Personal tools
You are here: Home Proceedings Committee Proceedings .nz Oversight Committee Archive Other Items G Adlam Advice
 

G Adlam Advice

This is the text of the advice to the Council from Gavin Adlam, solicitor

19 December, 2001

The Council
The Internet Society of New Zealand Inc
Wellington

(By email)

SRS: Structure and Legal Risks

1.Background

1.1You have asked me to provide advice on some specific aspects of the proposed shared registry system, for management and operation of the .nz domain name system. The Council's requirements have been passed on to me in a meeting with Rose Percival, who also provided copies of the "Proposed Framework and Business Rules" document of 20 November 2001 (v1.0 the "Framework Paper") and the Council memorandum of 21 November 2001 "Governance of the .nz ccTLD" (the "Governance Paper").

1.2The framework contemplated in those two papers for the governance, management and operation of the .nz domain include:

a)InternetNZ, through its Council, accepting the ultimate responsibility to ICANN in accordance with RFC1591;

b)The Council establishing a subcommittee (the ".nz Board" or the "Board") to discharge the Council's governance responsibilities and to implement an operational framework (including the appointment of a ccTLD Manager);

c)A ccTLD manager (the "Manager"), to be appointed by the Board and to have the operational responsibilities and the authority to carry them out on a daily basis.

1.3It is implicit in the governance paper, and consistent with the framework paper, that the .nz Board is a subcommittee of the Council (with members appointed to the Board by the Council, but not necessarily being Councillors) and that the ccTLD Manager is an employee of InternetNZ (appointed by the Board in accordance with the Board's delegated authority to make that appointment).

1.4The Council has now asked for advice on:

a)The extent to which the Society, Council, the Board or the Manager may be exposed to risks arising out of the implementation and operation of the shared registry system;

b)More particularly, the extent to which the Society or the Council might be exposed to claims under the proposed authorisation agreement;

c)Whether it might be appropriate to procure insurance cover against certain of the potential risks;

d)Whether there are other steps or arrangements which are available to the Council to manage or reduce the exposure to the possible risks.

1.5The comments which follow indicate, though only briefly, some of the potential areas of risk to the Society. They also set out the way in which the Society may be liable for the acts or omissions of the Council, the Board (as a subcommittee of Council) and the Manager (as an employee). I have included some further comments on how it might be possible to limit the exposure of InternetNZ to some of these liabilities.

2.Liability for delegated functions

2.1Under the proposed framework, InternetNZ is the party with functional responsibility for the operation of the .nz domain at several levels. Broadly, those are:

a)The policy-setting function, with accountability to ICANN, which is carried out by the Council;

b)The function of implementing the framework, including setting policies and criteria for the registry and registrars, which is carried out by the Board; and

c)The operational functions, including implementing the policies and setting procedures for authorising registrars, contracting with the registrars and registry, enforcing contracts and other performance obligations and dealing with operational complaints and disputes. These functions are primarily carried out by the Manager, though the proposal seems to contemplate that some will be functions of the Board.

2.2Although these functions may be carried out by a separate bodies within InternetNZ for governance purposes, there is no distinction between them for the purpose of considering legal liability or responsibility to third parties. Each of the separate bodies is a representative or delegate of InternetNZ.

2.3In general, when a person or organisation (the Principal ) delegates a function or a task to an agent or employee (a delegate), the Principal will be responsible for the acts or omissions of the delegate within the actual or ostensible authority given under the delegation. The delegate may be personally liable if it exceeds the actual authority given by the delegation, but that will be a claim between the Principal and the delegate.

2.4The ostensible authority is that the authority which third parties are justified in believing the delegate has been given. It may be, and generally is, wider than the actual authority. If the Principal equips the delegate with the appearance of authority, the Principal may be liable to third parties for the consequences of the delegate exercising that authority, even if the delegate exceeds the actual authority given by the Principal or exercises that authority wrongly.

