Security: is company data an asset or a threat?


Information is a commodity, and for many companies the most valuable asset they possess, especially when it comes to customer relationships. The more a company knows about its customers, the easier it is to reach out and touch them.

Now, however, governments across Europe are under pressure to develop legislation in response to the growing consensus that businesses should be made accountable for how personal information is stored, used and distributed. Consequently, a raft of new laws has emerged which codify privacy rights for the digital age.

Cyberlaws

The Data Protection Act (DPA) and the Regulation of Investigatory Powers Act (RIPA) are the first in this new wave of `cyberlaws'--legislation designed to reinforce privacy rights threatened by the unregulated dissemination of information, in a world where everything from birth records to shopping habits is stored electronically.

Much of the thinking behind cyberlaw is so new, however, that the majority of companies are unaware it even exists, let alone realise they must now comply. Unless business leaders take formal action to protect the integrity of their data, it could become a major threat rather than an important asset.

Understanding the new cyberlaws

As the first wave of cyberlaws comes into force, it is essential that senior managers develop an understanding of how the changes in legislation affect their business and what they must do to protect themselves.

The Data Protection Act

The Data Protection Act (DPA) hands legal responsibility for all personal data to the company or, more pertinently, its directors. Employees, clients, potential clients, past clients, job applicants, website visitors, contractors, consultants--anyone who has had contact with the company is entitled to the sensitive handling of any private information they divulge.

When requesting personal information, companies must now ask consumers to `opt-in' to receive additional sales information rather than `opt-out'. Termed `permission marketing', this subtle shift means customers must now proactively agree before their details can be distributed for promotional purposes. Under the DPA, if the corporate network is breached and personal information lost or stolen, be it deliberately or by mistake, company executives themselves can face prosecution.

Furthermore, the DPA gives individuals the legal right to prevent their details being processed for marketing purposes. Upon request, a company must now disclose all the data it holds relevant to an individual, the purpose for which the data is being used, and to whom else it can be disclosed. Any inaccurate data must be corrected or deleted.

The Information Commissioner is currently establishing the Employment Data Protection Code (EDPC), which is based on the DPA. The Code of Practice: Monitoring at Work, part of the EDPC, is expected to be published in Summer 2002. The aim of the code is to strike a balance between a worker's legitimate right to respect for his or her private life and an employer's fundamental need to run its business. To achieve this aim, to the satisfaction of both parties, will be a significant task.

Critically, companies must take whatever organisational and technological precautions are necessary to protect the information they hold. And today, with information predominantly stored electronically, that means IT security.

Regulation of Investigatory Powers Act

Enacted in October 2000, RIPA makes the interception of emails illegal without consent from both the recipient and the sender. Conversely, targeted monitoring of company email traffic is acceptable when justified under the Lawful Business Practice Regulations, but only for very specific reasons, and all employees should be informed beforehand via a company IT security policy. And, of course, all personal data collected in the process of any email monitoring must be handled in accordance with the DPA.

Human Rights Act

Implemented in October 2000, the Human Rights Act (HRA) gives domestic effect to the European Convention on Human Rights (ECHR), guaranteeing the right to privacy and freedom of expression. Contrary to the intentions of RIPA, which permits companies to monitor employee IT use, the HRA asserts the right to email privacy. Exact interpretations of the HRA, however, remain a matter of contention; although it currently applies directly only to the public sector, the legislation could potentially be invoked against companies that fail to secure their internal information resources.

Cyberlaw in practice

Cyberlaw can be a complex and ambiguous area which is frequently misunderstood. Myths continue to surround the subject, largely because many of the new cyberlaws have yet to be tested in the courts. For business leaders, unravelling the mystery of internal IT security is a forbidding task. What is certain however is that companies must do something. The new cyberlaws effectively formalise the rules on IT best practice in business--pleading ignorance is no longer a defence. Without measures regulating internal information security and employee email behaviour, companies are at risk of breaking the law.

Moreover, regulations specific to industry sectors such as medicine, finance and government often demand even tighter controls than the DPA, making the issue of data security all the more pressing.

The DPA explicitly requires all companies to establish appropriate technical and organisational safeguards to ensure personal data cannot be lost, damaged or stolen. In practice this translates as continuous management of the information entering, exiting, circulating and stored within the company network.

For internal email monitoring to be lawful, a company must be able to show that it serves one of the permitted purposes, namely to:

1. Comply with regulatory practices and procedures

2. Maintain effective system operations

3. Monitor standards of service and staff training

4. Detect or prevent criminal use of the system

The IT threat--it's not what you think

With so much information stored electronically, the answer to how business should meet the new cyberlaws inevitably lies in the way companies regulate their IT. Much has been made of the external IT threat on the Internet. In the media, news of the latest international virus epidemic never seems very far away. When it comes to meeting the new cyberlaws, however, the spotlight is turning away from external risks and onto the threat from within--the intranet.

Litigation

* Companies are legally responsible for the information on their systems

* Corporate data, trade secrets, research material and copyrights are all potential targets for theft

* Staff subjected to offensive data or email messages are entitled to take industrial or legal action against the company

Breaches in confidentiality

* All private customer, staff and supplier information is deemed sensitive and must be treated as such

* Confidential information or private correspondence may be betrayed, be it knowingly or by mistake

* Unauthorised individuals may read emails before they reach the intended recipient

The people problem--a threat not to be underestimated

Within British law, the concept of `vicarious liability' means an employer can be held responsible for the actions of its employees. In the context of IT security this means that if an employee were to send an email, internally or to an outsider, that contained confidential or offensive information, the company could be held liable. If the email were then forwarded on, each subsequent sender and their respective employers could also be made liable.

The following case histories illustrate just some of the potential consequences for organisations that fall foul of the new cyberlaws.

* A Norwich Union employee circulated false rumours over the internal email system that a competitor was experiencing financial difficulties. The rumours leaked to brokers and customers, and the competitor sued Norwich Union for libel. Norwich Union settled out of court for a reported £450,000.

* In the US, two employees of the investment bank Morgan Stanley have alleged that they suffered emotional and physical distress as a result of an email circulated to 6 other employees containing racist remarks. The bank is facing a $60m lawsuit.

* Two employees at the Nissan Motor Company, fired for sending explicit email messages, subsequently sued for unfair dismissal, claiming violation of their privacy. But, having put in place an email policy that clearly prohibited the use of company-owned computer systems for non-business purposes, Nissan won the lawsuit.

When it comes to the IT threat, it's not technology itself that's the problem, but rather the way people use it. In the eyes of the law, emails have all the authority of a letter, but their disposable nature tends to encourage an informal, almost intimate attitude. Compare the time spent composing an email to that spent on a letter and it's easy to understand how, under the everyday pressure of work, mistakes and misunderstandings occur.

A recent report by PricewaterhouseCoopers revealed how, having installed security at the Internet gateway, many companies simply sit back and hope for the best. Only 32% have a dedicated policy review process and just 20% have an accurate inventory of their existing security measures.

A popular misconception is that by writing an email security policy document a company has fulfilled its IT security obligations. This is not necessarily the case. To be effective, such policies must be supported by appropriate staff education and training, sufficient and targeted controls on web and email use, and regular reviews and assessments.

The fact is, piecemeal solutions are fundamentally flawed because without any overall co-ordination it is impossible to cover IT security from every angle. Only by adopting a strategy that combines the appropriate technological measures, implemented through a dedicated IT security policy, with effective staff communication and training can companies be confident that their IT security is adequate.

Educating employees is a major preventative measure because an IT security policy, although protecting you from a technical point of view, is powerless without the cooperation of the people that must observe it.

A formal consultative process is crucial if staff are to understand why the policy is important, how it will help to protect both them and the company and, critically, why it must be underpinned by the appropriate IT technologies. Adopting an open approach to IT security is the only way to create the emotional `buy-in' needed to foster real awareness and, crucially, a change in attitude to email usage.

www.clearswift.com

The Clearswift Policy Programme

There are 3 phases to the Clearswift Policy Programme:

Establish-Educate-Enforce

Before embarking on an IT security policy programme, a champion should be nominated--someone who can assume responsibility for implementing an IT policy. In collaboration with a team of senior managers plus HR and IT personnel, the champion can then develop and implement the following steps:

Establish

* Using the Clearswift IT Security Audit, identify the threats that are most pressing for the company

* Define a policy to address the threats faced using the guidelines in the Clearswift IT Security Audit

Educate

* Educate employees to the threat of email misuse and abuse.

* Run a series of internal briefings to explain the policy objectives, the process by which incidents will be processed and the potential consequences for offenders.

* Produce supporting materials to help staff understand the dangers they expose the company to through careless use of email and Internet resources.

* Formalise their commitment with a policy agreement addendum to their Contract of Employment.

Enforce

* Install Clearswift MIMEsweeper or ENTERPRISEsuite to enforce the policy.

* Develop a clear set of review procedures--a policy is only as effective as its last update.

Beyond cyberlaw--IT best practice

There's more to content security than satisfying the cyberlaws. Intranet security is good for business and increases IT efficiency.

Better for business:

* Prohibits the storage, sending, receiving or circulation of inappropriate or offensive content.

* Adds disclaimers that help limit legal liability.

* Helps businesses comply with regulatory auditing and tracking legislation.

* Prevents email misuse that could damage the company brand and reputation.

* Boosts employee productivity by prohibiting the circulation of time-wasting emails.

Better for IT efficiency

* Stops infections and data loss from internally or externally transported email viruses and executables.

* Restricts large files and unauthorised file types, increasing available system resources and productivity.

* Helps business monitor internal and external email usage.
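The controls listed above (blocking executables, restricting large files and unauthorised file types, appending disclaimers) are the kind of policy a content-security gateway enforces on each message in transit. The following Python script is an added illustration, not Clearswift's code or a description of how MIMEsweeper works: it parses a raw RFC 5322 message with the standard library, quarantines it if it is oversized or carries an executable attachment, and appends a disclaimer only to messages that pass. The policy values (blocked extensions, size limit, disclaimer text) and the sample messages are assumptions constructed for the example. One point the list does not spell out: a filter that trusts the filename alone is trivially bypassed by renaming `payroll.exe` to `payroll.txt`, so the example also inspects the attachment's leading bytes.

```python
"""Email content-policy enforcement in the spirit of the controls listed above.

Added example, not Clearswift's code. The policy values (blocked types, size
limit, disclaimer wording) and the sample messages are assumptions constructed
for illustration.
"""
import email
import email.policy
from dataclasses import dataclass, field
from email.message import EmailMessage
from typing import List, Optional

# Assumed policy. A real gateway would load these from configuration.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".bat", ".cmd", ".pif", ".vbs", ".js", ".com"}
MAX_MESSAGE_BYTES = 5 * 1024 * 1024  # 5 MiB, assumed limit
DISCLAIMER = "\n--\nThis email is confidential and intended for the addressee only."

# Leading bytes that identify executables regardless of filename
# (PE "MZ", ELF, Mach-O, script shebang). Checking content as well as the
# extension matters: renaming payroll.exe to payroll.txt defeats a filter
# that trusts the name alone.
EXECUTABLE_MAGIC = (b"MZ", b"\x7fELF", b"\xcf\xfa\xed\xfe", b"\xfe\xed\xfa\xcf", b"#!")


@dataclass
class Verdict:
    action: str                              # "deliver" or "quarantine"
    reasons: List[str] = field(default_factory=list)
    message: Optional[EmailMessage] = None   # the (possibly modified) message


def looks_executable(filename: Optional[str], payload: bytes) -> bool:
    """True if either the filename extension or the leading bytes say 'executable'."""
    name = (filename or "").lower()
    if any(name.endswith(ext) for ext in BLOCKED_EXTENSIONS):
        return True
    return any(payload.startswith(magic) for magic in EXECUTABLE_MAGIC)


def apply_policy(raw: bytes, max_bytes: int = MAX_MESSAGE_BYTES) -> Verdict:
    """Parse one raw RFC 5322 message and enforce the assumed content policy.

    The cheap size check runs before parsing. A message that fails any rule is
    quarantined with every reason recorded, rather than being silently cleaned up.
    """
    reasons = []
    if len(raw) > max_bytes:
        reasons.append(f"message size {len(raw)} exceeds limit of {max_bytes} bytes")

    msg = email.message_from_bytes(raw, policy=email.policy.default)
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        if looks_executable(part.get_filename(), payload):
            reasons.append(f"executable attachment blocked: {part.get_filename()!r}")

    if reasons:
        return Verdict("quarantine", reasons, msg)

    # Only messages that pass every rule get the disclaimer appended.
    body = msg.get_body(preferencelist=("plain",))
    if body is not None:
        body.set_content(body.get_content().rstrip("\n") + DISCLAIMER)
    return Verdict("deliver", [], msg)


def build_sample(filename: Optional[str], payload: bytes) -> bytes:
    """Constructed sample message (not captured traffic) with one optional attachment."""
    msg = EmailMessage()
    msg["From"] = "alice@example.com"
    msg["To"] = "bob@example.com"
    msg["Subject"] = "Q2 figures"
    msg.set_content("Hi Bob, the figures are attached.")
    if filename is not None:
        msg.add_attachment(payload, maintype="application",
                           subtype="octet-stream", filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    samples = {
        "clean pdf": build_sample("report.pdf", b"%PDF-1.4 constructed sample"),
        "exe by name": build_sample("invoice.exe", b"MZ\x90\x00 constructed"),
        "exe renamed .txt": build_sample("notes.txt", b"MZ\x90\x00 constructed"),
    }
    for label, raw in samples.items():
        verdict = apply_policy(raw)
        print(f"{label:18} -> {verdict.action:10} {verdict.reasons}")
```

Run stand-alone, the script delivers the PDF sample with the disclaimer added and quarantines both executable samples, including the one disguised as `.txt`. Appending a disclaimer is the mechanical part; whether it actually limits liability is a legal question the gateway cannot answer.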

COPYRIGHT 2002 A.P. Publications Ltd.

Article Details
Title Annotation: European Union's Data Protection Act and the Regulation of Investigatory Powers Act
Author: Rutherford, Paul
Publication: Database and Network Journal
Geographic Code: 1USA
Date: Jun 1, 2002
Words: 1946