Starting a new business is inevitably fraught with legal risk. But that risk multiplies in a brand new e-business. In the Internet jungle, organisations encounter legal landmines down every trail. Lawyers say it's all too easy to underestimate the extent to which existing legal and commercial frameworks can inhibit e-commerce, both within a given country and in cross-border trade.
"In the rush to join the online business community, it can be easy to overlook some basic principles of risk management and to pay insufficient regard to the potential liabilities that may be only a few clicks away," warns Phillips Fox partner David Kearney. "It is unfortunate that the unique characteristics of the Internet combined with the absence of the usual paper trail may lead to some online retailers paying scant regard to the operation of existing laws to online business. However, for the most part, these laws apply to Internet-based transactions just as if the relevant transaction was conducted by non-electronic means." And there are real areas of difference where the exposure of the online retailer may be greater than that of his bricks n' mortar counterpart, with important implications, particularly in the context of product liability laws.
CIOs are responsible for providing top-class technology support for an organisation's e-commerce effort. But it would be irresponsible of the CIO to proceed with a key technology initiative without assessing the environment within which the investment is made and, if necessary, pointing out to the business any areas of risk it may not have taken into account.
The areas of increased legal risk are manifold and increasing. For instance, there is a range of potential product liability traps for businesses trading online, thanks to the trans-jurisdictional (border-crossing) nature of the Web.
There can be legal problems for both those buying goods and services from foreign manufacturers over the Internet, as well as for those selling to buyers overseas. There's also a real threat from the extent of possible product liability claims, given the "open invitation" nature of Web sites.
Then there's the hazardous business of forming commercial contracts online, given how quickly things can become a done deal in cyberspace. "This issue is particularly important because cyberspace contracts can be formed in the blink of an eye," Kearney says, "and may lead some companies to expose themselves to liability without adequate consideration or legal advice. In most cases, online contracts are as enforceable as contracts written on paper." Product liability law is not the only potential hazard. Other areas of special risk include consumer privacy, copyright and e-mail. All three pose significant risks for anyone managing a commercial Web site or offering goods for sale online.
"Further legal issues are raised when an institution uses the Web for marketing and advertising," notes Queensland University of Technology lecturer Michael Lean in a paper called "The Tangled Web of Rights: Making Sure Your Website Complies With the Law". "It is becoming increasingly important to develop an awareness of, and ensure compliance with, a growing list of items if we are to preserve the ability to move through this tangled Web without infringing the rights of others or breaking the law." Liability, both civil and criminal, is clearly something to keep in mind as you leap into the electronic age.
On the one hand, the principles of the law as it affects e-commerce are simple. In most cases, "click-wrap" online contracts (agreements formed by clicking a computer button to accept a vendor's business terms) are as enforceable as contracts written on paper. That means commercial contracts online can be formed with the click of a mouse but could leave organisations facing a legacy of exposure to liability that could have ramifications down many years.
E-tailers must give careful consideration to the wording of the terms and conditions contained within such contracts. Ideally, they should ensure the button for accepting those terms and conditions is at the very bottom of the page so that the consumer is forced to scroll through the entire wording before clicking on it. That will make it much harder for consumers to argue they either didn't read or didn't have the opportunity to read all of the wording contained within those terms and conditions.
On the other hand, complying with the law can be incredibly complex for an e-business. The Internet spans many jurisdictions and can open the way to a number of potential new markets for a business moving its operations online.
That inevitably means the number of laws that may potentially govern the contract for sale of products also increases. Product liability has thus become increasingly fraught with uncertainty, with the jobs of both lawyers and business executives trying to assess the legal liabilities associated with doing business online complicated by a lack of case law in the Australian jurisdiction.
What is perfectly clear is that when a Web site offers a business transaction to citizens of another state or country, then that transaction may come under the notice of the law of that country. There have already been cases in the US where a state judiciary has determined that an interstate Web site has contravened state law in doing business in that state.
Some online businesses try to reduce their potential exposure by limiting the number of markets to which they will provide their products, explicitly stating on their Web site that orders from countries other than those nominated will not be filled. But for an online business unwilling to limit the number of potential markets, Kearney says, it's unlikely to be commercially feasible to take legal advice on all of those markets. That's where knowledge of the Law of Contract comes in.
The Law of Contract says that for a contract to come into existence acceptance must be communicated. The contract will then be formed in the jurisdiction where acceptance is received. Where a seller acknowledges an offer by way of acceptance, a contract will be formed in the jurisdiction of the purchaser. So an e-tailer must have a jurisdiction clause in the terms and conditions covered in the contract to the effect that the law governing the transaction will be in the jurisdiction of the e-tailer, not the customer. "An online business should always ensure that the laws of their jurisdiction govern the transaction. What jurisdiction governs a particular transaction will depend upon where the relevant contract came into existence," Kearney says.
Product liability issues can also leave the organisation dangerously exposed.
The prudent approach for a business considering the advertising or sale of products over the Web is to be fully informed of both the existence and effect of product liability law while also considering a host of other legal pitfalls.
"Any business considering advertising or selling products over the Internet needs to make sure they are fully informed of both the existence and effect of product liability law," Kearney says.
"Product liability is becoming an increasingly litigious area of law and increased trade via the Internet will contribute to continued growth in claims in this area."A good start is to ensure the organisation's liability insurance coverage is appropriate. Typically, product liability coverage excludes liabilities arising in the US and Canada. That could have disastrous implications for an e-tailer viewing either country as a key market.
