When wireless networks can put you in the dock
Companies that sell wireless LAN products are quick to stress the benefits that their solutions deliver. What they probably won't tell you about are all of the downsides, or the risks that insecure wireless networks can pose to your business that might land you in legal hot water.
They might warn you about some of the obvious risks - like viruses propagating unchecked across a badly secured network, or the leakage of confidential data following careless use of Wi-Fi hotspots.
However, there is another dimension to the dark side of wireless networks that your organisation may not have accounted for. The laws that govern use and storage of data have never been more numerous or more strictly enforced. The unseen and moveable nature of wireless access means that it's perfectly possible to wind up on the wrong side of one of these laws without being conscious of having done so. But ignorance of the law is no defence.
So what are you liable for?
"Your company is liable for anything that travels across your network and that includes wireless networks," warns Charlotte Walker-Osborn, a solicitor working for the Technology Group of legal firm Eversheds. "With wireless networks in particular, this is a can of worms just waiting to be opened."
It is not just what you do that can be a problem. Outsiders might use the network as an access point for hacking, or for distributing illegal pornography. In the latter case, provided no business sensitive or confidential information is disclosed, this may not necessarily lead to criminal liability for your company but the damage to your company's reputation could be severe.
The human angle
Most of the information stored on a PDA or on a laptop is likely to make reference to individuals and would therefore be classed as personal data under the Data Protection Act 1998. In which case, your business will need to ensure that its compliance with the Data Protection Act extends to this data. The most relevant section, although by no means the only one to be concerned with, is principle seven.
This section states that: "Appropriate technical and organisational measures must be taken against the unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data."
"This means that in the event of personal data being disclosed, your business would need to be able to show that such steps had been taken," says Walker-Osborn.
Linked to this is an obligation to comply with human rights legislation, especially the Human Rights Act 1998, Article 8 which sets out that: "Everyone has the right to respect for his private and family life, his home and his/her correspondence."
As such, it would be expected that a business should take care over the security of any and all documentation that contains sensitive information on individuals and particularly personnel files.
Watch out for confidentiality
There is potential for further liability for breach of confidentiality. Your company will have a duty naturally arising in law to preserve the confidentiality of your customers' and clients' confidential information when data is travelling across, or made accessible via, your network.
"You are also likely to have confidentiality agreements with your partners and customers, which would also be breached," says Walker-Osborn. "This could lead to having to pay money to the other company by way of damages and loss of business reputation."
There are also other contractual matters to think about. You are likely to have terms in your contracts with your existing internet or telecoms service provider that require you to ensure external users do not indulge in spamming or promulgating illicit content. If breached, these could lead to liability both in money terms but perhaps more seriously to the right for those companies to suspend the services they provide which would lead to significant business interruption. There are also likely to be many other obligations in your legal contracts with your customers obliging you to provide reasonable levels of security and the like. This will be less of an issue if you have carefully limited your risk and liability under those contracts.
Finally, there may be obligations enshrined in regulatory codes or industry regulations, such as, in the case of financial sector companies, those of the FSA or Stock Exchange or the banking codes, the latter of which has specific sections dealing with protection of customer information. Regulatory bodies are likely to take a dim view if client information is accidentally disclosed, especially if it is commercially sensitive.
What you can do
"Whilst not rocket science, I should stress that it is sensible to put in place an 'acceptable usage policy' (AUP) to deal with how the business uses wireless technology, and which forms part of the terms and conditions of employment for employees," says Walker-Osborn.
She says problems can arise when this policy is not in place, and that with wireless networks the potential for problems is probably greater than with fixed networks.
"Clearly, anything forbidden in the internal environment should also be forbidden on mobile networks," she warns. "I would suggest that the AUP deals with accessing or passing on of unsavoury emails, makes such abuse a disciplinary matter, and is tied to disciplinary procedures and policies."
Particularly with the rise in interest in corporate governance, it is also recommended that you put in place a wireless governance policy, dealing with how your business will protect information from abuse, as well as how your company will train employees in the use of the technology and enforce appropriate use.
A policy should also deal with liability for employee acts, and cover how your company will comply with data protection and human rights legislation.
Your business can also try to minimise risk in its own contracts with its suppliers, for example by obliging your technology supplier to make sure the network meets your security needs.
Your contracts with your customers can set out what levels of security you will take in your business and as far as legally possible disclaim liability for a breach of security which causes loss which is beyond those levels.
Are your systems up to it?
Walker-Osborn says her final point is obvious: "Try to ensure that the technology you use is sufficient in relation to the sort of data being passed over the network. In a survey carried out by RSA Security in 2003, one in three Wi-Fi networks in the City were found to be insecure, and nearly two thirds failed to encrypt data traffic. And some companies still fail to utilise sensible password protection such as utilising password protocols set with a mixture of letters, numbers and symbols such as apostrophes, which obviously deter hackers."