Is your company data an asset or a threat?
The issue will be discussed with particular reference to the U.K.
Information is a commodity. Indeed, for many companies it's the most valuable asset they possess, especially when it comes to customer relationships. The more a company knows about its customers, the easier it is to reach out and touch them.
Now though, governments across Europe are under pressure to develop legislation in response to the growing consensus that businesses should be made accountable for how personal information is stored, used and distributed. Consequently, a raft of new laws has emerged which codifies privacy rights for the digital age.
The Data Protection Act (DPA) and the Regulation of Investigatory Powers Act (RIPA) are, in the United Kingdom, the first in this new wave of 'cyberlaws' - legislation designed to reinforce privacy rights threatened by the unregulated dissemination of information, in a world where everything from birth records to shopping habits is stored electronically.
Much of the thinking behind cyberlaw is so new however, that the majority of companies are unaware it even exists, let alone realize they must now comply. And yet, unless business leaders take formal action to protect the integrity of their data, it could become a major threat rather than an important asset.
Understanding the New Cyberlaws
As the first wave of cyberlaws comes into force, it is essential that senior managers develop an understanding of how the changes in legislation affect their business and what they must do to protect themselves.
The Data Protection Act
The DPA hands legal responsibility for all personal data to the company or, more pertinently, its directors. Employees, clients, potential clients, past clients, job applicants, web site visitors, contractors, consultants - anyone who has had contact with the company is entitled to the sensitive handling of any private information they divulge.
When requesting personal information, companies must now ask consumers to 'opt-in' to receive additional sales information rather than 'opt-out'. Termed 'permission marketing,' this subtle shift means customers must now proactively agree before their details can be distributed for promotional purposes. Under the DPA, if the corporate network is breached and personal information lost or stolen, be it deliberately or by mistake, company executives themselves can face prosecution.
Furthermore, the DPA gives individuals the legal right to prevent their details being processed for direct marketing purposes. Upon request (a 'subject access request'), a company must now disclose all the data it holds about an individual, the purposes for which the data is being used and to whom else it may be disclosed. Any inaccurate data must be corrected or erased.
The Information Commissioner is currently establishing the Employment Data Protection Code (EDPC), which is based on the DPA. The Code of Practice: Monitoring at Work, part of the EDPC, is expected to be published in summer 2002. The aim of the code is to strike a balance between a worker's legitimate right to respect for his or her private life and an employer's fundamental need to run its business. To achieve this aim, to the satisfaction of both parties, will be a significant task.
Critically, companies must take whatever organizational and technological precautions are necessary to protect the information they hold. And today, with information predominantly stored electronically, that means IT security.
Regulation of Investigatory Powers Act
In force since October 2000, RIPA makes the interception of emails on a company network unlawful without the consent of both the sender and the intended recipient. Conversely, targeted monitoring of company email traffic is permitted when justified under the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000, but only for the specific purposes those regulations list (for example, detecting unauthorised use of the system, preventing or detecting crime, or establishing facts relevant to the business), and only where the company has made reasonable efforts to inform all users of the system beforehand, normally via a company IT security policy. And, of course, all personal data collected in the course of any email monitoring must be handled in accordance with the DPA.
Human Rights Act
In force since October 2000, the HRA gives effect in UK law to the European Convention on Human Rights (ECHR), including the right to respect for private life and correspondence (Article 8) and the right to freedom of expression (Article 10).
In apparent tension with RIPA, which permits companies to monitor employee IT use, the HRA asserts a right to privacy that extends to email. Exact interpretations of the HRA, however, remain a matter of contention; although its duties bind public authorities directly, the legislation could potentially be invoked in claims against companies that fail to secure their internal information resources.
Cyberlaw In Practice
Cyberlaw can be a complex and ambiguous area, which is frequently misunderstood. Myths continue to surround the subject, largely because many of the new cyberlaws have yet to be tested in the courts. For business leaders, unraveling the mystery of internal IT security is a forbidding task. What is certain however is that companies must do something.
The new cyberlaws effectively formalize the rules on IT best practice in business - pleading ignorance is no longer a defense. Without measures regulating internal information security and employee email behavior, companies are at risk of breaking the law. Moreover, regulations inherent to specific industry sectors such as medicine, finance and government often demand even tighter controls than the DPA, making the issue of data security all the more pressing.
The DPA's seventh data protection principle explicitly requires that every organization holding personal data take appropriate technical and organizational measures against unauthorised or unlawful processing and against accidental loss, destruction or damage. In practice this translates as continuous management of the information entering, exiting, circulating within and stored on the company network.
For effective internal email monitoring a company must:
The IT Threat - It's Not What You Think
With so much information stored electronically, the answer to how business should meet the new cyberlaws inevitably lies in the way companies regulate their IT.
Much has been made of the external IT threat on the Internet. In the media, news of the latest international virus epidemic never seems very far away. When it comes to meeting the new cyberlaws however, the spotlight is turning away from external risks and onto the threat from within - the intranet.
Breaches in confidentiality:
The People Problem
This is a threat not to be underestimated. Within British law the concept of 'vicarious liability' decrees an employer can be held responsible for the actions of its employees. In the context of IT security this means if an employee were to send an email, internally or to an outsider, that contained confidential or offensive information, the company could be held liable. If the email were then forwarded on, each subsequent sender and their respective employers could also be made liable.
The following case histories illustrate just some of the potential consequences for organizations that fall foul of the new cyberlaws.
When it comes to the IT threat, it's not technology itself that's the problem, rather the way people use it. In the eyes of the law, emails have all the authority of a letter, but their disposable nature tends to encourage an informal, almost intimate attitude. Compare the time spent on composing an email to that of a letter and it's easy to understand how, under the everyday pressure of work, mistakes and misunderstandings occur.
A recent report by PricewaterhouseCoopers revealed how, having installed security at the Internet gateway, many companies simply sit back and hope for the best. Only 32 percent have a dedicated policy review process and just 20 percent have an accurate inventory of their existing security measures.
A popular misconception is that by writing an email security policy document a company has fulfilled its IT security obligations. This is not necessarily the case. To be effective, such policies must be supported by appropriate staff education and training, sufficient and targeted controls on web and email use, and regular reviews and assessments.
The fact is, piecemeal solutions are fundamentally flawed because without any overall co-ordination it is impossible to cover IT security from every angle. Only by adopting a strategy that combines the appropriate technological measures, implemented through a dedicated IT security policy and effective staff communication and training, can companies have reasonable confidence that no angle has been left uncovered.
Educating employees is a major preventative measure because an IT security policy, even when backed by technical controls, is powerless without the co-operation of the people who must observe it.
A formal consultative process is crucial if staff are to understand why the policy is important, how it will help to protect both them and the company and, critically, why it must be underpinned by the appropriate IT technologies. Adopting an open approach to IT security is the only way to create the emotional 'buy-in' needed to foster real awareness and, crucially, a change in attitude to email usage.
Beyond Cyberlaw - IT Best Practice
There's more to content security than satisfying the cyberlaws. Intranet security is good for business and increases IT efficiency.
Better for business:
Better for IT efficiency:
Paul Rutherford is CMO for Clearswift Corporation (www.clearswift.com).