New Zealand Law Commission
[T]he law of tort is the general law, out of which the parties can, if they wish, contract; and . . . the same assumption of responsibility may, and frequently does, occur in a contractual context. Approached as a matter of principle, therefore, it is right to attribute to that assumption of responsibility, together with its concomitant reliance, a tortious liability, and then to inquire whether or not that liability is excluded by the contract because the latter is inconsistent with it. (Henderson v Merrett Syndicates Ltd  2 AC 145 (HL), per Lord Goff of Chieveley, 193)
138 The law of torts governs civil rights and duties owed among various members of society. Unlike the law of contract (where obligations are consensual in nature), rights and duties in tort are imposed by law. Sir Ivor Richardson, the current President of our Court of Appeal, recently said:
[T]he law of torts may be viewed as supplementing contract law by devising rules for allocating or spreading losses in situations where it is too costly for potential injurers and potential victims to enter into contractual relationships with each other to make that allocation. . . . And precedential decisions of the courts in common law jurisdictions may supply a level of detail that is costly to duplicate through private bargaining.46
139 Civil proceedings in tort take the form of an action for recovery of compensatory damages or other available remedies for injuries or losses caused by the acts or omissions of another or others in breach of a right or duty imposed by the law.47
140 In a commercial context the law of torts is concerned primarily with compensating losses caused to economic interests, whether physical or intangible, when a right is breached or a duty is not adequately performed. Under the Accident Rehabilitation and Insurance Compensation Act 1992 s 14 and its predecessors, it is not generally possible to bring claims for damages arising out of personal injury in New Zealand. This has had an effect on the way in which the law has developed.
141 There is no exhaustive definition of the law of torts. Historically, new torts developed, from time to time, to address social needs arising from the changing nature of society. For example, in M’Alister (or Donoghue) v Stevenson  AC 562 (HL) the concept of a duty of care was expanded in a way which addressed the development of (then) modern packaging and distribution methods for consumer goods. Before that the courts had not recognised that a duty to take reasonable care in the manufacturing of products could extend beyond contractual relationships. This was despite the existence of distribution networks involving wholesalers and retailers which did not involve contractual relationships between the manufacturer and the ultimate customer.48 At the present time new torts seem to be emerging to meet modern society’s concerns, for example, invasion of privacy: Bradley v Wingnut Films Ltd  1 NZLR 415; and harassment: Khorasandjian v Bush  QB 727.
142 It is perhaps best to start with Lord Atkin’s dictum in M’Alister (or Donoghue) v Stevenson  AC 562 (HL) in which his Lordship, in discussing the concept of “neighbourhood” for negligence purposes, said:
The liability for negligence, whether you style it such or treat it as in other systems as a species of “culpa”, is no doubt based upon a general public sentiment of moral wrongdoing for which the offender must pay. But acts or omissions which any moral code would censure cannot in a practical world be treated so as to give a right to every person injured by them to demand relief. In this way rules of law arise which limit the range of complainants and the extent of their remedy. The rule that you are to love your neighbour becomes in law, you must not injure your neighbour; and the lawyer’s question, Who is my Neighbour? receives a restricted reply. You must take reasonable care to avoid acts or omissions which you can reasonably foresee would be likely to injure your neighbour. Who, then, in law is my neighbour? The answer seems to be – persons who are so closely and directly affected by my act that I ought reasonably to have them in contemplation as being so affected when I am directing my mind to the acts or omissions which are called in question. (580)
Those observations of Lord Atkin form the basis of our current law of negligence, even though that law has expanded somewhat to meet changing social and policy requirements (see paras 168–169).
143 In the context of electronic commerce it is relevant to question whether Parliament should seek to impose restrictions upon the operation of the law of torts because of the prospect of exposing persons trading through the internet to “liability in an indeterminate amount for an indeterminate time to an indeterminate class”: Ultramares Corporation v Touche NY Rep 170, 174 (1931).
144 Examples of the type of issues raised by electronic commerce conducted over the internet are:
145 The second of our guiding principles proceeds on the premise that fundamental principles underlying the law of torts should not be changed but should be adapted, if necessary, to meet the needs of the electronic environment. The question is whether there is any need to adapt the law to take account of technological developments.
