Friday, October 28, 2005

A Viking Raid on EU Employee Email Monitoring?

The Norwegians have been a seafaring people at least since Viking days, and the Norwegian Society for Sea Rescue ("NSSR") is a humanitarian organization whose aim is "to save life and property at sea" (in 2004, the NSSR saved 40 people from drowning). But even an organization like NSSR is not outside the reach of the long arm of EU data protection law. In a move which will bring home to employers the risks of accessing or monitoring EU employee emails, the Norwegian Data Inspectorate has called for the NSSR to be prosecuted for breaching the country's Personal Data Act 2000, which implements the EU Data Protection Directive (although Norway is not part of the EU, it implements a substantial amount of EU legislation).
If the NSSR is prosecuted, the case will set a benchmark in determining the extent to which European employers can rely on work-related interests as grounds to access workers' electronic communications. And regardless of the outcome, the case will serve as a reminder to employers of both the precautions that need to be taken in relation to the monitoring of workers' emails and the risks of improperly doing so. Indeed, given the strict treatment of the a public service entity like the NSSR, the ramifications for for-profit corporations could be even more substantial

Steptoe & Johnson LLP. Steptoe & Johnson LLP weekly newsletter

Monday, October 24, 2005

How to Foil a Phish

What happens after phishers strike? Have a look at a midsize bank's cutting-edge incident response plan.

ID card a recipe for ID fraud

Microsoft UK National Technology Officer Jerry Fishenden has warned that the UK ID card scheme could trigger "massive identity fraud on a scale beyond anything we have seen before." Writing in today's Scotsman, Fishenden says that the security implications of storing biometrics centrally are enormous. "Unlike other forms of information such as credit card details," he says, "if core biometric details such as your fingerprints are compromised, it is not going to be possible to provide you with new ones."

Friday, October 21, 2005

Increased Organized Crime

Attacks on computer security infrastructure used to be little more than indiscriminate acts of vandalism perpetrated by hackers who desired bragging rights more than anything. But the perpetrators of attacks and their motivations have changed...read more

Wednesday, October 19, 2005

Adopt e-mail authentication

The Direct Marketing Association (DMA) will require all members to adopt authentication systems for outgoing e-mail, the group's board of directors decided today.

EFF cracks Secret Service code

EFF researchers have cracked a code which allows the US Secret Service to track information from Xerox DocuColor printers. And they believe similar codes may also feature on printers made by Canon, Epson, HP, IBM and Dell, among others

Password-based Web log-ons not sufficient

Federal regulators will require banks to strengthen security for Internet customers through authentication that goes beyond mere user names and passwords, which have become too easy for criminals to exploit.

Monday, October 17, 2005

MS, Nigeria fight e-mail scammers

Microsoft has announced an anti-fraud partnership with Nigeria, the country of origin for some of the Internet's most notorious email scams.

Is Privacy of E-Mail Messages possible?

A U.S. federal court has ruled that Interloc could intercept e-mail messages sent from Amazon.com. Never assume e-mail is safe when routed through or hosted by a third party.

Friday, October 14, 2005

Hold developers liable for flaws

Software developers should be held personally accountable for the security of the code they write, said Howard Schmidt, a former White House cybersecurity adviser.

Tuesday, October 04, 2005

Interception of Communications - what now?!

At last !! The Regulation of Interception of Communications and Provision of Communications-Related Information Act, number 70 of 2002, and also known as RIC Act, except for sections 40 and 62(6), is now law. No more jumping between the aforesaid Act and the Prohibition and Monitoring Act of 1992.

What next? What will be the impact on your business?
Be careful for certain Service Providers that will now all of a sudden sell you 'new' policies.
  1. This very important Act can not be dealt with in isolation and will have to be implemented, if not already part of your business, in combination with other very important legislation, for example the Electronic Communications and Transactions Act 2002, The Labour Relations Act 1995, and draft Directives that have already been issued to various operators in the Cellular and Telecommunication Industry;
  2. A single policy is not the solution to all and will it be imperative for your business to review the following:-
  • Employment Agreements;
  • Independent Contractors Agreements;
  • Service Provider Agreements;
  • eCommunication Policy (and yes, keep it technology neutral);
  • eMail Legal Notice, to be attached to every single email that leaves your business;
  • For certain Industries it might be useful to implement a Interception of Communications Policy, e.g. Cellular Operators etc.;
  • Records Management Policy, specifically focussing on the retention of certain records for evidential purposes or for example where, as per a specific Directive, your Company is required to retain the records then retention of records as prescribed by law;
  • Disciplinary Codes to be reviewed;
  • Data Retention Policy

(please take note that the above is not an exhaustive list and will definitely varies from Company to Company)

Again, this should not be an expensive exercise but definitely an exercise that should be executed sooner than later...

For more details, assistance or quote, please feel free to refer to our website and more specifically the section called eCommunications where you can select certain deliverables and request a quote. The eVG Policy Manager (see eVG Services), for implementation of the above mentioned, may also be of interest to your company