Saturday, 19 April 2008

Sunday comes about again.

And it is Wet!

So book writing again. Some time to take a couple pictures. Here we see a Lorikette (a parot) landing.

The application, scope and limits of Letters of Indemnity

Introduction
The Bill of Lading is a document unique document as its negotiability fulfils several purposes. These documents have led to a range of instruments and conventions within international trade. Arrangements which owe their basis of the negotiability of the Bill of Lading are now common place. For these to function as anticipated, the actual and original Bill of Lading must be present through the sale, purchase, letter of credit processes at each stage as the goods on the voyage progress. The system fails when this does not occur. This has led to the use and development of the Letter of Indemnity in international trade.

A Letter of Indemnity is a written duty of a shipper to indemnify a carrier for the liability that the carrier could lay itself open to through the issue of a clean Bill of Lading when the cargo received was not in fact that which was stated on the bill of lading.[1]

Although they are not the ideal solution, Letters of Indemnity are common throughout international shipping. As commercial activity extends, these instruments are being increasingly utilised in the carriage of goods by sea. They may also be identified as letters of guarantee and as counter-letters. Letters of indemnity are employed as either Letters of Indemnity issued at shipment, or Letters of Indemnity issued at discharge. The later are also identified as letters of guarantee.

One of the main issues with the application, scope and limits of any Letter of Indemnity is the extent to which rights and obligations created through the use of letters of intent fail to match those provided by the Bill of Lading.

The failure to produce a Bill of Lading
To understand the scope and application of a Letter of Indemnity it is also necessary to address Bills of Lading. These documents are derived from antiquity in English Common law where they have attained prominence by virtue of ancient mercantile custom[2].

Letters of Indemnity are frequently employed in situations where passage has not concluded according to the stipulations contained within the Bill of Lading. For instance, this could include an alteration to the discharge seaport. Most Letters of Indemnity are issued to procure the release of a consignment when the Bill of Lading is deficient or unavailable. In situations where the receiver or final purchaser is not capable of tendering a Bill of Lading to the carrier in order to obtain the release of a consignment, a Letter of Indemnity may be issued. Although common in most seaborne trade, fungible transactions such as the crude oil trade that are reliant on quick voyages and utilise compound sale and purchase contracts deploy these instruments most frequently.

Letters of Indemnity have been used to fulfil the three primary functions of a bill of lading[3]. These include:
· Use as a receipt;
· To provide evidence of a contract of carriage;
· To supply documentation demonstrating title in the goods.

Letters of Indemnity as a Receipt
Letters of Indemnity have been used in place of a Bill of Lading as receipts. By stating the particulars of the consignment and the expected order and condition within which it was shipped, this instrument[4] is can act as evidence of the condition of a consignment as against the shipper and may also act as evidence as against third parties.

Evidence of a Contract
A Bill of Lading alone does not constitute a contract. It can be used as evidence of the contract. Generally the Bill of Lading will either incorporate the Hague or Hague-Visby Rules[5]. A bill will include either the full terms or incorporate the carriers’ standard terms. A Charterparty bill will explicitly incorporate the Charterparty terms.

Under the Hague[6]/Hague-Visby Rules[7], there is:
· An obligation on the shipper to use due diligence to render the vessel seaworthy prior to and at the commencement of the voyage[8] and a duty on the shipper to maintain the shipment[9] with care.
· A package limitation[10].
· A time limit of one year in which the consignment’s owners can initiate a claim[11].
Primarily, any contract formed using the Hague-Visby Rules stops the shipper from contracting out of the rules. Although it is possible to increase obligations above those set out by the Hague-Visby Rules, the shipper cannot decrease the obligations. A clause which contends this will be void[12].

Demonstrating title in goods
A Bill of Lading is a receipt for goods, a “control document”[13] which acts as a contract to carry and is also “the key to the floating warehouse”[14]. “A Bill of Lading is a commercial document of dignity[15] and integrity based on good faith”[16]. As such it ties several contracts; the sale contract, the shipping contract, the letter of credit and the pledge and any additional security arrangements.

A Letter of Indemnity at shipment is, “a written undertaking by a shipper to indemnify a carrier for any responsibility that the carrier may incur for having issued a clean Bill of Lading when, in actual fact, the goods received were not as stated on the bill of lading”[17]. The courts often exemplify this practice as fraudulent and have had unsympathetic remarks regarding these practices:
Antedated and false bills of lading are a cancer in the international trade. A Bill of Lading is issued in international trade with the purpose that it should be relied upon by those into whose hands it properly comes – consignees, bankers, and endorsees. A bank that receives a Bill of Lading signed by or on behalf of a shipowner (as one of the documents presented under a letter of credit) relies upon the veracity and authenticity of the bill. Honest commerce requires that those who put the bills of lading into circulation do so only where the bill of lading, as far as they know, represents the true facts”.[18]

The problem of whether such letters are legitimate and enforceable with consideration to the issuer of the letter remains as unsettled jurisprudence. A broad uncertainty in the law and between legal scholars remains as to whether situations exists as to where it would be permissible for a carrier to agree to a letter of indemnity.

Clean bills of lading issued in exchange for Letter of Indemnity, and antedated bills of lading that are issued in exchange for Letter of Indemnity should be distinguished. A Bill of Lading is antedated when the date on the bill is advanced forward of the date of shipment. “Shippers often put pressure upon carriers, their masters and ship’s agents to state on the Bill of Lading a date of shipment not corresponding to the true loading or shipment date but instead to insert a date which coincides with a documentary letter of credit or in order to bring the shipment within the period of a subsidy or quota”[19].

Antedated bills of lading normally do not include misleading descriptions of the goods, only an incorrect date. A shipper that predates a Bill of Lading with forethought is engaging in fraudulent practices[20]. Both fallaciously clean bills of lading and antedated bills of lading have been condemned by the courts.[21] While the courts have responded comparably to each practice, distinctions do exist. Both the Hague/Visby Rules[22] and the Hamburg Rules[23] include a provision on estoppel shielding a guiltless third party from a falsely clean bill of lading. Antedated bills of lading have few legislative protections[24].

There is little if any law that implies that the contract could be impacted when delivered to the right party. The law relates to the circumstances where there has been an incorrect delivery. What little law there is concerning this is primarily Australian and is only persuasive authority in the UK.

The Letter of Indemnity is an independent contract, but does not make an independent misrepresentation[25]. A shipper is at liberty to rely on a Bill of Lading “time bar” even if goods are wrongly delivered under a Letter of Indemnity[26]. In cases where the shipper has negligently delivered without the production of a Bill of Lading can still place reliance on the package limitation.[27]

English law permits the party that takes delivery under a Letter of Indemnity at liberty to bring suit against the shipper if the purchase contract entitling the eventual custody of the Bill of Lading was entered into prior to delivery of the goods.[28]

Letter of Indemnity
Ideally the Bill of Lading should reach the destination at the discharge port at the same time as the ship. In many cases this does not occur and release is taken as against a Letter of Indemnity. Under English law, a Master is not required to grant delivery under a Letter of Indemnity[29] unless ordered by the Court[30]. It is acceptable for the Master to necessitate that the original Bill of Lading be offered. Charterparty terms may however require the Master to deliver against a Letter of Indemnity. In many cases where the receiver is not creditworthy, it will be a requirement that the Letter of Indemnity is signed by a bank.

Where a Bank countersigns a Letter of Indemnity without qualification, it is likely that they are signing as an indemnifier and not just a verifier of a customer’s signature. Carriers should make sure that any Letter of Indemnity is issued with the Indemnifiers authority[31].

The P&I Clubs[32] do not consider delivery of a shipment without a Bill of Lading as being a reciprocal risk. If a shipper gives such a Letter of Indemnity, it effectively replaces any P&I cover.

Presenting a Letter of Indemnity (“an Indemnifier”) will leave the party collecting the goods liable to indemnify the shipper both against an action from a Bill of Lading possessor and for expenditure sustained by the vessel including direct costs such as the provision of security or discharge from arrest or economic costs akin to loss of hire[33]. If damages are an insufficient remedy, the Court can order specific performance[34].

Several issues come about through the use of Letters of Indemnity. Some of these that are noted by Prof Tetley[35] include:
1. The effect as against third parties and the rights that arise;
2. The rights and obligations between parties to the letter of indemnity;
3. Complications which arise when there is damage to the cargo during carriage;
4. Complications which arise when the carrier is both the charterer and the ship-owner taken together and only one of those persons has issued the Letter of Indemnity.

Validity with Regard to Third Parties
A third party is an individual or organisation, not being the shipper or the carrier, who has become innocently involved with the Bill of Lading contract without foreknowledge concerning the fallacy of the assertions in the Bill of Lading or the letter of indemnity. As the third party was not involved with the Letter of Indemnity contract, it ought to consequently have no consequence with regards to the third party.

