THE C O M P U T E R LAW AND SECURITY REPORT 1 CLSR

arbitrator cleverly closed the hearing at opening time and although the arbitrator did not join them, the parties cemented a new relationship in the bar. Apart from the cost of the drink, the arbitration exercise was surprisingly cheap - quite possibly because it did not take much time. The arbitrator telephoned enough of his thinking to settle the parties minds on the Monday and they had his binding award by the end of the week. For all the paperwork they generate, computer systems only exist in the minds of men and women and unless a dispute resolution process can enable the parties to continue to build on that knowledge it will inevitably destroy the very thing the parties are squabling over.

C.C. Dilloway FCMA, FBCS, JDipMA, FCl Arb./ndependent Data Processing Consultant, Arbitrator, Expert Witness

COMPUTER DISPUTES: HAVE THE COURTS BECOME TOO USER-FRIENDLY?

Post-'Olivetti' When I last wrote on the subject of computer disputes, (1985-86 3 CLSR 5). I discussed the hazards faced by suppliers of systems. These hazards were due to the nature of the product, the lack of computer literacy amongst users, and not least to the choice of law available to potential plaintiffs, who, from the outcome in Mackenzie Patten v. British Olivetti, were likely to be looked upon favourably by the courts. I concluded that the answer lay in training salespeople to be aware of their responsibilities in describing software and in adopting procedures designed to eliminate the possibility of misunderstandings as to system capabilities. Given the various concerns that were expressed about the Olivetti decision, one might have thought that there would have been some sort of counter-reaction. At the very least, it seemed reasonable to assume that the same set of standards would not be applied to the next generation of computer users, who normally have either the resources or the experience to arrive at a more considered purchasing decision. After all, in a commercial business to business transaction, one would expect the reasonably prudent businessman to read a contract, to think carefully before committing large sums of money, and not to be taken in by 'salestalk'. The evidence however indicates otherwise; namely that the consumerist approach to these types of disputes goes on unabated, thus allowing users to shift their responsibilities onto their suppliers. The implications of such a policy are, I believe, so harmful to the future of the computer industry, that it seems timely to re-examine the present state of affairs and to make a plea for a more realistic appreciation by the courts of the way in which systems are supplied. No-one would deny the need for the legislation, enacted over the past two decades, to ensure that customers get a fair deal and to prevent suppliers from evading their proper responsibilities. And yet it now seems that principles, which undoubtedly ought to apply in business to consumer transactions, are being applied in situations where the user pleads ignorance and reliance on expertise as a convenient excuse for his own shortcomings.

Exxel seminar I recently attended a most informative seminar organised by Exxel consultants, at which one of the speakers, who has a great deal of experience in acting as an expert witness in

computer-related litigation, gave a graphic account of just how far this trend has gone. It was stated that claims are now made on the basis that the supplier's 'fitness for purpose' obligation extends even to those purposes not made known at the pre- contract stage, and that the supplier is responsible for discovering undisclosed matters (which the customer subsequently claims to have been of paramount importance). It is also claimed that the supplier has a joint responsibility for the management and success of a project or installation, and has a duty to assist and 'support' the customer. In addition, there is a presumption in favour of the customer when it comes to recollecting those important oral discussions: and against the supplier when it comes to assessing the reasonableness of attempts to limit liability.

Attitude of the courts Whilst there is still a significant dearth of reported cases, it would appear that proceedings are often commenced, only for the supplier to back off and settle, on the advice of counsel and experts, because of the perceived attitude of the court. I have heard of cases where plaintiffs, having completed their opening pleadings, have been given leave to amend those pleadings after the defence has opened its case. Little wonder that so few cases proceed to trial. This attitude denotes a lack of appreciation, on the part of the court, of the practicalities involved in the supply of systems, and of the way in which such supplies differ from the normal supplies of goods. The customer is always seen as a simple businessman faced with the might of a large systems supplier. The plaintiff 'had a business to run' and didn't have time to read the contract or to oversee the implementation of a new system. This type of pleading quite ignores the fact that part of 'running a business' is in managing the change brought about by the introduction of new technology. I have in my experience come across cases where the supplier is blamed because:

• the customer suffered delays due to this failure to key in set-up data in line with the implementation schedule.

• the customer's staff failed to come to grips with a new system because they had not been released from their normal duties for system training.

• the customer failed to prepare, in conjunction with his auditors, a proper account plan prior to installing a general ledger system.

It is frequently the case that customers want to pay the price of a packaged software application and yet still expect this to meet all their requirements (including their highly complex and completely unique discount structure!). In upholding such expectations, the law is demanding that suppliers devote the resources normally associated with consultancy and bespoke programming services, to an essentially straightforward type of transaction.

