That dirty word: compliance
Compliance isn't a very popular word for businesses. In fact, until relatively recently if you asked most companies about their IT compliance policy they would point blandly to a pro forma document warning employees not to download inappropriate material from the internet. Or they wouldn't have one at all.
However, recent changes to New Zealand's copyright legislation have brought into the spotlight the need for businesses, as employers, to have a comprehensive IT compliance policy.
To put it bluntly, employees infringe copyright on virtually a daily basis. Employers who haven't taken adequate steps to prevent this happening may be liable for that infringement. As it is no secret that many rights holders are looking for high-profile companies to make an example of, the bigger the company the bigger the risk…Why is having an IT policy (suddenly) so important? There has been a widespread media circus surrounding the proposed change to the Copyright Act in Section 92A.
This draft section requires an ISP to have a reasonable policy to terminate the internet account of a repeat copyright infringer. Leaving aside the fact that this is something virtually every ISP's terms and conditions have allowed them to do for years, the debate has raged on as to standards of proof and who should or could be terminated or when. The result has been that Section 92A still hasn't come into force.
However, in all the excitement, everyone appears to have forgotten about all the other changes that have been enacted. These amendments make employers potentially liable for copyright infringement by their employees. While these amendments are expressed to apply only to 'Internet Service Providers' (ISPs), an ISP is defined to include anyone who "hosts material on websites or other electronic retrieval systems that can be accessed by a user".
As a result, almost every business may fall within the definition of an ISP.So, what does that mean in practice? Put simply, unless a suitable compliance policy is in place, a business could be liable for any copyright infringement carried out by its employees.
Compliance requirements
Under the amendments, where a user downloads and stores material which infringes copyright, the ISP will be taken to have infringed copyright if the ISP knew or had reason to believe that it did so and did not take immediate steps to delete the material or prevent access to it.
Similar rules apply to ISPs caching material. In general, ISPs are not liable unless they modify the material, breach any conditions imposed by the copyright owner, interfere with lawful use, or omit to update the material. ISPs are liable for caching infringing material when they have noticed that the material has been deleted or blocked from its original source.
This means that employers are potentially liable for any infringing material contained in an email received by an employee, or anything downloaded by an employee. Failure to have in place an appropriate IT policy could be disastrous.