146 This chapter considers those torts which are likely to give rise to difficulties in the electronic environment in the context of business-to-business transactions involving international trade. It is necessary to assume that the law to be applied in the international transaction will be the law of New Zealand;52 accordingly, the law is addressed from that perspective.
147 Trespass to property is a wrongful interference with goods in the possession of another (Todd et al 1997 para 11.2.1). The interference must be direct and physical, but the defendant need not make personal contact with the goods (eg, it is a trespass to goods if damage is caused by use of a projectile: Todd et al para 11.2.2). It is unclear whether the interference with goods may be unintentional, or whether actual damage to the goods must result in order for the elements of the tort to be established: for example, Wilson v New Brighton Panelbeaters Ltd  1 NZLR 74. However, as the usual remedy for trespass to property is damages for the diminution of value or cost of repairing the goods, it is unlikely that a potential plaintiff will commence proceedings unless his or her property has been damaged. In an electronic environment, the main question which arises is whether it is possible to recover in trespass for damage caused by a computer hacker or a computer virus.53
148 The question of whether it is possible to claim damages in trespass for losses caused by hacking or a computer virus raises three basic issues:
149 The tort of trespass to goods requires direct and immediate interference with the plaintiff’s goods by the defendant (Todd et al para 11.2.2; Clerk and Lindsell 1995 paras 13-159–13-161). There is no requirement that the defendant physically touch the plaintiff’s goods; for example, in Hamps v Derby  2 KB 311 the defendant interfered with the plaintiff’s goods (racing pigeons) by shooting at them.
150 Although there appear to have been no cases in which transmission of a computer virus has been held to constitute a trespass to goods, there is a clear analogy between deliberately shooting at personal property with the intention of causing damage to it and deliberately transmitting a computer virus (whether by email or on an infected disc) with the intention of damaging the recipient’s computer system. In both cases, the wrongdoer seeks to harm the plaintiff’s property by use of a device capable of inflicting damage at a distance.54 The same result is achieved where a hacker deliberately alters computer files in order to cause inconvenience or damage to the owner.
151 There is authority in English criminal cases that altering a magnetic disc constitutes damage to property: Nicholas Alan Whiteley (1991) 93 Cr App Rep 25; Cox v Riley (1986) 83 Cr App Rep 54. In Nicholas Alan Whiteley, the Court of Appeal stated that where “the interference with the disc amounts to an impairment of the value or usefulness of the disc to the owner, then the necessary damage is established” (29). In doing so Lord Lane CJ distinguished between tangible property being damaged and the damage itself being tangible. The decision suggests that such conduct would constitute wrongful interference with goods in civil proceedings.
152 Authorities differ as to whether intention is a necessary element of the tort of trespass to goods. The authors of The Law of Torts in New Zealand suggest that trespass should be regarded as a purely intentional tort, and that unintended acts should be actionable in negligence (Todd et al 1997 para 11.2.1). However, in Wilson v New Brighton Panelbeaters  1 NZLR 74, 77 Tipping J appeared to assume that unintended interference with goods is trespass provided there is evidence of damage.55 Similarly, in National Coal Board v JE Evans & Co Ltd  2 KB 861 the English Court of Appeal held that the wrongful interference with the plaintiff’s goods must at least be negligent for there to be any liability in trespass.56
153 On this basis, liability in trespass for wrongfully transmitting a computer virus does not necessarily require knowledge of the existence of the virus on the part of the defendant. It will be sufficient if the defendant should have known of the existence of the virus and failed to take adequate precautions to prevent its transmission. This raises the question of what constitutes an adequate standard of care against infection by or transmission of computer viruses; this issue is addressed in paras 172–176. However, unlike the tort of negligence, there is no need to prove that the damage suffered by the plaintiff was foreseeable by the defendant (Todd et al, para 11.2.4; Mayfair Ltd v Pears  1 NZLR 459; see also para 169 of this report).
154 Damage caused by a computer virus is not of a physical nature. The computer, or rather the storage device (such as a hard disc) within which data is recorded, is not rendered inoperative in any physical sense. Rather, it is prevented from operating properly. It is also possible that data stored on the computer may be lost (Gringras 1997 66–69). The loss caused to a business by virus infection may therefore include:
155 The damages available in trespass include the cost of repairing the goods, loss of profits or use of the goods, and in appropriate cases, exemplary damages. Where there is a risk of the interference continuing or being repeated, injunctive relief may also be available (Laws NZ, Tort, paras 285–286).
