Is your company data an asset or a threat?
The issue will be discussed with particular reference to the U.K.
Information is a commodity. Indeed, for many companies it's the most valuable asset they possess, especially when it comes to customer relationships. The more a company knows about its customers, the easier it is to reach out and touch them.
Now though, governments across Europe are under pressure to develop legislation in response to the growing consensus that businesses should be made accountable for how personal information is stored, used and distributed. Consequently, a raft of new laws have emerged which codify privacy rights for the digital age.
The Data Protection Act (DPA) and the Regulation of Investigatory Powers Act (RIPA) are, in the United Kingdom, the first in this new wave of 'cyberlaws' - legislation designed to reinforce privacy rights threatened by the unregulated dissemination of information, in a world where everything from birth records to shopping habits are stored electronically.
Much of the thinking behind cyberlaw is so new however, that the majority of companies are unaware it even exists, let alone realize they must now comply. And yet, unless business leaders take formal action to protect the integrity of their data, it could become a major threat rather than an important asset.
Understanding the New Cyberlaws
As the first wave of cyberlaws comes into force, it is essential that senior managers develop an understanding of how the changes in legislation affect their business and what they must do to protect themselves.
The Data Protection Act
The DPA hands legal responsibility for all personal data to the company or, more pertinently, its directors. Employees, clients, potential clients, past clients, job applicants, web site visitors, contractors, consultants - anyone who has had contact with the company is entitled to the sensitive handling of any private information they divulge.
When requesting personal information, companies must now ask consumers to 'opt-in' to receive additional sales information rather than 'opt-out'. Termed 'permission marketing,' this subtle shift means customers must now proactively agree before their details can be distributed for promotional purposes. Under the DPA, if the corporate network is breached and personal information lost or stolen, be it deliberately or by mistake, company executives themselves can face prosecution.
Furthermore, the DPA gives individuals the legal right to prevent their details being processed for marketing purposes. Upon request, a company must now disclose all the data it holds relevant to an individual, the purpose for which the data is being used and to whom else it can be disclosed. Any inaccurate data must be deleted.
The Information Commissioner is currently establishing the Employment Data Protection Code (EDPC), which is based on the DPA. The Code of Practice: Monitoring at Work, part of the EDPC, is expected to be published in summer 2002. The aim of the code is to strike a balance between a worker's legitimate right to respect for his or her private life and an employer's fundamental need to run its business. To achieve this aim, to the satisfaction of both parties, will be a significant task.
Critically, companies must take whatever organizational and technological precautions are necessary to protect the information they hold. And today, with information predominantly stored electronically, that means IT security.
Regulation of Investigatory Powers Act
Enacted in October 2000, RIPA makes the interception of emails illegal without consent from both the recipient and the sender. Conversely, targeted monitoring of company email traffic is acceptable when justified under the lawful business practice regulations, but only for very specific reasons and all employees should be informed beforehand via a company IT security policy. And, of course, all personal data collected in the process of any email monitoring must be handled in accordance with the DPA.
Human Rights Act
Implemented in October 2000, the HRA supplements the European Convention on Human Rights (ECHR), guaranteeing the right to privacy and freedom of expression.
Contrary to the intentions of RIPA, which permits companies to monitor employee IT use, the HRA asserts the right for email privacy. Exact interpretations of the HRA however, remain a matter of contention; although it currently only applies to the public sector, the legislation could potentially be exploited in defense of companies who fail to secure their internal information resources.
Cyberlaw In Practice
Cyberlaw can be a complex and ambiguous area, which is frequently misunderstood. Myths continue to surround the subject, largely because many of the new cyberlaws have yet to be tested in the courts. For business leaders, unraveling the mystery of internal IT security is a forbidding task. What is certain however is that companies must do something.
The new cyberlaws effectively formalize the rules on IT best practice in business - pleading ignorance is no longer a defense. Without measures regulating internal information security and employee email behavior, companies are at risk of breaking the law. Moreover, regulations inherent to specific industry sectors such as medicine, finance and government often demand even tighter controls than the DPA, making the issue of data security all the more pressing.
The DPA explicitly decrees that all companies establish the appropriate technical and organizational safeguards to ensure personal data cannot be lost, damaged or stolen. In practice this translates as continuous management of the information entering, exiting, circulating and stored within the company network.
For effective internal email monitoring a company must:
- comply with regulatory practices and procedures
- maintain effective system operations
- monitor standards of service and staff training
- detect or prevent criminal use of the system.