In the common law, Letter of Indemnity between the shipper and the carrier have no effect on third parties acting in good faith.[36] As discussed above, the common law, as well as statutory law, ensures through the doctrine of estoppel that Letter of Indemnity cannot be used as evidence to show that the goods were damaged prior to loading in defence against a third party’s claim. Letters of indemnity have been considered illegal on several occasions, and thus unenforceable against anyone.[37]

Validity between the Carrier and the Shipper
A letter of indemnity is a prima facie binding contract. The carrier should be able to take action against the shipper to recover any costs sustained through use of the clean bill of lading. Issues arise, as the carrier and the shipper are jointly parties to the same deceit. Many jurisdictions have found Letters of Indemnity invalid as against the shipper.[38] Some jurisdictions have sustained the carrier’s allegations against the shipper supported by the letter of indemnity.[39]

P & I Clubs
P & I Clubs[40] are “mutual non profit making insurers which offer shipowners cover for their contractual and third party liabilities: injury or death of crew or passengers, loss of cargo, collision damages to vessels, damage to the environment, etc”.[41] P & I Clubs do not charge premiums, and rely on “calls” on each vessel for payment of a certain rate per ton. This is paid proportionally first at the commencement of the year then with a remainder to be paid subsequent to the assessment of the costs covering the actual losses for that period.[42] To acquire cover from a P & I Club a shipowner must join as a member of the club. This starts their contractual relationship, governed by the membership rules of the particular club. There are fourteen P & I Clubs currently in business. These are mostly positioned in England, Scandinavia, and the Caribbean[43].

P & I Clubs view the custom of antedating Bills of Lading in the same way as of falsely issuing clean bills of lading. “All liabilities resulting from ante-dating or post-dating of a Bill of Lading are excluded from P & I Club cover.”[44] The clubs deem members who consciously issue incorrectly dated Bills of Lading to be acting fraudulently. The clubs will not indemnify them for liabilities that consequently arise.[45]

P & I Clubs specifically recognize and prohibit the custom of antedating Bills of Lading as one of the exclusions to club cover with deference to cargo liabilities[46]. Contrasting issues concerning the state or quantity of the cargo, indisputable uncertainty as to the date of sailing is unlikely. As such, P & I Clubs have not proposed any suggested actions in such circumstances.[47]

A Change of destination and Letters of Guarantee
The standard form Letter of Indemnity for Change of destination is comparable in structure to the Letter of Indemnity for non-production of the Bill of Lading or Letter of Indemnity for the non-presentation of Bills under a letter of credit.

Letters of Indemnity, in the form of a letter of guarantee are offered at discharge by consignees unable to make available the original bill of lading. The letter of indemnity “…is designed to provide a remedy for a ship-owner, where the master releases cargo at the request of a party, in respect of claims which may be brought as a consequence of such release”[48]. This custom has grown ever more widespread over the years. Short-haul shipping particularly makes use of these instruments.

Letters of indemnity issued at discharge are designated by some authorities as letters of guarantee.[49] A letter of guarantee is characterised as, “a letter…given at discharge and delivery by a consignee who is unable to surrender original bills of lading which have been issued but lost…[and is] a security or suretyship agreement”[50]. The courts frequently do not use specific terminology whilst referring to a letter of indemnity given at discharge, and simply refer to Letter of Indemnity generally.[51]

The Banking System and Financing Requirements
The banking system generally finances international trade.[52] The securing of international disbursements is most often completed using of documentary credits.[53] Transactions normally have the buyer request their bank initiate a credit in the name of the seller. To draw on this credit, the seller must ship the cargo as contracted and present the bank with the suitable documents.[54] The particulars of these instruments is reliant on the precise contractual requirements. A usual C.I.F. contract (cost, insurance, freight) would require the seller to submit:
i) The original Bill of Lading,
ii) A valid insurance policy for the goods whilst in transit, and
iii) The sales invoice as originally agreed.[55]

Documentary credits constrained in that the documents (including the Bill of Lading) are required to be “clean” and “unadulterated”.[56] As a consequence carriers frequently come under severe pressure to issue clean Bills of Lading in order that the seller or shipper is able to tender a Bill of Lading conforming to the documentary credit requirements and thus be paid.
UCP 500 or “The Uniform Customs and Practice for Documentary Credits”[57] is the standard format for documentary credit transactions used within international trade. Article 32 covers the requirement for a clean Bill of Lading though “clean transport documents”.[58]
(a) A clean transport document is one which bears no clause or notation which expressly declares a defective condition of the goods and/or the packaging.
(b) Banks will not accept transport documents bearing such clauses or notations unless the credit expressly stipulates the clauses or notations which may be accepted.

The date on which the cargo was shipped is also a matter of principal significance. Documentary credits regularly require that the merchandise be shipped prior to a specific date. Failure being that the bank will not acknowledge the documents tendered. The date of shipment requirement has led shippers to influence carriers to agree to accept a Letter of Indemnity as offset for antedating the Bills of Lading[59]. This custom of antedating bills of lading is in effect fallaciously dating Bills of Lading to signify that the consignment was shipped in advance of the actual time. This is a fraudulent act equivalent to the issue of a clean Bill of Lading for spoilt goods.[60]

Fraud
English law tends to deal with complicity between a shipper and a carrier to construct an exchange of clean bills of lading for a letter of indemnity which results in the consignee being held liable to the or endorsee though the torts of deceit and negligence or fraudulent misrepresentation.[61] In a commentary on the sway of continental Europe on the law of the UK, Ibbetson stated:
there was still a degree of disharmony between [England and] continental European systems, where the requirements of good faith and fair dealing were far more deeply entrenched, but in 1994 these differences were smoothed out, at least so far as consumer contracts were concerned, by providing that all such contracts should be subject to a general requirement of ‘fairness’”.[62]

The International Chamber of Commerce lists four types of frauds in Letters of Indemnity[63]:
1. Falsified documents, the consignment being non-existent,
2. Goods are of inferior quality or quantity,
3. Same consignment is sold to two or more parties, and
4. Double bills of lading are issued for the same consignment.

The English common law habitually resists any universal obligation of good faith and the accompanying obligations. In particular, the conception of a general duty to inform or the obligation to disclose has been neglected by the common law.[64] Jenkins v. Livesey[65] (House of Lords) promoted the customary perspective held by the common law.

It should be noted that “…academic writers continue(d) to press for some generalization of the circumstances in which such duty [to notify or of disclosure] arose, moving towards though not necessarily reaching, the principles of good faith in negotiations widely recognized by continental legal systems”.[66]

The exchange of a Letter of Indemnity for a clean bill of lading at shipment is thus a deceitful exercise. It undermines the reliability of bills of lading:
Honesty and integrity in relation to the signing of receipts for goods the subject of bills of lading is essential if persons engaged in international trade are to have any confidence in documents which play such a vital role in relation to the authorization of the payment of money. If receipts are signed dishonestly or in bad faith, the confidence of the international trading community is undermined and a whole system that was designed to work for the benefit and protection of both parties to a transaction such as this will be called into question”.[67]

Letters of Indemnity continue to be issued in exchange for clean Bills of Lading even though the courts disapprove of the custom[68] and academics have written against it.[69]

Notwithstanding the danger that the carrier will be accountable to the shipper should the shipper sue, carriers will frequently obeisance to the demands of the shipper who requires clean shipped bills of lading in order to be remunerated. Even where a carrier receives a Letter of Indemnity in return, it may not be reassuring as numerous jurisdictions decline to execute the letter of indemnity contract.[70]

It remains the case that a carrier could escape responsibility for a fraudulent action. It has been suggested that a “particularly nefarious fraud has emerged” through the Letter of Indemnity.[71] A carrier could assert an exception (e.g. as inadequate bindings) leaving the consignee and underwriters to remain unaware of a Letter of Indemnity unless action is commenced. They may remain utterly unaware of its existence.[72] Consignees are frequently naive to the possible existence of a Letter of Indemnity. Even when they discover it, the difficulty of establishing an alleged fraud remains.[73]

The requirements of the tort of deceit are that:
“Fraud is proved when it is shown that a false representation has been made,
i) Knowingly,
ii) Without belief in its truth, or
iii) Recklessly, careless whether it be true or false….”[74]
“If the false statement was made knowingly and that intention is proved then the basis for liability for the tort of deceit is established”.[75]

Evans LJ in Standard Chartered Bank v Pakistan National Shipping Corporation of the English Court of Appeal held in the circumstances where a carrier fabricates a false bill of lading:
“It is clear, in my judgment, that the shipowner would have no defence to the bank’s claim if the master or agent issued a false antedated Bill of Lading in the genuine though careless belief that it would facilitate the particular transaction or maritime trade generally [he] believed he was justified in doing so or that no harm would result”.[76]

Conclusion
Letters of Indemnity are a commonly used instrument within international commerce that is unlikely to vanish any time soon. However, using them in order to secure clean Bills of Lading is a practice that should be discouraged. In spite of legal sanctions this custom remains in common use. Shippers whose wares fail to satisfy the requirements of the documentary credit, the contract of sale, and other commercial instruments ought to be required to come to an arrangement with the consignee or other party to the sale agreement in situations where they cannot convey the merchandise using claused or foul Bills of Lading.