156 There is a duty imposed on plaintiffs at common law to take reasonable steps to mitigate losses (Laws NZ, Tort, para 43). However, it should be noted that this duty only arises after the damage has been caused. Thus, the law (as well as commercial good sense) requires a business whose computers are infected with a virus to respond quickly. But there would be no penalty for failing to take steps before the damage occurred; for example, losses caused by failure to back up a computer on a regular basis would not constitute a failure to mitigate losses, because that failure occurred before the wrongful interference occurred.
157 Views have been expressed that a defence of contributory negligence may be available in response to an action based on trespass to goods; for example, in Dairy Containers Ltd v NZI Bank Ltd  2 NZLR 30, Thomas J came to that conclusion after analysing the Contributory Negligence Act 1947. This view is not firmly established and has been the subject of academic criticism (Todd et al 1997 para 21.1.4(a)). The law remains unsettled in this area. The Law Commission recommended in its recent report, Apportionment of Civil Liability (NZLC R47 1998), that the whole of the law regarding contribution in civil cases be reformed and if that reform is enacted it will be possible to raise contributory conduct by way of defence. Having regard to the views expressed in Apportionment of Civil Liability the Commission does not consider it necessary to embark upon a reconsideration of this issue in this context.
158 Although the action for breach of confidence has its origins in equity rather than tort, we include it in this discussion because of the likelihood that confidential information will be stored electronically. The extent to which the law is able to protect businesses who store confidential information is therefore of importance.
159 Liability for breach of confidence typically (although not necessarily always) arises in equity when information which is confidential57 is imparted in circumstances importing an obligation of confidence and that information is used by the confidant to the detriment of the confidor.58 Remedies include injunctions to prohibit the disclosure of confidential information, orders for the delivery or destruction of the information, and damages.59 It may not be necessary to prove that the defendant has caused harm to the plaintiff by unauthorised use of the confidential information60 and the mere threat of improper use is a sufficient foundation for injunctive relief: Ross Industries (New Zealand) Ltd v Talleys Fisheries (unreported, HC, Auckland, 5/9/97, CP68/97), 3.
160 Electronic commerce has thrown some aspects of the law relating to breach of confidence into sharp focus. In particular the use of electronic communications technology raises essential questions about the availability of remedy when:
161 It is technically possible to obtain information from a computer in a way which does not give rise to liability in conversion or trespass to property. For example, where a computer is part of a network it may be possible for a hacker to penetrate security barriers and copy commercially sensitive or valuable files. In such a case, there may be no damage to the computer or the files on which to base an action for trespass to property. Similarly, because the files are copied rather than stolen, the owner is not deprived of possession, and may therefore be prevented from claiming damages for conversion. In any case, the remedy for conversion would in many cases be unsuitable because the defendant would be required to pay damages rather than destroy or deliver up the information. In the absence of any prior contractual or fiduciary relationship between the owner of the files and the hacker, and assuming the files are not protected by copyright, it is likely that breach of confidence will be the owner’s only possible remedy.62
162 Whether a remedy for breach of confidence is in fact available is, however, somewhat uncertain. The traditional requirement that the information be imparted in circumstances giving rise to an obligation of confidentiality generally concerns a situation where A deliberately gives information to B in circumstances where A intends the information to be confidential and B is aware (or ought to be aware) of that fact. This differs from the scenario outlined above, because the information is not voluntarily imparted, but taken. In its 1981 report, Breach of Confidence, the Law Commission for England and Wales concluded at para 4.10:
it is very doubtful to what extent, if at all, information becomes impressed with an obligation of confidence by reason solely of the reprehensible means by which it has been acquired, and irrespective of some special relationship between the person alleged to owe the obligation and the person to whom it is alleged to be owed.63
This position was described by the English Commission as a “glaring inadequacy” (para 5.5) and legislation was proposed which, among other things, would have imposed civil liability for improperly acquiring information by using or interfering with a computer or data retrieval system without authority (cl 5(2)(a)(iii) of the Commission’s yet to be enacted draft Breach of Confidence Bill).
