VoIP: A Corporate Governance Approach to Avoid the Risk of Civil Liability

Authors: Tian Gerber, Kerry-Lynn Thomson, Mariana Gerber
Pages: 281-298




 !∀#
281


Tian Gerber, Kerry-Lynn Thomson, Mariana Gerber
Abstract: Since the deregulation of Voice over Internet Protocol (VoIP) in 2005, many South African organizations have been attempting to leverage its cost savings and competitive value. However, VoIP has recently been cited as one of the greatest new risks to business, and this risk is expected to increase Information Security insurance premiums in the near future. Due to the dynamic nature of the technology, regulatory and legislative concerns such as the lawful interception of communications and privacy may also contribute to business risk. VoIP consists of both direct communications (voice conversations) and indirect communications (voice mails, emails and instant messaging). Because of this dual nature, compliance with regulations such as the Regulation of Interception of Communications and Provision of Communication-Related Information Act (RICA) should be considered. In order to derive value from a VoIP implementation, an executive or SME owner should implement the technology with knowledge of the potential risk of civil liability. This is further highlighted by the King III Report, which makes the Directors and CEO of an organisation ultimately responsible for IT Governance and Information Security Governance. The report goes further to state that any new technology, such as VoIP, should comply with all South African legislation and regulations. This responsibility encourages the practice of both due care and due diligence. However, Information Security professionals responsible for drafting Information Security policies have recently tended to neglect regulatory requirements and to implement only international best practices, with no consideration of the risk of civil liability. Although these best practice frameworks may inadvertently comply with existing local legislation, an oversight remains possible. Oversights may result not only in criminal sanctions but also in civil action for losses or damages suffered by a third party. Using both the identified regulations and relevant international best practices, one may attempt to ensure good Governance with regard to VoIP's dual nature. The aim is to aid executives and SME owners in mitigating the risk of civil liability, and so better leverage VoIP's value, by utilizing the proposed VoIP: Civil Liability Risk Table. This should aid in the exercise of due care and due diligence when implementing VoIP as a means of conducting business communication.
1. Introduction
The adoption of VoIP has increased both locally and internationally in recent years. This increased rate of adoption is largely due to the value a VoIP implementation may provide an organization. A VoIP implementation provides this value in two primary ways. Firstly, a VoIP implementation is more cost effective than other communication implementations and, secondly, it enables employees to work more efficiently due to its dual nature of both direct and indirect communications. This dual nature allows employees to communicate over multiple communication platforms from a single VoIP device. However, this value is at risk from potential security threats from both external and internal sources. It has been noted that VoIP alters existing risk portfolios, enabling risks such as identity theft, intellectual property theft and interruption of service, which may result in damage to a third party and may therefore lead to civil liability. The risk introduced by implementing VoIP has warranted increased payments on security and privacy insurance premiums by international organizations (Trautman & Altenbaumer-Price, 2011). If value is to be maintained, these risks could possibly be mitigated by adhering to applicable best practices and exercising proper governance. The laws applicable to a VoIP implementation, together with the appropriate best practices and guidelines, should therefore be explored.

Corresponding author: Tian Gerber, NMMU, email: s207013987@live.nmmu.ac.za
2. Guidelines and Legislation
When implementing a new technology, such as VoIP, as a means of communication, an organization should first investigate all implementation requirements (IoDSA, 2009, pp. 71-72). For the purposes of this dissertation the term Director(s) will represent members of the board and all applicable directors serving the board, such as the CIO or CEO. Besides managing the change to a new communication implementation or the training that needs to be conducted, Directors responsible for governing the organization, and therefore its Information Technology (IT) matters, should look at applicable legislation, guidelines and best practices (IoDSA, 2009, p. 73; Nthoiwa & Francis, 2010; Kotze, 2012). This is done as part of the organization's legal obligation to provide information security against both external and internal threats (Etsebeth, 2011; Trautman & Altenbaumer-Price, 2011). This should help ensure that the VoIP implementation and its utilization adhere to all civil law requirements and are implemented with sound Corporate Governance principles.

The King III Report provides Principles for the proper Corporate Governance of an organization. These Principles provide the high level controls that should be considered when addressing governance. The King III Report makes specific provision for IT Governance, and an entire chapter is devoted to providing Principles for the proper governance of IT. One such principle, 5.5 statement 33 or 5.5 (33), states the following with regard to compliance with applicable laws and codes: "When considering the company's compliance with applicable laws, rules, codes and standards, the Directors should ensure that IT related laws, rules, codes and standards are considered. Companies must comply with applicable IT laws and consider adherence to applicable IT rules, codes and standards, guidelines and leading practices" (IoDSA, 2009, p. 73). This makes the responsibility of the governing Board of Directors two-fold. The Directors should ensure compliance with all applicable laws within South Africa and, further, with all applicable laws, codes, standards, guidelines and leading practices with regard to any technological implementation, such as VoIP. This is further compounded by an international IT best practice framework, COBIT 5, which makes provision for the monitoring and assessment of compliance with external requirements (ISACA, 2011, pp. 207-210). This requires Directors to take the necessary steps to avoid the most prevalent civil liability risks as part of their legal obligation to provide adequate information security for voice communication (Etsebeth, 2011).

The organization may be held civilly liable should all of the elements of a delict be found to be present: "A delict is the act of a person that in a wrongful and culpable way causes harm to another" (Neethling, Potgieter, & Visser, 2006, p. 3). Therefore, to avoid a delict, an organization may need to prove that it has in fact adhered to all applicable IT rules, codes and standards, guidelines and leading practices to prevent harm to another. This is required because the organization should be aware, or be made aware, of the potential risk to clients and employees utilizing the VoIP implementation. If the organization is unable to justify the absence of applicable IT controls and Processes, it may be held civilly liable for losses and damages (Etsebeth, 2011). An organization would therefore need to demonstrate that it is implementing best security practices and exercising good governance with regard to VoIP. In the section to follow, the implementation of appropriate King III guidelines and COBIT 5 controls with regard to a VoIP implementation will be discussed as a possible means of avoiding liability.
3. VoIP Best Practices
The Principles and Processes that follow were identified through a process of qualitative content analysis (Krippendorff, 2003, p. 18). Applicable Principles were identified from the King III Report, as it is the primary good governance code for South African organizations wishing to list on the JSE and makes specific note of the importance of governing IT within an organization. Furthermore, the latest iteration of the COBIT framework, COBIT 5, was analyzed, as it is considered an international best practice with regard to IT governance. The Principles and Processes were identified for the purposes of aiding the governance and securing of a VoIP implementation. The identified Principles and Processes will be proposed as possible answers to questions that may be asked of an organization in the case of potential civil liability. In order to implement VoIP correctly, in accordance with governance best practices, securely and within the scope of South African law, international best practices could be