
What is “information security law”?

01/11/2008 – 7:02 am by Lance Michalson

Information security law is an emerging area of the law which is currently at the same stage of development as so-called “Internet law” or “cyber law” was in the early 21st century.

There is no single law in South Africa that deals exclusively with information security. To understand the legal requirements more fully, one therefore has to understand the various guides, best practices and relevant sections of existing statutes and the common law which have a bearing on information security.

Information security law concerns itself with the following areas of law:

The law of contract: where information technology contracts such as outsourcing, service provision, application service provider and software licensing agreements are beginning to impose security obligations on vendors and business partners. These agreements increasingly require the providers of information technology to warrant against security vulnerabilities, such as viruses and trojan horses, and organisations are more frequently being contractually obligated to protect a customer’s, employee’s or business partner’s personal or confidential information.

The law of delict: where the concepts of “reasonableness” and “duty of care” are relied upon to determine whether or not an organisation has been negligent in not taking the necessary security precautions, or is liable for loss where the party who suffered the loss proves that it was reasonably foreseeable and was caused by the other party’s negligence.

The law of evidence: in connection with forensic issues relating to information in electronic form which may have been modified or deleted in an attempt to hide the evidence, and the taking of the steps necessary to ensure that the reliability and admissibility of the electronic evidence will be maintained in the eyes of a Court of law.

Common law fraud: for example, identity theft.

Computer-related fraud: in terms of section 87 of the ECT Act, where the victim of an information security attack conducted by means of impersonation or spoofing could lay a criminal charge of fraud against the attacker based on the attacker’s attempt to mislead or to misappropriate something of value.

Common law privacy claims: where for example a person submits personal information to an organisation for a certain purpose and the organisation reveals the information to a third party who misuses the information causing the person to suffer damage or loss (for example, in the context of ‘data swops’ between organisations).

Cyber crime: any illegal act involving a computer, whether the computer is the object of the crime, the instrument used to commit it or a repository of evidence related to it, including the statutory cyber crimes set out in sections 85 to 88 of the ECT Act.

Public key infrastructures (e.g. the SA Post Office Trust Centre): which include digital certificates, electronic authentication, electronic signatures and “advanced” electronic signatures.

Information security governance: being corporate governance in the context of information security.