163 Notwithstanding the view of the English Commission, this Commission believes that a person who obtains confidential information by reprehensible means is subject to a duty of confidence.64 In Franklin v Giddins  Qd R 72, 80, Dunn J stated that
it would be extraordinary if a defendant, who acquired by eavesdropping or other improper covert means the secrets of the plaintiff because he would not have been able to get them by consensual arrangement, could defend proceedings by the plaintiff on the ground that no obligation of confidence could arise without communication of the information by the defendant.65
164 We believe this to be a correct statement of the law.66 We note that in Ross Industries (New Zealand) Ltd v Talleys Fisheries Ltd, the proposition that a duty of confidence can only arise in the context of relationship of trust or confidence between the parties was specifically rejected by the court. The Commission is of the opinion that an adequate remedy is available when confidential information is stolen from a computer by a hacker. However, we invite submissions as to whether a statutory remedy of breach of confidence should be enacted. In doing so we express a strong provisional inclination to the view that a statutory remedy could not readily be justified for the electronic environment alone. The nature of the electronic environment simply throws the problems into sharper focus.
165 In Malone v Metropolitan Police Commissioner  Ch 344, Megarry V-C held that no duty of confidence attaches to information acquired by interception of a telephone conversation:
It seems to me that a person who utters confidential information must accept the risk of any unknown overhearing that is inherent in the circumstances of communication. . . .
When this is applied to telephone conversations, it appears to me that the speaker is taking such risks of being overheard as are inherent in the system. . . . No doubt a person who uses a telephone to give confidential information to another may do so in such a way as to impose an obligation of confidence on that other; but I do not see how it could be said that any such obligation is imposed on those who overhear the conversation, whether by means of tapping or otherwise. (376)
Megarry V-C was careful to limit the above statement to the facts of the particular case – tapping conducted by the Post Office on Post Office premises at the request of police who in turn were acting pursuant to a warrant (383–384). But it apparently remains open to argue that no obligation of confidence attaches to the person who intercepts electronic communications, because parties who use electronic communication are deemed to have accepted the risk of messages being intercepted.
166 Although the Commission acknowledges the law is uncertain, we consider that a person who without authority intercepts a message containing confidential information would be subject to a duty of confidence. In reaching this conclusion, we note that while Malone v Metropolitan Police Commissioner has never been overruled, and has not been held inapplicable in New Zealand, it seems to have been limited to its facts in England. In Francome v Mirror Group Newspapers Ltd  1 WLR 892, 895, Sir John Donaldson MR referred to the decision as “somewhat surprising”, and Meagher, Gummow and Lehane regard it as being wrongly decided (1992 para 4109).67 However, until such time as a court holds that the interception of electronic communications imposes a duty of confidence on the person who obtains the confidential information, uncertainty is likely to continue. Once again, we invite comment on whether statutory reform is necessary to remove this uncertainty.
Is a statutory remedy of breach of confidence necessary to impose civil liability for unauthorised copying or interception of confidential information?
167 Liability for the tort of negligence arises when a duty of care owed to another is breached and loss is caused to that person as a result of the breach. The topic is vast, and the categories of negligence are not closed. It is therefore likely that new commercial and communications practices will in time lead to developments in the law of negligence. For the purposes of this paper, however, we focus on two discrete issues which are of particular relevance to electronic commerce: transmission of viruses and liability for advice.
168 In order to establish liability for a negligent act or omission it is first necessary to establish that the defendant owes a duty of care to the plaintiff. This may be accomplished because the case falls within a recognised duty of care, such as liability for a false statement (eg, an action for negligent misrepresentation: see Hedley Byrne & Co Ltd v Heller & Partners Ltd  AC 465). If, however, the case falls outside the scope of established duties, it is necessary to consider the principles set out by the House of Lords in Anns v London Borough of Merton  AC 728:68
First one has to ask whether, as between the alleged wrongdoer and the person who has suffered damage there is a sufficient relationship of proximity or neighbourhood such that, in the reasonable contemplation of the former, carelessness on his part may be likely to cause damage to the latter, in which case a prima facie duty of care arises. Secondly, if the first question is answered affirmatively, it is necessary to consider whether there are any considerations which ought to negative, or to reduce or limit the scope of the duty or the class of person to whom it is owed or the damages to which a breach of it may give rise. (751)
169 In the context of electronic commerce, issues of proximity or neighbourhood are especially problematic. Who is one’s “neighbour” in an electronic world? It is not unreasonable to regard a computer user as having a relationship of proximity with any other computer user with whom he or she is in contact, whether directly or indirectly. Thus, such a relationship would exist wherever information is transferred from one computer to another, either by means of a network or by the physical transfer of information through memory devices such as floppy discs or compact discs. In the case of an internet website, it would be reasonable to extend the relationship to anyone visiting the site. Indeed, it is at least possible to say that any computer network user should realise that negligence on his or her part may ultimately cause damage to any other user of the network, if a virus is transmitted. Thus, the inquiry regarding the nature of a duty of care on the internet is not likely to be whether such a duty could exist, but rather, the number of people to whom the duty is owed.
