Wanted: Standards and Codes for Allocating Liability

The euphoria surrounding new forms of electronic commerce, payments, and data interchange will be tempered by a broad range of unpredictable real-world reactions in such areas as consumer behavior, security, privacy, regulation, and financial accountability.

Before consumers change their financial-behavior patterns and even modestly embrace electronic alternatives, they will demand some level of confidence that, at a minimum, the party they think they are communicating with in cyberspace is indeed that party, and that their communications cannot be altered or stolen.

Failures in the systems, processing, identification, or certification of electronic data will undercut public confidence and may even cause new types of financial losses.

Though such failures may result simply from faults in design, construction, or operation of a system, damages may also result from intentional computer attacks that range from the fraudulent replication of electronic value to the theft of a customer's identity.

In either event, the development of electronic commerce will broaden the possibilities for which financial responsibility must be determined and allocated.

Until now, many have viewed the Internet as a marketing tool, perhaps not fully appreciating that transmissions over the Internet may create new bases for and jurisdictions of liability. If a bank does business on the Internet and does not attempt to limit where it is marketing its products and services, it may by definition be doing business worldwide.

Cyberspace commerce will spawn a new set of laws, regulations, and conventions for allocating the inevitable financial losses and damages. Who will be liable for the theft and use of a customer's confidential data? Are bank participants in electronic money programs liable for the illegal replication of value in the system, or for the stored value issued by one of the other participants that fails? Who bears the loss for fraud committed electronically?

Though there are federal and state laws that criminalize intentional tampering with computer systems and communications, scholars, practitioners, and legislators are only now beginning to evaluate the rules of culpability and responsibility for unintentional network-security failures that cause financial losses. Digital-signature statutes are an example of the types of laws that may further both the interests of electronic commerce and distribution of responsibility for risks.

A digital signature, according to the American Bar Association's guidelines of Aug. 1, is "a transformation of a message using an asymmetric cryptosystem and a hash function such that a person having the initial message and the signer's public key can accurately determine (1) whether the transformation was created using the private key that corresponds to the signer's public key and (2) whether the initial message has been altered since the transformation was made."

In short, a digital signature is the "scrambling" formula that both encodes and personalizes digital communications.

To be more effective than the current Internet system where identities and messages can be falsified, a digital signature requires a trusted third party or certification authority that can link a party to its public key. A party to a transaction involving a digital signature should be able to understand the risks and recourse involved in a transaction, even where fraud is involved.
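To make the ABA definition and the certification-authority link concrete, the following is an added illustration, not code from the article or the ABA guidelines. It uses a deliberately small, constructed textbook RSA signature: the verifier checks both properties (1) and (2) of the definition, and accepts a bank's public key only when a certification authority has signed the binding between the bank's name and that key. The bank name, message text and primes are constructed for the example.

```python
import hashlib
import json

# Toy RSA from well-known primes: constructed for illustration, far too small for real use.
def keygen(p, q, e=65537):
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))          # (public key, private key)

def digest(msg, n):
    # the definition's "hash function" step, reduced so it fits the toy modulus
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n

def sign(msg, priv):
    n, d = priv
    return pow(digest(msg, n), d, n)             # transformation with the private key

def verify(msg, sig, pub):
    # true only if sig was made with the matching private key (1) and msg is unaltered (2)
    n, e = pub
    return pow(sig, e, n) == digest(msg, n)

def cert_bytes(subject, pub):
    return json.dumps({"subject": subject, "pub": list(pub)}).encode()

def issue_cert(subject, pub, ca_priv):
    # the certification authority's role: bind a party's name to its public key
    return {"subject": subject, "pub": pub, "ca_sig": sign(cert_bytes(subject, pub), ca_priv)}

def verify_signed_message(msg, sig, cert, expected_subject, ca_pub):
    # accept only if the CA vouches for this subject's key and the message signature checks
    cert_ok = cert["subject"] == expected_subject and \
        verify(cert_bytes(cert["subject"], cert["pub"]), cert["ca_sig"], ca_pub)
    return cert_ok and verify(msg, sig, cert["pub"])

CA_PUB, CA_PRIV = keygen(1_000_000_009, 999_999_937)
BANK_PUB, BANK_PRIV = keygen(1_000_000_007, 998_244_353)
BANK_CERT = issue_cert("Example Bank", BANK_PUB, CA_PRIV)       # hypothetical bank name

def demo():
    msg = b"Pay 100.00 to account 12345"                          # constructed sample message
    sig = sign(msg, BANK_PRIV)
    # an impostor with its own key can only self-sign a certificate; the CA never vouched for it
    imp_pub, imp_priv = keygen(1_000_000_021, 1_000_000_033)
    imp_cert = issue_cert("Example Bank", imp_pub, imp_priv)
    return {
        "genuine": verify_signed_message(msg, sig, BANK_CERT, "Example Bank", CA_PUB),
        "altered": verify_signed_message(b"Pay 900.00 to account 12345", sig, BANK_CERT, "Example Bank", CA_PUB),
        "impostor": verify_signed_message(msg, sign(msg, imp_priv), imp_cert, "Example Bank", CA_PUB),
    }
```

Running `demo()` returns `{'genuine': True, 'altered': False, 'impostor': False}`: the altered message fails check (2), and the impostor's key fails because no trusted third party links it to the bank's name.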

Utah, Washington, Georgia, Florida, Illinois, New York, and Rhode Island are among the states that have enacted digital signature laws in some form. They are under consideration in an equal number of states. But each of the laws enacted so far is different, and the differences raise issues regarding the uniform application of state and indeed international rules of Internet commerce.

Beyond digital signatures, Georgia's so-called Internet Police Law, which took effect July 1, demonstrates the issues that will be raised by the patchwork of state Internet laws. While seeking to protect trade names, trademarks, and copyrighted materials, Georgia's law may also prohibit the use of any domain name or E-mail address that does not include the precise name of the mailbox owner, and outlaw the common practice of hyperlinking Web pages.

Banks should evaluate and participate in the development of cyberspace law. They should particularly monitor factors that will bear upon their liability - questions of jurisdiction and standards of prudence applicable to electronic commerce and security.

The issue of jurisdiction is preeminent. Liability cannot be determined without knowing what state's laws apply, or what country's. To the extent banks have viewed the Internet simply as a marketing vehicle, they should revisit their past decisions and assess what state, local, and international jurisdictions they may have "inadvertently" subjected themselves to.

Minnesota, for example, has been active in asserting jurisdiction over communications on the Internet retrievable in the state. The attorney general even posts a warning on the state government Web site, and has brought several cases. These are mainly in the areas of pornography, gambling, and trademark infringement, but the standards of jurisdiction being developed in these cases will be applicable to commercial situations.

Legislatures and courts will struggle with electronic commerce, comparing it to the mail, telephones, and radio waves. In the meantime, because settlement is often more cost-effective than trials, much "law" may be made simply by the cases brought by zealous prosecutors.

Managements must be able to decipher the standards of conduct that will apply to their actions regarding safeguarding of a bank's systems, servers, and customers.

Numerous private and public bodies are establishing or considering the publication of such standards. The Office of Management and Budget, for one, has published standards applicable to federal automated information security programs. The National Institute for Standards and Technology has issued "Generally Accepted Systems Principles and Practices."

The National Information Infrastructure Task Force of the President's National Security Telecommunications Advisory Committee has invited the private sector to explore the formation of an Information Systems Security Board to focus on testing, auditing, and educational standards related to computer system security.

The Bankers Roundtable and Consumer Bankers Association have published best practices and principles to guide institutions in the use, communication, and transfer of customer information and the security of systems.

In the absence of more authoritative materials, courts and prosecutors are likely to be guided by standards such as these in determining the extent to which an institution has helped or hindered a security breach, and what role it played in the resulting financial loss.

Hovering like the sword of Damocles is the specter of regulatory involvement in cyberspace banking.

Regulators have already shown a sensitivity to the risks of electronic banking and technology ventures. In its December approval of four national banks' investment in Mondex USA, the Office of the Comptroller of the Currency placed great reliance on the commitment by those banks to establish security systems to deal with the new elements of risk inherent in electronic money products.

Similarly, the Fed, in its May order approving Cardinal Bancshares' acquisition of Five Paces Inc. (the software venture that developed the first Internet bank) and its December order approving several bank holding companies' investments in the Integrion home banking venture, noted that it had taken into account the measures taken by the companies involved to assure the security of account data and other financial information electronically transmitted.

In traditional commercial and financial transactions, risk allocation rules are generally well understood. In cyberspace, where such rules may not exist or may differ from those of the physical world, it will be particularly important to consider how not to set the painful example from which such rules are to be made.

In this regard, banks should monitor and evaluate the development of electronic commerce from several critical points of view:

The extent to which they wish to limit the jurisdictional reach of their electronic transmissions.

The creation of electronic laws, rules, and regulations by legislatures and regulators.

The effects of foreign states' or governments' electronic data interchange laws, rules, and regulations.

The evolution of security standards and "Internet etiquette."

The promulgation of best practices regarding employee conduct, use of customer data, and the prevention, detection, and containment of computer attacks.

The standards of prudent management oversight in cyberspace.

The availability of insurance to cover the new financial and management exposures that will inevitably develop.
