Cyberliability: focusing on internal IT security

info

ISSN: 1463-6697

Article publication date: 1 June 2002

Citation

Rutherford, P. (2002), "Cyberliability: focusing on internal IT security", info, Vol. 4 No. 3. https://doi.org/10.1108/info.2002.27204cab.002

Publisher: Emerald Group Publishing Limited

Copyright © 2002, MCB UP Limited


Paul Rutherford is Chief Marketing Officer at Clearswift Corporation, Ruscombe, Berkshire, UK.

Keywords: Legal matters, Computer security, Computer privacy

Abstract

Governments across Europe are enacting legislation to make businesses accountable for how personal information is stored, used and distributed. Much of the thinking behind cyberlaw is so new that many companies are either unaware that it exists or that they must comply. This article outlines the main features of new UK cyberlaw and explains how the changes in legislation affect businesses and what they must do to protect themselves. New cyberlaws are turning the spotlight away from external risks and onto the threat from within – the intranet.

Information is a commodity. Indeed, for many companies it is the most valuable asset they possess, especially when it comes to customer relationships. The more a company knows about its customers, the easier it is to reach out and touch them.

Now, though, governments across Europe are under pressure to develop legislation in response to the growing consensus that businesses should be made accountable for how personal information is stored, used and distributed. Consequently, a raft of new laws has emerged which codifies privacy rights for the digital age.

In the UK, the Data Protection Act (DPA) and the Regulation of Investigatory Powers Act (RIPA) are the first in this new wave of "cyberlaws" – legislation designed to reinforce privacy rights threatened by the unregulated dissemination of information, in a world where everything from birth records to shopping habits is stored electronically.

Much of the thinking behind cyberlaw is so new, however, that the majority of companies are unaware it even exists, let alone realise they must now comply. And yet, unless business leaders take formal action to protect the integrity of their data, it could become a major threat rather than an important asset.

Understanding the new cyberlaws

As the first wave of cyberlaws comes into force, it is essential that senior managers develop an understanding of how the changes in legislation affect their business and what they must do to protect themselves.

The Data Protection Act

The Data Protection Act (DPA) hands legal responsibility for all personal data to the company or, more pertinently, its directors. Employees, clients, potential clients, past clients, job applicants, Website visitors, contractors, consultants – anyone who has had contact with the company is entitled to the sensitive handling of any private information they divulge.

When requesting personal information, companies must now ask consumers to "opt-in" to receive additional sales information rather than "opt-out". Termed "permission marketing", this subtle shift means customers must now proactively agree before their details can be distributed for promotional purposes. Under the DPA, if the corporate network is breached and personal information lost or stolen, be it deliberately or by mistake, company executives themselves can face prosecution.

Furthermore, the DPA gives individuals the legal right to prevent their details being processed for marketing purposes. Upon request, a company must now disclose all the data it holds relevant to an individual, the purpose for which the data is being used and to whom else it can be disclosed. Any inaccurate data must be deleted.

The Information Commissioner is currently establishing the employment data protection code (EDPC), which is based on the DPA. The code of practice on monitoring at work, which forms part of the EDPC, is expected to be published in summer 2002. The aim of the code is to strike a balance between a worker's legitimate right to respect for his or her private life and an employer's fundamental need to run its business. Achieving this aim, to the satisfaction of both parties, will be a significant task.

Critically, companies must take whatever organisational and technological precautions are necessary to protect the information they hold. And today, with information predominantly stored electronically, that means IT security.

Regulation of Investigatory Powers Act

Enacted in October 2000, RIPA makes the interception of e-mails illegal without consent from both the recipient and the sender. Conversely, targeted monitoring of company e-mail traffic is acceptable when justified under the Lawful Business Practice Regulations, but only for very specific reasons, and all employees should be informed beforehand via a company IT security policy. And, of course, all personal data collected in the process of any e-mail monitoring must be handled in accordance with the DPA.

Human Rights Act

Implemented in October 2000, the Human Rights Act (HRA) supplements the European Convention on Human Rights (ECHR), guaranteeing the right to privacy and freedom of expression.

Contrary to the intentions of RIPA, which permits companies to monitor employee IT use, the HRA asserts the right for e-mail privacy. Exact interpretations of the HRA, however, remain a matter of contention; although it currently only applies to the public sector, the legislation could potentially be exploited in defence of companies who fail to secure their internal information resources.

Cyberlaw in practice

Cyberlaw can be a complex and ambiguous area which is frequently misunderstood. Myths continue to surround the subject, largely because many of the new cyberlaws have yet to be tested in the courts. For business leaders, unravelling the mystery of internal IT security is a forbidding task. What is certain, however, is that companies must do something.

The new cyberlaws effectively formalise the rules on IT best practice in business – pleading ignorance is no longer a defence. Without measures regulating internal information security and employee e-mail behaviour, companies are at risk of breaking the law.

Moreover, regulations inherent to specific industry sectors such as medicine, finance and government often demand even tighter controls than the DPA, making the issue of data security all the more pressing.

The DPA explicitly decrees that all companies establish the appropriate technical and organisational safeguards to ensure personal data cannot be lost, damaged or stolen. In practice this translates as continuous management of the information entering, exiting, circulating and stored within the company network.

For effective internal e-mail monitoring a company must:

  • comply with regulatory practices and procedures;

  • maintain effective system operations;

  • monitor standards of service and staff training; and

  • detect or prevent criminal use of the system.

The IT threat – it's not what you think

With so much information stored electronically, the answer to how business should meet the new cyberlaws inevitably lies in the way companies regulate their IT.