The IT Threat - It's Not What You Think
With so much information stored electronically, the answer to how business should meet the new cyberlaws inevitably lies in the way companies regulate their IT.
Much has been made of the external IT threat on the Internet. In the media, news of the latest international virus epidemic never seems very far away. When it comes to meeting the new cyberlaws however, the spotlight is turning away from external risks and onto the threat from within - the intranet.
- Companies are legally responsible for the information on their systems.
- Corporate data, trade secrets, research material and copyrights are all potential targets for theft.
- Staff subjected to offensive data or email messages are entitled to take industrial or legal action against the company.
Breaches in confidentiality:
- All private customer, staff and supplier information is deemed sensitive and must be treated as such.
- Confidential information or private correspondence may be betrayed, be it knowingly or by mistake.
- Unauthorized individuals may read emails before they reach the intended recipient.
The People Problem
This is a threat not to be underestimated. Within British law the concept of 'vicarious liability' decrees an employer can be held responsible for the actions of its employees. In the context of IT security this means if an employee were to send an email, internally or to an outsider, that contained confidential or offensive information, the company could be held liable. If the email were then forwarded on, each subsequent sender and their respective employers could also be made liable.
The following case histories illustrate just some of the potential consequences for organizations that fall foul of the new cyberlaws.
- An employee of the Norwich Union insurance company circulated false rumors over the internal email system that a competitor was experiencing financial difficulties. The rumors leaked to brokers and customers, and the competitor sued Norwich Union for libel. Norwich Union settled out of court for a reported £450,000.
- In the U.S., two employees of the investment bank Morgan Stanley have alleged that they suffered emotional and physical distress as a result of an email circulated to six other employees containing racist remarks. The bank is facing a $60m lawsuit.
- Two employees at the Nissan Motor Company, fired for sending explicit email messages, subsequently sued for unfair dismissal, claiming violation of privacy under the HRA. But, having designated an email policy that clearly prohibited the use of company owned computer systems for non-business purposes, Nissan won the lawsuit.
When it comes to the IT threat, it's not technology itself that's the problem, rather the way people use it. In the eyes of the law, emails have all the authority of a letter, but their disposable nature tends to encourage an informal, almost intimate attitude. Compare the time spent on composing an email to that of a letter and it's easy to understand how, under the everyday pressure of work, mistakes and misunderstandings occur.
A recent report by PricewaterhouseCoopers revealed how, having installed security at the Internet gateway, many companies simply sit back and hope for the best. Only 32 percent have a dedicated policy review process and just 20 percent have an accurate itinerary of their existing security measures.
A popular misconception is that by writing an email security policy document a company has fulfilled its IT security obligations. This is not necessarily the case. To be effective, such policies must be supported by appropriate staff education and training, sufficient and targeted controls on web and email use, and regular reviews and assessments.
The fact is, piecemeal solutions are fundamentally flawed because without any overall co-ordination it is impossible to cover IT security from every angle. Only by adopting a strategy that combines the appropriate technological measures, implemented by a dedicated IT security policy and effective staff communication and training, can companies be sure they are completely secure.
Educating employees is a major preventative measure because an IT security policy, although protecting you from a technical point of view, is powerless without the co-operation of the people that must observe it.
A formal consultative process is crucial if staff are to understand why the policy is important, how it will help to protect both them and the company and, critically, why it must be underpinned by the appropriate IT technologies. Adopting an open approach to IT security is the only way to create the emotional 'buy-in' needed to foster real awareness and, crucially, a change in attitude to email usage.
Beyond Cyberlaw - IT Best Practice
There's more to content security than satisfying the cyberlaws. Intranet security is good for business and increases IT efficiency.
Better for business:
- prohibits the storage, sending, receiving or circulation of inappropriate or offensive content;
- adds disclaimers that negate legal liability;
- helps businesses comply with regulatory auditing and tracking legislation;
- prevents email misuse that could damage the company brand and reputation;
- boosts employee productivity by prohibiting the circulation of time wasting emails.
Better for IT efficiency:
- stops infections and data loss from internally or externally transported email viruses and executables;
- restricts large files and unauthorized file types, increasing available system resources and productivity;
- helps businesses manage resources more effectively by monitoring internal and external email usage;
Paul Rutherford is CMO for Clearswift Corporation (www.clearswift.com).