Picking your way through the legal minefield; by Mike Hill, Vice President – Marketing, Chronicle Solutions (UK) PLC and Shelagh Gaskill, Partner, at law firm Masons.
There are many pieces of legislation and regulation that have some impact on our security, monitoring and data retention policies. Some apply to all businesses, some apply only to businesses dealing with consumers, and some are specific to certain industries. Much of this legislation is vague or hard to interpret, some of it doesn’t account for the change in technology over recent years; some of it even appears to contradict other legislation and much of it has no current case-law to clarify how it should be interpreted. How do we, as IT security professionals, pick our way through this forest of legislation and implement a practical security, monitoring and data retention solution that’s likely to keep us, and our directors, out of jail without bankrupting the company?
Some years ago, a senior figure in the IT industry said: "The good thing about standards is that there are so many to choose from!" He was being somewhat sarcastic about the attempts of the IT industry to help its customers by standardising on certain user interfaces and operating systems. The legal framework within which we operate is rather like that, only you can’t choose which laws you want to comply with; and the penalty for getting it wrong varies from a small fine through to significant costs and potential imprisonment of directors.
The legislation affects many different areas of our business. In all but the smallest businesses there is more than one person responsible: HR, accounts, legal, compliance and anti-money-laundering managers all bear some responsibility. What’s almost always true is that they will end up in the IT department talking to the person responsible for security. So what do you advise them to do?
Let’s consider some of the legislation: the Data Protection Act 1998 (DPA), for example. This is primarily concerned with companies that deal with the public and that hold "personal information" about them in some sort of organised filing system. If such data is held then the individual has the right to request copies of such data and this has to be produced within 40 days. So if you’re a B2B company and don’t deal with members of the public you don’t have to worry about it, right? Wrong, I’m afraid. The definition of ‘personal data’ applies to any individual, including your contact lists of your own suppliers and your own employees and ex-employees. So if you keep records of who your contacts are or records of your employees’ salary details (as you surely must) then the DPA applies. And it applies to any email or other electronic communication containing such personal information, and to paper files if they are stored in an organised and retrievable form.
There are other pieces of legislation that may require you to store electronic communications anyway, such as the Financial Services and Markets Act, or (if you do business in the USA, or with US companies) the rules of the Securities and Exchange Commission (SEC). Following Enron, the Sarbanes-Oxley Act in the USA, whose equivalent over here is going to be new legislation on audit rights over companies, is all about accounting for revenue accurately. In order to do this, and to show your auditors that you have done this correctly, you will have to record and keep information.
Roughly what these pieces of legislation require, if they apply to your company, is that all electronic communications that are in any way related to your business must be stored for at least three years (the length of time required varies) in a form that cannot be changed or modified. They don’t require easy retrieval, but if you are asked to produce a particular email then you don’t want it to cost a fortune. EDS didn’t think about that when they were recently required to produce some emails for a court action in the USA. They estimated the cost of actually finding and retrieving the particular emails at $4.7m!
Then there’s the issue of what you’re entitled to look at and keep. Under the Regulation of Investigatory Powers Act 2000, monitoring and storing employees’ private emails (if you allow them reasonable private use of business systems, as most organisations do) is a breach of statutory duty unless you have their consent and the consent of the sender or recipient of those emails. This appears to contradict the requirements of some of the legislation we’ve already discussed. However, there are circumstances in which NOT monitoring and storing emails may also infringe an employee’s rights. Suppose one of your employees is sexually harassing another by email, and the victim takes you to an employment tribunal alleging that you allowed harassment in the workplace: if you haven’t recorded the emails then it could be argued that you haven’t taken steps to protect them. Of course, the allegation of sexual harassment could itself be malicious, and if you haven’t recorded email conversations then you won’t be able to produce evidence to demonstrate that either.
The answer here is to monitor and record, but you must inform your employees that you are doing so and include this in your communications policy and state that their first use of business systems for private use will be their deemed consent to your monitoring. This allows them to make an informed decision about whether or not they want to send and receive private emails at work. This procedure is really easy for your employees but how do you get the consent of the senders or recipients of their emails? Look at what the international and city firms of solicitors are doing. They put a statement at the end of all their emails warning that they will monitor emails in serious cases and that continued email correspondence with their employees in a private capacity will be deemed consent to the monitoring by the senders and recipients. The same holds good for visiting unacceptable internet sites.
There is a range of relatively low-cost products on the market to help you do this. They range from ‘blocking and filtering’ products that try to stop people accessing unsuitable websites and prevent the sending or receipt of unsuitable, illegal or confidential material, through to "monitoring and alerting" systems that allow all the traffic but monitor it, alert on suspicious behaviour, and record what you select (you’re unlikely to want to record spam, for example). The disadvantage of blocking and filtering products is that they can never be 100 per cent effective: ingenious employees will always find a way round them, and they don’t collect evidence to be produced subsequently, since they prevent the very activity you may want to detect.
For the cost of a few pounds per employee you can implement a monitoring, alerting and recording system that will help you comply with many of the laws and regulations, demonstrate that you are taking reasonable steps to protect your employees, your customers and your business, and hopefully keep your directors out of jail. It would be best to choose one that actually examines the content of the electronic communications, so that you can choose to store what is relevant, and you can retrieve it cheaply, quickly and easily. You need to be clear with your employees on what you’re doing and why. You may even find that their behaviour changes because they know they’re being monitored, and you get other benefits such as reduced bandwidth requirements and greater staff productivity!
Chronicle Solutions (UK) PLC is exhibiting at Infosecurity Europe 2005. Now in its tenth year, the information security event provides an education programme, new products and services, more than 250 exhibitors and 10,000 visitors. Held from April 26 to 28 in the Grand Hall, Olympia, it is for IT professionals involved in information security.