RISKVUE ARCHIVE | RISK BITES
The Internal Cyberthreat
By Lorelie S. Masters
Cyberthreats from internal sources, whether from accidental or intentional actions of employees, can cripple a business just as surely as a fire or natural disaster. Because most organizations face some form of internal cyberthreat, they should create and disseminate the following written policies and procedures.
Web Site Policy
An organization’s Web site policy should establish procedures for regularly addressing the accuracy and content of its Web site. For example, it should address who will be responsible for ensuring that inappropriate information has not been uploaded onto the Web site. The organization’s Web site content policy should identify appropriate and inappropriate uses of the organization’s Web site, the materials to be posted, and the process by which material is added. The number of employees entrusted with the responsibility for posting information on an organization’s Web site should be limited.
Security Policy
The organization’s encryption and computer security policies should specify how e-mail and other electronic documents are distributed. The policy also should describe the organization’s position regarding encryption of such documents. To identify and protect against unauthorized intrusions or uses, the organization’s computer security management should determine how networks are upgraded and monitored.
Privacy Policy
A personal privacy policy should be articulated, specifying appropriate and inappropriate uses of personal information collected on both employees and customers. All privacy policies should specify the penalties for inappropriate use of either employee or customer information.
Organization Assets Policy
The organization’s policy regarding protection of assets should clearly state that the organization owns the rights to its intellectual property, trade secrets, and other privileged and confidential information. Such a policy should set forth the organization’s position regarding “works for hire”¹ created during the course of an employee’s career at the organization. Although “works for hire” generally belong to the organization that paid for the development, the existence of a written policy stating this fact can help strengthen the organization’s position should litigation arise over the ownership of such works.
The organization’s encryption system and keys sometimes are overlooked in the process of identifying organization assets. These systems and keys are becoming increasingly valuable with the rise in e-commerce and communication of sensitive information over the Internet. Do not overlook them when cataloguing your organization’s assets.
Confidentiality Policy
The organization’s policy on confidential and privileged information should make clear that confidential organization information will be distributed only on a need-to-know basis following strict compliance with established procedure. Such a policy should clearly state that all assets and documents containing proprietary and other confidential information belong to the organization.
E-mail Policy
E-mail policies, also called Acceptable Use Policies (“AUP”), specify appropriate and inappropriate uses of e-mail, including:
- What may, and may not, be downloaded and sent over the organization’s e-mail system.
- In which situations material sent over the Internet must be encrypted to protect its confidentiality.
- The organization’s rights to monitor employee e-mail, which may help prevent and identify the unauthorized disclosure or theft of trade secrets and proprietary information.
Document Retention Policy
An organization’s document security and retention policy should address regular and systematic document retention and destruction, not just of hard-copy documents and faxes, but also of electronic documents and files. Such a policy should make clear that once the organization knows or believes a particular subject matter may be the subject of litigation, electronic and hard copies of documents relating to that subject matter are exempted from the provisions of the organization’s document retention and destruction policy.² Computer networks and e-mail leave many “tracks.” Both organization and Internet servers can track a user’s travels on the network and through cyberspace. The organization and Internet networks also may create hidden backups of e-mails and other documents as part of the system’s regular procedures for backing up and preserving network data.
Electronic Signature Policy
Courts have not resolved the issue of what constitutes a valid and binding contract created over the Internet. However, encryption technology and statutory provisions regarding electronic signatures are creating standards that govern this issue of whether communications over the Internet constitute a valid contract.
Organizations should set policies regarding who has authority to bind the organization on a contractual or other basis, whether in the real or virtual world. Such a policy should make clear that representations made in organization or Internet e-mail may bind the organization. To limit this exposure, the organization’s policy should identify those individuals or positions that have authority to bind the corporation. The existence of this policy could help the organization avoid liability for alleged contracts made by an employee acting outside the scope of his or her authority.
To be effective, an organization’s policies must be clearly communicated not only to employees, but also to other persons, such as outside contractors, who also should be subject to such policies. Businesses, therefore, should establish a training program that documents the training of employees and others in the organization’s policies and procedures.
After an employee has received policies and procedures training, the organization should document the fact that the training has occurred. The organization should consider requiring each employee to acknowledge in writing that the employee participated in training and understands and agrees to comply with all policies and procedures. Policies should be reviewed, updated and disseminated to employees on a regular basis.
Notes
¹ A “work for hire” is an asset that an employee (or independent contractor) creates as part of his or her regular duties and responsibilities for the employer. If the asset or work created qualifies as a “work for hire” under the work-for-hire doctrine, the employer or person commissioning the asset or work owns the rights to the asset or work, rather than the individual who created it. The work-for-hire doctrine is an exception to the general rule that the individual who creates a work owns it. See, e.g., 17 U.S.C. sections 101 et seq. (1999).
² The importance of electronic copies of e-mails and other documents was demonstrated by the trial of Oliver North in the 1980s and the Microsoft antitrust litigation in the 1990s. Electronic copies of e-mail may expose a company or individuals to potential liability or embarrassing publicity when introduced in litigation.
ABOUT THE AUTHOR
Lorelie S. Masters is a Director of the Washington, DC office of Beveridge & Diamond, P.C., where she represents and advises policyholders on technology, insurance, and litigation issues. She co-authored the treatise Insurance Coverage Litigation (second edition published in January 2000). She can be reached at lmasters@bdlaw.com.
riskVue | The webzine for risk management professionals
July 2000