Engaging the carrier to aid in the commission of a deception on an innocent third party is deplorable. It should not be endured by the courts or the shipping industry. The notion of acceptable situations in which one can receive a Letter of Indemnity, or “proper Letter of Indemnity”, only to aggravates the dilemma, resulting in the courts scrutinising the intrinsic worth of every case instead of merely condemning the custom.

The inclination of writers and courts to use the terms Letter of Indemnity issued at shipment and Letters of Guarantee issued at discharge should be distinguished (even though they are both indemnity contracts). These are essentially dissimilar instruments and the transposing of the terminology has led to perplexity and misunderstandings of the dissimilarity between these instruments. Letters of Indemnity and Letters of Guarantee hold separate purposes which when scrutinized draw attention to separate inconveniences and limitations of the law and within the transport trade in general.

As Prof. Tetley argues; “Even when a Letter of Indemnity is issued in seemingly good faith, it can cause confusion and hardship”[77].

Bibliography
1. Anderson, C. (1975) “Admiralty Law Institute: Symposium on Charter Parties: Time and Voyage Charters: Proceeding to Loading Port, Loading, and Related Problems” 49 Tul. L. Rev. 880
2. Beatson, J. (1998) Anson’s Law of Contract, Oxford University Press, Oxford
3. Beatson, J. “Has the Common Law a Future” [1997] CLJ 291
4. Chan, F. (1999) “A Plea for Certainty: Legal and Practical Problems in the Presentation of Non-Negotiable Bills of Lading” 29 Hong Kong L. J. 44
5. Derrington, S & White, W. (2002) “Australian Maritime Law Update: 2001” 33 JMLC 275
6. Dromgoole S. & Baatz Y (1992) “Interest in Goods” (2nd Ed) Chapter 22
7. Gaskell, N. et al., (2000) “Bills of Lading: Law and Contracts”, LLP, London
8. Hazelwood, S.J. (2000) “P & I Clubs: Law and Practice”, 3rd Ed. LLP, London
9. Howard, T. & Davenport, B. (1996) “English Maritime Law Update 1994/95” 27 J. Mar. L. & Com. 427
10. Ibbetson, A (1999) “Historical Introduction to the Law of Obligations”, Oxford University Press, Oxford
11. International Institute for the Unification of Private Law, (1994) UNIDROIT Principles of International Commercial Contracts. Available Online at: http://www.unidroit.org/english/presentation/main.htm
12. Keily, T. (1999) “Good Faith and the Vienna Convention on Contracts for the International Sale of Goods (CISG)” 3 Vindobona Journal of International Commercial Law and Arbitration, 15
13. Myburgh, P.A. (1995) “Current Developments Concerning the Form of Bills of Lading – New Zealand” in Ocean Bills of Lading: Traditional Forms, Substitutes, and EDI Systems, A.N. Yiannopoulos (Ed.), Kluwer Law International, The Hague, 1995, 237
14. Nicholas, B. (1989) “The Obligation to Disclose Information” in Contract Law Today, D.R. Harris and D. Tallon (Eds), Oxford University Press, Oxford, 1989, 169
15. Parker, B. (2003) “Liability for Incorrectly Clausing Bills of Lading” [2003] LMCLQ 204
16. Rutten, Lamon (UNCTAD), (2004) “A Primer on New Techniques Used By The Sophisticated Financial Fraudster (With Special Reference to Commodity Market Instruments)” UNCTAD/DITC/COM/39 (7th March 2003) UNCTAD secretariat
17. Sharpe, D. (1995) “Recent Developments in Maritime Law” 19 Mar. Law. 301
18. Tetley, William (1985) “Maritime Liens & Claims”, 1st Ed., 1
19. Tetley, William (1994) “International Conflict of Laws”, 1st Ed.,
20. Tetley, William (1998) “Maritime Liens & Claims”, 2 Ed.,
21. Tetley, William (2003) “International Maritime and Admiralty Law”, 1st Ed., 2003
22. Tetley, William (2004) “Glossary of Maritime Law Terms”, 1st Ed., viewed at: http://www.mcgill.ca/maritimelaw/glossaries/maritime/
23. Tetley, William (2004) "Good Faith in Contract, Particularly in the Contracts of Arbitration and Chartering (Corrective vs. Distributive Justice)" 35 JMLC 561-616.
24. Tetley, William (2004) "Letters of Indemnity at Shipment and Letters of Guarantee at Discharge" [2004] ETL 287-344.
25. Todd, P. (1990) “Modern Bills of Lading”, Blackwell law, Oxford
26. Weale, John (2004) “Letters of Indemnity: Some Practical Considerations” Maritime Arbitrators of Canada
27. Wilson, J.F. (2001) “Carriage of Goods by Sea”, 4th Ed. Longman, Harlow, UK
28. Yiannopoulos, A.N. (1995) “XIVth International Congress of Comparative Law: Current Developments Concerning the Form of Bills of Lading” in Ocean Bills of Lading: Traditional Forms, Substitutes, and EDI Systems. A.N. Yiannopoulos (Ed.), Kluwer Law International, The Hague, 1995, 3

Cases
Alimport v. Soubert Shipping Co. Ltd. [2000] 2 Lloyd’s Rep. 448 (Q.B. Com. Ct.)
Amann Aviation Pty Ltd. v. Commonwealth of Australia (1991) 66 ALJR 123 (H.C. Aust.)
Barclay’s Bank Ltd. v. Customs and Excise [1963] 1 Lloyd’s Rep. 81 (Q.B. Com. Ct.)
Berisford Metals Corp. v. S/S Salvador 1986 AMC 874 (2 Cir. 1985)
Collern & Co. Ltd v. China Ocean Shipping Company [1993] P & I International 16 (Sup. Ct N.S.W.)
Compania Naviera Vascongada v. Churchill [1906] 1 K.B. 237 (K.B. Div.)
Demsey & Associates v. S.S. Sea Star, 1970 AMC 1088 (S.D.N.Y. 1970)
Derry v. Peek (1889) 14 A.C. 337 (H.L.)
Donahue v. Stevenson [1932] AC 562 (H.L.)
East West Corp. v. DKBS 1912 [2003] 2 All ER 700 (C.A.)
Encyclopedia Britannica v. SS Hong Kong Producer 1969 AMC 1741(2 Cir. 1969)
Hedley Byrne & Co. Ltd. v. Heller & Partners Ltd. [1963] 1 Lloyd’s Rep. 485 (H.L.)
Hunter Grain v. Hyundai, (1993) 117 ALR 507 (Fed Ct, Aust.)
Jenkins v. Livesey [1985] AC 424 (H.L)
Kwel Tek Choa v. British Traders and Shippers Ltd [1954] 1 Lloyd’s Rep. 16 (Q.B. Com Ct.)
Leamthong v Artis [2004] EWHC 2226
Lickbarrow v Mason (1794) STR 683
Motis Exports Ltd. v. Dampkibsselskabet Af 1912 [1999] 1 Lloyd’s Rep 837 (Q.B. Com. Ct.)
Pacific Carriers Ltd. v. Banque Nationale de Paris, [2001] N.S.W.S.C. 900 (October 16 2001) (Unreported) (Sup. Ct. N.S.W.)
Pacific Carriers v BNP Paribas (High Court of Australia 5th Aug 2004)
Peer Voss v. APL Co. Pte Limited [2002] 2 Lloyd’s Rep. 707 (Singapore C.A.)
Pickard v. Spears (1837) 112 E.R. 179 (H.L.)
Renard Constructions Pty v. Minister for Public Works (1992) 26 NSW LR 234 (NSW C.A.)
Sanders v Maclean (1883) 11 QB 304 at 341
Standard Chartered Bank v. Pakistan National Shipping Corporation and Others (No. 2) [1998] 1 Lloyd’s Rep. 684 (Q.B. Com. Ct.)
The Aegean Sea [1998] 2 Lloyd’s Rep 39 (Q.B. Com Ct.)
The Carso 1930 AMC 1740 at p. 1758 (S.D. N.Y. 1930).
The Ines [1995] 2 Lloyd’s Rep. 144 (Q.B. Com Ct.)
The Nea Tyhi [1982] 1 Lloyd’s Rep. 607 (Q.B. Com. Ct.)
The New York Star [1980] 2 Lloyd’s Rep. 217 (P.C)
The Rafaela S [2003] EWCA Civ 556,[2003] All E.R. (D) 289 (Apr.) (C.A.)
The Sagona [1984] 1 Lloyd’s Rep. 194 (Q.B. Com. Ct.)
The Saudi Crown [1986] 1 Lloyd’s Rep. 261 (Q.B. Adm. Ct.)
The Stettin (1889) 14 P.D. 142
The Sormovskiy 3068 [1994] 2 Lloyd’s Rep 266 (Q.B. Adm. Ct.)
The Stone Gemini [1999] 2 Lloyd’s Rep. 255 (Fed. Crt., Aust, NSW Adm.)
The Zhi Jiang Kou [1991] 1 Lloyd’s Rep. 493 (C.A. N.S.W.)
United Baltic Corp. v. Dundee Perth & London Shipping Co. (1928) 32 Ll. L. Rep. 272
United Philippine Lines, Inc v Metalsrussia Corp. Ltd. 1997 AMC 2131 (S.D. N.Y. 1997)
Statues and Regulations
Bills of Lading Act (1855) 18 & 19 Vict. c. 111. (U.K.)
Carriage of Goods by Sea Act 1992, U.K. c. 50
Limitation Act 1980, U.K
Misrepresentation Act 1967, U.K. c. 7
Pomerene Bills of Lading Act 1916, 49 U.S. Code 102
Protocol to Amend the International Convention for the Unification of Certain Rules of Law Relating to Bills of Lading, Brussels, February 23, 1968
Rome Convention 1980 E.E.C. 80/934, signed at Rome, June 19, 1980
Swedish Maritime Code, 1994, 2nd Ed. Andrea Upplagan T.O.M. 30 June 2000, Stockholm
Unfair Terms in Consumer Contracts Regulations 1994, U.K
United Nations Convention on the Carriage of Goods by Sea, Hamburg, March 31,1978
United Nations Convention on Contracts for the International Sale of Goods, Vienna, April 11, 1980
U.S. Carriage of Goods by Sea Act (COGSA), April 16, 1936, ch. 229, Sec. 1, 49 Stat. 1207

