It's a minefield out there when it comes to IT and the law. Get yourself on a sure footing with Alan Calder's guide to the key rules and regulations.
IT professionals in the UK have to ensure their organisations comply with an increasingly complex web of stature, regulation and foreign legal requirements.
On top of this, they have to meet contractual obligations and protect the confidentiality, availability and integrity of corporate information.
Complex web of UK regulation
The Data Protection Act (DPA) is at the heart of these obligations, and there are key intersections between this law and the requirements of the PCI DSS (Payment Card Industry Data Security Standard), the EU Privacy Directive, the Human Rights Act (HRA), the Regulation of Investigatory Powers Act (RIPA) and the Freedom of Information Act.
There are also a number of foreign laws that may affect UK companies: California's SB1386, which deals with data breaches, appears to include companies worldwide in its scope, although the law has not yet been used against a non-Californian company. US anti-spam (the CAN-SPAM Act) and copyright (the Digital Millennium Copyright Act) may also affect UK companies. Even SOX, the US corporate governance law, has an impact on the IT departments of many UK subsidiaries of US-listed organisations.
UK companies trading in Europe may also be affected by local versions of EU directives or laws, which go further than those applicable in the UK.
Ignorance of the law is no defence and can cost a business millions if it proceeds against an employer or alleged attacker without due process, and without having made the correct initial arrangements. It could even put an employer or information security professional in the dock and let the guilty party off the hook. It is an increasingly complex area, and one in which expert and up-to-date legal advice is essential.
THE DATA PROTECTION ACT
The DPA is the most important UK IT law. The DPA applies to any organisation (called a data controller) that processes personal data – data about living human beings (called data subjects), not about corporations. It is a principles-based law: it sets out eight general principles, rather than detailed requirements. Data controllers have to determine for themselves how best to comply with its principles. The website of the Information Commissioner (www.ico.gov.uk) contains substantial compliance guidance; certification to ISO/IEC 27001 is usually recognised as evidence that an organisation has taken adequate steps to meet its DPA compliance obligations.
The penalty for non-compliance with DPA was, from the outset, derisory, with the result that compliance has (at best) been inconsistent. Data protection has, however, been in the news recently and, following a number of high-profile data breaches (HMRC and many others), the Information Commissioner has been given the power to levy substantial fines where he considers an organisation to have been recklessly negligent in its compliance with the DPA. As a minimum, any laptops or other portable media that contain personal data should be encrypted to FIPS 140.
The tariff of fines for non-compliance is being devised at the moment, and the first fines might be expected before the year end – so sensible IT professionals should take action now to ensure they're not going to land their companies in trouble.
FREEDOM OF INFORMATION AND THE ENVIRONMENT
The DPA intersects with the Freedom of Information Act 2000 (FOIA) and the Environmental Information Regulations.
The FOIA provides a general right of access to all types of information held by public authorities and those providing services for them. There is a long list of information types that do not have to be provided and this list is growing. Information about private companies that is contained in any tender documents is not automatically excluded.
The Information Commissioner is responsible for the DPA, the FOIA and the Environmental Information Regulations, which enable people to access environmental information held by or on behalf of public authorities and those bodies carrying out a public function.
Part of the information requested under either the FOIA or the Environmental Regulations might also be personal information and, as such information may not be disclosed, public sector organisations need to be clear about how they classify, maintain and archive these different types of information.
HUMAN RIGHTS AND INVESTIGATORY POWERS
A person's rights under HRA, which incorporates into UK law the principles of the European Convention for the Protection of Human Rights and Fundamental Freedoms, are extensive. Most of the rights within the Convention are qualified, insofar as they are subject to limitations if the employer can show necessity to protect the rights and freedom of others. In particular, an employee could argue in a court or tribunal that the employer monitoring or tapping the employee's work telephone, email or internet activity was a breach of her/his rights under HRA.
The Regulation of Investigatory Powers Act (RIPA) deals with the same issues. It makes it unlawful to intentionally intercept communications over a public or private telecommunications network “without lawful authority”. Interception could be legal if both parties consented to the interception or, where an employee has not given express consent, if the monitoring is to record evidence of business transactions; ensure compliance with regulatory or self-regulatory guidelines; maintain the effective operation of the employer's systems; monitor standards of training and service; prevent or detect criminal activity; or prevent the unauthorised use of computer or telephone systems (ensuring that the employer's policies are not breached). The interception of personal electronic communications will almost certainly also be covered by the DPA.
