E-procurement: Legal Aspects on Information Security (2004-02-11, Nicklas Lundblad)



Questions

What is e-procurement?

Why study e-procurement?

What legal aspects are there on information security in e-procurement?

Open discussion

E-procurement – definition

Multi layered internet application with catalogues, payment mechanisms, orders and negotiations.

”Buying on the Internet”

Two important categories

Private e-procurement (B2B e-commerce): contracts establish practice

Public e-procurement (B2G e-commerce): legal basis of practice

E-business landscape

E-procurement models

Two dimensions: pricing (set or flexible) and participants (one to many or many to many)

                  One to many    Many to many
Set pricing       E-commerce     E-markets
Flexible pricing  E-auctions     E-exchanges

Why study e-procurement?

Complex interactions of law, technology and business logic

Important future application

Large data flows and numerous vulnerabilities

Many examples and models

Some research – more needed!

Law, information security and business logic in e-procurement

(Diagram: three overlapping circles, Law, Information Security and Business Logic; e-procurement sits in their intersection)

E-business in the EU

E-business in SMEs

E-business sophistication path

Security Awareness?

Source: Pilot studies 2000 in the EU

Legal Aspects and Information Security

Different cases

Law regulates choice of security solutions

Security priorities conflict with law

Et cetera…

Object: Find cases where law and information security interact

Legal Aspects and Information Security in e-procurement

Legal aspect            Information security

Privacy                 Personal data, company data; traceability, non-repudiation et cetera

IPR                     Databases, copyright, patents; redundancy, updated information

E-signatures            Qualified/advanced; authentication et cetera

E-commerce              Information duties; identity theft

Trade secrets           Distribution of data, aggregation of patterns; vulnerable business models

Public procurement law  Legal requirements on procurement (business); extra procedural requirements

Competition law         Collusion of interests; coordination of purchasing flows

Criminal law            Fraud; control

Privacy

Example: Rules on data protection in the directive (95/46/EC): consent, purpose, security of systems

Case: Privacy

The company you are working for wants to monitor use of the e-procurement system and chart buyer-supplier relationships to ensure that no bribery et cetera is going on.

What are the legal aspects?

Employee monitoring

Case: Privacy

The e-procurement operator you use has collected data on all your transactions and is now selling them to your competitors.

What are the legal aspects?

Case: Privacy

The company you are working for suspects fraud and has set up an advanced honeynet to catch the fraudster. They chart all activity in the e-procurement application for behaviour that could be fraudulent.

What are the legal aspects?

HoneyNet

Case: Privacy

You have set up a procurement portal and now you have to design the back end systems. Are there any legal requirements on your procurement systems that flow from the fact that these systems handle personal data for authentication, communication et cetera?

System Requirements & Data Protection

Article 17 Data Protection Directive: Security of processing

1. Member States shall provide that the controller must implement appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.

Having regard to the state of the art and the cost of their implementation, such measures shall ensure a level of security appropriate to the risks represented by the processing and the nature of the data to be protected.

System Requirements and Data Protection

2. The Member States shall provide that the controller must, where processing is carried out on his behalf, choose a processor providing sufficient guarantees in respect of the technical security measures and organizational measures governing the processing to be carried out, and must ensure compliance with those measures.

3. The carrying out of processing by way of a processor must be governed by a contract or legal act binding the processor to the controller and stipulating in particular that:

- the processor shall act only on instructions from the controller,

- the obligations set out in paragraph 1, as defined by the law of the Member State in which the processor is established, shall also be incumbent on the processor.

4. For the purposes of keeping proof, the parts of the contract or the legal act relating to data protection and the requirements relating to the measures referred to in paragraph 1 shall be in writing or in another equivalent form.

IPR

Example: Intellectual property rights: patents, copyright, databases

Case: IPR

You implement a security solution for exchanging personal data. A week later a person contacts you and demands that you license the solution from him, since he has a patent pertaining to this method.

What are the consequences?

P3P – The Story

Case: IPR

The marketplace provider you use has been copying your database of articles and selling them to others. Besides being dishonest it shows your categorisation of the business, which you consider an important information asset.

What are the legal aspects?

E-signatures

Example: Directive on electronic signatures & regulations on electronic invoicing

Case: E-signatures

The company you work for issues certificates for an e-market. You are now looking into a business development project for rich electronic signatures, i.e. signatures that refer to data aggregated by trading partners, credit institutes and other actors. You also want to be able to sell data on the financial amounts signed for, for advertising purposes.

What are the legal aspects?

Electronic signatures and data protection

Article 8

Member States shall ensure that a certification-service-provider which issues certificates to the public may collect personal data only directly from the data subject, or after the explicit consent of the data subject, and only insofar as it is necessary for the purposes of issuing and maintaining the certificate. The data may not be collected or processed for any other purposes without the explicit consent of the data subject.

E-commerce

Example: information duties. Data that must be provided by information society service providers:

Name

Geographic address

Details & e-mail addresses

Registration number/where he/she is registered

Relevant supervisory authority

VAT number… Et cetera

Case: E-commerce

The CEO of your company tells you to eliminate all data that can be used to a) spam the company and b) steal the identity of the company, in order to raise security.

What are the legal aspects?

Trade secrets

Examples: Laws on Trade Secrets, NDA (contractual agreements et cetera)

Trade Secrets

1 § A trade secret is defined as information about business or management facts such that a business has chosen to keep them secret, and the revelation of which would hurt the competitiveness of the company.

Trade Secrets and Logs

Can logs be trade secrets? How are logs protected? Does it matter who hosts the logs?

Public procurement law

Principles of Public Procurement and their potential impact

Concrete legal requirements (examples from Swedish law)

Public Procurement principles

The fundamental principles of European Community law with regard to public procurement are the principles of non-discrimination, equal treatment, transparency (openness and predictability), proportionality and mutual recognition.

Non-discrimination

The principle of non-discrimination prohibits all discrimination based on nationality. No contracting entity may, for example, give preference to a local company simply because it is located in the municipality.

But what about national differences in security?

National attack patterns?

Source: SIBIS 2003

National awareness?

Equal treatment (part of ND)

According to the principle of equal treatment all suppliers must be treated equally. All suppliers involved in a procurement procedure must, for example, be given the same information at the same time.

What architectural demands follow?

What does ”at the same time” mean in the digital world?

How is it verified?

Transparency (ND)

According to the principle of transparency the procurement process must be characterised by predictability and openness. In order to ensure equal conditions for tenderers the contract document has to be clear and unambiguous and contain all the requirements made of the items to be procured.

Online publishing of tenders & security

Proportionality

The principle of proportionality states that qualification requirements and requirements regarding the subject matter of the contract must have a natural relation to the supplies, services or works which are being procured and not be disproportionate.

Security and proportionality

What is the natural relation of security to goods, services and work?

How is this determined? By whom?

Mutual recognition

The principle of mutual recognition means among other things that documents and certificates issued by the appropriate authorities in a Member State must be accepted in the other Member States.

Security certifications?

ISO? CC?

Case: EU-law on public procurement

”Electronic signatures. The text agreed encourages the use of electronic signatures and allows Member States to require that electronically transmitted tenders be accompanied by the electronic equivalent of handwritten signatures, that is, a "qualified electronic signature". The integrity of data and the confidentiality of tenders are provided for elsewhere in the Directives and do not depend on the choice of whether to require electronic signatures and in which form.”

http://europa.eu.int/rapid/start/cgi/guesten.ksh?p_action.gettxt=gt&doc=IP/03/1649%7C0%7CRAPID&lg=EN

Case: EMITS at European Space Agency

Lists current invitations to tender

Interest declarations online

Industry web portal: 10 000 users/month!

Problems (legal/IS): classified information! Flow of users/personal data

Public Law (Swedish example)

” The principle of good business practice

4 § The award of public contracts should be so arranged as to take advantage of existing competition and should also in other respects accord with the conventions of good business practice.  No unwarranted considerations should affect the treatment of tenderers, candidates or tenders. ”

Unwarranted considerations?

Security requirements? E-signatures? Traceability? Standard compliance? Certification (ISO?CC?) Access/Security policies?

Case: Swedish Law I

Electronic bids are allowed in Swedish public procurement, if the basic rules are followed and if the procuring party assents. They must then, according to legislation, be confirmed, and this can also be done electronically ”with some kind of electronic signature” (Prop 1999/2000:128).

What is ”some kind of electronic signature?”

Case: Swedish Law II

Furthermore, the bids must be received and stored in a secure manner.

What is secure enough? What are the requirements? (TTPs, timestamps et cetera)

Case: Swedish Law III

Commercial secrecy. The bids are made public after the process, if the bidder does not request extended secrecy. (Max 2 years!)

What does this mean in the cases where security is a factor in the procurement process?!

The Public Procurement Process – simplified

Needs → Specification → Advertisement → Offer → Bid opening → Evaluation → Decision → Contract!

The Public Procurement Process – security aspects

Needs: security needs included?

Specification: security standards

Advertisement: secure publishing?

Offer: secure transactions?

Bid opening: timestamp verification

Evaluation: security issues?

Decision: security and terms
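The Offer and Bid opening steps above, and the earlier questions on how bids are received and stored securely and how "at the same time" is verified, can be made concrete with a small sealed-bid scheme. This is an added example, not code from the original slides: each bidder submits only a hash commitment before the deadline, a stand-in timestamp authority (a keyed HMAC here; a real TTP would sign) stamps the receipt, and at opening every bid is verified and opened in one pass. The bids, deadline, clock values and bidder names are constructed for the example.

```python
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass, field

# Constructed for the example: the key of a stand-in timestamp authority (the
# TTP). The procurer never holds it, so it cannot back-date or forge receipts.
TSA_KEY = secrets.token_bytes(32)


def commit(bid: dict, nonce: bytes) -> str:
    """SHA-256 over a bidder-chosen nonce and the canonical JSON bid.
    Only this value is stored before opening: the bid stays confidential,
    and the bidder is bound to its content."""
    canonical = json.dumps(bid, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(nonce + canonical).hexdigest()


def tsa_token(commitment: str, received_at: int) -> str:
    """Stand-in timestamp token over (commitment, receipt time)."""
    msg = f"{commitment}|{received_at}".encode()
    return hmac.new(TSA_KEY, msg, hashlib.sha256).hexdigest()


@dataclass
class SealedBid:
    bidder: str
    commitment: str
    received_at: int
    token: str


@dataclass
class Tender:
    deadline: int  # constructed clock value, not wall time
    sealed: dict = field(default_factory=dict)

    def receive(self, bidder: str, commitment: str, now: int) -> bool:
        """Offer stage: accept a commitment only up to the deadline and
        store it together with a timestamped receipt."""
        if now > self.deadline:
            return False
        self.sealed[bidder] = SealedBid(bidder, commitment, now,
                                        tsa_token(commitment, now))
        return True

    def open(self, reveals: dict, now: int) -> dict:
        """Bid opening: all stored bids are checked and opened in one pass
        after the deadline. reveals maps bidder -> (bid, nonce)."""
        if now <= self.deadline:
            raise RuntimeError("opening before the deadline would leak bids")
        verdicts = {}
        for bidder, s in self.sealed.items():
            # 1. Receipt is authentic and before the deadline; a record altered
            #    in storage no longer matches its token.
            expected = tsa_token(s.commitment, s.received_at)
            if (not hmac.compare_digest(s.token, expected)
                    or s.received_at > self.deadline):
                verdicts[bidder] = ("rejected", "receipt timestamp invalid")
                continue
            if bidder not in reveals:
                verdicts[bidder] = ("rejected", "bid not revealed")
                continue
            bid, nonce = reveals[bidder]
            # 2. The revealed bid is exactly the one committed to in time.
            if commit(bid, nonce) != s.commitment:
                verdicts[bidder] = ("rejected", "bid does not match commitment")
                continue
            verdicts[bidder] = ("accepted", bid)
        return verdicts


def demo() -> dict:
    """Constructed scenario: one honest bidder, one late bidder, one bidder
    changing its price at opening, and one receipt back-dated in storage."""
    t = Tender(deadline=1000)
    n_alpha, n_beta, n_delta = (secrets.token_bytes(16) for _ in range(3))
    alpha = {"price": 9900, "delivery_days": 30}
    beta = {"price": 9500, "delivery_days": 45}
    delta = {"price": 9700, "delivery_days": 20}
    t.receive("alpha", commit(alpha, n_alpha), now=900)
    t.receive("beta", commit(beta, n_beta), now=950)
    t.receive("delta", commit(delta, n_delta), now=990)
    late_accepted = t.receive("gamma", commit({"price": 1}, b"nonce"), now=1001)
    t.sealed["delta"].received_at = 800  # insider tampers with the stored receipt
    reveals = {
        "alpha": (alpha, n_alpha),
        "beta": ({"price": 9000, "delivery_days": 45}, n_beta),  # changed late
        "delta": (delta, n_delta),
    }
    return {"late_accepted": late_accepted, "verdicts": t.open(reveals, now=1100)}


if __name__ == "__main__":
    for bidder, verdict in demo()["verdicts"].items():
        print(bidder, *verdict)
```

The commitment gives confidentiality until opening and integrity of the offer; the TTP token is what makes the stored receipt time evidential, since the procurer cannot recompute it after altering a record. Opening everything in a single pass after the deadline is the technical counterpart of equal treatment: no bidder's content is available earlier than another's.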

Post-contract e-procurement solutions - issues

Authentication

Payments

Monitoring & control

Updates & patches to systems

Competition Law

Example: Competition laws, national and international

What is the problem?

Security requirements to hold companies out…

Security requirements to keep them in…

Criminal Law

Examples: Conventions, national laws

Case: Criminal Law

The company you work for wants to set a trap for a bidder that partakes in an e-auction that they also partake in to show that the other company is actually a fake bidder introduced by a competitor.

What are the legal aspects?

Other legal aspects

Standards, law, information security and e-procurement (public and private) ebXML, UDDI, SAML, tpaML et cetera

Contractual agreements

Questions?

?

Presentation data

Presentation available at: http://www.skriver.nu/lais

Contact: nicklas@acm.org

Next session 20.2: Project Assignment