170 Indeed, Gripman has suggested in “The Doors are Locked but the Thieves and Vandals are Still Getting In” that a duty of care in negligence should be imposed on a business user of a computer system
to prevent hacker intrusions that can severely damage the corporation itself or other internet-connected third party corporations damaged resulting from the original hacker intrusion. (1997 172)
The types of “hacker intrusion” to which Gripman refers are summarised as:
We return to deal with the steps that can be taken to protect a computer system when discussing the standard of care in paras 172–176.
171 The liability of an internet service provider (ISP) in negligence is problematic. However, unless the ISP can properly be regarded as an agent of a user, or as having failed to take adequate steps to ensure that users of its services do not infect other users with viruses, it is unlikely that an ISP would be liable in tort.
172 Where a duty of care exists, there is a legal obligation to exercise a reasonable standard of care:
[S]omething which a reasonable man, guided upon those considerations which ordinarily regulate the conduct of human affairs, would do; or doing something which a prudent and reasonable man would not do. (Blyth v Birmingham Waterworks Co (1856) Ex Ch 781, 784)
Thus, if computer users owe a duty of care to others connected to the same network not to transmit viruses, the question becomes, what is a reasonable standard of care? Liability in negligence does not accrue if a defendant who causes the damage has nevertheless exercised a reasonable standard of care in his or her dealings with a plaintiff.
173 In assessing what is a reasonable standard of care, courts may take into account current industry practice and the nature of the particular virus.70 The extent of the risk may be balanced against the cost and difficulty of taking precautions against that risk. Thus, the reasonableness of any particular set of precautions depends on the nature of the risk. The standard of care may also be elevated if the user claims to be an expert; in such a case, the appropriate standard would be that expected of a reasonable expert, in the field in which the user claims to be an expert. It follows from this that a company which regularly conducts business transactions via computer networks, or the operator of a popular website, may reasonably be expected to employ a higher level of precautions than a casual browser.
174 In general, the risk of transmitting a virus is great if the virus is one which affects commonly used computer software. Conversely, the cost and difficulty of installing software to guard against commonly occurring viruses is not great. However, it should be noted that the duty to take adequate precautions is not fixed in time. Rather, it is, “an obligation which keeps pace with the times. As the danger increases, so must . . . precautions increase”: Lloyds Bank v Railway Executive  1 All ER 1248, 1253. Accordingly, merely installing virus protection software may not be an adequate precaution if that software is not regularly updated.
175 Determination of an appropriate standard of care is linked to the basic purposes of the law of tort. In a computer context Gripman has summarised these as follows:
There are technical means by which computer systems can be made more secure: examples are firewalls and encryption technology.71 It is also possible to acquire anti-viral programs. By acquiring such programs and educating staff as to the problems that can arise through unauthorised entry to a computer system, the possibility of breaching any standard of care may be minimised. It would be wise for those engaged in electronic commerce to take expert advice on the protection measures that are open to them to minimise the prospect of being sued in tort.72
176 Historically, the law has imposed lower standards of care when a defendant is a minor (see, for example, Spiers v Gordon  NZLR 897, and Mullin v Richards  1 WLR 1304). However, tortious acts on the internet may be carried into effect by children of any age without that fact being known to other persons operating within the internet at any particular time. Unless a child was too young or immature to form the requisite intent (for an intentional tort), it is likely that liability would exist. A separate duty (actionable at the suit of the injured person) may also arise against the minor’s parents for failing to supervise the child’s activities properly (Laws NZ, Torts, para 27).
