Since the deregulation of Voice over Internet Protocol (VoIP) in 2005, many South African organizations are now attempting to leverage its cost saving and competitive values. However it has been recently cited that VoIP is one of the greatest new risks to business. This risk is cited to increase Information Security insurance premiums in the near future. Due to the dynamic nature of the technology, regulatory and legislative concerns such as lawful interception of communications and privacy may also contribute to business risk. VoIP consists of both direct communications (voice conversation) and indirect communications (voice mails, emails and instant messaging). Due to this dual nature, complying with regulations such as the Regulation of Interception of Communications and Provision of Communication-Related Information Act (RICA) should be considered. In order to leverage value from the VoIP implementation, an executive or SME owner should look to implement the technology with knowledge of the potential risk of civil liability. This is further highlighted by the King III Report which makes the Directors and CEO of an organisation ultimately responsible for IT Governance and Information Security Governance.Â The report goes further to say, any new technology, such as VoIP, should comply with all South African legislation and regulations. This responsibility encourages the practice of both due care and due diligence. However, recent trends exercised by Information Security professionals, responsible for drafting Information Security policies, often neglect the regulatory requirements and choose to only implement international best practices with no considerations to the risk of civil liability. Although these best practice frameworks may inadvertently comply with existing local legislation, a chance of an oversight is a possibility. Oversights may not only result in criminal sanctions but also civil action due to losses or damages suffered by a third party. Using both the identified regulations and relevant international best practices one may attempt to ensure good Governance with regards to VoIPâ€™s dual nature. The aim is to aid executives and SME owners in mitigating the risk of civil liability to better leverage VoIPâ€™s value by utilizing the proposed VoIP: Civil Liability Risk Table. This should aid in the exercise of due care and due diligence when implementing VoIP as a means of conducting business communication.