Footnotes
[1] United Philippine Lines, Inc v Metalsrussia Corp. Ltd. 1997 AMC 2131 at p. 2133 (S.D. N.Y. 1997). In this case, a letter of indemnity was issued for this purpose.
[2] Lickbarrow v Mason (1794) STR 683;
[3] Bowen LJ’s judgment in Sanders v Maclean (1883) 11 QB 304 at 341.
[4] The Hague-Visby Rules state that a Bill of Lading is an adequate receipt. An indemnity given by the shipper to the carrier is illegal and ineffective when the carrier has made an intentional misrepresentation about the state of the cargo. The Hague-Visby Rules do not contain detailed provisions regarding the legality of the custom of issuing clean bills for defective merchandise against a letter of indemnity from the shipper.
[5] Situations where the Bill of Lading may contain neither of the Hague, Hague-Visby Rules or even the Hamburg Rules are atypical (the Hague-Visby rules are most commonly used).
[6] “The International Convention for the Unification of Certain Rules of Law relating to Bills of Lading” was signed at Brussels on the 25th August 1925
[7] “The International Convention for the Unification of Certain Rules of Law relating to Bills of Lading” was signed at Brussels on 25th August 1924 as amended by the Protocol signed at Brussels on 23rd February 1968 and by the Protocol that was signed at Brussels on 21st December 1972.
[8] Article III, Rule I
[9] Article III Rule II
[10] Article III Rule 6
[11] Article IV Rule 5(a)
[12] Article 3 Rule 8 and Article V, but see Article VI
[13] Goode R., Commercial Law (2nd Ed) p.902.
[14] Dromgoole S. & Baatz Y “Interest in Goods” (2nd Ed) Chapter 22
[15] The Carso 1930 AMC 1740 at p. 1758 (S.D. N.Y. 1930).
[16] Tetley, W. “Letters of Indemnity at Shipment and Letters of Guarantee at Discharge”
[17] Tetley,W. Marine Cargo Claims, 3rd Ed., Editions Yvon Blais, Montreal, 1988, at 821.
[18] Standard Chartered Bank v. Pakistan National Shipping Corporation and Others (No. 2) [1998] 1 Lloyd’s Rep. 684 at 688 (Q.B. Com Ct.). Lord Justice Evans, comments regarding Cresswell, J.’s statement in the Court of Appeal decision, approved with the assertions and additionally remarked: “This requirement of honest commerce is stringently enforced by the English Courts. If a false bill of lading is knowingly issued by the master or agent of the shipowner, and if the claimant was intended to rely on it and did rely upon it and as a result of doing so has suffered loss, then the shipowner is liable in damages for the tort of deceit”. (Standard Chartered Bank v. Pakistan National Shipping Corporation and Others (No. 2) (C.A.), supra note 1, at 221). See also Howard, T. & Davenport, B. “English Maritime Law Update 1994/95” (1996) 27 J. Mar. L. & Com. 427.
[19] Hazelwood, S.J. P & I Clubs: Law and Practice, 3rd Ed., LLP, London, 2000 at 179.
[20] Ibid.
[21] Standard Chartered Bank v Pakistan Nation Shipping Corporation and Others (No. 2) (C.A.); Hunter Grain v. Hyundai (1993) 117 ALR 507 (Federal Court of Australia).
[22] Art. 3(4) of the Protocol to Amend the International Convention for the Unification of Certain Rules of Law Relating to Bills of Lading, Brussels, 23rd February, 1968 [the Hague/Visby Rules].
[23] Art. 16(3)(b).
[24] Pomerene Bills of Lading Act (United States), 1916, 49 U.S. Code 102, addresses the practice of antedating. Section 22, protects parties who have relied on the date in the bill of lading to their detriment. It is uncommon for statute to include such protections.
[25] The Stone Gemini
[26] Pacific Carriers v BNP Paribas (High Court of Australia 5th Aug 2004)
[27] Collern & Co. v China Ocean Shipping Company [1993] P&I International 16
[28] Carriage of Goods by Sea Act 1992, Section 2.2(a)
[29] The Stettin (1889) 14 P.D. 142; The Sormorskiy 3068 [1994] 2 Lloyds Rep. 266 {deals where the bill is mislaid}.
[30] Motis Exports v Dampskisselskabett AF 1912 [1999] 1 Lloyd’s Rep. Affirmed [2000] 1 Lloyd’s Rep. 211
[31] Pacific Carriers v BNP Paribas
[32] P&I Clubs (or Protection and Indemnity Clubs) are covered later in this paper in more detail.
[33] The Stone Gemini [1999] 2 Lloyd’s Rep. 255 (Federal Court of Australia)
[34] Leamthong v Artis [2004] EWHC 2226
[35] Tetley, W [2004] ETL 287-344
[36] See Hunter Grain v. Hyundai; Brown, Jenkinson & Co. v. Percy Dalton; Standard Chartered Bank v. Pakistan National Shipping; St. Paul Fire and Marine Ins v. Typin Steel.
[37] Brown, Jenkinson & Co., v. Percy Dalton, the court held that a letter of indemnity contract was illegal and unenforceable as the object of the contract was to commit a tort. See Hellenic Lines, Ltd. v. Chemoleum Corp. 1971 AMC 2605 (N.Y. Supr. Ct. App. Div), the majority of the court held that indemnity agreements are against to public policy and thus are not enforceable.
[38] See Brown, Jenkinson & Co. v. Percy Dalton, & Hellenic Lines, Ltd. v. Chemoleum Corp.
[39] See Shanghai Ocean-going Shipping Co. v. Xiamen Foreign Trade Co. recapitulated by Chen, at 92.
[40] Protection and Indemnity Clubs
[41] Gyselen, L. “P&I Insurance: The European Commission’s Decision Concerning the Agreement of the International Group of P&I Clubs,” in Marine Insurance at the Turn of the Millennium. M. Huybrechts (Ed.) Intersentia, Antwerpen, 1999, 181, at 181.
[42] Ibid., at 182.
[43] Tetley, W. International Maritime and Admiralty Law, Editions Yvon Blais, Montreal, 2002, at 591.
[44] Luddenke, at 36.
[45] Hazelwood, at 179.
[46] Ibid. The American Steamship Owners Mutual Protection and Indemnity Association Form Policy, encompasses cargo liability in stipulation 7, but specifically excludes ante-dating in provision 7(g): “(7) Liability for loss of or damage to or in connection with cargo or other property (except mail or parcels post), including baggage and personal effects of passengers, to be carried, carried or which has been carried on board the insured vessel. Provided, however, that no liability shall exist hereunder for: …(g) Loss, damage or expense arising from the intentional issuance of bills of lading prior to receipt of the goods described therein, or covering goods not received at all.”
[47] Hazelwood, at 179-180.
[48] The Stone Gemini [1999] 2 Lloyd’s Rep. 255, at 266 (Australian Federal Court. NSW).
[49] Tetley at 824.
[50] Ibid.
[51] Tetley, W [2004] ETL 287-344
[52] Hare, J. Shipping Law & Admiralty Jurisdiction in South Africa, Junta & Co., Cape Town, 1999, at 459.
[53] Ibid., In the United States, the documentary credit is generally refered to as a ‘letter of credit’.
[54] Wilson, J. Carriage of Goods by Sea, 4th Ed. Longman, England, 2001, at 140.
[55] Ibid., at 140-141.
[56] Hare, at 459.
[57] Uniform Customs and Practice for Documentary Credits, 1993 Revision, International Chamber of Commerce Publication No. 500. A text of UCP 500 can be found at the site: http://www.iccwbo.org/. In the US, the Uniform Commercial Code, regulates documentary credits in a manner similar to that of the UCP 500.
[58] UCP 500, ibid., Art. 32.
[59] See Standard Chartered Bank v. Pakistan Nation Shipping Corporation and Others (No. 2) (C.A.).
[60] In Standard Chartered Bank v. Pakistan Nation Shipping Corporation and Others (No. 2) (C.A.), the carrier was held liable in the tort of deceit for antedating bills of lading in exchange for a letter of indemnity. The Court held that the carrier would have no defence to the bank’s claim, who was the holder of the bill of lading, and that the carrier was held to the same standard of commercial honesty that was required form the other parties to the letter of credit transaction.
[61] Parker, B. “Liability for Incorrectly Clausing Bills of Lading” [2003] LMCLQ 201, at 205. For example see Brown Jenkinson v Percy Dalton, discussing fraudulent misrepresentation with regard to the issuance of clean bills of lading in exchange for letters of indemnity. For cases dealing generally with the tort of negligence and the tort of deceit, see The Saudi Crown [1986] 1 Lloyd’s Rep. 261 (Q.B. Adm. Ct), Standard Chartered Bank v. Pakistan National Shipping Corporation and Others (No. 2) (C.A), and Hedley Byrne & Co. Ltd. v. Heller & Partners Ltd. [1963] 1 Lloyd’s Rep. 485 (H.L.).
[62] Ibid., at 258. The 1994 regulations that required ‘fairness’ were the Unfair Terms in Consumer Contracts Regulations 1994 (U.K).
[63] ICC International Maritime Bureau, “A Profile on Maritime Fraud”, August 1982.
[64] Ibid., at 252, citing Nicholas, B. “The Obligation to Disclose Information” in D.R. Harris and D. Tallon, Contract Law Today, Oxford, 1989, 166. The obligation to inform, or the obligation to disclose, arises most commonly in English law in the context of the question of “whether…a right to rescind [a contract] should arise where a contracting party had failed to disclose information that would have affected the other party’s decision to enter the contract.” There are, unique instances in English law where a duty to disclose does arise; Beatson, Anson’s Law of Contract, Oxford, 1998, at 257-269.
[65] [1985] AC 424, at 439.
[66] Ibbetson, at 252, taking special note of Beatson, J. “Has the Common Law a Future”[1997] CLJ 291, at 303-307.
[67] Hunter Grain v. Hyundai, holding the carrier responsible for accepting a letter of indemnity in exchange for a clean bill of lading.
[68] Ibid. See also Brown Jenkinson v. Percy Dalton, Standard Chartered Bank v. Pakistan Nation Shipping Corporation and Others (No. 2) (C.A.) supra note 1; United Baltic Corp. v. Dundee Perth & London Shipping Co. (1928) 32 Ll. L. Rep. 272, where the practice of issuing letters of indemnity was criticized by the court, with Wright J. using particularly strong language at p. 272: “The practice of issuing clean bills of lading when goods are damaged is very reprehensible. It leads to trouble, and the people who do it ought to suffer.”
[69] See Tetley, “Chapter 38: Letters of Indemnity and of Guarantee” at 821, who, at p. 823, states that “letters of indemnity should not be condoned, by the courts, or by commerce, rather they should be discouraged.” See also Hazelwood, at 178.
[70] See Brown Jenkinson v. Percy Dalton, supra note 1, where the Court of Appeal held that the indemnity was unenforceable because it was an illegal contract, with the purpose of perpetrating fraud on the buyer. See also the Hamburg Rules, which dictate in Article 17.3 that the carrier will have no right of indemnity against the shipper if his intention in issuing the clean bill of lading was to defraud a third party, including a consignee, who acts in reliance on the description of the goods in the bill of lading.
[71] UNCTAD 2003
[72] Tetley, at 824. See also Bokalli, at 118, framing the problem from the point of view of the insurance companies, who, once the good have arrived damaged, pay out and then are subrogated into the rights of the consignees. These firms are often left without recourse as the carrier claims that the damage falls into one of the exculpatory provisions.
[73] In Xiamen Special Zone Jijian Trade Co. v. Tianjing Ocean Shipping Co. (reported by Xia Chen, “Chinese Law on Carriage of Goods by Sea under Bills of Lading” (1999) 8 Currents Int’l Trade L. J. 89, at 93.) the consignee suspected fraud in the form of antedated bills of lading, however the evidence was not sufficient to unequivocally prove the fraud. The consignee then obtained a court order that mandated that the vessel provide all information related to the loading, and the Court itself also undertook its own investigation. Upon completion of the investigations, the Court held that there was in fact fraud and the carrier was liable.
In commentary on the above decision, it has been noted that it is “often not easy for a cargo consignee to prove such fraud between the shipper and the carrier without having been present at the time of loading. [In the above case] the petitioner obtained the court’s order to preserve evidence on board the vessel, in addition to interviewing the vessel’s officials and other crew members and inspecting the cargo by professionals. In the meantime the court also launched an investigation of its own in accordance with Article 74 of the Law of Civil Procedure which provides that when there exists a danger that evidence may disappear or when it is difficult to gather evidence, the parties involved may petition the court for an order to preserve evidence and the court may also initiate its own efforts in preserving the evidence.” (Ibid., at 93).
[74] Derry v. Peek (1889) 14 A.C. 337 (H.L.) at 374.
[75] Standard Chartered Bank v. Pakistan National Shipping Corporation and Others (No. 2), at 224. See also Gaskell, N. Bills of Lading: Law and Contracts, LLP, London, 2000 at 179: “…the act of knowingly issuing a false bill of lading is an intentional deceit or fraud.”
[76] Standard Chartered Bank v Pakistan National Shipping Corporation and Others (No. 2), ibid., at 221 and 224.
[77] Tetley, W (2004) [2004] ETL 287-344

