E-procurement
Legal Aspects on Information Security
02004-02-11 Nicklas Lundblad
Questions
What is e-procurement?
Why study e-procurement?
What legal aspects are there on information security in e-procurement?
Open discussion
E-procurement – definition
Multi layered internet application with catalogues, payment mechanisms, orders and negotiations.
”Buying on the Internet”
Two important categories
Private e-procurement (B2B e-commerce): contracts establish practice
Public e-procurement (B2G e-commerce): legal basis of practice
E-business landscape
E-procurement models
Set pricing
Many to many
One to many
Flexible pricing
E-auctions
E-exchanges
E-commerce
E-markets
Why study e-procurement?
Complex interactions of law, technology and business logic
Important future application
Large data flows and numerous vulnerabilities
Many examples and models
Some research – more needed!
Law, information security and business logic in e-procurement
(Diagram: Law, Information Security and Business Logic around E-procurement)
E-business in the EU
E-business in SMEs
E-business sophistication path
Security Awareness?
Source: Pilot studies 2000 in the EU
Legal Aspects and Information Security
Different cases:
Law regulates choice of security solutions
Security priorities conflict with law
Et cetera…
Object: Find cases where law and information security interact
Legal Aspects and Information Security in e-procurement
Legal aspect: information security aspect
Privacy: personal data, company data; traceability, non-repudiation et cetera
IPR: databases, copyright, patents; redundancy, updated information
E-signatures: qualified/advanced; authentication et cetera
E-commerce: information duties; identity theft
Trade secrets: distribution of data, aggregation of patterns; vulnerable business models
Public procurement law: legal requirements on procurement (business; extra procedural requirements
Competition law: collusion of interests; coordination of purchasing flows
Criminal law: fraud; control
Privacy
Example: Rules on data protection in the directive (95/46/EC): consent, purpose, security of systems
Case: Privacy
The company you are working for wants to monitor use of the e-procurement system and chart buyer-supplier relationships to ensure that no bribery et cetera is going on.
What are the legal aspects?
Employee monitoring
Case: Privacy
The e-procurement operator you use has collected data on all your transactions and is now selling them to your competitors.
What are the legal aspects?
Case: Privacy
The company you are working for suspects fraud and has set up an advanced honeynet to catch the fraudster. They chart all activity in the e-procurement application for behaviour that could be fraudulent.
What are the legal aspects?
HoneyNet
Case: Privacy
You have set up a procurement portal and now you have to design the back end systems. Are there any legal requirements on your procurement systems that flow from the fact that these systems handle personal data for authentication, communication et cetera?
System Requirements & Data Protection
Article 17 Data Protection Directive
Security of processing
1. Member States shall provide that the controller must implement appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.
Having regard to the state of the art and the cost of their implementation, such measures shall ensure a level of security appropriate to the risks represented by the processing and the nature of the data to be protected.
System Requirements and Data Protection
2. The Member States shall provide that the controller must, where processing is carried out on his behalf, choose a processor providing sufficient guarantees in respect of the technical security measures and organizational measures governing the processing to be carried out, and must ensure compliance with those measures.
3. The carrying out of processing by way of a processor must be governed by a contract or legal act binding the processor to the controller and stipulating in particular that:
- the processor shall act only on instructions from the controller,
- the obligations set out in paragraph 1, as defined by the law of the Member State in which the processor is established, shall also be incumbent on the processor.
4. For the purposes of keeping proof, the parts of the contract or the legal act relating to data protection and the requirements relating to the measures referred to in paragraph 1 shall be in writing or in another equivalent form.
IPR
Example: Intellectual property rights: patents, copyright, databases
Case: IPR
You implement a security solution for exchanging personal data. A week later a person contacts you and demands that you license the solution from him, since he has a patent pertaining to this method.
What are the consequences?
P3P – The Story
Case: IPR
The marketplace provider you use has been copying your database of articles and selling them to others. Besides being dishonest it shows your categorisation of the business, which you consider an important information asset.
What are the legal aspects?
E-signatures
Example: Directive on electronic signatures & regulations on electronic invoicing
Case: E-signatures
The company you work for issues certificates for an e-market. You are now looking into a business development project for rich electronic signatures, i.e. signatures that refer to data aggregated by trading partners, credit institutes and other actors. You also want to be able to sell data on the financial amount signed for, for advertising purposes.
What are the legal aspects?
Electronic signatures and data protection
Article 8
Member States shall ensure that a certification-service-provider which issues certificates to the public may collect personal data only directly from the data subject, or after the explicit consent of the data subject, and only insofar as it is necessary for the purposes of issuing and maintaining the certificate. The data may not be collected or processed for any other purposes without the explicit consent of the data subject.
E-commerce
Example: information duties. Data that must be provided by information society service providers:
Name
Geographic address
Details & e-mail addresses
Registration number/where he/she is registered
Relevant supervisory authority
VAT number…
Et cetera
Case: E-commerce
The CEO of your company tells you, in order to raise security, to eliminate all data that can be used to a) spam the company and b) steal the identity of the company.
