DRT 6455 eCommerce Law, Lesson 2: Legal Security Management. Example of An Act to Establish a Legal Framework for Information Technology. Associate professor, Faculty of Law, University of Montreal; University of Montreal Chair in e-Security and e-Business Law, www.gautrais.com
2 An Act to establish a legal framework for information technology (Quebec) (L.R.Q. c-1.1)
3 Know your Law: Guide Respecting the Management of Technology-based Documents - An Act to establish a legal framework for information technology (R.S.Q., c. C-1.1) (11/2005). French title: Afin d'y voir clair. Guide relatif à la gestion des documents technologiques (To see clearly: guide on the management of technology-based documents).
4 Plan: 1 – Legal change, new legislation … a guide; 2 – Guiding principles of the Act; 3 – Managing technology-based documents in a secure manner; 4 – Use of technology-based documents as evidence; 5 – Legal management of digital signatures
6 2.1 Illustrations of innovation: new risks, new technologies, new advantages, new drawbacks, new objectives, new words, new laws
7 2.1.A New risks: ignorance, immateriality, habits, obscurity, internationality; identification of document attributes – confidentiality – authentication – non-repudiation – availability – integrity
8 2.1.B New technologies: technology-based document; email = technology-based address; Internet « log »; identifier; etc.
9 2.1.C New advantages: quick, efficient, transportable, immaterial
10 2.1.D New drawbacks: quick; immaterial; new habits; multiplicity; effectiveness – the law is not clear (EX: s. 34) – 34. « Where the information contained in a document is declared by law to be confidential, confidentiality must be protected by means appropriate to the mode of transmission, including on a communication network. » – the law is difficult to apply
11 2.1.E New objectives: remove barriers to eCommerce – EX: writing – EX: signature – EX: original; make security precise – EX: email / SMS – EX: what does it mean to be secure?; protect people – EX: s. 29 AELFIT
12 2.1.F New words: technology-based document, document, certification, documentation, transfer, life cycle, identifier, etc.
13 2.1.G New laws: new procedural (process-based) laws – EX: SOX Section 404 and internal control – EX: PIPEDA Schedule 1 – EX: AELFIT
15 2-2-A Technological neutrality: the law does not favour one technology in particular – EX: Utah, Singapore, Italy, Portugal, Germany, etc. – EX: certification. But the law needs to be a little prescriptive – neutral does not mean silent – silence in laws: EX: what is the meaning of « integrity »? EX: s. 34 AELFIT
16 2-2-A Technological neutrality. United Nations Convention on the Use of Electronic Communications in International Contracts (2005) – 8.1. A communication or a contract shall not be denied validity or enforceability on the sole ground that it is in the form of an electronic communication. – 9.1 Nothing in this Convention requires a communication or a contract to be made or evidenced in any particular form. AELFIT – 5. The legal value of a document, particularly its capacity to produce legal effects and its admissibility as evidence, is neither increased nor diminished solely because of the medium or technology chosen. Chinese Law – Article 7 The use of a data message as evidence may not be refused solely on the grounds of its creation, transmission, receipt or storage in electronic, optical, magnetic or other similar fo
17 2-2-B Functional equivalent: identify the functions of paper and transpose them to the electronic medium – document: finding a criterion – writing: transposable – signature: at each concept – original – copy
18 2-2-C Integrity: the main criterion that gives a document its « legal value » – evidence: admissibility, probative force – but what is it?
19 Writing. AELFIT (L.R.Q. c. C-1.1) art. 5 (2): A document whose integrity is ensured has the same legal value whether it is a paper document or a document in any other medium, insofar as, in the case of a technology-based document, it otherwise complies with the legal rules applicable to paper documents. (…) Where the law requires the use of a document, the requirement may be met by a technology-based document whose integrity is ensured.
20 2839 CCQ: The integrity of a document is ensured if it is possible to verify that the information it contains has not been altered and has been maintained in its entirety, and that the medium used provides stability and the required perennity to the information.
21 2-2-D Writing. Examples of laws requiring a written form – 13 (4) Copyright Act – 19 Consumer Protection Act (Ontario) – Consumer Protection Act (Quebec). What are the functions of a writing? (see UNCITRAL eCommerce Model Law with Guide to Enactment (1996))
22 Writing. 48. In the preparation of the Model Law, particular attention was paid to the functions traditionally performed by various kinds of writings in a paper-based environment. For example, the following nonexhaustive list indicates reasons why national laws require the use of writings: (1) to ensure that there would be tangible evidence of the existence and nature of the intent of the parties to bind themselves; (2) to help the parties be aware of the consequences of their entering into a contract; (3) to provide that a document would be legible by all; (4) to provide that a document would remain unaltered over time and provide a permanent record of a transaction; (5) to allow for the reproduction of a document so that each party would hold a copy of the same data; (6) to allow for the authentication of data by means of a signature; (7) to provide that a document would be in a form acceptable to public authorities and courts; (8) to finalize the intent of the author of the writing and provide a record of that intent; (9) to allow for the easy storage of data in a tangible form; (10) to facilitate control and subsequent audit for accounting, tax or regulatory purposes; and (11) to bring legal rights and obligations into existence in those cases where a writing was required for validity purposes.
23 Writing. UNCITRAL Model Law criterion, article 6: « usable for subsequent reference ». As in Ontario, in REC (rest of Canada), and in the United Nations Convention on the Use of Electronic Communications in International Contracts (2005) – 9.2. Where the law requires that a communication or a contract should be in writing, or provides consequences for the absence of a writing, that requirement is met by an electronic communication if the information contained therein is accessible so as to be usable for subsequent reference.
24 Writing. French law (March 12th, 2000) http://www.legifrance.gouv.fr/citoyen/jorf_nor.ow?numjo=JUSX9900020L Art. 1316-1. (translated from the French) A writing in electronic form is admissible as evidence on the same basis as a writing on paper, provided that the person from whom it originates can be duly identified and that it is created and stored under conditions of such a nature as to guarantee its integrity.
25 Writing. Problems with the « usable for subsequent reference » criterion – EX: arbitration clause (2640 CCQ) – EX: CPA – no way to be aware (function number 2). Problems with the integrity criterion too. Problem of distinct criteria across jurisdictions – integrity – usable for subsequent reference – visible form (UK) – record (UETA)
26 2-2-E Signature. 2827 CCQ: A signature is the affixing by a person, to a writing, of his name or the distinctive mark which he regularly uses to signify his intention. Limitations concerning the use of biometrics in AELFIT, art. 44 – no obligation – purpose (finality) – destruction – transparency toward the Commission d'accès à l'information (Information Access Commission, CAI) – etc.
27 signature Electronic signature: is it reliable ? Is it legal ?
28 Signature. Difficult to say: 1) because the definition is not so clear; 2) because contracts disclaim all liability.
31 signature 1) Identity of signatory 2) Intention to sign
32 Signature. United Nations Convention on the Use of Electronic Communications in International Contracts (2005) 9.3. Where the law requires that a communication or a contract should be signed by a party, or provides consequences for the absence of a signature, that requirement is met in relation to an electronic communication if: (a) A method is used to identify the party and to indicate that party's intention in respect of the information contained in the electronic communication;
33 Signature. The same in Quebec, in the Civil Code of Quebec (1994) (2827 CCQ); in Ontario and the Electronic Commerce Act (2000); in British Columbia and the Electronic Transactions Act (2001); in China – Article 2 All references to an "electronic signature" in this law are to electronic data that are contained in or attached to a data message and are used to identify the signatory and indicate its endorsement of the contents of such data message. But there is another criterion:
34 Signature. United Nations Convention on the Use of Electronic Communications in International Contracts (2005) 9.3. and (…) (b) The method used is (…): (i) As reliable as appropriate for the purpose for which the electronic communication was generated or communicated, in the light of all the circumstances, including any relevant agreement;
35 Signature. Ontario, Electronic Commerce Act (…) (a) the electronic signature is reliable for the purpose of identifying the person; and (b) the association of the electronic signature with the relevant electronic document is reliable.
36 Signature. British Columbia, Electronic Transactions Act (…) 21 (d) prescribing records or classes of records for which a requirement under law for the signature of a person must be satisfied by an electronic signature and proof that, in view of all the circumstances including any relevant agreement and the time the electronic signature was made, (i) the electronic signature is reliable for the purpose of identifying the person, and
37 Signature. Uniform Electronic Transactions Act (USA): the use of security procedures is simply one method for proving the source or content of an electronic record or signature. A security procedure may be technologically very sophisticated, such as an asymmetric cryptographic system. At the other extreme the security procedure may be as simple as a telephone call to confirm the identity of the sender through another channel of communication. It may include the use of a mother's maiden name or a personal identification number (PIN). Each of these examples is a method for confirming the identity of a person or accuracy of a message.
43 2-2-F Original. AELFIT (L.R.Q. c. C-1.1) art. 12: 12. A technology-based document may fulfil the functions of an original. To that end, the integrity of the document must be ensured and, where the desired function is to establish 1) that the document is the source document from which copies are made, the components of the source document must be retained so that they may subsequently be used as a reference; 2) that the document is unique, its components or its medium must be structured by a process that makes it possible to verify that the document is unique, in particular through the inclusion of an exclusive or distinctive component or the exclusion of any form of reproduction; 3) that the document is the first form of a document linked to a person, its components or its medium must be structured by a process that makes it possible to verify that the document is unique, to identify the person with whom the document is linked and to maintain the link throughout the life cycle of the document.
44 Original. a) Source document = integrity. Example: a signed contract.
45 Original. b) Single (unique) document = integrity + application of a uniqueness process. Example: a bill of lading.
46 Original. c) First form of a document linked to a person = integrity + application of a linking process. Example: a will.
48 2-3 Managing technology-based documents in a secure manner: transfer, retention, accessibility (consultation), transmission
49 Transfer. Definition: to change a technology-based document from one medium to another. Example: an enterprise digitizes large volumes of paper onto a few CDs. Legal conditions: – 1) documentation of WHO – WHAT – HOW; – 2) ensure integrity.
50 Retention. Definition: to store documents so that they can be found later. Examples: – a consumer buys a product online; – for administrative or taxation reasons, an enterprise needs to retain a large number of documents, sometimes for 3, 6 or 10 years. Legal conditions: – 1) designate an assigned person, within the organization, for security matters, or subcontract to a third-party service; – 2) ensure that the documents kept are complete and available throughout the time they are retained; – 3) ensure that the assigned person who modifies a retained document, and thus knowingly compromises the integrity of the document, explains in the document itself: WHO, WHAT, HOW, WHEN.
51 Consultation. Definition: to present a document in intelligible form to the authorized persons. Examples: – PIPEDA / all privacy protection acts; – Securities Act. Legal conditions: – intelligible, legible; – freedom to choose paper or electronic; – organization of access to confidential documents: limiting access; identifying an assigned person; ensuring that an extensive search is impossible; setting up a secure system; respecting the conditions applicable to confidential documents.
52 Transmission. Definition: to send a document from one person to another. Examples: – email; – EDI; – SMS. Legal conditions, for the sent document to have the same validity as the received document: – ensure integrity + documentation; – a technology-based document is considered sent when the sender no longer has control over it (shown, for example, by a transmission slip); – a technology-based document is considered received when it is available to the recipient (shown, for example, by an acknowledgement of receipt); – for a technology-based document containing confidential information, ensure that an appropriate method is used and that the transmission is documented.
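The integrity test of 2839 CCQ and the transfer, retention and transmission conditions above all rest on the same few operations: fix the content of the document so that any later alteration can be detected, record who did what, how and when, link that record to a person, and have the recipient confirm receipt. The Go program below is an added example (not code from the slides, from the Act or from its guide) that shows those operations end to end: the sender hashes the document with SHA-256, signs a WHO/WHAT/HOW/WHEN record over that hash with an Ed25519 key, and the recipient checks integrity and the sender's signature before returning its own signed acknowledgement of receipt; a copy altered in transit is rejected. The Record and Envelope structures, their field names, and the Ed25519 key pairs standing in for the parties' certificates are this example's assumptions; the sample contract text is constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Record is the documentation the Act asks for around a transfer or a
// transmission: WHO did WHAT, HOW and WHEN, to which exact document (its
// SHA-256 digest). Field names are this example's own, not terms of the Act.
type Record struct {
	Who    string `json:"who"`
	What   string `json:"what"`
	How    string `json:"how"`
	When   string `json:"when"`   // RFC 3339, UTC
	Digest string `json:"digest"` // hex SHA-256 of the document
}

// Envelope is what travels between the parties: the document, the record
// describing it and the author's Ed25519 signature over the record. An
// acknowledgement of receipt carries a signed record and no document.
type Envelope struct {
	Document  []byte
	Record    Record
	Signature []byte
}

// Party is a signatory or recipient identified by an Ed25519 key pair, a
// constructed stand-in for the certificate a real deployment would use.
type Party struct {
	Name string
	pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewParty(name string) Party {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return Party{Name: name, pub: pub, priv: priv}
}

func (p Party) PublicKey() ed25519.PublicKey { return p.pub }

// DocumentDigest is the integrity value: any change to the document changes
// it, which is what 2839 CCQ requires us to be able to verify.
func DocumentDigest(doc []byte) string {
	sum := sha256.Sum256(doc)
	return hex.EncodeToString(sum[:])
}

// recordBytes is the exact byte string that gets signed. json.Marshal of a
// struct of strings is deterministic (field order is fixed) and cannot fail.
func recordBytes(rec Record) []byte {
	raw, _ := json.Marshal(rec)
	return raw
}

// VerifyRecord checks that the record in env was signed by the holder of pub.
func VerifyRecord(env Envelope, pub ed25519.PublicKey) bool {
	return ed25519.Verify(pub, recordBytes(env.Record), env.Signature)
}

// Send prepares a transmission: the digest ties the record to the exact
// document, the signature ties the record to the sender.
func (p Party) Send(doc []byte, how string, when time.Time) Envelope {
	rec := Record{Who: p.Name, What: "transmission", How: how,
		When: when.UTC().Format(time.RFC3339), Digest: DocumentDigest(doc)}
	return Envelope{Document: doc, Record: rec, Signature: ed25519.Sign(p.priv, recordBytes(rec))}
}

// Receive is the recipient's side: integrity first, then the sender's
// signature, then a signed acknowledgement of receipt for the same digest.
func (p Party) Receive(env Envelope, senderPub ed25519.PublicKey, when time.Time) (Envelope, error) {
	if DocumentDigest(env.Document) != env.Record.Digest {
		return Envelope{}, errors.New("integrity failure: document differs from the one the sender recorded")
	}
	if !VerifyRecord(env, senderPub) {
		return Envelope{}, errors.New("signature failure: record is not linked to the sender's key")
	}
	ack := Record{Who: p.Name, What: "acknowledgement of receipt", How: "signed acknowledgement",
		When: when.UTC().Format(time.RFC3339), Digest: env.Record.Digest}
	return Envelope{Record: ack, Signature: ed25519.Sign(p.priv, recordBytes(ack))}, nil
}

func main() {
	alice, bob := NewParty("Alice"), NewParty("Bob")
	// Constructed sample document; any file content works the same way.
	contract := []byte("Constructed sample contract: Alice sells Bob one widget for 10 CAD.")
	sent := alice.Send(contract, "email", time.Date(2024, 1, 15, 9, 0, 0, 0, time.UTC))

	ack, err := bob.Receive(sent, alice.PublicKey(), time.Date(2024, 1, 15, 9, 5, 0, 0, time.UTC))
	fmt.Println("clean transmission accepted:", err == nil, "| acknowledgement verifies:", VerifyRecord(ack, bob.PublicKey()))

	altered := sent // same record and signature, different content: an alteration in transit
	altered.Document = []byte("Constructed sample contract: Alice sells Bob one widget for 1000 CAD.")
	_, err = bob.Receive(altered, alice.PublicKey(), time.Now())
	fmt.Println("altered copy:", err)
}
```

The digest alone covers the « not altered » half of 2839 CCQ; the signature over the record is what links the document and its documentation to a person (the first-form function of art. 12), and the recipient's signed acknowledgement is the evidence of receipt the transmission slide points to. Stability and perennity of the medium are properties of storage, not of the code, and the same Record can be written into a retained document when an assigned person modifies it.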
56 Not sure… – Bélanger c. Future Électronique, 2005 QCCRT 0570 – Citadelle, Cie d'assurance générale c. Montréal (Ville), 2005 IIJCan 24709 (QC C.S.) – Vandal c. Salvas, IIJCan 40771 (QC C.Q.) AELFIT
57 Regulation helps – articles 63 and following: 63. A multidisciplinary committee shall be formed to promote the harmonization, both at the national and international levels, of the technical processes, systems, norms and standards established for the purposes of this Act. To that end, the Government shall, after consultation with the Bureau de normalisation du Québec, call upon persons from the business community, the information technology industry and the scientific and technical community, persons from the public, parapublic and municipal sectors and persons belonging to the professional orders, all of whom must have expertise in the field of information technology. AELFIT
60 2.5 Legal Management of Digital Signatures. [Image: data-enc.gif, available at pst.libre.lu/mssi-luxmbg/p1/data-enc.gif]
61 2.5 Legal Management of Digital Signatures: three main legislative attitudes – minimalist: UK – prescriptive: Singapore, Portugal, Hungary, Hong Kong, Malaysia, Italy, Germany – hybrid: Quebec, France, etc.
62 2.5 Legal Management of Digital Signatures. Substantive elements – certificate – documentation: policy, CPS (Certification Practice Statement) – participants: signatory, relying party, certification authority, and others (such as auditor / accreditor / etc.) – liability
63 2.5 Legal Management of Digital Signatures. Procedural elements – entities responsible for controlling the certification process: auditor, accreditor, certifier, etc. – documentation: external assessment documentation, internal assessment documentation
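The substantive elements of the two slides above (certificate, signatory, relying party, certification authority) are easiest to see from the relying party's side, since that is where the certificate is actually used. The Go program below is an added example (not code from the slides or from any of the laws cited): a certification authority issues a certificate binding a key to a signatory's name, the signatory signs a document, and the relying party accepts the signature only if the certificate chains to a CA it trusts, is valid at the time of reliance, and the public key it carries verifies the signature over the document. The CA names, the signatory name, the validity window and the sample document are constructed; the ECDSA P-256 keys are generated when the program runs.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// newECKey generates a P-256 key pair, used here for CAs and signatories alike.
func newECKey() *ecdsa.PrivateKey {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return key
}

// mustCert turns the DER output of x509.CreateCertificate back into a parsed certificate.
func mustCert(der []byte, err error) *x509.Certificate {
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// NewCA creates a self-signed certification-authority certificate. The name and
// validity window are whatever the caller constructs; serials are fixed for the example.
func NewCA(name string, from, until time.Time) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := newECKey()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             from,
		NotAfter:              until,
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	return mustCert(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)), key
}

// IssueSignatoryCert is the CA's act: it binds a fresh key pair to the signatory's name.
func IssueSignatoryCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, signatory string, from, until time.Time) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := newECKey()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: signatory},
		NotBefore:    from,
		NotAfter:     until,
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	return mustCert(x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)), key
}

// SignDocument is the signatory's act: an ECDSA signature over the SHA-256 digest of the document.
func SignDocument(key *ecdsa.PrivateKey, doc []byte) []byte {
	digest := sha256.Sum256(doc)
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest[:])
	if err != nil {
		panic(err)
	}
	return sig
}

// RelyingPartyCheck is the relying party's act at time `at`:
// 1) the signatory's certificate must chain to the CA the relying party trusts and be valid at `at`;
// 2) the signature must verify under the public key the certificate binds to the signatory's name.
func RelyingPartyCheck(cert, trustedCA *x509.Certificate, doc, sig []byte, at time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(trustedCA)
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: at, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("certificate not trusted: %w", err)
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return errors.New("certificate does not carry an ECDSA key")
	}
	digest := sha256.Sum256(doc)
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return errors.New("signature does not match the document under the certified key")
	}
	return nil
}

func main() {
	from := time.Now().Add(-time.Hour)
	until := from.Add(24 * time.Hour)
	ca, caKey := NewCA("Constructed Trusted CA", from, until)
	otherCA, _ := NewCA("Constructed Other CA", from, until)
	cert, key := IssueSignatoryCert(ca, caKey, "Alice (constructed signatory)", from, until)
	doc := []byte("Constructed sample agreement text")
	sig := SignDocument(key, doc)

	fmt.Println("trusted CA, valid time:", RelyingPartyCheck(cert, ca, doc, sig, time.Now()))
	fmt.Println("wrong trust anchor:", RelyingPartyCheck(cert, otherCA, doc, sig, time.Now()))
	fmt.Println("after expiry:", RelyingPartyCheck(cert, ca, doc, sig, until.Add(time.Hour)))
}
```

The first line prints `<nil>`; the other two print the chain error. What the code cannot show is exactly what the slides list next to the certificate: the policy and CPS under which the CA issued it, who audited or accredited the CA, and who is liable when the binding is wrong. A relying party's trust in `trustedCA` is a decision taken on those documents, not something the verification routine can establish.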