While there will certainly be a series of court and tribunal cases over the next few years that deal with the conflicts between the HRA and the RIPA, employers need to introduce (with due process) an Acceptable Use Policy if they wish to be able to take legal or disciplinary action in respect of inappropriate employee behaviour.
PRIVACY AND ELECTRONIC COMMUNICATIONS REGULATIONS 2003
The Information Commissioner is also responsible for enforcing these regulations, which cover use by telecommunication network and service providers and individuals, of any publicly available electronic communications network for direct marketing purposes, and any unsolicited direct marketing activity by telephone, fax, electronic mail (which includes text/video/picture messaging, SMS and email) and by automated telephone calling systems.
The key right conferred both on individuals and on corporate entities is the right to register their objection to receiving unsolicited direct marketing material, and these regulations provide a mechanism for doing this. A number of requirements, including in some circumstances the obligation to obtain the prior consent of the person to whom marketing messages are to be directed, are imposed on direct marketers and these will intersect with obligations under the DPA; organisations have to ensure they comply with both, and systems therefore, have to be designed to make this possible.
There is also a number of IT-related regulations that impact how organisations carry out their business. The first of these is the Companies Act 2006, which consolidated and replaced all previous UK company law. This Act contains many provisions that recognise the electronic nature of today's commercial world. Its provisions include the requirement that organisations identify themselves clearly in all their email and on their websites. It allows for email to be used to form contracts and to be evidence in a court; and it sets out in detail the conditions under which public companies can use websites and email for the whole range of shareholder communication.
The Electronic Communications Act had already started to tackle the issue of electronic signatures and this Act was designed to regulate the usage of cryptography and to make provision for appropriately authenticated electronic signatures to be used in electronic commerce and for them to be admitted as evidence in court.
E-Commerce and distance selling
Organisations selling goods and services through e-commerce must also be aware of a growing range of distance selling regulations.
The Financial Services (Distance Marketing) Regulations set out rules about information that must be supplied to consumers when financial services are sold at a distance (eg, electronically). The Consumer Protection (Distance Selling) Regulations describe information that all consumers (not businesses) are entitled to receive from suppliers, and their rights to cancel a transaction. The Electronic Commerce Regulations contain specific requirements covering (among other things) information to be provided by e-commerce businesses, how prices should be presented and how unsolicited email should be identified. Again system, website and sales process design (and customer information) has to take these various requirements into account.
There is clearly an intersection between all of these regulations, the DPA and, for organisations that accept payment cards, the requirements of the PCI DSS.
COMPUTER MISUSE ACT 1990 (CMA)
The CMA is of renewed importance to UK IT professionals. It is designed to provide advice on securing computer material against unauthorised access or modification and outlaws within the UK, hacking and the introduction of computer viruses. It has not been entirely successful in doing so.
Its implications though, are far reaching: anyone using someone else's user name without proper authorisation is potentially committing an offence. Anyone copying data who is not specifically authorised to do so, is potentially committing an offence. It also has relevance for organisations whose employees may be using organisational facilities to hack other sites or otherwise commit offences identified under the Act.
Organisations could use the Regulation of Investigatory Powers Act (RIPA) to ensure that staff are complying with the law; they would certainly need to have explicit user authorisations and acceptable use policies in place, or any disciplinary action based on the CMA would almost certainly fail – and fail expensively, given the intersection between CMA, RIPA and HRA.
Police and Justice Act 2006 (the ‘PJA')
The Police and Justice Act 2006 (which deals with many other issues) also amended the CMA, and increased the maximum sentence for “unauthorised acts with intent to impair, or with recklessness as to impairing, operation of computer, etc” (aimed primarily at denial of service attacks, but with a far wider effect) from five to 10 years.
Information is, by any standard, intellectual property or IP. The internet starting point for organisations that want detailed advice on intellectual property is the website of the UK Patent Office (which, since April 2007, has been operating as the UK Intellectual Property Office), www.ipo.gov.uk. The principal legislation on copyright can be found in the Copyright Designs and Patents Act 1988. It has been amended a number of times and there is no official consolidation of it. Copyright issues include both paper and electronic documents, as well as patents, trademarks and designs.
A most important issue in dealing with copyright is for the organisation to ensure that it is not infringing the copyright of its software suppliers. Any software that is running on the organisation's network is potentially subject to copyright restrictions and it is essential that the organisation ensures that it has the correct type and number of licences for this software.
SAFEGUARDING ORGANISATIONAL RECORDS
Records must be protected from loss, destruction or falsification. Some records must be retained to meet statutory or regulatory requirements, while others may be needed to provide adequate defence against potential civil or criminal action or to prove the financial status of the organisation to the range of potential interested parties, including shareholders, tax authorities and auditors, or to meet contractual liabilities.