Much has been made of the external IT threat on the Internet. In the media, news of the latest international virus epidemic never seems very far away. When it comes to meeting the new cyberlaws, however, the spotlight is turning away from external risks and onto the threat from within – the intranet:

  1. Litigation:

    • Companies are legally responsible for the information on their systems.

    • Corporate data, trade secrets, research material and copyrights are all potential targets for theft.

    • Staff subjected to offensive data or e-mail messages are entitled to take industrial or legal action against the company.

  2. Breaches in confidentiality:

    • All private customer, staff and supplier information is deemed sensitive and must be treated as such.

    • Confidential information or private correspondence may be betrayed, be it knowingly or by mistake.

    • Unauthorised individuals may read e-mails before they reach the intended recipient.

The people problem

A threat not to be underestimated

Within British law the concept of "vicarious liability" decrees an employer can be held responsible for the actions of its employees. In the context of IT security this means if an employee were to send an e-mail, internally or to an outsider, that contained confidential or offensive information, the company could be held liable. If the e-mail were then forwarded on, each subsequent sender and their respective employers could also be made liable.

The following case histories illustrate just some of the potential consequences for organisations that fall foul of the new cyberlaws.

  • A Norwich Union employee circulated false rumours that a competitor was experiencing financial difficulties over the internal e-mail system. The rumours leaked to brokers and customers, and the competitor sued Norwich Union for libel. Norwich Union settled out of court for a reported £450,000.

  • In the USA, two employees of the investment bank Morgan Stanley have alleged that they suffered emotional and physical distress as a result of an e-mail circulated to six other employees containing racist remarks. The bank is facing a $60m lawsuit.

  • Two employees at the Nissan Motor Company, fired for sending explicit e-mail messages, subsequently sued for unfair dismissal claiming violation of privacy under the HRA. But, having designated an e-mail policy that clearly prohibited the use of company owned computer systems for non-business purposes, Nissan won the lawsuit.

When it comes to the IT threat, it is not technology itself that is the problem, rather the way people use it. In the eyes of the law, e-mails have all the authority of a letter but their disposable nature tends to encourage an informal, almost intimate attitude. Compare the time spent on composing an e-mail to that of a letter and it is easy to understand how, under the everyday pressure of work, mistakes and misunderstandings occur.

A recent report by PricewaterhouseCoopers revealed how, having installed security at the Internet gateway, many companies simply sit back and hope for the best. Only 32 per cent have a dedicated policy review process and just 20 per cent have an accurate inventory of their existing security measures.

A popular misconception is that by writing an e-mail security policy document a company has fulfilled its IT security obligations. This is not necessarily the case. To be effective, such policies must be supported by appropriate staff education and training, sufficient and targeted controls on Web and e-mail use and regular reviews and assessments.

The fact is, piecemeal solutions are fundamentally flawed because without any overall co-ordination it is impossible to cover IT security from every angle. Only by adopting a strategy that combines the appropriate technological measures implemented by a dedicated IT security policy and effective staff communication and training, can companies be sure they are completely secure.

Educating employees is a major preventative measure because an IT security policy, although protecting you from a technical point of view, is powerless without the co-operation of the people that must observe it.

A formal consultative process is crucial if staff are to understand why the policy is important, how it will help to protect both them and the company and, critically, why it must be underpinned by the appropriate IT technologies. Adopting an open approach to IT security is the only way to create the emotional "buy-in" needed to foster real awareness and, crucially, a change in attitude to e-mail usage.

Developing an IT security programme

Companies such as Clearswift are able to assist in developing IT security policies[1]. Before embarking on an IT security policy programme, a champion should be nominated – someone who can assume responsibility for implementing an IT policy. In collaboration with a team of senior managers plus HR and IT personnel, the champion can then develop and implement the following steps:

  1. Establish:

    • Identify the threats that managers believe are most pressing for the company.

    • Define a policy to address the threats the company is facing.

  2. Educate:

    • Educate employees about the threat of e-mail misuse and abuse.

    • Run a series of internal briefings to explain the policy objectives, the process by which incidents will be handled and the potential consequences for offenders.

    • Produce supporting materials to help staff understand the dangers they expose the company to through careless use of e-mail and Internet resources.

    • Formalise their commitment with a policy agreement addendum to their contract of employment.

  3. Enforce:

    • Install software systems such as Clearswift MIMEsweeper or ENTERPRISEsuite to enforce the policy[2].

    • Develop a clear set of review procedures – a policy is only as effective as its last update.

Beyond cyberlaw – IT best practice

There is more to content security than satisfying the cyberlaws. Intranet security is good for business and increases IT efficiency.

  1. Better for business:

    • Prohibits the storage, sending, receiving or circulation of inappropriate or offensive content.

    • Adds disclaimers that negate legal liability.

    • Helps businesses comply with regulatory auditing and tracking legislation.

    • Prevents e-mail misuse that could damage the company brand and reputation.

    • Boosts employee productivity by prohibiting the circulation of time-wasting e-mails.

  2. Better for IT efficiency:

    • Stops infections and data loss from internally or externally transported e-mail viruses and executables.

    • Restricts large files and unauthorised file types, increasing available system resources and productivity.

    • Helps businesses manage resources more effectively by monitoring internal and external e-mail usage.

The threats to electronic communication infrastructure, be they Internet, e-mail or intranet based, are now more pressing than ever. Every company must take responsibility for the integrity of its IT networks – or face the consequences.

Notes

  1. Clearswift is a world leader in e-mail and Web security (www.clearswift.com).

  2. Clearswift MIMEsweeper is the world's most popular content security solution. The Clearswift ENTERPRISEsuite is designed to help organisations gain control over e-mail use based on source, content and destination and to offer protection from virus infiltration and SPAM.