Thursday, 17 April 2008

Testing the security of the DNS Infrastructure - Has the security of the DNS Infrastructure Improved? (Continued)

The threats of an insecure DNS
The threats are many, we do not plan to cover all of them in this document and they are as limitless as one’s imagination. We will briefly cover a few in the following sections.
The threats mentioned below have been broken down into the categories of those against Confidentiality, Availability and Integrity.

Threats to Confidentiality
Eavesdropping Attacks
Mail
If you run any other software on the DNS server, and the DNS is compromised in such a manner that allows the attacker operating system level access to the server hosting the DNS, any data traversing the server that runs the DNS will be able to be intercepted and captured by the attacker.

For example, if your DNS server was also a mail relay for your organisation, the attacker could read all mail messages entering or exiting your domain. If there was a lack of adherence within your organisation to obeying your security policy, and sensitive information was being regularly transmitted via email, the attacker could collect a lot of valuable information from this attack.

General Traffic Sniffing
If the DNS was poorly located in such a way that all traffic entering or exiting your organisation had to pass it, the compromised server could be used to eavesdrop on all inbound and outbound traffic, such as:

  • E-Commerce transactions,
  • Remote access sessions, and
  • File transfers.
Trust Relationship Exploit
If the security of your organisation had been poorly configured to allow the DNS to access other servers within your organisation, or even in your bastion zones, it could be used as a springboard by a successful attacker from which to launch attacks against other more valuable information assets.

Threats to Integrity
The following are examples of what could happen in the event of a compromise of integrity of your DNS.

