By: Sonny Zulhuda
(This article first appeared in the E-Security Bulletin vol. 18 (Q1-2009), published by CyberSecurity Malaysia in the first quarter of 2009, under the title ‘The requirement of information availability in the E-Commerce Act 2006’)
One of the key components of information security is information availability, which seeks to ensure that authorised users have access to information and associated assets whenever required. Availability is so important that its absence can adversely affect the other aspects of information security, namely the integrity and confidentiality of information.
Nowhere is this more significant than in electronic commerce. Imagine that the information system of an e-payment service provider is hit by a denial-of-service (DoS) attack that takes the service offline: not only are the commercial data and their electronic processing jeopardised, but the whole supposedly trusted system can fail outright.
Given its popularity and the degree to which today’s economic and business activities depend on it, electronic commerce (e-commerce) is a battleground worth fighting for. For ordinary people, it is an avenue to expand their economic power. For business, it is a free channel to a potential market of more than one billion people.
It is therefore understandable that the Government is strongly interested in seeing e-commerce succeed. At a regional workshop in 2005, the Malaysian Minister of Domestic Trade and Consumer Affairs, Datuk Hj Mohd Shafie Apdal (as he then was), was quoted as saying: ‘it is not going to be acceptable or in any national interest to have a growing section of commercial activity operating outside the law. If there is no law then we have to create new laws, for e-commerce is not a transitory phenomenon. E-commerce is here now, it is growing and I see nothing to slow its exponential development.’
The Government is thus expected to provide a legal framework that facilitates, rather than hinders, this growth. At the same time, such a framework should ensure that the e-commerce it seeks to promote is resilient, sustainable and secure. In this short article, we look at how the law on e-commerce in Malaysia recognises the issue of information security, especially the availability aspect, and makes it an incentive for e-commerce players.
Electronic Commerce Act 2006
The Electronic Commerce Act (ECA) 2006 (Act 658) provides for the legal recognition of electronic messages in commercial transactions, the use of electronic messages to fulfil legal requirements, and the enabling and facilitation of commercial transactions through electronic means, together with related matters. The Act applies to any commercial transaction conducted through electronic means, including commercial transactions by the Federal and State Governments. The use of such means is, however, not made mandatory. On its face, the Act is modelled to a great extent on the United Nations Commission on International Trade Law (UNCITRAL) Model Law on Electronic Commerce (Model Law) 1996. Among the legal principles adopted are functional equivalence and technology neutrality.
With the passing of ECA 2006, e-commerce in Malaysia is no longer what it was before the statute existed. One fundamental task has been fulfilled, namely providing legal certainty as to the validity and legality of electronic transactions. IT users and the owners of information assets now have some assurance that their activities are lawful, their communications and transactions valid, and their transactions protected.
Information Security Standards under ECA 2006
It is noteworthy that ECA 2006 sets certain information security standards for e-commerce activities, among others in its provisions on the legal recognition of electronic messages, on writing, and on the originality of documents. The effect is to make information security best practice an indirect condition of the legality of e-commerce itself.
Many legal concepts in the Act are tied to a requirement that the information, or the information system, be accessible. For example, for the purpose of granting legal recognition to an electronic message, section 6(2) of the Act expressly provides that:
‘Any information shall not be denied legal effect, validity or enforceability on the ground that the information is not contained in the electronic message that gives rise to such legal effect, but is merely referred to in that electronic message, provided that the information being referred to is accessible to the person against whom the referred information might be used’ [emphasis added].
As a practical illustration, the parties to an e-transaction such as an online auction are bound by the terms of contract stipulated in electronic form, for instance on the auction provider’s website, as long as that information (i.e. the online terms) is accessible and available for subsequent reference. This requirement of ‘accessibility’, it is submitted, means that the party relying on an electronic message must have in place, and under its control, a system from which the electronic message at issue can be accessed and produced. This is exactly what the principle of information availability is about. To obtain the protection of these provisions, therefore, the information system must be kept free of intrusion and compromise so that access to it is not denied whenever it is required.
A similar information availability principle can be found in the provision on the originality of a document, although that provision also imposes requirements on information integrity and confidentiality. Section 12(1) of ECA 2006 provides that:
‘Where any law requires any document to be in its original form, the requirement of the law is fulfilled by a document in the form of an electronic message, if –
(a) There exists a reliable assurance as to the integrity of the information contained in the electronic message from the time it is first generated in its final form [emphasis added]; and
(b) The electronic message is accessible and intelligible so as to be usable for subsequent reference [emphasis added].’
Section 12(2) goes on to provide that the integrity of the information is to be assessed by whether the information has remained complete and unaltered, and that the standard of reliability is to be assessed in the light of the purpose for which the document was generated and of all other relevant circumstances.
Reading these provisions as a whole suggests that the standard of information security required to establish the originality of an electronic message varies with the context of each communication, and may also depend on the nature of the harm and the threats to electronic messages in a given information system. Thus, the more sensitive the communication and the information system are, the higher the level of measures required to achieve a reliable assurance of information integrity. This provision is arguably central to the idea of setting an information security standard for e-commerce to work effectively.
To conclude, ECA 2006 pays serious attention to information availability as a central prerequisite for e-commerce players in Malaysia. While the Act may not be a comprehensive ‘masterpiece’, it can arguably play a vital role in the information security legal framework in Malaysia.