IT Brief New Zealand - Technology news for CIOs & IT decision-makers
Sun, 1st Nov 2009

An overview of the legal principles surrounding business IT.

There are five key areas that CIOs should be considering, along with their board of directors or appointed executive team, when assessing technology-related legal risks and issues.

1. Data protection

This is a broad heading that covers three areas:

Privacy issues: (ie: personal information relating to identifiable people). Do your contract terms, published policies, IT systems and corporate practices ensure compliance with the Privacy Act and related regulations?

Confidential information: This is non-personal information that is either confidential to your organisation or to another organisation or person and which has been imparted to you in confidence. Do your systems classify and store such information in the most secure manner possible, restricting internal access to a 'need to know' basis only?

Data security: This relates to data and document/file retention, integrity and security over time. Does your organisation have clear corporate policies that then drive your IT systems architecture, and ensure that data, documents and other files are stored with a high degree of integrity for the required time and will be readily retrievable?

These issues should be considered closely, especially in a cloud computing context when data is stored on third party systems, often offshore, and along with data from other organisations. Will your data be secure and readily retrievable in an acceptable form? Do you know which country or countries your data will be stored in and whether local laws in that jurisdiction may have an impact on the security of your data or your ability to retrieve it?

2. Intellectual property rights

Does your organisation have the legal right to be using the software applications and other intellectual property (eg: trade marks, content subject to copyright ownership, possibly a patented invention, etc.) in the manner in which you are using them?

There are two components to this question: Firstly, the existence of the primary legal right in question (whether by ownership or licence). Secondly, whether the manner of use accords with that right. For example, is your organisation acting within the terms of its existing software licences given the infrastructure it is used on, the location it is used, and the number of users, etc? Wrongful use may be exposing your organisation to a claim for damages or other form of legal remedy in time.

3. IT supply arrangements

Do your IT contracts provide your organisation with the best possible legal position for the relevant material risks? Whether the contract relates to cloud computing services, outsourced services, system support and maintenance, data storage, software or system supply and integration, the relevant material issues need to be considered and addressed effectively in the contract. Also, do your supply contracts best mitigate against budget, time and scope overruns relative to the supply arrangement in question?

4. Industry or organisation-specific regulatory issues

Beyond purely IT-specific legal issues, there will be other regulatory requirements which your organisation needs to be aware of and comply with. For example, these might relate to record retention requirements under the Companies Act, the Financial Reporting Act or general audit requirements; unsolicited electronic messages; money laundering; the storage and retrieval of public records, etc. Specific assessment needs to be undertaken of the broader regulatory context which applies to your organisation, so as to ensure that your IT systems are best designed to ensure compliance (and provide the best evidence of that compliance if required).

5. Corporate governance issues

Many of the above issues tie in with – and are to a large degree dependent on – the extent to which your organisation has a clear and robust corporate governance model, with related policies and practices.

For example, data protection breaches often flow from poor or non-existent HR policies – not necessarily a failure with the IT systems. Also, if your organisation was involved with litigation (whether defended or initiated), would you be able to quickly find the best evidence possible (including in relation to the integrity of that evidence) from within your IT systems to support your claims? Hopefully that information, once retrieved, also evidences strong corporate governance practices for your organisation generally (as may be required).

Companies and other organisations with strong corporate governance practices will often have a risk committee or other corporate risks owner who either sits on the board or reports directly to the board and works closely with the CIO and other executive heads. This practice is scalable to fit the size and nature of the organisation and is a good first step towards addressing the risks and issues noted above on an ongoing basis.

Stay positive

The above points are a high-level checklist and provide a platform to progress from. Non-compliance may result in a range of consequences, from minor fines through to director liability and conviction, major damages claims, an injunction preventing continued use of intellectual property, or major brand damage in the case of data protection breaches. Compliance and good governance on the other hand are likely to result in brand enhancement, efficient and harmonious internal procedures, and the avoidance of costly blunders.