Mail Redirection
If an attacker can alter the address of your primary mail exchanger (MX) record, they can effectively:
  • Deny your ability to receive mail,
  • Receive all of your mail and reply to it making it look like it came from your organisation and bring your organisation into disrepute by sending obscene or inaccurate replies,
  • Publicising sensitive mail messages on newsgroups or other media thereby causing loss of trust from your customers/shareholders,
Web Redirection
In this scenario, if an attacker can alter your DNS records, they could redirect your customers to:
  • Your competitors site,
  • A bogus site containing anti-social content,
  • A site that looks like your site but contains inaccurate content,
  • A site that states your site has gone out of business,
  • Redirect users and capture their credentials (eg Internet banking)
  • E-Commerce Redirection

In this scenario, if an attacker can alter your DNS records, they could redirect your customers to another site:

  • which takes their orders, accepts the payment but doesn’t provide the goods, or
    proxies all traffic back to your real e-commerce server to capture customer details and credit card information.
Masquerading
In this scenario, an attacker places their address into your DNS so it appears as they are one of your systems, and then commits acts against other hosts on the Internet pretending to be from your domain.

This is as simple as removing one of your IP Addresses and inserting theirs in the DNS configuration files. When their address resolves in someone’s log files, it will appear to look like a server from your domain. They commit the attacks on others and then change it back to normal and when the person suffering the attack goes hunting for the attacker, it looks like you did it.
This type of attack could cause very bad publicity for your organisation and subsequent loss of customers/shareholders.

Threats to Availability
Your DNS is probably the most critical part of your organisation, without it:
  • People cannot determine where to send mail to you, and
  • People cannot determine how to get to any of the services you provide.
Redirection
In this attack, the attacker simply redirects the address of any of your servers to a non-functioning address thereby making your site inaccessible.

Another twist on this attack could be used to direct all of your web and mail traffic to a server within your domain, on another DMZ, which was not running a mail relay or web server. This would have the added effect of causing additional load on your security enforcing devices such as packet filters and firewalls as the traffic bounced in towards the server not running the services and out again as it got rejected resulting in twice the traffic levels normally experienced by your organisation.

Deletion
In this attack the attacker removes entries from your DNS servers thereby making those hosts inaccessible.


DNS is Critical
In summary DNS is arguably the most important service on any Internet based network (Verisign, 2003). The domain naming service is more crucial than even the web server or mail. Without DNS, the Internet stops (McCahill et al. 1995), no mail, no web no e-commerce (RFC1862).

Wednesday, 16 April 2008

Has the security of the DNS Infrastructure Improved? (Part 1)

Introduction and objectives
With the suggestion that pharmming[1] attacks are on the increase (Leon, 2005), the security of the DNS infrastructure has come into question again.

Using qualitative research, the following questions have been investigated in this paper serial;

  1. If the Levels of Security (based on patching practices) has improved since 2000,
  2. How the TLD[2]’s and Australian servers compare to the general population of DNS Servers worldwide,
  3. How security the Internet is based on the overall level of DNS Security.
A short account of the Domain Naming Service
BIND, the Berkeley Internet Name Domain service was created by a team of computer scientists at the University of California at Berkeley. The US Defence Advanced Research Projects Administration (DARPA) funded a graduate student project to enable this research. Bind versions up to and including 4.8.3 were maintained by the Computer Systems Research Group (CSRG) at UC Berkeley. The initial BIND project team included Douglas Terry, Mark Painter, David Riggle and Songnian Zhou.

Ralph Campbell and Kevin Dunlap, continued the original work at the CSRG for 2 years--from 1985 to 1987. BIND maintenance was subsequently handled by Mike Karels and O. Kure.
BIND Version 4.9.2 was sponsored by Paul Vixie of Vixie Enterprises who became the principal architect and programmer of BIND. ISC, the Internet Software Consortium, have subsequently taken over support of BIND.

What is DNS?
DNS or the domain name system the methodology used on the Internet to translate domain names into IP (Internet Protocol) addresses. The process of maintaining a central list of domain name/IP address correspondences by host file was found to be impractical.

DNS was developed as a service to enable this process over the distributed Internet as seamlessly as possible. Every name of every computer on the Internet is translated using a DNS server.

The Basics of making a DNS server secure
DNS queries operate over UDP port 53 and Zone transfers (and certain other longer queries) operate over TCP port 53. Using security enforcing devices, such as packet filters and firewalls to filter traffic allowing only query access to the DNS server over these ports is the first step in securing your DNS.

Next, the operating system of the server running the DNS software must be secured. To do this, restrict access to authorised users only and prevent access from unauthorised users. This may seem like an oblivious statement but it is one that seems to be missed on numerous occasions (Dept. of Commerce, 2004).

Also, operating system should have the bare minimum of functionality installed, that is, no other services should run on the DNS server – it should be a bastion host. Further, file and directory permissions should be the leanest possible for normal operation.

These points are just a start; which is why many organisations have taken to outsourcing DNS (Booth, 2004).

The version of software you should run on your DNS is the latest supported version available at the time. Make sure you have all of the latest applicable security patches applied.
Securely configuring your DNS software is a must, without this important step, the integrity of your DNS will be compromised. A general rule of thumb when configuring DNS (as with most other Internet Systems) is to “Enable on that which is required, from only the locations it is required, and disable the rest” (Ashbury, 2000).

Primary DNS
The DNS software needs to be configured in such a manner as to allow:
  • Anyone, anywhere, to resolve the names of your externally visible hosts to IP Addresses and vice versa,
  • A primary DNS to forward queries for hosts it does not know to a root server (or ideally not handle forwarded requests), and
  • The primary DNS for your domain to update the configuration of the secondary DNS servers for your domain.
Secondary DNS
The software on the secondary DNS needs to be configured in such a manner as to allow:
  • Anyone, anywhere, to resolve the names of your externally visible hosts to IP Addresses and vice versa,
  • The DNS to forward queries for hosts it does not know to a root server, and
  • The primary DNS for your domain to update the configuration of the secondary DNS servers for your domain.
The threats of an insecure DNS
The threats are many, we do not plan to cover all of them in this document series and they are as limitless as one’s imagination. We will briefly cover a few in the following sections. See tomorrow for more. The threats mentioned will be broken down into the categories of those against Confidentiality, Availability and Integrity.

[1] Pharming – Attacks designed to compromise a DNS Server and use it for the attackers purpose
[2] TLD, Top Level Domains

Research Paper - Serial over the next few days.

Testing the security of the DNS Infrastructure
Has the security of the DNS Infrastructure Improved?


Abstract
This research was designed to test the composition and security of the Internet backbone, DNS. Quantitative experiments designed to record the versions and a relative security grading will be compared with a prior study completed in 2000.

From this experiment we will determine if the Levels of Security (based on patching practices, vulnerabilities and versions) has improved since 2000. An analysis of how the TLD[1]’s and Australian servers compare to the general population of DNS Servers worldwide will also be conducted.

These results will allow an extrapolation of the state of security on the Internet in general as the Internets level of security is based on the overall level of DNS Security.

[1] TLD, Top Level Domains

Tuesday, 15 April 2008

HRM, it’s not just hiring for compliance

Introduction
The greatest threat to an organisation’s security comes from inside its own walls. Staff, ex-staff and consultants are the greatest risk faced by any organisation. Most of the risk is a direct result of inadequate HRM processes and awareness. The rise in IT governance legislation and other requirements has driven organisations to monitor and implement controls over the Human Resources operations.

Not only does this process make them more effective when implemented appropriately, it is helping make the organisation more secure.

Security, a cost now leads to savings later. Through the effective management of Human Resources may be an expenditure now, it leads to reduced risk and long term savings.

The drive for compliance
Compliance has become a prime business concern across most sectors[1]. Changes to reporting and regulatory regimes such as Sarbanes Oxley, BASEL II, FISMA, and the changes to the privacy legislation have changed the face of business in general and information technology’s role in governance.

Grembergen (2004) in the chapter, “Governing Information Technology through COBIT’ asserts that “the four main focus areas for IT Governance are driven by stakeholder value. Two are outcomes: value delivery and risk mitigation. Two are drivers: strategic alignment and performance measurement.”

Protiviti (2003) assert that entry level considerations for compliance with Sarbanes Oxley legislation hinges on the effective management of human resources. Control frameworks to achieve statutory compliance all require HR control implementation and monitoring.
These changes to compliance requirements have focussed a growth in IT recruitment not experienced since before the dot-com crash of 2001. This has even led to the Sarbanes Oxley act being dubbed the zero unemployment for auditors act (Apani 2002).

With these changes and the rapid growth in staff complements, it is essential to remember that the skill set of IT staff is a key determinant in measuring how effective they are likely to be in implementing and maintaining an organisation’s business requirements. In addition, training may also function as a set of golden handcuffs (Treen 2001) to IT Staff helping retain them in times of mobility.

Hawkins et al describe and interpret several central existing suppositions, models and practices in the IT Governance domain. Further, they support a goal of increasing the comprehension and knowledge of IT Governance. In particular they detail the role of Human Resources management from both an IT and overall perspective as it applies to IT Governance. Organisational security awareness is determined to be essential to achieving compliance. It is also important to remember that IT governance applies to all staff and not just those involved in IT.