2.5The Principal may reduce its exposure to liability for delegated activities by reducing the level of control which it exercises over those activities. Thus, if the Principal engages a party under contract to deliver certain outcomes, and leaves the contractor with its own discretions and responsibilities in achieving those outcomes, then the liability to third parties may be borne by the contractor and not by the Principal. The Principal may avoid exposure to third party claims if it ensures that, in fact and to the knowledge of the third party, the contractor has no authority to bind the Principal and carries out its functions as an independent contractor.

2.6To the extent that the contractor can show that its actions are the direct result of the Principal's instructions, the Principal is likely to be liable for any claims which arise from them.

3.Liability under the proposed framework : .nz Board

3.1The current proposals are for a Board to be constituted as a subcommittee of the InternetNZ Council. The details of who is on the Board and how they are appointed are important in consideration of a suitable governance structure, but are less significant in respect of the rules of liability. The Board would not be a separate legal entity from the Council, so that any acts or omissions of the Board would be regarded legally as acts or omissions of the Council.

3.2As a result, the responsibility or liability for anything done by the Board, or claims made against the Board, would be the responsibility of InternetNZ acting through its Council. This means, of course, that any monetary claim which succeeds could be pursued against the whole of the assets of InternetNZ.

3.3It would be possible to conceive of a situation in which Council publicly delegates certain functions to the Board, and the members of the Board publicly accept full (ie personal) responsibility for carrying out the delegation and for indemnifying the Council. That does not seem a plausible scenario.

3.4The question of liability is distinct from the delegation and functional responsibilities that should be implemented for the purposes of good governance. For governance and management purposes, as long as the delegation arrangements are appropriate and clearly expressed, and the functional separation between the full Council and the subcommittee are properly understood, the governance arrangements can be implemented effectively. However, if any liability arises towards any third party, then there is no distinction in legal terms between the Board and the full Council, unless the acts or omissions of the Board are so far outside their actual or ostensible authority that liability falls on them personally rather than as a delegate of the Council.

4.Liability for acts or omissions of ccTLD Manager

4.1The current proposal is that the ccTLD Manager will be an employee of InternetNZ. Although it is proposed that the Board should appoint the Manager, and that the Manager will report to the Board rather than to the Council, the Board is merely a delegate of the Council for this purpose. The only legal entity which is capable of entering into an employment contract is InternetNZ (acting through the Council or some person to whom the Council has delegated the authority).

4.2In the same way as InternetNZ is liable for the acts or omissions of the Board and will be the legal entity involved in any claims arising out of the Board's activities, the same considerations will apply in respect of any claims arising out of the Manager's activities. As with the Board, the only circumstance in which InternetNZ might have no responsibility would be if the Manager clearly acted so far outside the actual or ostensible delegated authority, that those actions could not be attributed to the Council or InternetNZ. In practice, even in those circumstances, if a formal claim is made then it would be made against InternetNZ, which would then have the task of distinguishing its position from that of the Manager.

4.3If the Manager is an individual, to be engaged on an employment contract, it is not likely that InternetNZ could get any form of indemnity from the Manager. If the Manager is a body corporate which is contracted to carry out the operational functions, it may be possible to frame a contract which leaves the responsibility for those functions with the Manager. That has not been proposed in the Framework or Governance papers.

5.Nature of risks and claims

5.1It is almost inevitable that the function of managing and operating the top level domain will give rise to actual or perceived mistakes, breaches of duty, disputes and claims. At the highest level, InternetNZ (through its Council) has accepted the responsibilities referred to in RFC1591. To carry out those responsibilities it will, at least, have to put in place a policy and operational framework.

5.2It would be feasible for InternetNZ to delegate or subcontract parts of the management and operation of the Registry and the DNS system to other parties, so that the residual functions of InternetNZ continue to be:

a)Setting policy guidelines;

b)Monitoring and enforcing performance by the managers/operators of their contracts and related obligations.

5.3To the extent that InternetNZ follows a proper process in setting policy, and the policies themselves are not unlawful or outside the roles for which it has authority, then InternetNZ would be exposed to very little risk as a direct result of those high level actions. One matter which should be considered more closely is whether the proposals for setting authorisation criteria and setting terms for standard authorisation and registrant contracts might amount to arrangements for which authorisation should be sought under the Commerce Act 1986.

