11 February 2008
Lagos — As Nigerian lawyers wake up to the vast potential of e-commerce, JOHN OKONKWO harps on the need for government and corporate organisations to regulate the practice
An Acceptable Use Policy (AUP) is a critical legal instrument in managing e-commerce services. AUPs evolved out of the need to establish a clear governance roadmap to guide compliance with statutory and regulatory obligations.
In addition, AUPs help organisations reduce the risk of vicarious liability for a variety of employee actions. By setting clear rules for how staff may use enterprise systems, they also help to counter Internet-borne threats to those systems, such as viruses, phishing and spyware, whose success often depends on user behaviour.
The importance of an AUP therefore cannot be over-emphasised. It enables employees to understand the governance and legal implications of using information assets, as well as their rights and obligations when using enterprise information systems. This in turn helps them to minimise the risk of data loss, data leakage and data spoliation.
However, there is growing evidence that poorly drafted AUPs are not especially effective in guiding employee behaviour, or in spreading awareness of the importance of good governance in e-commerce functions. As a result, employees are inadvertently or maliciously creating a toxic mix of tort, contract, criminal and employment liability for their employers. Even worse, employees are creating covert opportunities for fraud, theft and corruption, making it difficult for law enforcement officials to identify and prosecute those involved. The 2006 Annual Report published by the Nigerian Deposit Insurance Corporation (NDIC) shows the gravity of this issue. The Corporation reported that there were 1,193 cases of fraud in banks, involving N4.832 billion.
Although AUPs are not yet widely used in Nigeria, useful trends can be discerned from jurisdictions where AUPs are already common. In the UK, the Department of Trade and Industry's (DTI) Information Security Breaches Survey 2006, conducted by PricewaterhouseCoopers, found that just 31% of employees were aware of their organisation's AUP.
Worse still, only 22% reported that they owned a copy. A different survey of 300 European data and telecoms managers by network integrator NextiraOne found that only 23% of respondents felt that their policies were completely enforced. Another survey, conducted by UK law firm Morgan Cole in collaboration with software vendor Extend Technologies, revealed that only 22% of organisations seek employee affirmation of their policies. This does not mean that AUPs are worthless. They simply need to be managed in a user-friendly manner that encourages adherence.
The major deficiency in the current AUP management model is the method of delivery to employees. Most organisations still rely on the staff handbook and individual hard copies. While these methods provide a tangible reference document, they are expensive to deploy. This results in long intervals between updates and audits, meaning that the AUP lags behind the evolving regulatory and risk landscape. Publication on the intranet is also not very effective, because it shifts responsibility to the employee. In reality, intranets are rarely well enough organised to allow easy location of information. Email distribution has limitations in tracking whether employees actually read the policy or simply file it away. For a busy employee whose performance is assessed against precise metrics, a passive intranet or email document may well be good enough for non-mandatory policies such as health insurance cover, but it is not ideal for changeable, mandatory policies like an AUP.
In addition to distribution challenges, electronic media formats are rapidly evolving, creating constantly changing risks from portable storage devices, multi-media phones, PDAs, instant messaging (IM), and other Web 2.0 applications. At the same time, new laws and regulations continue to create fresh obligations. For example, 'presence communications' such as IM and VoIP have created legal and security exposures that many firms have not responded to. In many cases, employers are not even aware that their workers have set up private IM accounts which are then used for work. From a litigation risk perspective, it does not matter whether or not the employer has expressly banned the use of IM or whether employees set up the accounts privately. So long as the accounts are used for work related purposes, in the ordinary course of employment, it is likely that the employer will be found vicariously liable for any legal liabilities incurred by their employee. This means that defamatory statements, offensive jokes, and pornography, distributed via IM, in the normal course of employment, can be used to support predatory lawsuits.
The potential for employer liability does not end there. Employees, acting in the normal course of employment, can use email and IM to deliberately or inadvertently expose trade secrets, distribute protected works, violate confidentiality agreements, agree unfavourable contract terms, or collude to commit internal or external fraud. For instance, in November 2006, Deutsche Bank was dismissed by car rental firm Hertz after it emerged that one of the bank's employees had sent unauthorised emails to a large number of institutional investors just before Hertz launched an initial public offering (IPO). More recently, in July 2007, business applications conglomerate SAP set aside $100 million to pay off software giant Oracle, after admitting that staff at its subsidiary TomorrowNow had made inappropriate downloads of Oracle's intellectual property.
As a general guide, for an AUP to be effective, communication has to be two-way. The following six-step process can help government and corporate units of all sizes to achieve this aim.
Keep it simple. The objective is to communicate a clear roadmap for the use of electronic resources. Thus the policy must be written in plain and simple language that steers away from legal, business and technical jargon.
Improve distribution and obtain affirmation. The policy must be distributed to all relevant employees in a format that allows them to own, read and understand it, and to affirm that they have understood its provisions and the penalties for non-compliance. A record of each affirmation should be kept, since it is this record, rather than the act of publication, that shows an employee was bound by the policy.
Keep it flexible and distribute regular updates. It must be updated and distributed on a regular basis, and be sufficiently flexible to respond to the evolving regulatory and threat landscape. Inflexible application of the AUP runs the risk of alienating employees and reducing acceptance.
Ensure visible enforcement. The policy must be strictly and uniformly enforced. Contraventions must be investigated and penalised, otherwise the AUP will quickly lose credibility. However, some elements may require a modular or granular approach, to allow for functional differences among diverse business units.
Audit and report to management. Regular audits should be carried out as part of enterprise governance, risk and compliance management, and their findings reported to management.
Monitor adherence. Monitoring procedures that comply with privacy laws and regulations should be used to discern patterns of non-compliance and correct deficiencies in the AUP management model.
- Mr. Okonkwo is a technology, telecoms and information governance lawyer. He is also Director, Technology Governance & Cyber-crimes at the London-based Ducain Forbes.
Copyright © 2008 This Day. All rights reserved. Distributed by AllAfrica Global Media (allAfrica.com).