IT Security and your employees – a legal perspective

A good employee can be one of the greatest assets to your business, but employees can also become one of the biggest risks.  Recent research has shown that while most businesses are alert to the dangers of external security threats to their systems and have IT security to compensate for them, the greatest risk actually comes from their own employees.

This may arise from an employee who is not sufficiently aware of, or who ignores, the security policies and procedures, or more seriously, an untrustworthy or aggrieved employee, looking to compete with or cause harm to the business.

You want to ensure that your business is protected from any inappropriate actions that employees may take.  So while you may not be expecting the worst, you have to prepare for it by considering the risks, securing your IT systems and computer-based data, and complying with the legal requirements of the three key laws that relate to IT security and your employees.

Security Measures

Firstly let’s consider some obvious security measures.  To protect your systems and data against hostile attacks, you can use standard tools such as anti-virus, anti-spam and firewall software, along with running regular back-ups of important software and files.  Physical assets can be protected by implementing physical measures such as fire and flood protection, installing access controls to offices and taking out appropriate insurance.  

But, other measures may be less obvious and rely on your employees to maintain the required levels of security.  They can also have significant implications with regard to your statutory obligations under the law.  

Access to IT systems

The Computer Misuse Act (1990) was brought in to give businesses some legal redress against external security threats such as hacking and virus attacks, but it also applies to internal ‘attacks’ from employees.  The Act defines offences relating to ‘unauthorised access’ to computer systems and ‘unauthorised modification’ of computer material.   This points to the need for secure password protection and access controls in your IT systems.  For your employees the key word here is ‘unauthorised’, and it is important (and is the employer’s responsibility) to ensure that employees understand what they are and are not authorised to do.    

Secure password controls rely on your employees using them properly, for example, by not sharing passwords, and not writing them down next to their workstation – simple things, but it is surprising how often this type of security lapse occurs.  For your part, the password technology you use must be appropriate to the level of security you require and should be reviewed regularly.  You must also ensure that an employee’s passwords and access permissions are deleted immediately on termination of their employment.

Further security risks arise from the use of remote access for out-of-office working and of wireless networks, with the need for extra levels of access control as well as file and data encryption. Authentication can also be used to confirm the identity of all those accessing your systems.  

So, the Computer Misuse Act can provide you with some protection and redress, but case law in this area highlights the problems when access controls are inadequate or authorisation levels unclear.

In R v Lennon (2006), the intentions of an ex-employee were clearly to cause damage to his former employers by overloading their systems with e-mails, however, prosecution was unsuccessful, as the e-mails were not unauthorised per se.  Notably, this judgement was subsequently overturned.  In BT plc v Rodrigues (1995), the employee won a case for unfair dismissal as BT had not been clear about the consequences of his collecting passwords for computer facilities to which he was not allowed access.    

Confidentiality and Integrity of computer-based information

Maintaining minimum levels of security and confidentiality is a statutory obligation on all UK businesses, and there are legal requirements within the Data Protection Act (1998) to protect important personal information.   Put simply, you as an employer need to ensure the reliability of any employees accessing personal information, and to protect against ‘accidental loss, destruction of, or damage to personal data’ including when that data is transferred elsewhere.  Here, you must impose security measures that ensure against breaches of the eight principles of the Act, rather than just breaches of security.  The Information Commissioner (IC) can take enforcement action if breaches occur, and this could eventually lead to court action.

So, along with implementing appropriate file and data protection technology, you have to make clear to your employees what is confidential, personal, and business-sensitive information.  And that this information must be protected and not disclosed!

Often, employees do not exercise the same level of caution and attention to detail with phone calls and e-mails as they would with more formal communications, resulting in accidental disclosure.  Increasingly, hackers are using sophisticated ‘social engineering’ tactics to gain confidential information via employees over the telephone.

Unfortunately, there are also numerous examples of confidential paperwork not being disposed of securely, and of laptops being stolen or lost.  Uncontrolled use of USB memory sticks and other digital transfer media can also result in security problems.  

Confidentiality of the data in these instances could be regarded as a joint responsibility between employer and employee – but inadequate security in this area can open your business to the risk of significant fines or even prosecution.

A recent case involved an employee of Norwich Union sending a libellous e-mail, suggesting that one of NU’s major competitors was in financial difficulties.  NU was found liable and had to pay damages of nearly half a million pounds.  

Under the Data Protection Act, mobile operator Orange was found by the Information Commissioner to have breached the security requirements of the Act as new members of staff were allowed to share usernames and passwords when accessing the company’s IT systems.  Recently,the Nationwide building society was fined £980,000 by the Financial Sevices Authority as a result of an investigation prompted by the theft from an employee’s home of a laptop containing personal data.

In addition to maintaining its confidentiality, you also need to protect the integrity of your data.  Sadly, there are many instances of trusted employees misusing their detailed knowledge of their employer’s systems and data by, for example, changing files, creating false accounts, or even transferring balances, in order to commit some form of financial fraud or on-line theft.  So, along with software technology to protect your data, you may want to implement regular data integrity checks, monitoring of systems usage by employees, and checks to see whether certain computers are doing things they should not be doing.

Copyright and IPR

The Copyright, Designs and Patents Act 1988 covers the protection of copyright and intellectual property rights of items such as computer software, product designs, patents and trademarks, making it illegal to copy such material without permission.  The Act gives protection to your business in terms of its own intellectual property but also places requirements on you and your employees not to copy or use material illegally.  

So, your security measures must protect your own IPR and confidential business-sensitive data, and must make sure that your employees do so too.  You also need to ensure that all software is used in line with the relevant licences.  Any breach of licence restrictions may entitle the supplier to damages.  In the worst case scenario, it may mean an injunction preventing use of the software and/or termination of the licence, so your employees need to be aware of any licence restrictions and that it is illegal to copy software and to run or transmit pirated software.

It is useful to note here that there is increasing evidence of employees using company systems and internet access to avoid risks to their own personal computer equipment.  They may want to have the latest thing from the internet, but using your systems to obtain it could open up your business to the associated risks of illegal downloads, access to inappropriate or suspect sites, and illegal software copying.  

Security Policies and Procedures

All of the security measures we have discussed will stem from the security policies and procedures that you implement and maintain for your business.  As we have seen, these are essential to the work of your employees and the secure operation of your business.  They also help you to avoid liability under UK law.  

They will range from carrying out regular security risk assessments, to checking the identity and validity of your suppliers and business contacts.  You will need policies which set out your preferred rules for e-mail and internet usage, and must make sure that your employees are aware that their e-mail communications and internet access may be checked for any breach of the rules.  It is important to note here that the law (the Regulation of Investigatory Powers Act 2000) starts from the assumption that employees have rights of privacy, so care must be taken in the implementation of any monitoring procedures for checking employees and their systems usage.  But, along with the right technology, your security policies and procedures should protect both your business and your employees.

Importantly, you should combine your approach to security with your employment policies.  For example, by making background security checks on all prospective employees and including the security policies and procedures as part of your employment terms so that employees appreciate their importance.  If there are security problems, then penalties can be imposed and action taken via internal disciplinary procedures.

On-going education and training will support your employees and will help to ensure that they understand the security policies and procedures, and can apply them appropriately.  If confidential data was personal to them, was at risk and could be financially damaging, then they would certainly protect it!

As we have seen, security is a two-way process and you need to have your employees on your side, so implementing firm, but workable policies combined with centrally-controlled security technology should help to ensure that your business satisfies your legal obligations and is protected from IT security risks.

Tiffany Kemp

Founder and Managing Director, Devant