Legal Q&A: Security and user access management
Recognising the extent of the risks of a security breach and having clear terms of use are key, says Kathryn Wynn
What are the commercial and legal risks associated with unauthorised access to a wireless network?
An unsecured wireless connection, or one with weak security, is the technological equivalent of leaving your office front door open or at least unlocked. So it should come as no surprise that individuals and regulators expect better levels of security from organisations.
At a high level, the commercial risks are simple enough to grasp; customer data and commercially sensitive information could fall into the wrong hands with catastrophic consequences. However, it is not unusual for businesses to have poor audit trail functions, or an inadequate understanding of the full extent of the information on their network. Understanding what is at risk is the first step to understanding the full extent of that risk.
In addition to data theft, malicious hackers could introduce viruses into your network, clog up bandwidth or access inappropriate material while connected.
From a regulatory perspective, unauthorised access to a wireless network could cause an organisation to be in breach of its legal obligations, particularly if personal information is accessed.
Every organisation’s core legal duty is to implement appropriate organisational and technological safeguards in relation to the network. While regulators recognise that it is unreasonable to expect businesses to stay one step ahead of the most sophisticated hackers, if the unauthorised access is due to security measures that are not up to standard, the organisation could face a fine of up to £500,000, or other action by the Information Commissioner’s Office (ICO).
The ICO also has a policy of publicising any enforcement action it takes, so a security breach carries the further risk of adverse publicity.
For FSA-regulated entities, there is a high risk that unauthorised access to a network will constitute a breach of the FSA rules. Fines given by the FSA for poor security and data management are substantial, and have been known to surpass £3m.
In addition to regulatory issues, there is also the possibility of having to fend off claims of breaches of confidentiality and other contractual claims.
What can my business do to guard against those risks?
It is vital that your business understands what data it has and what might be the consequences of a breach of security.
All businesses need to take a critical look at network security and access arrangements, taking into account the nature of the risk. If your business does not have the expertise in-house to carry out this type of risk assessment, consider bringing in a consultant.
You should also put in place an “in case of emergency” plan, setting out the practical steps your organisation (and who within your organisation) would take in the event of a breach. Most organisations have extensive security policies, but these tend to be weak on the control framework around what should happen when things go wrong. You should think about how your organisation would seek to manage relationships with regulators, employees and customers in the event of a security breach.
How can we ensure that end users are doing their bit to prevent unauthorised access?
Ensuring that robust technical measures are in place is only part of the overall picture. It is also important to monitor and control the activities of the end users accessing the network.
All end users who access the network must be required to comply with the terms of use. This includes temporary staff, contractors, suppliers and even customers or clients using a hot spot facility on your premises or with access to your network.
Typically, such terms will include provisions around keeping passwords secure by setting strong ones and changing them regularly, as well as basic things which are often overlooked, such as prohibiting the downloading of illegal and pornographic content and so on.
You could also restrict end users to using specific hardware to access the network, for example not allowing employees to access the network from a home PC.
The additional benefit of a clear set of terms of use is that it can be used to notify end users that your organisation will monitor their internet use to check compliance with the terms (it is a data protection requirement that individuals are notified of any monitoring and the purposes of it).
Having a clear set of rules which, if broken, would jeopardise the security of the network means the organisation can take appropriate action if end users do not comply. For employees, this could be disciplinary action and for customers it could be disabling access to the network.
You also need to have clear procedures for disabling user access, from staff who are leaving your employment to clients who have just left the building. When an employee leaves your organisation, what happens to their security pass? Access to a wireless network is no different – the disabling needs to happen almost immediately. A slip in procedure could cut across a robust security infrastructure and leave your organisation without a justifiable defence if questioned by a regulator.
Kathryn Wynn is an associate at law firm Pinsent Masons