All forms of record are included: paper, electronic documents and emails. Electronic mailbox policies that delegate responsibility to individuals to destroy email records are likely to be in breach of these requirements.
Due consideration should be given to the possible degradation of media over time and any manufacturer's recommendations for storage should be followed. Similarly, system upgrades and changes must allow for archived electronic data to remain accessible throughout its retention period.
Records should be destroyed once they have reached the end of their retention period.
DISABILITY DISCRIMINATION ACT (DDA)
The IT professional also needs to be aware of the DDA, which made it unlawful to discriminate against any person in respect of their access to, or use of, a means of communication, information services or the services of any profession or trade, or any local or other public authority.
The DDA clearly includes websites and on-screen or browser-based communication methodologies within its scope.
The Act does not require a service provider to adopt one way of meeting its obligations rather than another. The focus of the Act is on results. Where there is a physical or electronic barrier, the service provider's aim should be to make its services accessible to disabled people.
THE DATA PROTECTION ACT
The eight principles of the DPA are that personal data must be:
1 Fairly and lawfully processed
2 Processed for the specified purposes
3 Adequate, relevant and not excessive
4 Accurate and up to date
5 Kept no longer than necessary
6 Processed in accordance with the data subject's rights
7 Secure (“appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data”)
8 Not transferred to countries which do not provide adequate protection for the data (ie, protection to at least the level required in the EU).
The DPA covers “structured” data storage and applies to both electronic and paper records. The Information Commissioner is the only statutory authority for administering and maintaining the public register of data controllers. The DPA's reach includes: CCTV records; websites and internet activity; recruitment and selection of staff; employment records; staff monitoring; and information about workers' health.
The DPA places restrictions on transferring personal data to countries that are not within the EU. This restriction is important for organisations offshoring or consolidating any part of their operations. The EU Safe Harbor arrangements were devised to enable US companies to handle the data of EU residents despite the fact that the US does not meet the DPA requirements.
A data subject is entitled to make a written request, called a Subject Access Request, to the data controller (accompanied by a minimal set fee) and to be given, within 40 days, a copy of all information held about them.
Data subjects have a number of other rights, such as having inaccurate data about them amended or deleted; preventing processing that is likely to cause them damage or distress and to sue for compensation if damage or distress has been caused, and preventing processing for direct marketing purposes.
WHAT'S THE DEAL WITH PCI DSS?
There's a lot of interest in PCI, but changing deadlines and a lack of clarity and education has made it difficult to understand. Target dates for compliance with the PCI DSS have long since passed. Many organisations – particularly those that fall below the top tier of payment card transaction volumes – are not yet compliant.
The latest version (1.2) outlaws the use of WEP in wireless networks and was available from 1 October 2008. The PCI Security Standards Council (www.pcisecuritystandards.org) has issued standards for Pin Entry Devices and for online shopping carts applications.
Key facts about PCI:
1 PCI DSS is not a law. Enforcement can only be carried out by contractual means.
2 Enforcement is through the commercial banks that have the merchants as customers. Thousands of banks are involved, many with more pressing challenges than policing PCI. The enforcement of PCI compliance is nationally and internationally inconsistent.
3 PCI DSS is a prescriptive standard with a one-size-fits-all approach to information security requirements.
Non-compliance though, is short-sighted and risky. All businesses that accept payment cards are prey for hackers and criminal gangs that seek to steal payment card and individual identity details. Many attacks are automated, seeking out website and payment card system vulnerabilities remotely. Once a vulnerability has been discovered, an attack can start – without staff at the target company having a clue.
When the attack is exposed, the target company will be subject to a harsh and expensive set of repercussions. These will range from customer desertion and brand damage to significant penalties and operating requirements imposed by the target company's acquiring bank, which will include a higher level of monitoring in the future.
Breach of PCI can be expensive. TJX (the owner of TK Maxx) took a $118m earnings hit in 2007 to cover the fines and other costs that resulted from a widely reported wireless security breach that may have affected 100 million cardholders. It also had to divert resources to handle legal suits and class actions and has belatedly had to comply with PCI DSS anyway.
PCI DSS is designed to ensure that merchants are effectively protecting card holder data. It recognises that not all merchants may have the technical understanding to identify for themselves the steps necessary to achieve this, and short-circuits that danger by providing explicit and detailed requirements. All merchants, and their service providers, should get in line with PCI DSS, and ensure they stay compliant.