Electronic Markets and Security Requirements - The Legal Basis

responsibilities of the parties involved. This paper concentrates on the legal situation in Switzerland. However, the security aspects will also be valid from the international point of view. Especially in a crossborder situation, where there are no more physical borders and where data flows freely, security measures cannot target on an isolated and clearly defined environment anymore. In IS security, controls are more than just technical and organizational measures to secure availability , integrity and confidentiality. Control encompasses the policies, procedures , practices and organizational structures that assure the adequacy of information asset management and the consistency and reliability of IS activities. The integration of classic EDP techniques with telecommunications (telematics) increases the demand for controls, where more than just technical aspects are considered. This paper will treat the legal framework and the associated technical questions. Most of the recent developments of information interchange, like electronic signatures and EDI, are not yet represented in most of the European laws. A stable legal framework under public law has to be established to assure a trusted legal environment. In the meantime, there will be an urgent need for well defined contractual relations. The private agreements are limited, they can only be legally binding for the contracting party, thus automatically limiting the chances of open markets in todays legal framework. The simplified situation in figure 1 is showing the typical relations between public and private law: Although there are countries like Germany where the relations between the PTT are nowadays stipulated under private law, most of the key points, like the liability rules, are still based on public law and there is only narrow margin for private arrangements. Some laws are already directly affecting electronic Data Privacy Law (DSG) According to Art. 7 DSG personal data has to be protected by the use of appropriate and proportional security measures. A more detailed description can be found in Art. 9 VDSG. The responsibility lies with the data owner. In cases, where personal data will be processed outside the owners facilities, e.g. transmitting and storing data, the owner has to make sure that the mandatory will treat the data the same way he is allowed to (Art. 11 DSG). The supplier of enhanced services who is processing personal data is subject to the Privacy law, which means that he might be obliged to notify his data processing activities (Art. 11 DSG). Security measures According to …