When wireless networks can put you in the dock
Companies that sell wireless LAN products are quick to stress the benefits that their solutions deliver. What they probably won't tell you about are all of the downsides, or the risks that insecure wireless networks can pose to your business that might land you in legal hot water.
They might warn you about some of the obvious risks - like viruses propagating unchecked across a badly secured network, or the leakage of confidential data following careless use of Wi-Fi hotspots.
However, there is another dimension to the dark side of wireless networks that your organisation may not have accounted for. The laws that govern use and storage of data have never been more numerous or more strictly enforced. The unseen and moveable nature of wireless access means that it's perfectly possible to wind up on the wrong side of one of these laws without being conscious of having done so. But ignorance of the law is no defence.
So what are you liable for?
The human angle
This section states that: "Appropriate technical and organisational measures must be taken against the unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data."
"This means that in the event of personal data being disclosed, your business would need to be able to show that such steps had been taken," says Walker-Osborn.
Linked to this is an obligation to comply with human rights legislation, especially the Human Rights Act 1998, Article 8, which sets out that: "Everyone has the right to respect for his private and family life, his home and his/her correspondence."
As such, it would be expected that a business should take care over the security of any and all documentation that contains sensitive information on individuals and particularly personnel files.
Watch out for confidentiality
"You are also likely to have confidentiality agreements with your partners and customers, which would also be breached," says Walker-Osborn. "This could lead to having to pay money to the other company by way of damages and loss of business reputation."
There are also other contractual matters to think about. You are likely to have terms in your contracts with your existing internet or telecoms service provider that require you to ensure external users do not indulge in spamming or promulgating illicit content. If breached, these could lead to financial liability and, perhaps more seriously, give those companies the right to suspend the services they provide, which would lead to significant business interruption. There are also likely to be many other obligations in your legal contracts with your customers obliging you to provide reasonable levels of security and the like. This will be less of an issue if you have carefully limited your risk and liability under those contracts.
Finally, there may be obligations enshrined in regulatory codes or industry regulations, such as, in the case of financial sector companies, those of the FSA or Stock Exchange or the banking codes, the latter of which have specific sections dealing with protection of customer information. Regulatory bodies are likely to take a dim view if client information is accidentally disclosed, especially if it is commercially sensitive.
What you can do
She says problems can arise when this policy is not in place, and that with wireless networks the potential for problems is probably greater than with fixed networks.
"Clearly, anything forbidden in the internal environment should also be forbidden on mobile networks," she warns. "I would suggest that the AUP deals with accessing or passing on of unsavoury emails, makes such abuse a disciplinary matter, and is tied to disciplinary procedures and policies."
Particularly with the rise in interest in corporate governance, it is also recommended that you put in place a wireless governance policy, dealing with how your business will protect information from abuse, as well as how your company will train employees in the use of the technology and enforce appropriate use.
A policy should also deal with liability for employee acts, and cover how your company will comply with data protection and human rights legislation.
Your business can also try to minimise risk in its own contracts with its suppliers, for example by obliging your technology supplier to make sure the network meets your security needs.
Your contracts with your customers can set out what levels of security your business will provide and, as far as legally possible, disclaim liability for a breach of security that is beyond those levels and causes loss.
Are your systems up to it?