COMP.SEC.100, 4. Law and Regulation

4.14 Summary: Legal risk management
Someone considering legal issues for the first time may perceive only one part of the phenomenon: regulations. Even if issues of scope of application, choice of law, enforcement, etc. are included, much else that must be taken into account in analysing legal risk may be overlooked.
Consider a situation where Liisa has the possibility to bring an action against Pekka. Liisa may do so or refrain from doing so. If she does, she may win or lose. Pekka’s risk that the outcome favours Liisa also depends on:
- Liisa’s ability to produce evidence relative to Pekka’s ability to refute it;
- Pekka’s ability to substantiate his defensive arguments relative to Liisa’s ability to refute this evidence;
- Pekka’s costs if Liisa wins. These include litigation costs.
The weighing described above works well in a situation where Pekka is already facing a threat of legal action by Liisa. The remainder of this section presents perspectives on the proactive management of legal risks.
Identifying the greatest risks. The nature of a person’s activities helps identify which rules are most important to them. For example, banks, telecommunications operators, and providers of medical and legal services are traditionally very aware of their need to obtain and maintain appropriate licences for their operations. Providers of gaming services are also well aware of the broad range of laws governing their activities. All companies are acutely aware of the need to understand their tax-related obligations.
Impact on human life. Strict cost–benefit analysis may be useful in making operational decisions, but it becomes problematic in matters concerning human life and safety. Laws and regulations enacted to protect human life and to compensate personal injury must be respected in particular. Failure to comply with such rules raises moral and ethical concerns and may also lead to exceptional or punitive measures when those rules are enforced.
Due diligence in relation to identified risks. No company asks a lawyer to find all the laws in the world that might apply to everything the company does. A typical due diligence strategy starts by identifying and examining those laws that could have a devastating effect on the business. Other laws and regulations, including those of foreign countries, may become relevant as the company grows or changes in nature.
Practical limitations on territorial enforcement powers. In the era of e-commerce, some companies may be alarmed by potential legal obligations with respect to hundreds of jurisdictions whose residents can access their website's content. Some may cease operations for this reason. Most others seek to adopt pragmatic approaches, including filtering or otherwise blocking access from countries that classify the product or service as illegal.
Relative costs of breaching a civil obligation. Committing a crime is different from failing to comply with a civil obligation. Sometimes the costs of responding to a civil claim are lower than the costs of compliance. This most commonly occurs in connection with a commercial contract when performance has become uneconomic, or in connection with a civil claim that involves a fixed financial consequence. In suitable circumstances, it may be calculated that abandoning the obligation and accepting the monetary risk of damages is cheaper than fulfilling the obligation.
Risks to personal reputation, safety and liberty. Cybersecurity practitioners sometimes encounter situations where they are tempted or encouraged to break the law. In such cases, it must be remembered that one may personally suffer the consequences of one’s actions regardless of the incentives offered by an employer or client.
Likelihood of enforcement. Sometimes persons with legal rights decide not to enforce them. For example, where the business harm is minor, the risk of a claim by a person who has suffered only a small loss may be low. The risk increases significantly if the rights of many such persons can be combined into a class action.
Challenges in collecting, preserving and presenting evidence. Both enforcing legal rights and defending against claims depend on the ability to prove contested facts or to refute those presented by the opposing party. One must consider in advance which matters will require evidence if the other party brings legal action, and how evidence can be proactively collected and preserved. It is also important to define retention parameters for all relevant data so that the routine destruction of documents does not cause problems in this respect.
Vicarious liability refers to the liability of an employer (or others with subordinates) for the actions of their subordinates. The only certain way to reduce it is to influence employees’ behaviour so that the number of actions leading to liability decreases. This should be taken into account, for example, in information security policies insofar as they aim to reduce liability towards third parties.
Risky activities can be localised into separate limited liability entities. This is a complex topic that requires careful planning.
Legal risks outside the legal system. In some circumstances, the greatest risk arising from legal action or its threat is not related to regulation itself. It may arise from the potential impact of legal action on an organisation’s reputation or on the maintenance of business licences granted by the state.
Laws can change. Societies and their decision-makers are becoming increasingly aware of cybersecurity. As a result, states and their representatives may increase enforcement actions, reassess current policies, and respond rapidly with updated or new legislation.