Minimising the IT Governance breach has become essential (Coe 2003). It has turned out to be increasingly difficult for many organisation's to divide overall tactical operations from the contributory IT plan that facilitates the business mission to be satisfied.
COSO and COBIT define effective IT Governance[2] as including:

  • Protection of shareholder/stakeholder value,
  • Quantification and comprehension of IT risks,
  • Organising IT ventures, opportunity, return and risks
  • Aligning IT with the goals of the organisation while accepting IT as a critical input to and component of the strategic plan,
  • Maintaining current operations and plans for the future
COSO[3] asks the question of organisation’s as to whether their IT function subscribes to a philosophy of continuous learning. COSO further details that organisations provide “necessary training and skill development to its members” in order to be compliant. As COSO is the foundation for many of the Sarbanes Oxley baselines, most large US organisations and their international subsidiaries have to come to terms with HRM and training issues which they have thus far been able to sweep under the carpet.

Personal requirements are a key requirement in many sections of COBIT[4]. Of particular importance is the section “PO7 - Manage Human Resources”. The ISACA has defined the control of managing human recourses as:
The control over the IT process of managing human resources that satisfies the business requirement to acquire and maintain a motivated and competent workforce and maximise personnel contributions to the IT processes is enabled by sound, fair and transparent personnel management practices to recruit, line, vet, compensate, train, appraise, promote and dismiss.

The control framework, PO7 requires that an organisation implements processes to monitor and maintain:
  • Recruitment and promotion
  • Training and qualification requirements
  • Awareness building
  • Cross-training and job rotation
  • Hiring, vetting and dismissal procedures
  • Objective and measurable performance evaluation
  • Responsiveness to technical and market changes
  • Proper balance of internal and external resources
  • Succession plan for key positions
Other than the baseline of meeting statutory requirements, organisations should look to the benefits they can obtain from these controls (ISACA). Adequate staffing of the IT section within an organisation has been shown to provide effective and efficient operations throughout the business. Other paybacks comprise of improved motivation, retention and development of individuals and teams within the organisation (NSF Project #9708399).

It has been further demonstrated that employee inclusiveness; increased personnel contribution; and improved resilience and information security within operations all return beneficial results within an organisation far exceeding the compliance requirements (Romeo 2002 and O’Bryan et al 1995). Many organisations have provided testimonial support to benefits delivered to the management of the organisation including cost savings and superior effectiveness of operations (Mead 1998).

BS 7799.2:2002 or AS/NZS 7799.2:2003[5] has been adopted as a model for many organisations within both the commercial and government sectors. The NSW state government has mandated compliance with this framework for all state owned bodies.
Human resource management is a key control within the ISMS framework. In particular, section 5.2.2 (below) deals almost exclusively with the control over Human Resource Management:
Section 5.2.2 Training, awareness and competency
The organization shall ensure that all personnel who are assigned responsibilities defined in the ISMS are competent to perform the required tasks by:
a) determining the necessary competencies for personnel performing work effecting the ISMS;
b) providing competent training and, if necessary, employing competent personnel to satisfy these needs;
c) evaluating the effectiveness of the training provided and actions taken;
d) maintaining records of education, training, skills, experience and qualifications.
The organization shall also ensure that all relevant personnel are aware of the relevance and importance of their information security activities and how they contribute to the achievement of the ISMS objectives.

Organisations seeking certification or compliance against ISO 17799 need to have integrated the Human Resources and security functions in order to maintain an effective training and awareness system. Further, they need to evaluate training in order to implement system of continuous learning within the organisation.

In order to mandate the implementation of ISO 17799, the NSW Government OIT[6] has developed a set of standards and guidelines for any NSW government agency to use in developing an ISO 17799 compliant strategy.

From the perspective of the Human Resources professional, the key sections which need to be addressed in the guidelines are:
1 Segregation of duties,
2 Recruitment, and
3 The Monitoring of personal.

Many of these controls are essential requirements for either COSO or COBIT. It is thus possible to conclude that Human Resource management is an essential function in achieving IT Governance. Banerjee et al, further assert that HR management is not only a stage in IT Governance, but is essential to ensuring continued ethical behaviour from staff.

Christopher (2003) demonstrates that a lack of training can lead to employees making “one of the worst mistakes” and “giving out sensitive data”. He highlights the point that training and education are essential components which may be used to effectively empower staff to make correct decisions.

He further states that most breaches of corporate security are caused as a result of “weakness in human firewalls”. This details the need for awareness training for staff as technology will fail where staff are not fully educated in stopping attacks against the organisations information infrastructure.

It is emphasised that training and technology needs to be used together to ensure strategic security in corporations is successfully deployed. To achieve this effectively, horizontal teams need to be implemented from IT, HR and department heads to develop effective security management strategies[7]. “Policy setting is a give and take between business and security”[8].
The key issue at stake is that management needs to educate and communicate both the corporate policy itself, and the need for its being, across the organisation (O’Brien 1999). Management must place channels for feedback within the organisation (Mitnick and Simon 2002) to ensure that the message of security is being communicated.

Turnbull (2004) argues that organisations face new challenges and that they need to plan for these to be successful. Best practice is achieved through a process of knowledge and empowerment across all staff. New domestic and global HR privacy demands are driving many of these changes adding yet another layer to the compliance framework.

Defining the roles, HR needs to work with Info Sec
Kovacich, presents a total systems approach to the all the topics needed for the “infosec professional”. He asserts that defining the position of the information systems security officer (ISSO) is just a beginning.

Compliance is just the foundation for HR security controls; there are numerous reasons to ensure that Human Resources have defined the roles within IT and in particular Security (Dhillon 2001).

One concern influencing HR practice recently has resulted from a widespread shortage of security, audit and compliance skills (McCarthey 2001). The compliance drive detailed in the previous paragraphs has led to a debate amongst many professionals (not just those from HR) over the practice of hiring criminal hackers.

The claim that hackers are the proverbial “fox in the henhouse” (Savage 2004) strongly supports the claim that criminal hackers should not be hired into the security industry. Being that these people are able to utilise their skills productively within the information industry without being involved in security and that there are others who are trustworthy in the industry leads strongly to the conclusion that past convictions should exclude one from employment within the security industry.

“Trust has to be evaluated on a case by case basis" has been touted as a reason for hiring hackers on a case by case basis. Mitnick, the president of an information security firm and past convicted “hacker” uses this stating that his clients are happy with his services. He has said that he should be judged by his actions (Savage 2004).

Mitnick’s actions speak for themselves as he committed several felony offences while on parole for earlier offences (Associated Press 2004). The example may have been extreme, hiring criminals and handing them the keys, but the practice is not uncommon which further emphasises the need for high-quality practice and compliance within a organisations HR function (Wood 1997).

Good hiring policy, detailed background checks and controls should all be designed to increase the chances of hiring the correct person for the role and ensuring that they remain satisfied and effective (Wood 1993). This creates a series of processes that help reduce risk and improve efficiency within an organisation.

Awareness – where does this take us
Dhillon (2001) stated that “education, training and awareness, although important, are not sufficient conditions for managing information security. A focus on developing a security culture goes a long way in developing and sustaining a secure environment”.
Further, “a mismatch between the needs and goals of the organization could potentially be detrimental to the health of an organization and to the information systems in place…. organizational processes such as communications, decision making, change and power are culturally ingrained and failure to comprehend these could lead to problems in the security of information systems" .

Mitnick and Simon state that there are three key steps that should be instilled within employees thought process:
  • Step One: Verification of Identity
  • Step Two: Verification of Employment Status
  • Step Three: Verification of Need to Know
They further state that deceptive tactics are generally used to access or obtain private company information by masquerading as a trusted party. For this reason it is essential to verify the legitimacy of employees, contractors, vendors, or business partners.

It is further stated by Mitnick and Simon that effective information security is maintained only if an employee receiving a request to perform an action or provide sensitive information must positively identify the caller and verify his authority prior to granting a request.

For this reason, a well-rounded awareness program must cover as many of the following key areas as possible[9]:
Security policies related to systems passwords (these include computer and voice mail).
The procedure for disclosing sensitive information or materials.
Email usage policy, including the safeguards to prevent malicious code attacks including viruses, worms, and Trojan Horses.

Physical security requirements such as wearing a badge.
The responsibility to challenge people on the premises who aren't wearing a badge.
Best security practices of voice mail usage.

How to determine the classification of information, and the proper safeguards for protecting sensitive information.

Proper disposal of sensitive documents and computer media that contain, or have at any time in the past contained, confidential materials.

