Picking your way through the legal minefield

February 2005 Security Services & Risk Management

There are many pieces of legislation and regulation that have some impact on our security, monitoring and data retention policies. Some apply only to businesses dealing with consumers, and some are specific to certain industries.

Much of this legislation is vague or hard to interpret, some of it does not account for recent changes in technology; some of it even appears to contradict other legislation and much of it has no current case-law to clarify how it should be interpreted. How do IT security professionals pick their way through this forest of legislation and implement a practical security, monitoring and data retention solution that is likely to keep them, and their directors, out of jail without bankrupting the company?

"The good thing about standards is that there are so many to choose from!" This senior figure in the IT industry was being somewhat sarcastic about the attempts of the industry to help its customers by standardising on certain user interfaces and operating systems. The legal framework within which we operate is rather like that, only you cannot choose which laws you want to comply with; the penalty for getting it wrong varies from a small fine through to significant costs and imprisonment of directors.

The legislation affects many different areas of our business. In all but the smallest there is more than one person responsible: HR, accounts, legal, security and compliance managers all bear some responsibility. They will inevitably end up in the IT department talking to the person responsible for security. So what do you advise them to do?

Let us consider some of the legislation: the Data Protection Act 1998 (DPA), for example. This is primarily concerned with companies that deal with the public and that hold 'personal data' about them in some sort of organised filing system. If such data is held then the individual has the right to request copies of such data and this has to be produced within 40 days. So if you are a B2B company and do not deal with members of the public you do not have to worry about it, right? Wrong, I am afraid. The definition of 'personal data' applies to any individual, including your contact lists of your own customers, suppliers, employees and ex-employees. So if you keep records of who your contacts are or records of your employees' salary details (as you surely must) then the DPA applies. And it applies to any e-mail or other electronic communication containing such personal information and to paper files if they are stored in an organised and retrievable form.

There are other pieces of legislation that may require you to store electronic communications anyway, such as the Financial Services and Markets Act, or (if you do business in the USA, or with US companies) the rules of the Securities and Exchange Commission (SEC). Following ENRON, the Sarbanes Oxley Act in the USA whose equivalent over here will be new legislation on audit rights over companies, is all about accounting for revenue accurately. In order to do this and to show your auditors that you have done this correctly, you will have to record and keep information.

Roughly what these pieces of legislation require, if they apply to your company, is that all electronic communications that are in any way related to your business must be stored for at least three years in a form that cannot be changed or modified. They do not require easy retrieval, but if you are asked to produce a particular e-mail then you do not want it to cost a fortune. EDS did not think about that when they were recently required to produce some e-mails for a court action in the USA. They estimated the cost of actually finding and retrieving the particular e-mails at $4,7m!

Then there is the issue of what you are entitled to look at and keep. Under the Regulation of Investigatory Powers Act 2000, monitoring and storing employees' private e-mails (if you allow them reasonable private use of business systems as most organisations do) is a breach of statutory duty unless you have their consent and the consent of the sender or recipient to or from your employees. This appears to contradict the requirements of some of the legislation we have already discussed. However, there are circumstances in which NOT monitoring and storing e-mails may also infringe an employee's rights. Suppose one of your employees is sexually harassing another by e-mail, and the victim takes you to an employment tribunal alleging that you allowed harassment in the workplace... if you have not recorded the e-mails then it could be argued that you have not taken steps to protect them. Of course, the allegation of sexual harassment could itself be malicious, and if you have not recorded e-mail conversations then you will not be able to produce evidence to demonstrate that either.

The answer here is to monitor and record, but you must inform your employees that you are doing so: include this in your communications policy and state that the first use of business systems for private use will be their deemed consent to your monitoring. This allows them to make an informed decision about whether or not they want to send and receive private e-mails at work. This procedure is really easy for your employees but how do you get the consent of the senders or recipients of their e-mails? International and city firms of solicitors put a statement at the end of all their e-mails warning that they will monitor e-mails in serious cases and that continued e-mail correspondence with their employees in a private capacity will be deemed consent to the monitoring by the senders and recipients.

The same holds good for visiting unacceptable Internet sites.

For the cost of a few pounds per employee you can implement a monitoring, alerting and recording system that will help you comply with many of the laws and regulations, demonstrate that you are taking reasonable steps to protect your employees, your customers and your business, and hopefully keep your directors out of jail. It would be best to choose one that actually examines the content of the electronic communications, so that you can choose to store what is relevant, and you can retrieve it cheaply, quickly and easily. You may even find that the behaviour of your employees changes because they know they are being monitored, and you get other benefits such as reduced bandwidth requirements and greater staff productivity!





Share this article:
Share via emailShare via LinkedInPrint this page



Further reading:

Risk management and compliance enforcement
Security Services & Risk Management
Having a risk management and compliance programme (RMCP) is not just a procedural formality; it is a legal requirement under Section 42 of the Financial Intelligence Centre Act (FICA).

Read more...
The dangers of poor-quality solar cables
Security Services & Risk Management Smart Home Automation
Reports indicate that one in six fires attended by South African firefighters is linked to substandard solar installations, often due to faulty wiring or incompatible components.

Read more...
Growing risks for employers
Security Services & Risk Management
With South Africa’s unemployment rate exceeding 32% and expected to rise beyond 33% this year, desperation is fuelling deception in the job market. Trust is no longer a given, it is a gamble.

Read more...
Chubbsafes celebrates 190 years
Gunnebo Safe Storage Africa News & Events Security Services & Risk Management
Chubbsafes marks its 190th anniversary in 2025 and as a highlight of the anniversary celebrations it is launching the Chubbsafes 1835, a limited edition 190th-anniversary collector’s safe.

Read more...
New law enforcement request portal
News & Events Security Services & Risk Management
inDrive launches law enforcement request portal in South Africa to support safety investigations. New portal allows authorised South African law enforcement officials to securely request user data related to safety incidents.

Read more...
Continuous AML risk monitoring
Access Control & Identity Management Security Services & Risk Management Financial (Industry)
AU10TIX, launched continuous risk monitoring as part of its advanced anti-money laundering (AML) solution, empowering businesses to detect behavioural anomalies and emerging threats as they arise.

Read more...
Growing risks for employers
Security Services & Risk Management
With South Africa’s unemployment rate exceeding 32% and expected to rise beyond 33% this year, desperation is fuelling deception in the job market. Trust is no longer a given, it’s a gamble.

Read more...
Managing mining physical security risks
Zulu Consulting Security Services & Risk Management Mining (Industry) Facilities & Building Management
[Sponsored] Risk-IO, a web app from Zulu Consulting, is designed to assist risk managers in automating and streamlining enterprise risk management processes, ensuring no steps are skipped and everything is securely documented.

Read more...
SAFPS issues SAPS impersonation scam warning
News & Events Security Services & Risk Management
The Southern African Fraud Prevention Service (SAFPS) is warning the public against a scam in which scammers pose as members of the South African Police Service (SAPS) and trick and intimidate individuals into handing over personal and financial information.

Read more...
Rewriting the rules of reputation
Technews Publishing Editor's Choice Security Services & Risk Management
Public Relations is more crucial than ever in the generative AI and LLMs age. AI-driven search engines no longer just scan social media or reviews, they prioritise authoritative, editorial content.

Read more...