5.4The other parties (whether separate contractors, or functional bodies of InternetNZ such as the proposed Board or Manager) have more detailed functions to carry out and are required to exercise discretions, make judgments, enter into contracts and enforce them and to implement (possibly formulate) detailed policies and procedures from day to day. The ways in which they perform these functions are likely to have direct effects on the interests of individual citizens or companies. They could, for example, face challenges such as claims that the "standard" registrar contracts are oppressive, amount to a wrongful exercise of monopolistic or market power or are inconsistent with the original policy guidelines. They could face claims by registrars (and aspiring registrars) that the criteria for registration fall outside the policy, or the decisions made on applications for registration are inconsistent with the criteria.

5.5They could also face claims by registrants that they have been disadvantaged in some way by the conduct of a registrar (holding the Board or Manager responsible for authorising a registrar which turns out to be unreliable or even dishonest), or claims that confidential material has been misused by registrars or even by the Manager or the Board.

5.6Inevitably disputes will arise between registrars, and between registrants and registrars, and between registrants and claimants who consider that they have some claim to a name. Registrars will process names on the basis of inadequate authentication of an applicant for a new name or for a change. Parties who feel that they have been disadvantaged by any decision or error or exercise of discretion will seek to advance their claims against any party they can conceivably bring a claim against, particularly if that party has "deep pockets".

5.7Other examples of claims which registrants are likely to bring, include:

a)Claims against the Manager or Board (whichever is responsible) for granting authorisation to a registrar who turns out to be dishonest, incompetent or merely inadequate;

b)Claims against a Manager or registrar that information held by the registrar has been misused, or disclosed without authority;

c)Claims about the reallocation or "freezing" or cancellation of names;

d)Claims of liability for loss of fees already paid, or loss of names and the use of names when registrars fail or are "de-accredited".

5.8Although I have referred above to claims against or risks faced by the separate functional bodies in the governance and management hierarchy, if those bodies are part of InternetNZ (as a subcommittee of Council and an employee), any claims or costs will be incurred by InternetNZ. If all levels of the delegation hierarchy are occupied by the same legal entity, that same legal entity will ultimately bear the responsibility, if there is one. To the extent that InternetNZ has other assets which might be available for meeting a claim, they will in effect be made available for meeting claims at any level of the hierarchy.

6.Risk management strategies

6.1In general, it can be said that high standards of governance and management will implicitly correlate with good risk management. In particular, establishing clear lines of delegation, and publishing the terms of delegation and the criteria by which the delegate will make decisions and exercise discretions, increases the chance that any error on the part of the delegates will not result in claims to the "principal" for wrongly granting the delegation or setting the criteria.

6.2To the extent that the various levels in the hierarchy can ensure that their own tasks are carried in accordance with proper processes, and the criteria by which they delegate more detailed operations are made public and justified, the easier it will be for them to disclaim responsibility for operational decisions (or errors) made by those lower in the hierarchy. Even while all of the various parties have a direct relationship with InternetNZ, the processes of careful and transparent delegation will help to minimise risks and exposures to liability, although any liability which is established will ultimately fall upon InternetNZ.

6.3If a framework is established so that the different levels in the hierarchy are occupied by independent contractors, who are allocated a range of tasks and responsibility for carrying them out (including the powers to exercise discretion, enter into contracts, comply with and enforce the contracts that they enter into and to be responsible for their own mistakes), the liability for those functions will be much more difficult to attribute to those entities further up in the hierarchy of delegation.

6.4The business of accrediting and contracting with registrars, enforcing those contracts and dealing with claims by registrars, registrant and others is only a part of the operations of InternetNZ, but it is probably the most risky part. It may be possible to treat that part of the operations as a separate and independent function, and to sever the risks and liabilities which attach to it from the wider operations of InternetNZ. I do not consider that there is any satisfactory way of achieving that outcome while a single legal entity is responsible for the full range of functions.