Additionally, the awareness program relies on the following tasks to be successful:
The development and distribution of an IT security policy that reflects business needs tempered by known risks;
Informing users of their IT security responsibilities, as documented in the organisation’s security policy and procedures; and
Establishing processes for monitoring and reviewing the program.
The NIST manual states that effective IT security awareness and training programs explain the appropriate conventions of conduct for the use of the organisation’s IT systems and information.
HRM is crucial as changing peoples’ attitudes and behaviour in terms of IT security can be a challenging task (NIST 800-50). New controls often appear to conflict with the way staff have done their job for years. An awareness and training program is crucial in that it is the vehicle for disseminating information that employee’s, including managers, need in order to do their job.
Coe (2003) has stated that “recurring evaluation and maintenance of employee awareness, specialized training and management awareness are all required components of a successful security program”. An effective information security program needs to properly account for the strengths and limitations of employees to successfully secure an organisation’s data.
“Keeping your network safe, HR must protect sensitive data from internal and external security threats” (Romeo, 2002).

Peter Hind (2004) has asked the question of, “why the IT department has responsibility for IT security?” General training is essential and should be amortised as a cost over the entire organisation.

Conclusion
Human Resources Management is an often overlooked, but essential component of information security within an organisation. Information security personal and Human resources need to work together to ensure the overall effectiveness of controls. Technology is no longer the panacea it has been touted to be.

The increase in threats coupled with the growing need to ensure compliance make HR’s involvement with security all the more crucial to an organisation’s continued success. With the greatest threat to an organisation’s security inside its own walls, the majority of information security risk is a direct result of inadequate HRM processes and awareness.
Human Resources operations and controls over information security increase an organisation’s effectiveness when implemented appropriately.

Bibliography
1. Australian Standards Institute, AS/NZS 7799.2:2003,BS 7799.2:2002, “Information security management systems; Part 2: Specification for information security management systems” [BS title: Information security management systems, Part 2: Specification with guidance for use]
2. Apani Networks 2002 “Sarbanes-Oxley Act and its impact on IT Security”, 2004 CNET Networks
3. Banerjee, Debasish; Jones, Thomas W. and Cronan, Timothy Paul, 1996 “The association of demographic variables and ethical behaviour of information system personnel”, Industrial Management & Data Systems 96/3 [1996] 3–10 MCB University Press
4. Coe, Kathleen, Aug 2003, “Closing the Security Gap, Data Protection initiatives should include employee training”, “HR Magazine – Vol 48 No8”
5. Dhillon, Gurpreet (ed), 2001, “Information Security Management: Global Challenges in the New Millennium” Idea Group Publishing, ISBN:1878289780
6. Grembergen, Wim Van (ed), 2004, “Strategies for Information Technology Governance” Idea Group Publishing, ISBN:1591402840
7. Hawkins, Steve; Yen, David C. and Chou, David C. 2000 “Awareness and challenges of Internet security”, Information Management & Computer Security 8/3 [2000] 131-143 MCB University Press
8. Hind, Peter; 2004 “Give it Away, Take my security please… (At the Coal Face)”, CIO Magazine, IDG Communications NSW Australia, May 2004, ISSN 1328-4045
9. Kovacich, Gerald L. “The Information Systems Security Officer's Guide: Establishing and Managing an Information Protection Program, Second Edition”, ISBN:0750676566, Butterworth Heinemann © 2003
10. Information Systems Audit and Control Association, ISACA, “COBIT”, IL 60008 USA,
11. IT Governance Institute, “IT CONTROL OBJECTIVES FOR SARBANES-OXLEY” Rolling Meadows, IL 60008 USA, ISBN: 1-893209-67-9
12. Mead, Richard, 1998, ‘International Management, Cross-Cultural Dimensions‘, 2nd Edn, Blackwell Publishing, UK
13. Mitchell, Ruth C. and Marcella, Rita, and Baxter, Graeme, 1999 “Corporate information security management” New Library World Volume 100. Number 1150. 1999. pp. 213-227, MCB University Press
14. Mitnick, Kevin D. and Simon, William L. 2002, “The Art of Deception: Controlling the Human Element of Security” John Wiley & Sons, USA, ISBN:0471237124
15. National Science Foundation, 1999, “NSF Research Needs Workshop: Building Systems Integration for Performance and Environmental Quality Final Report 99”, NSF Project #9708399, “Results from Oct. 97 Workshop and Research Community” Center of Building Performance and Diagnostics, Carnegie Mellon Univeristy
16. NSW Government (OIT)
Information Security Guideline for NSW Government
· Part 1 Information Security Risk Management
· Part 3 Information Security Baseline Controls
17. O’Brien, James A., 1999, ‘Management Information Systems, Managing Information Technology in the Internetworked Enterprise‘, 4th Edn, Irwin McGraw-Hill Ltd, US
18. O’Bryan, Bernard Burch and Pick, Roger Alan, 1995 ‘Keeping information systems staff (happy)’, Emerald - The International Journal of Career Management, Volume 7 · Number 2 · 1995 · 17–20
19. Protiviti (Independent Risk Consulting), Guide to the Sarbanes-Oxley Act IT Risks and Controls (FAQ) Dec 2003
Publications from the National Institute of Standards and Technology (NIST)
20. NIST Special Publication 800-50, “Building an Information Technology Security Awareness and Training Program”
21. NIST Special Publication 800-35, “Guide to Information Technology Security Services“
22. NIST Special Publication 800-36, “Guide to Selecting Information Technology Security Products”
23. Romeo , Jim, Dec 2002, “Keeping your network safe, HR must protect sensitive data from internal and external security threats”, “HR Magazine – Vol 47 No12”
24. Treen, Doug, 2001, “The HR Challenge for the high-tech start-up”, JANUARY/FEBRUARY 2001, IVEY BUSINESS JOURNAL, The University of Western Ontario Press
25. Turnbull, Ian, “Privacy in the Canadian Workplace — Best Practices”, Paper from HR Privacy 2004: Managing the New Challenges, Society for Human Resource Management/ HR Technology
26. Wood, Charles Cresson, 1997 ” Securely handling staff terminations”, Information Management & Computer Security, Vol. 5 No. 3, 1997, pp. 21-22, MCB University Press Limited, 0968-5227
27. Wood, Charles Cresson, 1993 ” Background checks for employees in computer-related positions of trust (A further contribution on security system checks for employees)”, Information Management & Computer Security, Vol. 3 No. 5, 1995, pp. 21-22, MCB University Press Limited, 0968-5227
Web Sites
1. Christopher, Abby, CIO Magazine, “The human firewall”, 28/10/2003 http://cio.co.nz/cio.nsf/0/CD50373FD1A06BD3CC256DCD00015C68?
2. “Computer Security Awareness – Quiz from the Fermi National Accelerator Laboratory”, http://computing.fnal.gov/security/checklist.html
3. Countering financial crime risks in information security [Financial Crime Sector Report] http://www.fsa.gov.uk/pubs/other/fcrime_sector.pdf
4. Hay/McBer (2000). “Research into teacher effectiveness: A model of teacher effectiveness report by Hay McBer to the Department for Education and Employment”. Report prepared by Hay/McBer for the government of the United Kingdom, http://www.dfee.gov.uk/teachingreforms/mcber/.
5. McCarthey, John, CIO Magazine, Nov. 15, 2001 “RISK MANAGEMENT, Plan for People, Not Just Systems” http://www.cio.com/archive/111501/where.html
6. McLelland, Ross (2004), “Emotional intelligence in the Australian context”, Pacific Consulting, http://www.pacificconsulting.com.au/articles_ei.htm
7. Savage, Marcia, Hiring Hackers, A Heated Debate, 16th Apr 2003, CRN, viewed 06th Mar 2004, <http://www.techweb.com/wire/story/TWB20030416S0003>.
8. The Associated Press. “Famous hacker Kevin Mitnick gets hacked”, 11th Feb 2003, CNN, viewed 22nd Mar 2004 < http://www.cnn.com/2003/TECH/internet/02/11/hacker.hacked.ap/>
9. The House of Representatives (H.R. 5005)Homeland Security Act of 2002, November 19, 2002, viewed 6th March 2005 <http://news.findlaw.com/hdocs/docs/terrorism/hsa2002.pdf >

[1] IT Governance Institute
[2] COBIT Version 3.2
[3] COSO, Committee of Sponsoring Organisations of the Treadway Commission
[4] COBIT, is maintained by the ISACA
[5] Information security management (ISMS) Part 2: Specification for information security management systems (Australian Standards Institute)
[6] OIT, Office of Information and Communications Technology, NSW Department of commerce
[7] NIST 800-50, “Building an Information Technology Security Awareness and Training Program”
[8] Christopher (2003), The Human Firewall.
[9] Modified from the controls listed in NIST Special Publication 800-50