dlp: monitoring legal obligations, managing the challenges

DLP Monitoring Legal Obligations, Managing the Challenges Maura McAulay

Upload: napier-university

Post on 15-Apr-2017


Page 1: DLP: Monitoring Legal Obligations, Managing The Challenges

DLP Monitoring Legal Obligations, Managing the Challenges

Maura McAulay


Contents

Part One – DLP Monitoring, the Legal Obligations

Part Two – Dealing with the Challenges


DLP Monitoring – Legal Obligations

DLP Monitoring of users communications such as (but not limited to) email and web uploads is governed by a number of legal and regulatory factors:

• Data Protection Act
• EU Data Protection Regulation
• Regulation of Investigatory Powers Act (RIPA)
• Lawful Business Practice (LBP) Regulations
• ICO Employment Practices Code – Monitoring at Work


Data Protection Act

The UK Data Protection Act was set up in 1998 to regulate the use of 'personal data' and consists of 8 Data Protection Principles.

These Principles specify that personal data must be:

1. Processed fairly and lawfully
2. Obtained for specified and lawful purposes
3. Adequate, relevant and not excessive
4. Accurate and up to date
5. Not kept for any longer than necessary
6. Processed in accordance with the 'data subject's' (the individual's) rights
7. Securely kept
   • That "appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to personal data"
8. Not transferred to any other country without adequate protection in situ.


EU Data Protection Regulation

The EU has stated that completion of the reform of data protection rules in the EU is a policy priority for 2015. Shortly afterwards organisations will be legally required to be compliant.

In terms of DLP there are four key elements:

• It is a Regulation, not a Directive as previously
• Tougher sanctions for security breaches of up to €100m or 5% of an organisation's global revenue, whichever is highest
• New requirement to report data loss/security incidents within 72 hours of the event becoming known
• Tokenised, encrypted or pseudo-anonymised data meets the requirement of individuals' reasonable expectations of privacy
• But be wary. Encrypting all data isn't the answer and comes with its own set of challenges.


Regulation of Investigatory Powers Act (RIPA)

Under RIPA it is against the law for a business to intercept an electronic communication on its own, or anyone else's, system.

There are some exceptions; however, most of the exceptions contained in RIPA itself (for example, where an interception is authorised under a warrant) are unlikely to apply to the monitoring of communications by employers. The RIPA exceptions that may be relevant are:

• Where the interception takes place with the consent of all parties to the communication
• Where the interception is connected with the operation of the communications service itself.

In addition to the exceptions in RIPA itself, the Lawful Business Practice Regulations set out further exceptions where, in connection with the carrying on of a business, an interception will not contravene RIPA.

An interception of communications that does not come within the exceptions in the LBP Regulations or in RIPA itself is against the law.


Lawful Business Practice (LBP) Regulations

The LBP Regulations set out the circumstances in which a business is authorised to carry out an interception for the purpose of running its business. They are designed to meet the legitimate needs of businesses to manage their information systems, making use of the capabilities of modern communications technology, but in a way that is consistent with high standards of privacy.

There are 4 essential pre-requisites of the LBP Regulations:

1. The regulations apply to business communications only
2. Interception that is targeted at personal communications that do not relate to the business is not allowed, regardless of whether the use of the system for such communications is authorised
3. Interceptions must be authorised by the relevant business owner
4. Interceptions are authorised only if all reasonable efforts have been made to inform all potential users that interceptions may be made, why, and for what purpose the information will be used.


Lawful Business Practice (LBP) Regulations

The Regulations

Interception without consent is allowed if it is part of monitoring (or recording) business communications for one of the following purposes:

• To establish the existence of facts (e.g. to prove that a customer has been given certain advice)
• To check that the business is complying with regulatory or self-regulatory procedures
• To check the standards that workers are achieving (e.g. to check the quality of email responses sent to customer enquiries)
• To show standards workers ought to achieve (e.g. for staff training)
• To prevent or detect crime
• To investigate or detect unauthorised use of the telecommunications system (e.g. sending confidential information by email without using encryption if this is not allowed)
• To ensure the security of the system and its effective operation (e.g. to check for viruses or other threats to the system, or to enable automated processes such as caching or load distribution).


ICO Employment Practices Code – Monitoring at Work

The following are a few of the key obligations employers must meet in relation to monitoring employee activities:

• Workers must be clearly informed that monitoring takes place, the purpose of the monitoring and the potential outcomes of the monitoring for workers
• Monitoring must respect the workers' legal right to privacy
• Take steps to ensure that any intrusion is no more than absolutely necessary
• Monitoring must be carried out in a way that is lawful and fair to workers
• Any adverse impact on workers must be justified by the benefits to the employer and others
• Ensure information about workers collected through monitoring is kept securely and handled in accordance with the DPA
• Ensure that all cases requiring further investigation and/or disciplinary action are treated in a fair and consistent manner.


