protecting your ip and data trustee responsibilities by brian miller (solicitor) and vicki bowles...
DESCRIPTION
From Ethics to Fraud. These slides focus on concerns about internet fraud and data protection faced by charities and other not-for-profit organisations. Session 2 of the 23rd Catholic Charity Conference. Chair - Richard Maitland, Sarasins, Melanie Roberts, Sarasins, Brian Miller, Stone King and Vicky Bowles, Stone King.
TRANSCRIPT
WELCOME to the 23rd Annual Catholic Charity Conference
Sponsored by Sarasin Investment Management
Protecting Your IP and Data: Trustee Responsibilities
Brian Miller & Vicki Bowles
Stone King LLP
PROTECTING YOUR IP AND DATA: TRUSTEE RESPONSIBILITIES
FRAUD
• What is fraud?
• Where are you vulnerable?
• Personal data and fraud
• What is fraud?
– “form of dishonesty, involving either fake representations or failure to disclose information or abuse of position, undertaken in order to make a gain or cause a loss”
IF IT HAPPENS, IT’S HOW YOU DEAL WITH IT THAT COUNTS!!
• Particular areas of vulnerability for charities:
– Overseas transactions
– Cash
– Use of technology…
• Focus on personal information:
– Information that identifies an individual
– Stored on your computer systems
– Transferred between devices and applications
• Trustee responsibilities:
– Data Protection Act 1998
• Schedule 1 – the data protection principles
– Principle 7:
“Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.”
• Assess Risk:
– WHAT personal information do you have?
• is any of it sensitive?
– WHY do you have that data?
• is it necessary?
– WHO has access to the information?
– HOW do you protect the information?
• Particular issue – BYOD
– No control over security as data controller
– Different mindset between home and office
– Action should be proportionate to information involved
• Passwords
• Encryption
• VPN
• Own devices
THE END
(Part 1)
Protecting Your IP and Data: Trustee Responsibilities
(Part 2)
WEBSITES, DOMAIN NAMES & BRAND THEFT
DOMAIN NAMES
How Do I Know If I Own My Domain Name?
• Ensure your organisation is the registered owner of the domain (check on WHOIS, eg. www.123-reg.co.uk/domain-names/)
• registrations in employee’s name to be avoided
• Don’t forget to keep tabs on renewal
Whois record for abccharity.org.uk
Domain name: abccharity.org.uk
Registrant: ABC Charity
Registrant type: UK Registered Charity, (Charity number: 123456)
Registrant's address: ABC Charity, 42 Any Road, London, EC2A 3NH, United Kingdom
Registrar: Webfusion Ltd t/a 123-reg [Tag = 123-REG]
URL: http://www.123-reg.co.uk
Relevant dates:
Registered on: before Aug-1996
Expiry date: 11-May-2013
Last updated: 08-Jun-2011
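Added example (not part of the original slides): a short Python check for the two points on this slide, that the registrant is the organisation rather than an individual and that the renewal date is not close. The record text is a constructed sample using the slide's values; its layout (flush-left field names, indented values), the names `parse_whois` and `check_domain`, and the 60-day warning window are assumptions made for illustration.

```python
from datetime import date

# Constructed sample record (assumed layout), using the values shown on the slide.
SAMPLE_WHOIS = """\
Domain name:
    abccharity.org.uk
Registrant:
    ABC Charity
Registrant type:
    UK Registered Charity, (Charity number: 123456)
Relevant dates:
    Registered on: before Aug-1996
    Expiry date: 11-May-2013
    Last updated: 08-Jun-2011
"""
MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), 1)}

def parse_whois(text):
    """Map each unindented 'Field:' header to its indented value lines."""
    fields, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw[0].isspace() and line.endswith(":"):
            current = line[:-1]
            fields[current] = ""
        elif current == "Relevant dates" and ":" in line:
            key, _, value = line.partition(":")   # e.g. "Expiry date: 11-May-2013"
            fields[key.strip()] = value.strip()
        elif current is not None:
            fields[current] = (fields[current] + " " + line).strip()
    return fields

def check_domain(text, expected_owner, today, warn_days=60):
    """Return findings for the two checks; an empty list means both pass."""
    fields, findings = parse_whois(text), []
    registrant = fields.get("Registrant", "")
    if registrant.casefold() != expected_owner.casefold():
        findings.append(f"registrant is {registrant!r}, expected {expected_owner!r}")
    try:
        day, mon, year = fields["Expiry date"].split("-")
        days_left = (date(int(year), MONTHS[mon], int(day)) - today).days
    except (KeyError, ValueError):
        return findings + ["expiry date missing or unreadable"]
    if days_left < 0:
        findings.append(f"registration expired {-days_left} days ago")
    elif days_left <= warn_days:          # warn_days is an assumed threshold
        findings.append(f"renewal due in {days_left} days")
    return findings
```

Running `check_domain` on a schedule against saved WHOIS output for each domain the organisation uses gives an early warning of both problems.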
DOMAIN NAMES
What’s to Stop Someone Registering A Similar Name?
• nothing!
• buy identical domains for the top-level domains (eg. .com)
• if a cybersquatter appears, complain to registrar
• allowing cybersquatters can result in
– damage to brand
– theft of business or donations
• register a trade mark relating to domain name
– Should assist in transfer of name back from cybersquatter
DOMAIN NAMES
How Do I Know My Domain Name Does Not Infringe Another Party’s Rights?
• Carry out checks (eg. via Google)
• Check Trade Marks Register and Trade Marks Journal
• Look on Companies House for similar company names
• Using another’s name can result in passing off etc
• Use a specialised agent if concerned
CLOUD COMPUTING AND WEBSITE SECURITY
Cloud computing is the name given to the use of computing resources (hardware and software) that are delivered as a service over a network (typically the Internet).
(Wikipedia)
1) Security
• If a cloud provider not using adequate security, data never safe:
– adequate firewalls
– adequate encryption
1) Security (continued)
IT and legal experts must do due diligence on cloud provider
If you cannot show this, you could be liable if data breach.
Personal data accessible by a third party = Breach of the Data Protection Act
Get your website penetration-tested regularly!
2) Who Are You Contracting With?
• May be a number of providers involved
• sub-contractors must be bound by same standards of
– security
– confidentiality
• Main provider needs to carry the can for subcontractors
Tip: check the sub-contractor’s T&Cs
A Salutary Tale: Charity X
• Website hacked
• Donor data stolen
• Donor bank accounts raided
So Why Do Such Things Happen?
• It’s not just online fraudsters who want your money
• Anyone with an axe to grind may try to compromise your website to damage your reputation
• Attacks aimed at or via Android phones are increasing
• Think very carefully if you are contemplating implementing a BYOD policy
Lesson To Be Learnt
• Office Security:
– Make sure staff are not physically compromising security
– Operate a clean desk policy
– Avoid the temptation to rely on one individual for security
– Monitor bank statements daily
– test cash donations through your systems
– monitor your bank very carefully
Liability for Data Breach
• Fine of up to £500,000 by ICO
• Civil claim by each data subject affected for
– Damages
– Legal costs
• Trustees personally liable for fines without an indemnity
SUMMARY: HOW TO AVOID FRAUD
1. Be vigilant.
2. Never become complacent.
3. Report fraud.
4. Highlight risk.
For a whistle-stop tour of today’s workshop, go to these articles on the firm’s website:
• Is Your Website Legally Compliant
• Cloud Computing: What You Need To Know
ANY QUESTIONS?
Brian Miller
Senior Associate
IP, IT & Commercial
Stone King LLP
brianmillersolicitor
@theitsolicitor
0207 324 1523
What do I do if I discover that personal information has been compromised?
• Report it
– Police
– ICO
– Charity Commission
– Individuals affected
• Consequences
– Fine from ICO
– Personal action by individuals
– Reputational damage
– Misconduct/mismanagement in a charity…
How can I control the use of personal devices?
• Restrict access to certain information
– Passwords
– Encryption
• Do not allow USBs/CDs etc
• Have well written and understood policies in place
How do I carry out a Risk Assessment?
• List the possible risks
• Prioritise in terms of seriousness/likelihood
• List mitigation actions
• Review regularly
• Update regularly
• Record when mitigation action is put in place
What can happen if you allow cybersquatters to use your domain name?
• Reputation damaged
• Copycat site, donations potentially diverted
What is an effective protection against this?
• Complain to the domain name registrar
• Trade mark effective way of ensuring domain name transferred back
What are two major risks of using cloud computing and what are the possible solutions?
Data is not secure: can be viewed by others.
Solution 1: ensure T&Cs state they will keep all data confidential
Solution 2: encrypt your data
Subcontractors may be used
Solution: ensure T&Cs state:
Any subcontractor will also agree to keep data secure
What internal office procedures can be adopted to help to prevent online fraud from happening?
• Implement a Security Policy
• Monitor bank statements
• Test donations
THE END
Brian Miller
Senior Associate
IP, IT & Commercial
Stone King LLP
www.slideshare.net/BrianMillerSolicitor
brianmillersolicitor
@theitsolicitor
0207 324 1523