The other minefield where product liability issues arise in the online environment is for businesses that advertise their products for sale via the Internet. Under the Trade Practices Act 1974, corporations engaged in trade or commerce are prohibited from engaging in conduct that is misleading or deceptive or that is likely to mislead or deceive.
That means an organisation advertising its products online must ensure its Web site is not likely to mislead the Web-based consumer as to the nature of the products advertised or in relation to the manner in which those products will be provided to the consumer. And they must be especially careful to ensure the product is of merchantable quality, since the consumer is unlikely to be able to examine the product before the contract is made in order to become aware of any defect.
An organisation must avoid misrepresentations as to the price and place of origin of products. And it is especially important not to make misleading statements in relation to the compliance of a product with relevant standards.
There is also an implied condition in any consumer contract that goods supplied be reasonably fit for any particular purpose communicated to the seller. "This communication need not necessarily be overt, so that goods supplied pursuant to an online contract must be fit for the purpose to which those types of goods are normally put," Kearney says.
Likewise an organisation that fails to specify the overall cost to the consumer of a product, inclusive of all delivery and statutory charges, may open itself to charges of misleading a consumer.
The various provisions under Part V of the Trade Practices Act 1974 are intended to protect Australian consumers contracting with trading companies for the supply of goods and services and are mandatory. They also apply as much to cyberspace as to the physical world. Any consumer contract formed within Australia via the Internet is subject to its operation. That means a company offering its products for sale by electronic means must be aware that the TPA imp- orts into each contract for sale implied warranties where the products are ordinarily acquired for personal, domestic or household consumption.
More importantly, these terms will be implied into the contract where the value of the contract is less than $40,000 - likely to encompass most of online sales of products.
And there's another hazard for Australian e-tailers. Although the online seller may not have manufactured the defective product, where the item is imported, the importer will be deemed to have manufactured it unless the actual manufacturer has a presence within Australia. That makes it vital that the online company puts appropriate risk management procedures in place, including inspecting and testing the quality assurance of products that overseas manufacturers supply before advertising those products on a Web site.
The local seller should also ensure that it uses reliable, identifiable suppliers. Under the TPA's strict liability provisions, a consumer who doesn't know the identity of a manufacturer may serve on a supplier a written request to identify the manufacturer. Unless the supplier can identify the manufacturer within 30 days, the supplier is deemed to be the manufacturer for the purpose of that action.
And since each Australian state government has its own consumer protection legislation and prosecutes businesses that contravene its legislative provisions, organisations should be as aware of the provisions of their own state's legislation as they are of the TPA. They also need some grasp of the law of defamation as it might apply in cyberspace and of Corporations Law (which holds, for example, that companies must display their ACN or ARBN on their Web site).
The Evils of E-mail
When it comes to e-mail, employers are recognising just how much their potential liability for e-mail has increased. Companies without clear written policies for the use of e-mail risk being sued by outsiders and employees alike. It is therefore wise for employers to ensure they have the capacity to monitor use of their computer systems and to educate their employees about the appropriate use of e-mail.
There's a particular danger that employees might send e-mail that contains information with the potential to be defamatory. All staff should be made aware of the need for caution in the wording of e-mails. E-mail misuse, high levels of pornographic content, and sexual and racial harassment via e-mail also expose employers to legal liability.
A comprehensive e-mail policy should remind employees to be cautious when handling confidential information, and should spell out in no uncertain terms acceptable e-mail use and the way the enterprise will deal with breaches. Such breaches include overuse, discrimination and harassment, copyright, defamation, spamming, employee privacy rights, and revelation of trade secrets. The policy should also outline procedures for retaining and deleting old documents on the company's computer system. Important documents may be printed and saved in paper form or stored electronically on backup disks. Corporations should also realise that pending litigation may force them to suspend routine deletion systems to preserve documents for discovery.
But nor should the employer forget that employees also have legitimate expectations of privacy in relation to their e-mail communications, which have to be balanced against the corporate interest. Employers wanting to avoid being sued by employees for invasion of privacy should ensure their e-mail policies clearly explain that electronic messages will be monitored. If such a policy is stated in writing, employees cannot have a legitimate expectation of privacy regarding their e-mail accounts, and any claim that their employer violated their privacy by reading their e-mail is likely to fail, Lean says.
The messaging policy should make clear the rights of employees in relation to their electronic messages. The policy should cover storage requirements: whether backup copies are stored on the server and who has access to them and the level of privacy employees can generally expect. It should clearly spell out exactly what categories of e-mails should be retained and which destroyed, recognising the potential for old e-mail records to provide a smoking gun in litigation.
It should also spell out the circumstances in which management has the right to read and take action on employee e-mail; the legal risks associated with e-mail; and the unacceptability of using e-mail to abuse or harass other employees.
Regarding privacy, at time of writing the Privacy Amendment (Private Sector) Bill, due to come into force on 1 July 2001, was going through federal parliament. If passed, the law will give individuals the right to ascertain what information an organisation holds about them; allow them to ensure such information is accurate; and limit the transfer of information to organisations outside Australia to situations where those countries have effective privacy protection regimes in place.
The act allows using personal information for marketing purposes only where the consumer has the chance to decline to receive marketing communications, and means organisations collecting personal information online must take reasonable steps to ensure that consumers know who is collecting the information and how it is used.
Only by such comprehensive measures as these can organisations hoping to make a killing in cyberspace ensure their business practices don't kill them first.
Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.