes, they tend to live forever. Lawyers have gotten very sophisticated about framing discovery requests to get their hands on the stuff, so weve seen a big increase in liability exposure as a result."
For Brian Casey, an attorney with Lord Bissel & Brook, in Atlanta, another kind of e-mail exposure recently became a personal issue. "I had a situation where my stockbroker, a very honest, upstanding guy, got an e-mail from his brother and just printed it out along with his other e-mail to read later," Casey said. "But he printed it on a shared office printer, not realizing it contained an ethnic slur. An African-American employee found it on the printer, saw it had some derogatory and prejudicial statements in it, and reported him. He was dismissed immediately." Thanks to e-mail, Casey said, the lesson is that "employment-related liability—be it the employers liability as a result of an employees conduct or the employees own risk of being terminated—has increased significantly."
Unique E-Commerce Issues
While most forms of exposure resulting from e-commerce are old issues dressed in new clothes, experts cite a few that arise from unprecedented features of the Internet. For example, Chubbs Dodell sees a potential for lawsuits resulting from personalized online advice generated by bots or agents.
"The Internet is breaking down the traditional distinction between advice given in a professional/client relationship, where there is an expectation of a reasonable degree of expertise and service, and the kinds of advice printed in magazines or newspapers, where the courts have recognized much greater latitude in publishing advice columns that are meant to be read by a broad range of people," Dodell said. "A lot of Web sites offer an Ask a doc kind of feature, where a user can enter fairly detailed personal information and then receive what appears to be a response tailored to his particular situation. That begins to look more like the professional/client relationship, which could essentially give rise to a malpractice claim."
Lord Bissel & Brooks Casey said he is concerned about what forms of digital communication constitute a written contract as required by the statute on fraud—real estate transactions being the most common—and about a widespread misunderstanding about electronic signatures, his own area of expertise.
"Frankly," Casey said, "I think there are a fair number of businesses running Web sites that are either ignorant about e-signatures or believe that what theyre doing on their Web site, to the extent that it involves getting a signature from someone in an electronic format, qualifies as an electronic signature. I dont see the consumer language thats required by the federal electronic signature law." In fact, Casey said, the very distinction between a written contract and an oral contract has been stood on its head by the Internet.
"The whole paradigm has changed," Casey said. "You now have a situation where a voice print can be a written signature under the law and a typed e-mail is construed as an oral contract. Its totally confusing to lawyers. I can only imagine how confusing its going to be for businesses."