There is little doubt, then, that in order to make them truly useful, a tool set that requires little new knowledge or skill on the part of the operator must be developed. We trust that you have enjoyed our excursion into the application of formalisms for information security tasks over the past 24 months. We hope it assisted you in Getting the Whole Picture.

References

1 The Stephenson Technique is described in detail in the provisional patent titled “A Formal Process for Information Systems Risk Analysis and Management”; in Stephenson, Peter, “Modeling of Post-Incident Root Cause Analysis”, International Journal of Digital Evidence 2003;2(2); and in various editions of this column over the past 24 months.

2 Available at http://home.comcast.net/~prstephenson/DFRWS.htm

3 Howard, John D., and Pascal Meunier. “Using a ‘Common Language’ for Computer Security Incident Information”, Computer Security Handbook, fourth edition, ed. Bosworth and Kabay. John Wiley & Sons, 2002. Chapter 3.

Legal email – email monitoring and UK legal landmines

Ken Watt, Consultancy Director, INSL

Email is a key part of both our business and personal lives, thanks to its speed and ease of use. It can be difficult to believe that we survived for so long without it – especially with the vagaries of the postal service! But as the managers responsible for maintaining corporate email deal with growing traffic volumes and increasing levels of spam and virus-infected mail, they encounter a minefield of legal traps and regulatory pitfalls. In businesses today it is ultimately the responsibility of board members to ensure that laws are being adhered to, to prevent legal or financial repercussions. Some of the biggest problems occur during the monitoring of corporate email. Many firms use tools to identify spam emails, stop viruses or flag up inappropriate or illegal use, but it is essential that, at the same time, the individual’s right to privacy is protected to avoid falling foul of the law.

Laws and regulations

Over the years, a number of different laws and regulations have been written in the UK which cover the subject of email monitoring, but unfortunately there is overlap and contradiction between them. There are regulations to protect individuals and their right to privacy with regard to electronic communications and information; however, these are often inconsistent with those designed to help employers or law enforcement agencies. And that is just in the UK: the situation for companies operating on a global scale is immeasurably more complex. The different laws and regulations, although originally written to provide structure and guidelines, actually cause more confusion than necessary, and even risk scaring companies off doing any monitoring at all. However, not doing any monitoring still leaves the company vulnerable, as it has a legal obligation to protect employees from offensive material.

In 2000, the UK government passed the Regulation of Investigatory Powers Act (RIPA), which clarifies how and why organisations can monitor individuals, and protects employees’ rights. It outlines that businesses must state if emails are going to be monitored, and the reason for that monitoring, but accepts that companies do have the right to capture information under certain circumstances. On the other hand, it places an obligation on individuals and organizations - with certain safeguards - to make data and encryption keys available to police or security services in the course of investigative work.

However, RIPA’s declaration that companies have the right to collect information conflicts with the Human Rights Act (HRA), which is focused on an individual’s right to privacy. To make things even more complex, the UK Data Protection Act (DPA) safeguards the rights of individuals regarding information relating to them. This means that any details stored about a person electronically must not only be accurate, but must be available to that individual on request. This is known as Subject Access, which unsurprisingly can be a logistical nightmare to actually deliver. In addition, any company storing personal information is legally bound to provide acceptable levels of both physical and logical security to protect personal data.

It is clear that there is no consensus in the UK regarding the legal issues involved, and, due to a lack of legal activity challenging these rulings, very few precedents have been set to help companies steer a course through the legal minefield. The different acts are designed with different goals in mind, resulting in most businesses not knowing which way to turn. For members of the board this can be a real problem. Not only are they responsible for the company’s adherence to the law, they are the ones who have to justify IT expenditure to the shareholders. It isn’t an option to keep changing expensive IT systems as the interpretation of the legal issues changes, but equally the financial penalties for non-adherence can be significant.

Guidance

Despite the bewildering array of laws and regulations, which are all open to their own legal interpretation, the 2000 Lawful Business Practice Regulations (LBPR) are designed to explain exactly what companies need to do to ensure they comply with the acts mentioned previously. The regulations provide an overview of the different acts and legislation whilst taking a common-sense approach to business. LBPR states that lawful interception of email on a corporate network must meet three criteria: the interception must be for business purposes; the network must be provided for business purposes; and all users must be informed that email may be intercepted. In practice, it leans towards the employer, because essentially the LBPR say that any form of interception by a business in relation to communications could be justified on one basis or another. Its impact is not only on RIPA compliance; it also affects the way that the HRA - and to some extent the DPA - is interpreted in the courts, and provides a tangible framework within which the DPA, HRA and RIPA can be understood and applied.

Cultural differences

As if it isn’t confusing enough making sense of UK legislation, it gets much more complicated for international organizations working into Europe or America. In circumstances where data is shared or transferred between different countries, businesses need to understand and comply with a myriad of regulations. European laws are similar regarding monitoring and privacy, but the different countries apply those laws in different ways. In America, there isn’t an equivalent to the DPA and businesses are much less restricted in their activities regarding privacy, so many US companies working into Europe have had problems bringing their IT systems to the minimum standard required by the EU. The EU has defined a ‘model contract’ that companies who operate in Europe are expected to complete for cases where personal data is exported from the protected EU area to countries that don’t maintain equivalent protection - the US in particular.

Anti-spam added to the mix

As if the legalities of emails and monitoring weren’t complex enough, last year more stringent anti-spam laws were introduced to protect companies and end users from the exponential growth in the numbers of unsolicited emails received daily. Until the recent legislation was passed, the only relevant law in the UK was the 1990 Computer Misuse Act (CMA), which was written before the widespread use of email and the Internet. With changing technology and methods of working, the CMA has become out of date in some respects. Although it does make relay abuse, denial of service attacks, creating and sending worm viruses and directory harvesting illegal, it doesn’t specifically deal with the subject of spam. In the EU, all member countries are required to implement anti-spam legislation, although so far only 30% have done so, primarily due to the complexity of implementing this type of law effectively. In the UK, for example, it is illegal to spam a personal email address, but not a business one: a law that many consider to be ineffective. In addition, penalties incurred for breaking the anti-spam law are minimal, which in some cases actually encourages spammers to come to the UK from other parts of Europe to avoid the risk of a long stretch in jail. The problems of spam are compounded by the fact that the vast majority of spammers are operating illegally anyway - sending pornography, deals on ‘herbal remedies’ or the offer of buying degrees online. These spammers use every trick in the book to remain anonymous, so even where the laws exist, the reduction in spam has been minimal. Obviously simply legislating against it won’t protect you from spam, but companies still have an obligation to their employees to protect them from unsolicited emails as much as is reasonable.

Implications to you

Despite the complexities involved, it is still important that firms monitor employees’ emails, if only to see if email is carrying racist or sexist abuse; bullying; pornography; or illegal or proprietary information. This is why a broader response to email control and management is required, whilst adhering to the necessary legal and regulatory controls. In addition, at INSL we have seen that effective email management that primarily filters out spam can reduce companies’ email traffic by 80%. This demonstrates the size of the problem we are facing. The cost in man-hours if all spam reaches the end user, who then has to read and delete it all, is immense and must not be overlooked. Corporate mail systems are designed to help the business, but the proportion of legitimate business mail crossing the servers is diminishing rapidly, which is clearly unacceptable. For board members wanting to protect the company from financial or legal penalties, trying to implement a solution that meets all the different laws can be difficult. But where the law should help and provide guidelines, it actually makes the situation more complex.