177 A debate has raged for some time as to whether, in an action for negligence, the recovery of “pure” economic loss is possible. The New Zealand courts have held that the distinctions drawn by the House of Lords in Murphy v Brentwood District Council  1 AC 398 (HL) do not apply in New Zealand. This view has subsequently been upheld by the Privy Council in a building case which held that the New Zealand courts were entitled to follow their own path in this regard: Invercargill City Council v Hamlin  3 NZLR 513 (CA); appeal dismissed  1 NZLR 513 (PC).
178 The real issue in the context of electronic commerce is whether there are any policy considerations that would justify limiting the scope of a duty of care based on the formulation in Anns v London Borough of Merton  AC 728. Some of the issues which need to be addressed in that regard are:
A simple requirement that harm be foreseeable may provide no adequate control over the potential ambit of liability, so more restrictive tests may need to be applied. Thus the courts may require specific knowledge or foresight on the part of the defendant of exactly who would suffer harm and how it would come about and what form it would take. (Todd et al 1997 para 4.3.3)
– the court should not allow a plaintiff greater recovery in tort than he or she was prepared to pay for in contract;
– whether the plaintiff had or could have some alternative right of recourse against the defendant (eg, where a plaintiff could have bargained for protection in contract); and
– whether insurance is available for the type of loss involved; and if not, why not?
179 Sometimes exemplary damages are sought. Exemplary damages are damages which are designed to punish conduct rather than to provide compensation. They are usually awarded for intentional actions. The Court of Appeal has made it clear that exemplary damages are available in negligence in only the most exceptional cases: Ellison v L  1 NZLR 416 (CA), 419.
180 In negligence proceedings, the plaintiff is required to prove that there is a causal connection between the defendant’s negligent act or omission and the plaintiff’s damage. This is not merely a question of determining that the defendant’s act or omission is a factual cause of the plaintiff’s loss; the plaintiff must also prove that the defendant’s negligence and the plaintiff’s damage are sufficiently closely connected (see generally Todd et al 1997 chapter 20). In other words, liability is limited on policy grounds when the harm is considered to be too remote from the negligence: Overseas Tankship (UK) Ltd v Morts Dock and Engineering Co Ltd, The Wagon Mound (No 1)  AC 388.
181 In the context of computer networks, the need to prove causation may be of particular importance in cases where a plaintiff’s computer or website has been infected several times by the same virus. Multiple infections by the same virus will not usually cause more damage than a single infection; it would therefore be a complete defence to prove that the plaintiff’s computer was already infected when the defendant transmitted the virus.
182 The issue of remoteness of damage may arise when the plaintiff’s computer or website has not been infected by direct contact with the defendant. Although there would be little difficulty in establishing that the defendant’s negligent dissemination of a virus is a factual cause of the plaintiff’s loss, it may not be a legal cause if the plaintiff is too remote from the defendant (Gringras 1997 73–76). Several factors may be relevant to this issue:
183 Liability in tort for loss caused by false or negligent advice is not an issue which raises particular problems for those engaging in electronic commerce. However, because advice is a product which can be delivered electronically, it is an area of commerce which can realistically be expected to reap the maximum gain from electronic communications.
184 The duty of care (in the context of negligent advice) has been summarised by Lord Oliver in Caparo Industries plc v Dickman  2 AC 605 (HL) thus:
[T]he necessary relationship between the maker of a statement or giver of advice (‘the adviser’) and the recipient who acts in reliance upon it (‘the advisee’) may typically be held to exist where
(1) the advice is required for a purpose, whether particularly specified or generally described, which is made known, either actually or inferentially, to the adviser at the time when the advice is given;
(2) the adviser knows, either actually or inferentially, that his advice will be communicated to the advisee, either specifically or as a member of an ascertainable class, in order that it should be used by the advisee for that purpose;
(3) it is known, either actually or inferentially, that the advice so communicated is likely to be acted upon by the advisee for that purpose without independent inquiry; and
(4) it is so acted upon by the advisee to his detriment. (638)
185 The third requirement that the advisee be known to the adviser, either specifically or as a member of an ascertainable class, would preclude liability where advice is published on a website and relied on by a browser. But the same may not be true if an advisee forwards the advice to a third party who does meet the test.
