An organisation might employ the most sophisticated technology and develop meticulous compliance procedures, but its exposure to Internet risks will remain inadequately addressed unless the operational use of Internet technologies is effectively managed. The types of operational risk that might arise were discussed in Chapter 4.
Operational controls help to protect directors, partners, personnel and the organisation as a whole from exposure to liability, while at the same time helping to identify any steps to minimise the impact of risks. Controls define the organisation’s expectations of the use of Internet technologies. Without a policy defining their acceptable and unacceptable use, an organisation may find it difficult to discipline an employee legally.
An organisation should have policies which amount to a framework for the guidance of all personnel in the way they use Internet technologies. There is no universally appropriate set of policies because organisations differ from one another in their use of Internet technologies.
Policies may be placed on the firm’s Intranet, included as a section in an office procedures manual or included as part of each employee’s contract of employment. However this is approached, it is important that the policy is easily accessible to all employees. A sensible approach is to ensure that the policy is explained to each new employee on induction.
The policy should be a framework governing an employee’s use of Internet technologies and establishing the legal relationship of the parties in much the same way as a contract of employment. It should contain reference to disciplinary sanctions. The policy should be drawn with care with the possibility in mind that its production may be required in legal proceedings.
This section identifies some key components for inclusion in an Internet technology security policy. By selecting relevant components, it should be a relatively simple task for an organisation to create and develop its own suite of policies as its use of Internet technologies develops to meet consumer demand.
Why is an Internet technology security policy necessary? A policy, drawn up to meet organisational requirements, serves a number of purposes:
• the protection of directors, partners, personnel, and the organisation as a whole from exposure to liability;
• the identification of difficulties and steps to minimise any impact on the organisation;
• the definition of an organisation’s policy in respect of the use of Internet technologies;
• the promotion of awareness and the establishment of good practice.
Helpful general guidance in this area is provided by the Internet Watch Foundation, established in 1996 by ISPs to prevent criminal activity on the Internet and assist users in developing procedures to avoid damaging activities (www.iwf.org.uk).
Simple but important principles – a mixture of good practice and common sense – should be applied to the introduction and implementation of any Internet use policies. They apply to all the policies discussed in this section, with the exception of monitoring, which applies only to employee e-mail and Internet use policies.
Andrew Rose of Clifford Chance explains the firm’s approach to Internet use policies:
The firm is keen to ensure that personnel follow approved procedures when using Internet technologies. Although there is always an appetite for a very detailed and comprehensive policy set, we found that such a solution could be ineffective; policies were too detailed for staff to remember, too specific to various scenarios, and required constant revision and enhancement. Furthermore, with the amount of content required to cover all eventualities, the policy set could become fragmented and include a mix of policies, procedures and guidelines which were confusing to end-users.
The lesson learned was that documentary guidance for staff should be relatively high level and easily accessible. The firm’s Internet use policies are now posted on the Intranet and are reviewed quarterly. Personnel are issued with an information security handbook which is reviewed during induction training; then we rely on their common sense.
It is sensible to include the views of others in, and connected with, the organisation when creating a policy. All departments and individuals, including junior personnel, should be consulted. Customers and clients might also be involved as consultation will ensure the policy is convenient for them as well as demonstrating commitment to consumer interests.
A policy is unlikely to be effective, unless it is properly communicated and promulgated throughout the organisation. If the consultation exercise has been adequate, there should be sufficient awareness. The most obvious way of communicating a policy is the publication of a formal document. Some organisations may incorporate this in employees’ contracts of employment, or require employees involved to sign a separate policy. Other methods might include posting on the firm’s Intranet, and conducting seminars and workshops.
A policy is unlikely to be useful if it is difficult to interpret or apply. A policy document, especially one dealing with cyber risks, is most likely to be consulted in a crisis, and its guidance and instructions should therefore be clear and accessible. It is worth remembering that the policy may be referred to by a relatively junior member of staff, so that in an emergency clarity is vital.
The legal position in respect of monitoring employee use of e-mail and the Internet was examined in Chapter 9. The key issue is that if monitoring is to occur, the employee(s) concerned must be informed. Any employee who is to be monitored should be informed, for instance, that e-mail use and Internet access may be monitored periodically and that software may be employed for the purpose. This notice should appear in the policy itself and in any contract of employment. Some useful steps might be to:
• inform personnel that privacy of use does not apply to Internet technologies in business hours or in the course of employment;
• inform personnel that inspection will take place periodically;
• inform personnel that unacceptable sites may be blocked;
• warn personnel to disconnect from any site containing unacceptable material;
• inform personnel that stored e-mail may be inspected periodically.
Most components of an Internet technology security policy involve, in some way, the processing of personal data. Underlying all Internet activity is the need to ensure compliance with the DPA. In view of the ease with which personal data can be transmitted, it is important that employees using Internet technologies have a general awareness of its provisions and the need for compliance. Examples of particular categories of employees concerned would include those involved in marketing activities and management of the firm’s website, in both of which cases information is frequently gathered from visitors.
An employee who is required to observe policies and procedures in the workplace should be aware of how the policy is to be administered. The policy should, therefore, set out the framework for the management of the organisation’s Internet technology security policy. It should identify, for instance, responsibility for implementing the policy, staff training procedures, disciplinary offences and sanctions, and dispute resolution procedures.
Richard Spooner of Baker Tilly comments on the firm’s approach to use policies:
The (Internet risk) management structure is supported by a computer usage policy which governs access controls, physical controls, the security of e-mail and the encryption of data, for instance, on USB memory sticks.
It is a comprehensive resource and there is a provision in the contract of employment of all staff that they will observe the firm’s code of conduct in this respect. While there is no formal staff monitoring to ensure compliance, there are IT controls that monitor, for instance, e-mail, for inappropriate content and abuse. Beyond this, staff are expected to behave responsibly and any serious breach is referred to the HR department for disciplinary action.
Some key features of the more important Internet security policies are outlined below.8 They are not comprehensive, because every organisation will have particular requirements and preferences. However, they may serve as a baseline from which to develop policies which can then be tailored to the organisation’s needs.
The policies considered are for:
• use of e-mail;
• use of the World Wide Web;
• use and operation of websites;
• management of the delivery of electronic services;
• business continuity and disaster recovery issues;
• Web 2.0 and social networking.
Use of e-mail
The issues to be addressed in an e-mail use policy can practically be considered in the following categories: business use of e-mail; personal use of e-mail; e-mail security; legal implications of e-mail; and e-mail notices.
Business use
The policy should establish standards of conduct expected of all those using e-mail in the workplace and can be divided into categories. The first category addresses the potential for exposure to legal liability. The policy should contain guidance on the need to avoid breaches of confidentiality, negligent misstatements and unsupervised conclusion of online contracts.
The second category concerns the handling of e-mail in the course of business. The policy should set out the position on accepting instructions by e-mail; stating the sender’s identity and position in the organisation; professional undertakings given by e-mail; the preferred style and content of e-mail communications; forwarding e-mail and the checking of e-mail during a recipient’s absence.
The third category addresses the subject of e-mail. The policy should address offensive, obscene, harassing, threatening or defamatory e-mail content including attachments; the despatch of unsolicited e-mail; unauthorised participation in discussion groups and social networking sites; and interfering with others’ e-mail without permission.
Personal use
The policy should state whether or not the use of e-mail for personal use is acceptable. If permitted, the policy should stipulate the circumstances in which personal use is allowed. There are two areas to address.
The first concerns use prejudicial to the organisation. The policy should prohibit personal use amounting to commission of a criminal offence, causing loss or damage to the organisation and infringing the rights of other employees. The second concerns the abuse of personal e-mail. The policy should specify that personal use must be on a reasonable scale and not for personal financial gain.
E-mail security
The policy should establish the measures to be taken to ensure that, where necessary, e-mail is secure from interference or corruption. The policy should contain instructions in the following areas: encryption procedures, virus defence, and e-mail storage.
The policy should contain instructions for the use and application of encryption procedures, and the need to consult recipients and review encryption requirements regularly.
The policy should contain instructions to address the risk of virus intrusion; specifically procedures for scanning incoming e-mail, the opening of attachments from unfamiliar sources and the use of any installed anti-virus software.
The policy should contain instructions for the storage of e-mails both sent and received, and procedures for ensuring that stored e-mails are secure from unauthorised access. While there is no time specified for the retention of archived e-mail, data protection provisions require a balance to be achieved between retaining information for no longer than is reasonably necessary, and ensuring that data subjects have access to any information to which they might be entitled under the DPA.
Legal implications of e-mail
The use of e-mail in the course of business has legal implications in the same way as traditional correspondence. The issues that arise can be considered in two categories. The first category addresses the validity of e-mail in legal proceedings. The policy should remind users that e-mail may be admissible in evidence and that computer records might be admissible in legal proceedings.
The second category addresses the need for e-mail to conform to legal and professional requirements. The policy should remind users that, where required to do so, the form of e-mail should comply with the Business Names Act 1985, the Companies Acts, and relevant business and professional codes.
E-mail notices
There are various situations in which an organisation may wish to endorse e-mail with one or more conditions relating to their despatch. Typical notices concern confidentiality, copyright and viruses. Where an organisation requires such notices to appear on e-mail, the policy should specify which notices and the terms in which they should appear.
Some e-mail notices attempt to disclaim liability for the content of the message. Disclaimer clauses are subject to the test of reasonableness. In addition, endorsing advice given to a consumer with such a notice is not likely to engender confidence in the organisation.
Many organisations place notices on e-mail in respect of precautions taken by themselves and those to be taken by the recipient. The object is an attempt to avoid any legal liability that may arise for the transmission of a virus.
Notices in respect of the formation of online contracts also appear on e-mail. These might typically state that the views expressed in the e-mail are those of the author only and do not represent the enterprise, unless specifically stated; and the author has no authority to enter into or conclude a contract by e-mail.
E-mail notices do not automatically carry legal validity. This is ultimately a matter of interpretation by the courts, and there may well be instances in which they are found not to be binding. Most notices of this type are subject to the test of reasonableness.
Use of the World Wide Web
Business use
The policy should establish principles of conduct that are expected of employees in the workplace. There are three areas requiring specific mention: social networks/discussion groups, downloading material and inappropriate material.
The policy should specify that only authorised personnel should take part in discussion groups and that when participating in such activities, unauthorised release of information will be a disciplinary offence.
The policy should state that when downloading material, this must be for business use only, and that downloaded material becomes the property of the firm. A requirement for virus-scanning procedures to be undertaken when accessing and downloading material should also be included.
The policy should specify that sexually explicit and other material inappropriate to the workplace should not be downloaded, stored or distributed. The policy might also stipulate that accidental connection to a site containing unacceptable material must be terminated immediately.
Personal use
The firm must decide whether to permit use of the Internet for personal reasons. The legal position was explained in Chapter 9. If personal use is permitted in the workplace, the policy should specify any personal or non-business use that is permitted.
Security
The policy should detail the security measures installed to protect against unauthorised or hostile intrusion. The policy should state the firewall technology employed, how the firewall should be used and the business functions that it permits, together with a notice that attempts to circumvent the firewall may result in disciplinary procedures.
The policy should stipulate requirements in respect of passwords. Passwords are easily shared, guessed or captured, so the policy should be as specific as possible about their selection, use and protection.
Former employees
Disaffected former employees pose a particular threat. Some issues to consider include making regular security checks of the network perimeter, promptly disabling former employees’ accounts and remote-access connections, and ensuring that all laptop computers are returned by employees leaving the firm.
Use and operation of websites
A policy governing the use and management of the website is advisable both to guide personnel and to enable more effective management of relationships with casual visitors, consumers and others visiting the site.
Content
The policy should specify procedures that ensure content is accurate and legally up to date. There should be procedures established for checking that the site content has not been interfered with, or the site itself defaced. These procedures should be specified and responsibilities assigned.
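One concrete way to implement the check that site content has not been interfered with is to record a cryptographic digest of every published file and compare the live site against that record on a schedule. The following is an added example written for this page, not code from the original text or from any product; the directory layout, file names and the simulated defacement are constructed for the demonstration.

```python
"""Added example: baseline-and-verify integrity check for published web content.
Hypothetical helper code written for this page; paths and sample files are constructed."""
from __future__ import annotations

import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large assets are not loaded into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict[str, str]:
    """Map every file under root (as a relative POSIX path) to its digest."""
    return {
        p.relative_to(root).as_posix(): hash_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Classify differences; any non-empty list indicates unauthorised change."""
    return {
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


def save_baseline(baseline: dict[str, str], path: Path) -> None:
    path.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(path: Path) -> dict[str, str]:
    return json.loads(path.read_text())


def verify_site(root: Path, baseline_path: Path) -> dict[str, list[str]]:
    """Run one verification pass of the live tree against a previously saved baseline."""
    return compare(load_baseline(baseline_path), build_baseline(root))


def demo() -> dict[str, list[str]]:
    """Constructed scenario: publish a site, baseline it, then simulate a defacement."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "htdocs"
        (root / "css").mkdir(parents=True)
        (root / "index.html").write_text("<h1>Welcome</h1>")
        (root / "css" / "site.css").write_text("body { color: #000; }")

        # In practice the baseline is stored off the web host, otherwise an
        # attacker who can alter the site can also alter the record of it.
        baseline_path = Path(tmp) / "baseline.json"
        save_baseline(build_baseline(root), baseline_path)

        # Simulated interference: a page rewritten, an unexpected script dropped in,
        # and a legitimate asset deleted.
        (root / "index.html").write_text("<h1>Defaced</h1>")
        (root / "upload.php").write_text("<?php /* unexpected file */ ?>")
        (root / "css" / "site.css").unlink()

        return verify_site(root, baseline_path)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The baseline must be regenerated as part of every authorised content release, and kept somewhere the web server cannot write to; a check that reads its reference values from the same host it is checking can be silenced by the same intrusion it is meant to detect. A non-empty result should feed the incident procedure the policy assigns, not merely be logged.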
A disclaimer is published on a website to draw visitors’ attention to the fact that the information on the site is not comprehensive and that further information and guidance may be appropriate. A policy should state that the website must contain a statement for visitors to the effect that information and advice posted on the site is accurate to the best of the organisation’s belief, that no liability can be accepted for action taken as a result of visiting the site, and that visitors should realise that individual circumstances differ and that further advice is appropriate before action is taken. The legal validity of disclaimers was discussed in Chapter 9.
Jurisdiction
The policy should require a statement to be posted on the site to the effect that advice and information is given on the basis of the law of England and Wales, or whatever other jurisdiction is appropriate.
Linking
Difficulties that can arise in respect of linking to other sites were considered earlier. There should be a settled and defined policy in respect of links with other sites.
First, the policy should provide for a written agreement to be in place, establishing the terms and conditions on which the site will agree to be linked to another site. Second, there should be a policy document establishing the terms and conditions of any agreement to accept a link from another site. Third, there should be a disclaimer in respect of unlawful or unsuitable material on the linked site.
Copyright
Protection is required in respect of information and advice posted on the site, and also to ensure that personnel do not use material from another site without permission.
The policy should, therefore, require that copyright notices are displayed in respect of any material for which copyright is to be retained. Conversely, the policy should require there to be a written agreement for the use by the organisation of any material published on another site.
Security of data
It is helpful and reassuring for visitors to be informed of the steps taken to ensure security where information is to be supplied through a website. The policy for management of the organisation’s site should specify the security measures in place and any procedures for their review and update.
Many data protection notices simply state that information and data collected from visitors to the site will be held in compliance with the DPA. A privacy policy should contain more detail. It is suggested that the following information should be given: the fact that personal data is being gathered; how the personal data will be used; with whom, if anyone, the personal data will be shared; whether the personal data will be exported outside the European Union; the data subject’s choices regarding the use of the collected data; safeguards in place to protect against loss of, or damage to, collected data; procedures for amendment and updating; the right to opt out of marketing mailings; and the identity of the data controller.
Delivery of electronic services
A policy for the delivery of legal services electronically should address the following issues: the need for legal compliance, the content of contracts for the supply of services, and provisions governing electronic payments.
Legal compliance
The policy should identify the legal, regulatory and professional provisions governing the services delivered electronically. These include reference to basic consumer legislative and regulatory provisions applicable to traditional services. They will also specify legislative and regulatory provisions applicable to the Internet, as discussed earlier. The policy should ensure that each employee concerned is equipped with sufficient knowledge required for adequate compliance. The policy should also specify the jurisdiction and applicable law that will govern any contracts into which the firm might enter for the provision of online services.
Contracts
The policy should establish the terms and conditions upon which services are provided electronically, and display these appropriately on the website. It should contain the procedures concerned in supplying services electronically and any provisions seeking to limit liability.
The policy should specify the services to be provided, accompanied by a statement that the availability of a particular service does not constitute an offer, but merely an invitation to treat. The policy should also specify the information required under the Consumer Protection (Distance Selling) Regulations 2000 and any documentary evidence of the transaction to be retained as a record of any transactions conducted online.
The policy should address liability in respect of any ancillary services supplied through a linked site and specify that in respect of all transactions, the law of England and Wales (or as appropriate) will apply.
Electronic payments
It is important that those in the organisation who might be responsible for collecting and administering electronic payments are familiar with the PCI Data Security Standard. It is also sensible to inform consumers who are using the service how it is administered so as to provide reassurance over questions of privacy and security.
The policy should specify the measures in place; for example, the association with any electronic payments software supplier, and compliance with the PCI Data Security Standard. The policy should also state the security systems in place to ensure security of transactions taking place online.
Data management
The risks arising from mismanagement of data were considered earlier. In documenting a data management policy, certain issues should be addressed.
Data type
Consideration should be given to the type(s) of data being collected and stored. There might be various categories such as marketing, financial and ‘personal interest’ or family data. Some data might be ‘sensitive’ data within the meaning of the DPA. The policy should specify the measures to be taken to protect specific categories adequately.
Accuracy
Procedures should be specified in the policy to ensure that any data collected is both up to date and accurate. These will include the need to review data sources, and checking and storage procedures, as well as reviewing old data.
Security
The policy should state the measures in place to ensure safe storage of data and any procedures to be adopted for its transfer (such as obtaining consents), together with any precautions to be taken to prevent unauthorised access and transfer, whether internal or external. These measures should include both the technologies to be employed and the nomination of any personnel and their responsibilities with regard to the authorised handling of data.
The policy should identify the methods by which data is collected (for instance, through the organisation’s website, by e-mail or by an extranet), and procedures to be adopted for its safe storage. The policy should specify procedures to be adopted for data subjects to ‘opt out’ of providing personal data, and those to ensure that data collected and held cannot be passed to third parties without authority.
The policy should identify procedures to be observed for obtaining any necessary consents in respect of its use or its release in the ordinary course of business or in response to legal proceedings. Procedures should be specified governing the handling of requests by data subjects for access to data; the correction and updating of data; and the storage, removal or deletion of data.
Implementation and compliance
The policy should set out the steps taken to ensure compliance. These are likely to include the need to document the technology to be employed and procedures to be adopted.
The policy must be promulgated, so that personnel with specific responsibilities are clearly identifiable to other personnel and all personnel are aware of the need to comply with certain procedural requirements.
The policy should establish the steps to be taken for personnel education and training, and the procedures for raising awareness of new legal and technological developments that may affect compliance issues.
Business continuity and disaster recovery
The risks arising from incidents that affect the ability of an organisation to function were considered earlier. Steps should be taken to ensure that in the event of such incidents, responsibilities and accountabilities for managing the situation are clearly defined and understood.
Committee
A committee should be formed of senior management representatives supported by specialists in IT, compliance and operational issues. Thought should be given to its composition, the qualifications and experience of its membership, and its remit on identifying, categorising and managing the risk.
Function
The committee’s function will vary according to the requirements of each organisation but might include:
• identification of data needed for the organisation to function;
• identification of IT systems and networks for the organisation to provide a basic service;
• introduction of systems for retrieval of data;
• devising procedures for identifying solutions and their deployment and management;
• ensuring the availability of, and access to, any necessary documentation;
• allocating responsibilities in key areas of the organisation for the continuing operation of the organisation while the incident is addressed;
• devising recovery procedures and promulgating these throughout the organisation.
Web 2.0 and social networking
The rapid growth of social networking has resulted in this type of technology insinuating itself into the workplace. Employees familiar with social networking technologies routinely communicate with colleagues through these sites, both in and outside working hours. The popularity of social networking puts pressure on organisations to allow at least some use of this type of communication in the workplace.
The threats arising from social networking were discussed earlier. They expose an organisation to considerable risk because such sites may be associated with activities such as gambling, pornography, illegal software downloads and the posting of defamatory material.
Technology
As a matter of course, any policy should include provision for the use of technology that addresses the potential danger of employees accessing such sites. Technology is available that will check and filter malicious websites hosting both suspicious code and content.
The application of this technology should be supported by a rigorous policy of identity and access management, controlling the numbers and categories of employee who are permitted access to social networking sites. There are various controls that can be implemented. Controls may be imposed, for instance, by group, by department, or even by timing – by authorising access for non-business purposes at certain times, for example during lunch hours.
Employee behaviour
The somewhat anarchic development and use of social networking sites demands that employers should have clear and comprehensive guidelines for employees in their use of this method of communication. Specific issues on which an employer should provide guidance include:
• the type of data and illustrations to be posted;
• verification as to the identity of other users and contacts;
• the need for awareness of sensitive and personal data;
• the need for awareness of the potential for reputational damage to an organisation, and criminal and civil implications in respect of casual posting of information;
• the need to preserve confidentiality of personal data, both individual and organisational;
• the need to preserve confidentiality in respect of personal identity and passwords.
The use of social networking sites is a clear example of a situation where an organisation may wish to monitor the activities of its employees. The legal position regarding monitoring in these circumstances was considered in Chapter 9. Any policy that involves monitoring should state clearly that this is taking place, so that employees are fully aware of the position.
As organisations develop the provision of Internet-based goods and services, consideration should be given to developing a suite of policies, or protocols, identifying and specifying the organisation’s ‘best practice’ requirements regarding the use of Internet technologies.
Remote working and portable devices
The increasing trend for organisations to employ remotely located personnel using portable IT devices increases the need for clear and comprehensive guidance in this area. Specific issues on which an employer might consider providing guidance include requirements to:
• ensure the physical security of laptop computers and other portable devices;
• report any loss or damage to such devices;
• ensure that all data stored on any portable device is encrypted to an adequate standard, whether at file, folder or hard-disk level;
• back up all stored data at server level;
• ensure compliance with the organisation’s identity and access management policy in respect of the use and management of passwords and sign-in and log-in procedures;
• apply protective measures to secure data stored on portable devices, such as a firewall, anti-virus, anti-spyware and anti-adware protection, together with procedures for keeping them updated.
In the case of USB devices, advice and guidance should be issued governing the circumstances of their use, the need to encrypt stored data, the need for central management and the requirement to back up data.
As Internet technologies develop, the need to maintain and develop a suite of policies will increase. This function should be assigned to the organisation’s risk management committee. This committee is best placed to identify the risks in each case and, therefore, to recommend strategies for their management.
Insurance
In support of the management of its technology, compliance and operational procedures, an organisation’s risk management processes may involve the transfer of its Internet risks to a specialist insurer. There are many and various brokers and underwriters now offering cover for this type of risk.
Typical areas for which cover is offered include:
• infringement of intellectual property rights;
• defamation;
• protection against reputational damage;
• misleading advertisements;
• breaches of confidentiality (for example, as a result of data breaches in respect of employees, clients and consumers);
• damage to systems, networks and computer hardware and software (for example, as a result of hacking intrusions or virus attacks);
• compensation for loss of revenue as a result of business continuity failure;
• breaches of statutory duty (for instance, non-compliance with certain e-commerce provisions);
• in certain cases, legal expenses insurance.
There is no uniform policy since the requirements of each organisation differ and specialist insurers may provide cover for individual risks. Further, a set of circumstances which may pose a significant risk for one organisation may be comfortably managed by another.
In each case, an organisation should return to its risk assessment and management plans and identify the critical risks to which it is most exposed and seek cover accordingly.
8 Certain passages have been drawn from protocols contained in the Internet Policies Toolkit, published by the Law Management Section of the Law Society.