Given the uproar this case created, it's probably true to say that, in future, Ms Swire will be rather more circumspect in her 'e-dealings'. She is far less likely to have realised that her messages started an urban myth. A myth that will have done more to help security professionals promote e-mail monitoring than any number of conferences, seminars, courses and product launches.
Simply put, the whirlwind of forwarded e-mails has clearly demonstrated that, once a secret is 'out' on the Internet, it really is out. There is no knowing how many people will read it, in which countries, or how quickly. For companies specialising in the financial services sector or in IT, the defence industries, publishing and R&D, this is a particularly important issue. For organisations like these, a large amount of knowledge really does translate into power – or vast sums of money.
Griffin IT Management's Colin Braziel, a senior member of the Security Consultants' Association, comments: "It's vital that these companies and corporations keep a close watch on all electronic communications being made by their employees. A secret that slips out here could cost millions there." Sophisticated search engine technology has already been developed, of course, and is available for security managers to check e-mail traffic for certain 'key' words or phrases liable to be included in commercially-sensitive messages. Just how far, though, can the security manager go in monitoring e-mails? The practice could be called snooping, a word loaded with negative connotations. Given that the UK's Human Rights Act 1998 contains a clause protecting people's right to privacy, companies do have to watch their step.
The DTI's Lawful Business Practice Regulations
By way of clarifying the issue, the Department of Trade and Industry issued the Lawful Business Practice Regulations. Intended to spell out practical guidelines on the matter, the regulations have been the subject of an outspoken attack by the British Chamber of Commerce, which labelled them "confused, ill-thought out and full of uncertainty".
These fears are rooted in a belief that there are potential clashes between the regulations – passed by the Department of Trade and Industry under the Regulation of Investigatory Powers Act – the Data Protection Commissioner's Code of Practice and the Human Rights Act.
This claim has been contested by Whitehall 'insiders' and Braziel, who insists that the key message is simple.
"As long as staff are kept informed of the fact that their e-mails could be monitored, there is a clear policy regarding what material e-mails might contain and an easily-understood disciplinary code in respect of what could happen if these rules are broken," says Braziel, "then companies are in the clear." An official from the Home Office told SMT: "Before the regulations on e-mail interception were developed it was a somewhat grey area. Simply, there was no policy in place. Now, though, employers have guidance documents to which they can refer and, as far as we are aware, they are quite happy with them." Indeed, a glance at the regulations suggests that, far from restricting the right of employers to check e-mail correspondence, they give them the authority to do so. A Department of Trade and Industry official claims that the business regulations had been framed to prevent clashes between existing legislation and the Human Rights Act. They allow privacy rights to be infringed "wherever lawful business practice" is carried out.
The basic aim of the Lawful Business Practice Regulations is to set down, both explicitly and implicitly, those occasions when access to telephone calls and e-mails should be considered legal.
'Allowable' scenarios would include:
- recording evidence of transactions (e.g. insurance telesales) to protect a company against possible claims at a later date
- ensuring compliance with regulatory and self-regulatory rules and guidance
- checking routine business correspondence when a worker is away from the office or off sick
- monitoring e-mail traffic for dangerous computer viruses and illegal material (including pornographic material and/or racist texts)
- maintaining service standards and training
- on a more basic level, combating crime
All that companies have to do is ensure that they inform their employees of their monitoring policies, clearly and well in advance of a new person being taken on. However, Colin Braziel suggests that companies – and, in particular, their security managers – must do more, regularly reminding staff that their e-mails could well be subjected to scrutiny.
Braziel's message to managers is simple: "You should update yourself. It's like everything else. A timely reminder. The purely educational side of the security equation." Braziel firmly believes that the best way to educate is to cite a story from the national press – the Swire saga being a good case in point. After all, the consequences of failing to adopt an 'open' approach could be serious. Sacked employees could claim unfair dismissal at an industrial tribunal, stating that they had not been told of a monitoring policy.
In extremis, workers might sue a company under the terms of the Human Rights Act.
Review the Commissioner's Code
Another piece of legislation that security managers will need to watch out for is the aforementioned Data Protection Commissioner's draft Code of Practice.
Philip Jones, an adviser from the Data Protection Registrar, says: "It's simply not the case that businesses should always be denied access to employee e-mails. There may well be circumstances when security or IT managers must access them. Financial transactions and suspected cases of harassment or bullying in the workplace are good examples." Jones adds: "Employers should have a clear and sensible policy that must be concisely explained to employees such that they know what's going on in a given firm." That's the main thrust of the Data Protection Commissioner's Code. The Lawful Business Practice Regulations are no different from the Data Protection Act in that they do not require the consent of employees to have their e-mails intercepted. That said, it must be explained to individual employees that, under certain circumstances, it may be necessary to do so.
Government perspectives
The Government is clearly keen to ensure businesses are aware of the issues. Last year, it embarked on the £1 billion scheme 'UK Online'. This includes an agenda for 'e-Government', and elaborates on concerns that safeguards must be built in to Internet e-mail regulations as a way of protecting privacy.
Network surveillance: an action plan for managers
Network surveillance is one of the aspects of a security consultant’s work that is increasingly having to enter the security manager’s vocabulary. If you’re responsible for IT security and want to regain control of the network, or you simply wish to monitor your network to ensure employees are not putting your company at risk, do you know where to begin?
According to Chris Durnan, managing director of network surveillance specialist Peapod, a few fundamentals are required. First, know your traffic. How many hours are spent on the web? Which departments use the most resources? How much spam e-mail is waded through every day?
Most importantly, is the company exposed to litigation or exploitation because of the e-mail that is sent and received? If so, how do you proceed?
Durnan says: “Pointing fingers without solid documentary evidence could quickly land your company with an unwanted industrial tribunal case. It’s quite possible for an employee to decide not to return to work and claim constructive dismissal on the grounds that you have created or maintain a ‘hostile working environment’.”
Is there an action plan that managers can adhere to? Durnan suggests several pointers that are well worth bearing in mind:
- never conduct surveillance without the consent of the board
- make sure you have the means to record ALL of the data - if a case ends up in court you will need to prove your methodology, and that the data is a true account of events
- place all evidence somewhere safe and add the time, date and signature of the operator, together with a witness signature
- once you think you have caught the culprit, check every supposition thoroughly (it’s common for ‘rogue’ employees to use another person’s PC or logon ID)
- circulate a memo telling your staff that the network is provided for business purposes, and that you reserve the right to monitor network traffic
- obtain as much advice as you can from your local ‘cybercop’ (see ‘News’, SMT, January 2001, p7)
Source: SMT
Postscript
Copies of the DTI's Lawful Business Practice Regulations are available on the Internet at www.dti.gov.uk/cii/regulatory/telecoms/telecommsregulations/lawful_business_practice_regulations.shtml
The Data Protection Commissioner's Draft Code of Practice can be downloaded at www.dataprotection.gov.uk (click on the section entitled 'Drafts for Consultation')