Respective responsibilities In all of this, spare a thought for the much-maligned computer or system salesman. I would not claim for a moment that the computer industry is entirely free of the hyperbole and practices common to all types of selling. I do believe however, that the task of selling systems is being made increasingly difficult by the very considerable duty of care now expected. It means that salespeople have to be extremely cautious about the words used to describe performance and capabilities, particularly when formulating sales proposals. The

13

MAY - JUNE THE COMPUTER LAW AND SECURITY REPOR1

quantification of benefits that can be achieved is particularly dangerous unless properly qualified. So too is a statement that the proposed system will meet 'all your requirements'. Such statements can come to have a very different meaning from that originally intended. Proper training now needs to be provided in the art of writing good sales proposals; benefits achievable should be made expressly subject to the customer fulfilling his responsibilities. Indeed, it is by stressing the respective responsibilities of supplier and customer, at an early stage in the negotiations, that the changes of a subsequent dispute can be significantly reduced. No matter how self-evident such aspects may appear to be, it needs to be stressed that a successful implementation depends materially on the customer's commitment to the new system, and those tasks that the customer should carry out (location preparation, data input) should be clearly identified. If this is done, then at least both parties are clear as to what is expected of them. Likewise, it is particularly important to keep records of all meetings and conversations, initially signed and dated. This may add to the volume of paperwork, but can be crucial in dispute resolution, particularly where memory has blurred or where those originally involved have moved on.

Arbitration

Resort to litigation is, at the present time, a very costly aria unsatisfactory means of attempting to resolve disputes. Several organisations, including the Society for Computers and Law, are looking at methods of arbitration, particularly where the claims involve relatively small sums of money. Steve Larner and Sandy Douglas, (writing on page above), mention a scheme for settling disputes by first searching for a technical solution, moving to formal arbitration only when neither this nor a cash settlement are possible. There are problems with formal arbitration, and for this reason, many experts still prefer a full judicial hearing. Nevertheless, whilst suppliers continue to expect unsympathetic treatment at the hands of the court, the search for analternative means of resolving disputes, by people better suited to adjudicate on matters of new technology, must go on. The Report would welcome the views of any readers who wish to comment on the points raised in this article, who have had similar experience, or who wish to state opposing views.

David Greaves Editorial Panellist

RISK MANAGEMENT

C O M P U T E R S E C U R I T Y - T H E P E O P L E F A C T O R

Do you check your bank statement? If not, why not? Is it because it has been produced by a Computer, and the Computer is always correct? During the first quarter of 1986, several instances arose in the UK where errors were found in bank statements. Money had been withdrawn - using a cash dispenser card - supposedly without the account holder's authority. The banks took the stance that it was the personal responsibility of card holders to ensure that both the card and their Personal Identity Number (PIN) were kept secure otherwise this form of abuse is impossible. The people who lost the money did not agree! They expected their computerised bank accounts to be correct and the banks to have provided sufficient safeguards to their accounts. They relied not on computers, but on people to ensure the computers were given accurate input data. At a recent international computer security conference, several papers were presented, each one advocating a different method of encrypting and authenticating f inancial transactions, with key management using the Public Key system methodology. Each system was extremely well thought out and theoretically sound. Each system had the same basic weakness - how do you initiate the first key in the fund transfer system. The systems were weakest where people had to be involved. It was interesting to note that the predominant worries and proposed solution all related to financial systems. Why was this? Well, money and Electronic Funds Transfer systems are very much of interest - after all, banks must ensure that funds are transferred correctly and accurately. A study of the detected frauds and computer crime statistics for UK and USA shows how fraud has increased. The statistics do not include such cases as the Australian incident where a bank was robbed of £40,000. This was accomplished by the thieves using a stolen truck and a JCB digger to ram a selected bank

with the digger. The safe and cash dispenser were picked up in the jaws of the JCB, and lifted into the low loader. They then drove off - presumably to examine their haul. In view of such a sophisticated crime, I do not believe that they were examining how the cash dispenser worked so as to commit further frauds. Fortunately such incidents are rare. Or perhaps it is unfortunate. It is far easier to provide a physically secure environment than to protect a message transmission network.

Statistics Statistics related to computer fraud and computer crime are worth looking at. BIS investigations into computer fraud in 1986 revealed over 190 cases with an average loss of £262,000. This amount has increased eightfold since the last review in 1983 as some spectacular frauds have since come to light. One which received a lot of publicity is the alleged illegal transfer of £6 million from a major bank to the personal Swiss bank account of a software programmer. The programmer simply diverted the first ten transactions of the day to his bank and was pleasantly surprised at his haul. In 1985, the American Bar Association Criminal Justice Task Force published their report into computer crime. It revealed annual losses from some 283 major USA organisations of between $145 and $730 million dollars - or between 2 - 10 million dollar losses per respondent. The Task Force concluded that computer crime was "a problem of substantial, and growing, significance". Part of the survey analysed how respondents related computer crime to other types of "white collar" crime. They related computer crime as:- - less important than most violent crimes (rape, murder,

assault). - less important than drug related crimes or espionage. - more important than shoplifting and counterfeiting. Computer crime was accepted as being on a par with consumer and tax fraud, commercial espionage, bribery, and corruption etc.

14