What are the legal aspects?
Trade secrets
Examples: Laws on Trade Secrets, NDA (contractual agreements et cetera)
Trade Secrets
1 § A trade secret is defined as information about business or management facts such that a business has chosen to keep them secret, and the revelation of which would hurt the competitiveness of the company.
Trade Secrets and Logs
Can logs be trade secrets? How are logs protected? Does it matter who hosts the logs?
Public procurement law
Principles of Public Procurement and their potential impact
Concrete legal requirements (examples from Swedish law)
Public Procurement principles
The fundamental principles of European Community law with regard to public procurement are the principles of non-discrimination, equal treatment, transparency (openness and predictability), proportionality and mutual recognition.
Non-discrimination
The principle of non-discrimination prohibits all discrimination based on nationality. No contracting entity may, for example, give preference to a local company simply because it is located in the municipality.
But what about national differences in security?
National attack patterns?
Source: SIBIS 2003
National awareness?
Equal treatment (part of ND)
According to the principle of equal treatment all suppliers must be treated equally. All suppliers involved in a procurement procedure must, for example, be given the same information at the same time.
What architectural demands follow?
What does ”at the same time” mean in the digital world?
How is it verified?
Transparency (ND)
According to the principle of transparency the procurement process must be characterised by predictability and openness. In order to ensure equal conditions for tenderers the contract document has to be clear and unambiguous and contain all the requirements made of the items to be procured.
Online publishing of tenders & security
Proportionality
The principle of proportionality states that qualification requirements and requirements regarding the subject matter of the contract must have a natural relation to the supplies, services or works which are being procured and not be disproportionate.
Security and proportionality
What is the natural relation of security to goods, services and work?
How is this determined? By whom?
Mutual recognition
The principle of mutual recognition means among other things that documents and certificates issued by the appropriate authorities in a Member State must be accepted in the other Member
Security certifications?
ISO? CC?
Case: EU-law on public procurement
”Electronic signatures. The text agreed encourages the use of electronic signatures and allows Member States to require that electronically transmitted tenders be accompanied by the electronic equivalent of handwritten signatures, that is, a "qualified electronic signature". The integrity of data and the confidentiality of tenders are provided for elsewhere in the Directives and do not depend on the choice of whether to require electronic signatures and in which form.”
http://europa.eu.int/rapid/start/cgi/guesten.ksh?p_action.gettxt=gt&doc=IP/03/1649%7C0%7CRAPID&lg=EN
Case: EMITS at European Space Agency
Lists current invitations to tender
Interest declarations online
Industry web portal: 10 000 users/month!
Problems (legal/IS): classified info! Flow of users/personal data
Public Law (Swedish example)
”The principle of good business practice
4 § The award of public contracts should be so arranged as to take advantage of existing competition and should also in other respects accord with the conventions of good business practice. No unwarranted considerations should affect the treatment of tenderers, candidates or tenders.”
Unwarranted considerations?
Security requirements? E-signatures? Traceability? Standard compliance? Certification (ISO? CC?)? Access/security policies?
Case: Swedish Law I
Electronic bids are allowed in Swedish public procurement, if the basic rules are followed and if the procuring party assents. They must then, according to legislation, be confirmed, and this can also be done electronically ”with some kind of electronic signature” (Prop 1999/2000:128).
What is ”some kind of electronic signature?”
Case: Swedish Law II
Furthermore, the bids must be received and stored in a secure manner.
What is secure enough? What are the requirements? (TTPs, timestamps et cetera)
Case: Swedish Law III
Commercial secrecy. The bids are made public after the process, if the bidder does not request extended secrecy. (Max 2 years!)
What does this mean in the cases where security is a factor in the procurement process?!
The Public Procurement Process – simplified
Needs → Specification → Advertisement → Offer → Bid opening → Evaluation → Decision → Contract!
The Public Procurement Process – security aspects
Needs: security needs included?
Specification: security standards
Advertisement: secure publishing?
Offer: secure transactions?
Bid opening: timestamps, verification
Evaluation: security issues?
Decision: security and terms
Post-contract e-procurement solutions - issues
Authentication
Payments
Monitoring & control
Updates & patches to systems
Competition Law
Example: Competition laws, national and international
What is the problem?
Security requirements to hold companies out…
Security requirements to keep them in…
Criminal Law
Examples: Conventions, national laws
Case: Criminal Law
The company you work for wants to set a trap for a bidder that takes part in an e-auction in which they also take part, in order to show that the other company is actually a fake bidder introduced by a competitor.
What are the legal aspects?
Other legal aspects
Standards, law, information security and e-procurement (public and private): ebXML, UDDI, SAML, tpaML et cetera
Contractual agreements
Questions?
Presentation data
Presentation available at: http://www.skriver.nu/lais
Contact: [email protected]
Next session 20.2: Project Assignment