Wanted: Standards and Codes for Allocating Liability

Article excerpt

The euphoria surrounding new forms of electronic commerce, payments, and data interchange will be tempered by a broad range of unpredictable real- world reactions in such areas as consumer behavior, security, privacy, regulation, and financial accountability.

Before consumers change their financial-behavior patterns and even modestly embrace electronic alternatives, they will demand some level of confidence that, at a minimum, the party they think they are communicating with in cyberspace is indeed that party, and that their communications cannot be altered or stolen.

Failures in the systems, processing, identification, or certification of electronic data will undercut public confidence and may even cause new types of financial losses.

Though such failures may result simply from faults in design, construction, or operation of a system, damages may also result from intentional computer attacks that range from the fraudulent replication of electronic value to the theft of a customer's identity.

In either event, the development of electronic commerce will broaden the possibilities for which financial responsibility must be determined and allocated.

Until now, many have viewed the Internet as a marketing tool, perhaps not fully appreciating that transmissions over the Internet may create new bases for and jurisdictions of liability. If a bank does business on the Internet and does not attempt to limit where it is marketing its products and services, it may by definition be doing business worldwide.

Cyberspace commerce will spawn a new set of laws, regulations, and conventions for allocating the inevitable financial losses and damages. Who will be liable for the theft and use of a customer's confidential data? Are bank participants in electronic money programs liable for the illegal replication of value in the system, or for the stored value issued by one of the other participants that fails? Who bears the loss for fraud committed electronically?

Though there are federal and state laws that criminalize intentional tampering with computer systems and communications, scholars, practitioners, and legislators are only now beginning to evaluate the rules of culpability and responsibility for unintentional network-security failures that cause financial losses. Digital-signature statutes are an example of the types of laws that may further both the interests of electronic commerce and distribution of responsibility for risks.

A digital signature, according to the American Bar Association's guidelines of Aug. 1, is "a transformation of a message using an asymmetric cryptosystem and a hash function such that a person having the initial message and the signer's public key can accurately determine (1) whether the transformation was created using the private key that corresponds to the signer's public key and (2) whether the initial message has been altered since the transformation was made."

In short, a digital signature is the "scrambling" formula that both encodes and personalizes digital communications.

To be more effective than the current Internet system where identities and messages can be falsified, a digital signature requires a trusted third party or certification authority that can link a party to its public key. A party to a transaction involving a digital signature should be able to understand the risks and recourse involved in a transaction, even where fraud is involved.

Utah, Washington, Georgia, Florida, Illinois, New York, and Rhodes Island are among the states that have enacted digital signature laws in some form. They are under consideration in an equal number of states. But each of the laws enacted so far is different, and the differences raises issues regarding the uniform application of state and indeed international rules of Internet commerce.

Beyond digital signatures, Georgia's so-called Internet Police Law, which took effect July 1, demonstrates the issues that will be raised by the patchwork of state Internet laws. …