186 The tort of defamation protects the reputation of an individual against false or unjustified allegations. It is established when the plaintiff proves that
187 There is little doubt that electronic transmission of a defamatory statement which identifies the plaintiff constitutes publication for which the publisher will be liable: Rindos v Hardwick (unreported, 31/3/1994, SC WA Ipp J, 164/1994); see 6(1) Laws of Australia paras 18–19. Publication merely requires that the defamatory statement be made to a person other than the plaintiff. The statement may be written or spoken as New Zealand law, under the Defamation Act 1992, does not distinguish between different forms of publication. Thus, forwarding email containing a defamatory statement to a person other than the plaintiff, or downloading such a statement from the internet, could give rise to liability in defamation, regardless of the identity of the original maker of the statement. Indeed, a recent case has held that merely publishing the URL73 address of a website which in turn contains defamatory statements may constitute republication of that article: International Telephone Link Pty Ltd v IDG Communications Ltd (unreported, HC, Auckland, 20 February 1998, CP344/97). The main issue is not therefore whether liability in defamation can arise from electronic communications, but rather who may be liable, and in particular, whether network service providers may be liable for publishing defamatory comments made by their subscribers.
188 Two American cases have considered the liability of network providers for defamatory statements. In Cubby, Inc v CompuServe Inc 776 F Supp 135 (SDNY 1991), CompuServe, an ISP, was held not liable for republishing defamatory statements contained in an online newsletter which was written by a separate company. This decision turned on the fact that CompuServe did not exercise editorial control over content in the newsletter; nor did it have knowledge of content:
CompuServe has no more editorial control over such a publication than does a public library, bookstore or news-stand, and it would be no more feasible for CompuServe to examine every publication it carries for potential defamatory statements than it would be for any other distributor to do so. (140)
189 However, in Stratton Oakmont Inc v Prodigy Services Inc NYS 2d Index No 31063/94,  WL 323710, Prodigy (another ISP) was held liable in defamation because it exercised a degree of editorial control over the content of material published on a bulletin board. Prodigy advertised itself as a family-oriented computer network, employed software to screen messages for offensive language before they were published on the bulletin board, and required subscribers to adhere to content guidelines. It also appointed “Board Leaders” to enforce those guidelines, and provided them with the ability to delete messages which contravened the guidelines. This control did not necessarily mean that Prodigy, or any of its agents, had actual knowledge of the defamatory statement, leading at least one commentator to observe that the practical effect is to encourage a “hands off” approach on the part of ISPs (Carey 1997 1634).
190 Defamation law in New Zealand is governed by the Defamation Act 1992. Section 21 of that Act provides that a person who publishes defamatory material as a “processor or distributor”74 has a defence of innocent dissemination if
that person alleges and proves
(a) That that person did not know that the matter contained the material that is alleged to be defamatory; and
(b) That that person did not know that the matter was of a character likely to contain material of a defamatory nature; and
(c) That that person’s lack of knowledge was not due to any negligence on that person’s part.
Whether a New Zealand ISP could be liable on the same fact situations as arose in Cubby and Stratton Oakmont would therefore depend on proving lack of knowledge without negligence. The standard of care in such circumstances would need to take into account the relevant standard practice of the industry together with any public policy issues such as whether or not a duty should be placed on ISPs to censor the material placed on their network by their clients, and if so, in what circumstances.
191 We seek submissions as to whether legislation is necessary to limit the boundaries of liability in tort having regard to the problems in defining one’s neighbourhood in an electronic environment. Any legislation to limit the boundaries of the law of torts would have to be based firmly on the floodgates principle: that it is necessary to prevent persons trading or operating on the internet from being exposed to “liability in an indeterminate amount for an indeterminate time to an indeterminate class”: Ultramares Corporation v Touche NY Rep 170, 174 (1931).
192 Should submissions be made which can justify the need for legislation to curb potential liability in tort, we will address those issues in our second report. Our provisional view is that legislation would not be feasible because of the difficulty in articulating any restrictions in a sensible and workable manner.
Are there any policy reasons for limiting the boundaries of tortious liability incurred from the use of electronic communication networks having regard to the problems of defining “neighbourhood” in an electronic environment?