There are many pieces of legislation and regulation that have some impact on our security, monitoring and data retention policies. Some apply only to businesses dealing with consumers, and some are specific to certain industries.
Much of this legislation is vague or hard to interpret, some of it does not account for recent changes in technology; some of it even appears to contradict other legislation and much of it has no current case-law to clarify how it should be interpreted. How do IT security professionals pick their way through this forest of legislation and implement a practical security, monitoring and data retention solution that is likely to keep them, and their directors, out of jail without bankrupting the company?
"The good thing about standards is that there are so many to choose from!" This senior figure in the IT industry was being somewhat sarcastic about the attempts of the industry to help its customers by standardising on certain user interfaces and operating systems. The legal framework within which we operate is rather like that, only you cannot choose which laws you want to comply with; the penalty for getting it wrong varies from a small fine through to significant costs and imprisonment of directors.
The legislation affects many different areas of our business. In all but the smallest there is more than one person responsible: HR, accounts, legal, security and compliance managers all bear some responsibility. They will inevitably end up in the IT department talking to the person responsible for security. So what do you advise them to do?
Let us consider some of the legislation: the Data Protection Act 1998 (DPA), for example. This is primarily concerned with companies that deal with the public and that hold 'personal data' about them in some sort of organised filing system. If such data is held then the individual has the right to request copies of such data and this has to be produced within 40 days. So if you are a B2B company and do not deal with members of the public you do not have to worry about it, right? Wrong, I am afraid. The definition of 'personal data' applies to any individual, including your contact lists of your own customers, suppliers, employees and ex-employees. So if you keep records of who your contacts are or records of your employees' salary details (as you surely must) then the DPA applies. And it applies to any e-mail or other electronic communication containing such personal information and to paper files if they are stored in an organised and retrievable form.
There are other pieces of legislation that may require you to store electronic communications anyway, such as the Financial Services and Markets Act, or (if you do business in the USA, or with US companies) the rules of the Securities and Exchange Commission (SEC). Following ENRON, the Sarbanes Oxley Act in the USA whose equivalent over here will be new legislation on audit rights over companies, is all about accounting for revenue accurately. In order to do this and to show your auditors that you have done this correctly, you will have to record and keep information.
Roughly what these pieces of legislation require, if they apply to your company, is that all electronic communications that are in any way related to your business must be stored for at least three years in a form that cannot be changed or modified. They do not require easy retrieval, but if you are asked to produce a particular e-mail then you do not want it to cost a fortune. EDS did not think about that when they were recently required to produce some e-mails for a court action in the USA. They estimated the cost of actually finding and retrieving the particular e-mails at $4,7m!
Then there is the issue of what you are entitled to look at and keep. Under the Regulation of Investigatory Powers Act 2000, monitoring and storing employees' private e-mails (if you allow them reasonable private use of business systems as most organisations do) is a breach of statutory duty unless you have their consent and the consent of the sender or recipient to or from your employees. This appears to contradict the requirements of some of the legislation we have already discussed. However, there are circumstances in which NOT monitoring and storing e-mails may also infringe an employee's rights. Suppose one of your employees is sexually harassing another by e-mail, and the victim takes you to an employment tribunal alleging that you allowed harassment in the workplace... if you have not recorded the e-mails then it could be argued that you have not taken steps to protect them. Of course, the allegation of sexual harassment could itself be malicious, and if you have not recorded e-mail conversations then you will not be able to produce evidence to demonstrate that either.
The answer here is to monitor and record, but you must inform your employees that you are doing so: include this in your communications policy and state that the first use of business systems for private use will be their deemed consent to your monitoring. This allows them to make an informed decision about whether or not they want to send and receive private e-mails at work. This procedure is really easy for your employees but how do you get the consent of the senders or recipients of their e-mails? International and city firms of solicitors put a statement at the end of all their e-mails warning that they will monitor e-mails in serious cases and that continued e-mail correspondence with their employees in a private capacity will be deemed consent to the monitoring by the senders and recipients.
The same holds good for visiting unacceptable Internet sites.
For the cost of a few pounds per employee you can implement a monitoring, alerting and recording system that will help you comply with many of the laws and regulations, demonstrate that you are taking reasonable steps to protect your employees, your customers and your business, and hopefully keep your directors out of jail. It would be best to choose one that actually examines the content of the electronic communications, so that you can choose to store what is relevant, and you can retrieve it cheaply, quickly and easily. You may even find that the behaviour of your employees changes because they know they are being monitored, and you get other benefits such as reduced bandwidth requirements and greater staff productivity!
© Technews Publishing (Pty) Ltd | All Rights Reserved