IT Security

 


Make IT security one of your top priorities

If your business depends on electronically-stored information, ignoring the factors which may compromise its security can have catastrophic effects. The consequences can include legal liabilities, financial loss and diminution of investor confidence. You only have to bear in mind the initial hitches with the launch of the Nectar loyalty card to get some idea of the magnitude of the problem!

Last year, the Department of Trade and Industry examined the issues attaching to information security.  This has resulted in a survey which recognises the growing priority attached to information security by UK businesses of all kinds and the growing spectrum of risk.

Amongst the risks identified, computer viruses can do the most damage in spite of the use of anti-virus software. It is said, however, that the biggest problems ultimately stem from employees. Your staff can be responsible for malicious as well as accidental security breaches, although technical and environmental factors may also play a part.

The legal problems arising from IT security breaches which we commonly encounter as lawyers might be summarised as follows:

  • Breaches of data protection legislation which may result in compensation claims or criminal penalties. The DTI survey found that only 48% of businesses had documented data protection compliance procedures in place.
  • Data protection law is changing! You should be aware of the provisions of the Privacy and Electronic Communications Directive, which deals with security and confidentiality requirements of electronic communications, including spamming and the use of "cookies" and other spyware.
  • It is sadly still the case that the outsourcing of IT application maintenance, website hosting etc. is all too often granted to poor service providers. In addition to the careful appointment of providers and monitoring of their professional quality, protective contractual terms must always be put in place. Just one appropriate term might be the reservation of a right to carry out penetration testing of the outsourced provider's systems.
  • Content acquired and exchanged between parties will almost certainly contain third party-owned intellectual property, such as trade marks, copyright and database right. Materials are sometimes appropriated or are made accessible with little thought of the existence of intellectual property rights in them. It goes without saying that permission or formal licence needs to be obtained from the rights owners if use is intended to be made of their intellectual property.
  • Other "content" liabilities may arise, such as defamation (for which an employer of a person who circulates a defamatory email could be liable) or other misuse of the Internet through the publication of obscene material or racially or sexually harassing statements.
  • Transactional websites for e-commerce must keep confidential information such as credit card details secure. The survey found that 51% of such websites encrypt electronic transactions. The Electronic Communications Act 2000 deals with the provision of cryptography services and the verification of electronic signatures but its main provisions have yet to be brought into force. Well-drafted terms and conditions are an absolute necessity for e-commerce sites, whether B2B or B2C.

Much has been said recently regarding the increasing focus on proper corporate governance. IT security issues must of necessity be tackled if businesses are to thrive and even survive. Many companies do plenty, but they often fail to see the necessity of going the "extra mile" to ensure that all of their IT systems and procedures are secure in all respects.

The protection of electronically-processed information assets against loss, misuse, unlawful disclosure or damage can be achieved by the implementation of a battery of measures. These might be technical measures, such as firewalls, and procedural ones, like staff training and awareness programmes and the implementation of a monitored IT security policy, but it is first necessary to obtain a comprehensive understanding of all the risks.