Dealing with the Challenges

Not having DLP controls in place is not an option if organisations are to meet their DPA and EU Data Protection Regulation obligations to protect any personal data collected and/or processed, and to meet stakeholder expectations that they also protect other important business data.

The challenge is how to carry out these activities within the parameters of RIPA and the LBP Regulations, especially in today's world where most organisations allow some personal use of their systems.

Know your data and how it is used, and remember DLP is not simply about monitoring. Think:

• Data Governance
• Stakeholder Engagement
• Education and Awareness
• Culture


Data Governance

Know your data:

• Know what it is
• Know how it is used
• Know how important it is to you
• Know how important it is to others

Know your risk and what remediation is required to carry out effective monitoring of your business data.

Have the right policies in place:

• Information Security/Records Management/Privacy
• Acceptable Use
• Change Management

Make sure policies are precise and easily understood by all users (not just us!) and back them up with fit for purpose standards and procedures.


Data Governance

Provide the tools needed to meet policy:

• Policy needs to be achievable. There's little point requiring users to treat information in ways they can't because:
  a. Tools aren't available
  b. Tools are difficult to use
  c. Inadequate guidance is provided on how and when to use the tools
• Remember tools aren't always technical. Don't forget the importance of business tools such as data risk evaluation matrices, data inventory templates, etc.

Don't set users up to fail, and remember you need this information to build business focussed monitoring policies.


Stakeholder Engagement

Don't operate in isolation. Know your stakeholders and engage with them.

Business
• Put simply, how can you know the data you need to protect if you don't engage with the business who own and use the data?

Privacy/Legal
• How can you be assured that the monitoring you carry out and the resulting activities are legally compliant?

HR
The following are a few ways that engaging with HR is beneficial:
• Reference point to confirm that investigatory processes are consistent and fair to colleagues, and help cascade any required business activities downstream
• Help ensure communications are colleague focussed
• Support any disciplinary activities
• Where required, assist with any engagement with unions or other colleague support parties


Education & Awareness

Remember information security is our day job – not theirs. We have a responsibility to make sure the business understands and gets it right.

Effective Education
• Make sure policies and guidance are easily understood and easy to find
• Don't rely on annual refresher training. Provide additional guidance, helpful hints & tips, worked examples, etc.
• Tell the story – explain why data security is important, e.g. the impacts of sending work to home email, even though the intention is good
• Provide solutions, e.g. remote secure access

Communications
• Tell users clearly that monitoring is carried out
• Make communications (including education and guidance) visible, present and frequent
• Don't rely on policy, intranet and newsletters – use posters, screensavers and backgrounds, and pop-up awareness stalls
• Keep it relevant and cascade messages via execs within the business areas


Education & Awareness

Consequences
• Be clear about the consequences of not following policy and abiding by Acceptable Use
• Provide clear guidance to be followed should a user realise they have breached policy and data has been lost. Stress that hiding it will make it worse
• Users need to understand the importance and potential severity, but don't scaremonger


Culture

Aim

The aim of Information Security within an organisation should be to embed an ethos of data security mindfulness among its users, where users feel confident they are carrying out their day to day activities securely and can identify and highlight weaknesses in business processes.

• Security becomes just part of how you do business, no longer a painful extra and a blocker
• Enabling organisations to embrace new technologies securely and meet colleague and customer demands to keep pace

"Aligned information security and business objectives—The model must enable and support business objectives. The information security program should align with the organization from the boardroom to end users, and information security controls should be practical and provide real, measurable risk reduction." - ISACA


Culture

Fear Factor

The facts:
• Most people want to do the right thing
• Some will make mistakes
• Only a small number act maliciously

If you want to avoid a culture of fear, action following an identified data loss event must be appropriate to the nature and severity of the incident.

Number of people disciplined – a mark of success or indicator of failings?

Ask:
• Are your policies fit for purpose?
• Are you educating users effectively?
• Do your users have the right tools?
• Are the wrong types of people getting through vetting procedures?


Culture

Senior Executives – Enabling or sabotaging?

Too often in organisations the experience is that executives make the right noises about data security but see themselves as being exempt. Why is this? Is it because:

• They believe the rules don't apply to them?
• They don't fully understand?
• No-one is prepared to put their head above the parapet and challenge?
• Their support staff are smoothing the way because applying security is a pain and it's their job to take that pain away?
• We have made security just too damned hard and delivered it without any thought to the business?


Questions?