Long arm of the law

Long arm of the law

The popularity of remote working has given rise to legal pitfalls for firms that do not protect data

With increasing numbers of workers using mobile devices, companies should be aware of the potential legal pitfalls before allowing their staff to go free range. Dino Wilkinson highlights the key questions IT directors need to ask.

If I equip workers with a Wi-Fi-enabled laptop, are they allowed to use any wireless connection they can pick up?

Workers who use an internet connection without permission may be committing an offence. The Communications Act 2003 says a person is guilty of an offence if they dishonestly obtain an electronic communications service ­ and do so with intent to avoid a payment applicable to the provision of that service.

Such a law criminalises the activity known as “war driving”, where individuals search for unsecured wireless networks, often by driving around and trying to pick up a signal from home networks. It is usually without malicious intent and merely a way of piggybacking on someone else’s connection. However, there is scope for unscrupulous individuals to connect into corporate networks or home systems storing sensitive information.

Although few convictions have been reported since the law was introduced, a man was fined £500 and sentenced to 12 months conditional discharge in 2005 after being found guilty of hunting for free network connections in a residential area. The law could place your staff in a difficult position as it is not easy to distinguish between a free public Wi-Fi service and an unsecured private connection. Employers should establish a policy to cover appropriate security settings for employees who use wireless connections at home for work-related activities.

What other laws should I be aware of in relation to hacking and attacks on my computer network?

There are criminal sanctions under the UK’s Computer Misuse Act 1990 for various misdemeanours. When the act was first introduced, these offences broadly covered gaining unauthorised access to material held on a computer, committing such an offence with intent to commit a further offence, and making unauthorised modifications to the content of a computer.

While the law may have made certain hacking-type activities unlawful, the act was criticised once organisations started suffering denial-of-service attacks that were not caught by the legislation because the attacks did not amount to unlawful access or modification to the computer’s contents.

Such a position changes with the introduction of the Police and Justice Act 2006, which encompasses “any unauthorised act in relation to a computer”. The changes cover both denial-of-service attacks and the distribution of malicious code.

Employees will generally be authorised to access their employer’s network having been given passwords or authenticating devices to do so. Workers must ensure they keep passwords and devices safe to avoid unauthorised third parties gaining access.

However, the act also raises another issue for employers: if a home worker is using their own computer equipment to connect to a corporate network, the employer may also require access to the employee’s home computer system.

If a company wishes to carry out an inspection of home computers as part of an investigation, for example, it would need the employee’s consent or a court order to avoid committing a criminal offence under the Computer Misuse Act 1990. Such issues may be addressed by including appropriate consent in contracts of employment.

When laptops and CD-ROMs containing personal data go missing, is an employer liable?

There have been increasing incidents of data loss or data theft reported in the media over recent months. Under English law, any person who, either alone or with other persons, determines the purposes for which and the manner in which any personal data are, or are to be, processed is a data controller for the purposes of the Data Protection Act 1998.

All data controllers must comply with the eight data protection principles set out in Schedule 1 of the act. In particular, the seventh principle requires data controllers to take appropriate technical and organisational measures against unauthorised or unlawful processing of personal data and against accidental loss, destruction, or damage to personal data.

It was this principle that the Information Commissioner’s Office, ­the body that enforces the Data Protection Act in the UK ­ felt Marks & Spencer was guilty of breaching after it lost a laptop containing details of 26,000 employees. The information was on the laptop in unencrypted form when stolen in April 2007.

The Information Commissioner’s Office issued an enforcement notice requiring the retailer to ensure that all laptop hard drives are encrypted by the end of April. Failure to comply is an offence under the Data Protection Act and may lead to criminal proceedings resulting in fines or imprisonment for company directors.

Another company, Skipton Financial Services, had a similar incident and was forced to give an undertaking to the Information Commissioner’s Office in February this year that any personal data held on laptops would be suitably encrypted to provide effective protection against unauthorised access, and that it would carry out periodic risk assessments.

Organisations in regulated industries, such as financial services, may have to consider the guidelines and regulations under which they operate in relation to portable personal data.

In February 2007, the theft of a laptop from the home of a Nationwide employee resulted in a £1.4m fine from the Financial Services Authority (FSA). The building society was found not to have effective controls in place to manage its information security risks, exposing its customers to risk of financial crime.

The fine was reduced to £980,000 under the FSA’s executive settlement procedures after Nationwide wrote to regulators with an apology for the breach and co-operated with investigators. Following the breach, Nationwide is reported to have taken several measures, including commissioning a comprehensive review of its information security controls and increasing security around its accounts.

Companies should consider auditing the information stored on laptops and portable technologies used by their staff and contractors to ensure adequate security procedures and effective systems are in place to prevent a data breach.

My board is concerned about what employees might be doing at home, particularly the potential for them to work on other projects.

It is not unusual for employers to be concerned that if their workers are outside the office environment there is the potential for those workers to misuse the employer’s commercially sensitive information. Such concerns were highlighted in a legal case last year, Crowson Fabrics Ltd vs Rider, where certain former employees were found to have copied sales figures, customer lists and supplier contact details from their former employer.

The employees in question went on to set up their own business. Generally, employees have an implied duty of confidentiality in respect of information gathered during the course of their employment. After their employment has ended, they may use information that has become part of their knowledge, unless they are restricted from doing so under the terms of their contract or the information amounts to a trade secret.

In the Crowson Fabrics case, the High Court decided that the employees had not breached their implied duties of confidentiality as the information was not confidential. An ex-employee cannot be prevented from using material that was in the public domain and there were no restrictive covenants in their contracts.

However, the court went on to look at the implied duty of fidelity owed by employees, which includes the duty not to compete, solicit their employer’s customers or misuse its property, as well as a duty to account for any personal gain.

While an employee is entitled to take certain preparatory steps for their next position of employment, the defendants in the case were ruled to have gone beyond what the court felt was permissible. The High Court held that it was not legitimate to deliberately copy or memorise information for use after termination.

In the conclusions to the judgment, it was suggested that an injunction might not be enforceable or worthwhile if the information was in the defendants’ memories and in the public domain. The court suggested that an award of damages against the defendants might be more appropriate, measured by reference to what would be a reasonable price to pay for using the company’s documents as a shortcut to setting up their business.

The case highlights the importance of incorporating confidentiality and non-compete restrictions in contracts of employment. These need to be drafted carefully to ensure they are enforceable.