6.5It would be possible to achieve some degree of separation by ensuring that those functions where liabilities are most likely to arise (such as the exercise of discretion about the authorisation or "de-accreditation" (cancellation) of registrars, or exercising remedies in respect of registrars failing to comply with their obligations under the registration contract), could be exercised by a party which is separate from and has an independent contractual relationship with InternetNZ for the purpose of carrying out those functions.

6.6Depending upon the detail of how the respective functions are to be allocated, that independent contractor could be the party described in the proposal as the .nz Board (ie by forming a separate subsidiary to carry out the tasks allocated to the .nz Board). Another possibility is that the .nz Board is a high level manager, setting policies and criteria for authorisation, which allocates to an independent contractor, the ccTLD Manager, the role of contracting with and supervising the registrars.

6.7While including a separate legal body would be necessary to achieve separation of the exposure to risk, it is not a sufficient condition by itself. The delegation arrangements would need to lay down the criteria and policies and to specify the required deliverables or outputs, while relinquishing control to that body of the decisions and actions which give rise to the exposures. If the Council or the Board decide to retain that control, in the terms of the delegation agreement or the way it is implemented, InternetNZ will retain the responsibility which goes with that control.

7.Insurance

7.1In the course of discussion, the suggestion was made that it might be appropriate to have professional indemnity insurance cover for InternetNZ and related organisations. My understanding is that professional indemnity cover is usually provided to indemnify consultants and advisers who are providing professional advice against claims for negligent advice. However, there is no doubt that there are some risks involved in the management of the DNS, and there is an exposure to liabilities or losses arising throughout the interdependent web of people and equipment where errors might occur.

7.2It would be appropriate for InternetNZ to investigate more closely the insurance market to see what policies would be available (whether referred to as professional indemnity cover or public liability or by some other name) which could provide some protection to InternetNZ. It should be recognised that insurance as a risk management tool is really of value to deal with claims (and the cost of defending claims) where the amount of possible liability is greater than the organisation can comfortably meet from its own resources.

7.3The experience to this time in New Zealand has been that the amounts at issue, in arguments over competing claims for domain names or alleged errors or misjudgments in the management of the domain name system, would not have put InternetNZ at risk. However, with the introduction of multiple registrars, having varying levels of experience, there is still the potential for larger claims. That risk would justify some further investigation into the cost and range of cover available under a suitable form of insurance.

7.4With InternetNZ indicating publicly, by the process of authorisation, that the authorised registrars meet the criteria for acceptability, I expect that claimants will seek remedies against InternetNZ if they are doubtful of their chances of success and recovery against a troublesome (or insolvent) Registrar.

8.Conclusion

8.1In summary, I consider that:

a)On the basis of the framework as proposed, with the Board as a subcommittee of the Council and the Manager as an employee, any claims arising out of the actions of the Board or the Manager will be claims against InternetNZ;

b)As the proposed authorisation agreement will be entered into by the Manager or the Board, InternetNZ will be a party to any disputes or claims arising out of those agreements;

c)I expect that other parties, including registrants and others who have disputes or claims against registrants, registrars or the registry, will seek to enforce those claims against InternetNZ if they see any possibility of doing so. That will particularly be the case where they have problems with registrars who are unable or unwilling to provide remedies. Some of those claims will be based on the argument that InternetNZ has authorised the registrar, which amounts to a representation that the registrar is competent, so InternetNZ will have to provide a remedy for the incompetence or other fault of the registrar;

d)I expect that some of these exposures could be insured against, but I cannot advise on the extent and cost of insurance cover which might be available. I suggest that InternetNZ should make inquiries of its insurance broker;

e)A sound framework for delegating and monitoring the governance, management and operational functions, with the relevant skills and disciplines, will incidentally serve to manage and control exposures to risk;

f)The framework could be adapted to include a separate entity, with the task of implementing policies laid down and of managing the contractual interface with registrars. If those arrangements publicly and adequately removed the operational functions from InternetNZ, that would reduce the exposure of InternetNZ to the risks arising out of those operational functions. However, that would also require InternetNZ to relinquish the detailed management of the operations.

8.2&9;Please let me know if you need any further explanation of any of these matters, or if I can help in any other way.

Regards

Gavin Adlam

Document Actions