Reducing risk in use of IT
E-mail is increasingly being used by the profession not just for internal communication but as a method of communicating with clients. All methods of communication carry risks but there are risks which are peculiar to the use of e-mail and the Internet. Some of these risks are addressed in the following article (“Legally Online”) by Liz McRobb, head of the Technology and IP Group at Shepherd & Wedderburn, which was first published in The Scotsman on 18 October 1999.
“Against the backdrop of reduced cost, improved communication and real commercial advantage, most organisations would argue that the risks of going on-line are manageable. However, the growth of electronic commerce has exposed these organisations to significant new security risks and financial liabilities.
“The threat comes as much from within as from external hackers. Every business which allows staff e-mail access to the outside world, or provides staff with Internet access, faces a number of security and liability risks. An employee can spark sexual or racial harassment claims by sending even one offensive e-mail to a fellow employee. And employers can find themselves being sued for defamation if their employees send e-mails that denigrate their competitors.
“The external threat was clearly demonstrated by the recent hacking of the Scottish Executive website. The story in itself was not headline world news, but the fact that a group of hackers had succeeded in declaring “war” on Wales – as a result of sheep rustling by Welsh Office officials – using the website of the Scottish Executive as its platform, confirmed that no organisation is immune to cyber attacks.
“The security breach is one of many where the security loopholes of organisations have been exposed to a worldwide audience. This year, a US hospital was accused of allowing access to confidential patient records without any password or security protection, while Virgin Records’ site has been hacked on more than one occasion with hackers claiming they could access credit card information.
“Staff who send information to customers on-line may inadvertently send confidential material to one customer that is meant for another by the mere click of a button. They could also mistakenly commit their employers to binding contracts by an informal exchange of e-mails.
“Time-wasting by employees surfing the net while they are at work is also a significant cost to business. Imagine how the numbers add up if each employee spends half an hour each day making personal use of the Internet – to book a holiday or check up on the latest sports news.
“Businesses can also find that they are paying for bandwidth that they do not need for commercial use simply because of the amount of personal use of the Internet by employees. Add to this the risk of staff downloading unlicensed software from the Internet, which could expose employers to possible action by organisations, such as the Federation Against Software Theft.
“Disgruntled employees who are leaving can send out customer lists and confidential documents by e-mail to their new employers or provide password information to competitors that helps them to hack into systems.
“While it is almost impossible to achieve total security, the challenge is to balance risks and business priorities. Each organisation should have a positive strategy for online risk management, which should have three main strands. First, a policy on IT use for staff should set out the bounds of what is and is not considered acceptable use of the firm’s PCs, Internet and e-mail access.
“Second, a range of off-the-shelf IT security products can help to protect organisations from unauthorised external access and will also allow monitoring of staff use of e-mail and the Internet. This can provide the valuable management information needed to spot problems before they get out of hand.
“Third, training is an essential component in the battle against on-line risks. Any misuse will reduce dramatically as soon as staff understand the time that can be lost by copying the most recent Internet joke to friends; the subsequent impact on network resources; and the offence certain jokes can cause to many people.
“A clear policy for dealing with these issues can make the difference when defending an unfair dismissal claim.
“By continually repeating this message and keeping policies up to date, businesses can significantly reduce the likelihood of claims being made against them as a result of sexual harassment, defamation, breach of confidence and copyright infringement”.
Liz McRobb is lead partner in Shepherd & Wedderburn’s joint venture with Basilica Computing, online-risk.com
It is impossible, as Liz McRobb’s article indicates, to achieve total security, and the use of e-mail in an organisation can never be entirely risk free. But it is a critical aspect of a firm’s management of risk to strive for maximum security and minimum risk in the use of IT generally, including e-mail. Most firms have satisfactory systems for dealing with incoming and outgoing post, but can the same be said of e-mails, faxes, voicemail and the like? Clearly there needs to be a defined strategy, with clear guidelines, addressing points including the following:
- How often should the e-mail system be checked for new messages?
- Should incoming e-mails be diverted in the absence of the addressee? Some systems can be programmed to acknowledge incoming mail with a message advising the sender that the addressee is out of the office.
- How are e-mails password protected? Can that be reconciled with the need for action to be taken on e-mails addressed to absent personnel?
E-mail users need to appreciate and take into account the following points:
- Messages will not be received instantaneously, and e-mail may not be reliable for time-sensitive communications: check that the addressee received the message, and request an acknowledgement confirming receipt where deadlines are involved
- For certain categories of e-mail, hard copies of messages and delivery confirmations should be filed, showing the time in each case
- E-mail communications could have contractually binding effect, so users need to be clear about their authority to issue them
- Confidential or sensitive messages intended for a particular recipient could be mis-delivered or passed on to other parties
- Symbols such as “£” could be altered in the course of transmission, so “GBP” should be used instead
- There is a risk of viruses being transmitted – so virus-check all files that are received from or sent to an external user
- Guidelines and disciplinary rules should make it clear that issuing correspondence electronically without authority is as serious an offence as signing a letter on behalf of the firm without such authority.
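As an added illustration (not from the article or its authors) of why a symbol such as “£” could be altered in transit while “GBP” survives: assume a mail hop that is only 7-bit clean, as many relays were at the time, and note how the pound sign fares under two common encodings. The pre-send check at the end is a hypothetical policy control, not a tool the article describes.

```python
# Added illustration, not part of the original article. Early mail relays were
# often 7-bit clean only: any byte above 0x7F had its top bit stripped. A pound
# sign is 0xA3 in ISO-8859-1 and C2 A3 in UTF-8; "GBP" is plain ASCII and so
# survives any such hop unchanged.

def seven_bit_transit(raw: bytes) -> bytes:
    """Simulate a 7-bit-only mail hop that drops the high bit of every byte."""
    return bytes(b & 0x7F for b in raw)

def send_through_legacy_relay(text: str, encoding: str) -> str:
    """Encode the body, pass it through the simulated hop, read it back as ASCII."""
    return seven_bit_transit(text.encode(encoding)).decode("ascii")

def non_ascii_chars(text: str) -> list[str]:
    """Hypothetical pre-send check: characters that are not 7-bit safe, in order of first appearance."""
    seen: list[str] = []
    for ch in text:
        if ord(ch) > 0x7F and ch not in seen:
            seen.append(ch)
    return seen

if __name__ == "__main__":
    # Constructed sample message body.
    msg = "Fee for the conveyancing: £1,250"
    print(send_through_legacy_relay(msg, "latin-1"))  # Fee for the conveyancing: #1,250
    print(send_through_legacy_relay(msg, "utf-8"))    # Fee for the conveyancing: B#1,250
    print(non_ascii_chars(msg))                       # ['£']
    safe = "Fee for the conveyancing: GBP 1,250"
    print(send_through_legacy_relay(safe, "utf-8"))   # unchanged
```

The "£" to "#" change is the classic symptom of a high-bit-stripping relay; a check such as `non_ascii_chars` run before sending is one way to enforce the “GBP” rule automatically.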
Alistair Sim is Associate Director at Marsh UK Limited
The information/advice on this page is (a) advice on practical Risk Management, not on legal issues, and (b) necessarily of a generalised nature. It is not specific to any practice or to any individual, nor should it be relied on as stating the correct legal position.