Leaving the Cyber-door Open

December 7, 2007

I had a couple of ideas for this week’s post – then I saw two news stories within a week which, although completely separate, clicked together in my mind.

The first appeared in The Times and on the BBC on the 15th November.  It concerned “wi-fi tapping” – accessing the internet through someone else’s wireless broadband connection without their permission.  In a survey for the paper, more than half of those questioned (fifty-four percent) admitted having done it, but only eleven arrests have been made – no doubt because it’s so difficult to prove.

Reading around this issue, it seems we’re not quite sure where to stand on it.  It’s a criminal offence under the Communications Act 2003 which carries a fine of up to a thousand pounds and a maximum of five years in prison.  To put that into perspective, you might get less for manslaughter.  Yet it appears to be quite socially acceptable.  Yes, we know it’s wrong – but we think, “it’s not really bad, is it?  It’s no worse than nicking some apples from your neighbour’s tree” – “Scrumping in Cyber-space”, as another piece in The Times put it.  Technically it’s theft, “but there’s no real victim … is there?”  Even potential victims seem to accept it as inevitable and relatively unimportant.  A close member of my own family (details withheld to protect the short-sighted) justified the lack of security on his wireless router at home by saying, “Well, they can’t actually get into my files – they’re password protected – so it doesn’t matter, does it?”

Well, yes, actually, it does.  Aside from the service we’re paying for being slowed down to a point where (to quote the author of “Scrumping in Cyber-space”) “it feels like internet commands are being hand-processed by a convoy of tortoises”, the average hacker is far too clever for our own good and can crack our passwords (which most of us don’t put enough thought into) and thereby steal our information and use it to steal our identities.  Even the less techy intruder can lay us open to criminal prosecution by using our connection to download illegal material like child porn – which can only be traced back to the legitimate account-holder.

Part of the problem, I suspect, is awareness – we don’t really understand the potential consequences of our actions here.  Most broadband invaders don’t know the criminal penalties and those in danger of being invaded perhaps don’t realize what it could mean for them.

I was still thinking about the implications of wi-fi tapping for business when the brown stuff hit the fan over the HM Revenue and Customs lost CDs.  In blogs and on forums, as well as in the wider media, everyone has been asking all week:

  • Why was the personal data belonging to approximately ten million families copied on to CD in the first place?
  • Why wasn’t it encrypted?
  • Why was it transferred to the Accounts Department by post?
  • Where is it now? And,
  • Where – and who – is the “Junior official” responsible for this monumental cockup?

I don’t have answers to any of those questions – but one thing did occur to me as I followed the coverage:

This isn’t just a big, faceless government department problem.  It should be a wake-up call for all of us, as businesspeople and private individuals.

In business, we hold information about our staff, customers, suppliers and, in some cases, the general public.  Ok, so if we screw up, we won’t hit the headlines as HMRC has done, simply because our mistake is unlikely to affect nearly half of the UK population – but for anyone who has trusted us with their information, the consequences are potentially devastating.  By leaving our cyber-door open – whether through poor procedures for transferring information, or by failing to secure our networks and thereby letting “freeloaders” in – we put people at risk of identity theft – and worse.  After all, our personal information in all its forms is the key to our lives.  As Chris O’Farrell (a global hacking and internet security expert based in the US) pointed out to the BBC, virtual theft could lead to physical risk, especially for certain key personnel.      

It isn’t that we don’t take personal information seriously.  The most recent research by the Information Commissioner’s office (which is responsible for overseeing the operation of the Data Protection and Freedom of Information Acts in this country) found that people rated protection of their own personal data their second biggest concern – above the NHS and national security.  Put that alongside The Times survey and the HMRC fiasco and add in the fact that that isn’t (as we might like to believe) an isolated incident (City Bank, one of the largest companies on the planet, lost over three million records last year) and the contradiction jumps out and bites you.  We worry about protecting our data more than our health service, but so many of us leave ourselves wide open – and fifty-four percent of us take advantage of that.

So what’s the answer?  There is currently a bi-partisan bill going through the American legislature, designed to make it easier for victims of identity theft to prosecute (not a magic panacea – Chris O’Farrell described it as tackling “ten percent of the problem”).  Perhaps we in the UK also need tighter regulation; but more than that, I think we need a cultural change.  At the moment, I would draw a comparison not with scrumping in cyber-space, but with speeding – most drivers have done it at some time and got away with it – but that doesn’t change the fact that it can have extremely serious consequences.  When it comes to wi-fi tapping, as I see it, we need to start thinking of it as virtual burglary.  Contrary to popular belief, you can be burgled without having anything stolen.  It’s enough that someone trespasses on your property intending to steal (or rape).  The freeloader trespasses on your network intending to steal part of your broadband service at the very least.  I know the evidential issues are completely different – as yet, there’s no way of taking fingerprints from a wireless connection! – but in principle, the two offences are remarkably similar – although socially they are viewed completely differently.  Surely that has to change, as our offices, financial management and social lives creep further on to the web?  As we live more and more in cyber-space, the bits we occupy become extensions of our homes and offices – and what’s the point of bolting and barring one door if we leave another wide open?

It’s often said that the law lags behind society – but sometimes it’s the other way around.  Drunk driving was criminal long before it was viewed as immoral.  I can’t help thinking that until the same shift happens on this point, we won’t be able to tackle problems like identity theft and information security effectively.

So what do you think?  Have you been affected by cyber crime, either personally or commercially?  Are you one of the fifty-four percent who have used a broadband connection illegally?  If so, did you know it was a crime and what the penalties were?  How did you rationalize it at the time – and can you still justify it in your own mind?  Finally, has your business ever been responsible for losing other people’s information?  Let me know – as anonymously as you like!

  

Sherie Griffiths

Legal Es – the latest Regs on web and email notices – confusing clarification

November 19, 2007

Just over a year ago, I presented a podcast feature called “E for Evidence”.  It was all about the increasing legal status of electronic communications – illustrated by the growing number of notices which appear on emails and websites. 

A couple of months later, I was talking about the imminent arrival of the Companies Act 2006 – “the biggest shake-up in company law for more than twenty years!”  That piece included a look at the catchily titled  “Companies (Registrar, Languages and Trading Disclosures) Regulations” 2006, which gave the EU “First Company Law Amendment Directive” force in the UK from 1st January 2007. As so often happens in law, an attempt at clarification has led to a lot of confusion.  Many of the businesses I talk to are still not sure whether the new Regulations affect them and if so, what information they need to be adding to their emails and websites – so here goes with a summary: 

  • The Regulations affect you if your business is a private limited company, a public limited company or limited liability partnership.

 You are not affected if you are a Sole trader or Ordinary partnership. 

  • The information must appear on:

      • business letters
      • order forms and
      • websites.

The requirements relating to business letters have been with us for years.  The 2006 Regulations (which also include order forms), acknowledge how much business is now conducted over the web, by stating specifically that the law applies to documents in hard and electronic copy and to websites.  Technically, the required information only needs to appear on an email which is a “business letter”.  In practice, though, it will be much easier to add it to every outgoing email, including messages forwarded and replied to.

  • The minimum information to be included:

      • Business name as registered
      • Registration number
      • Place of registration – eg England and Wales
      • Trading name (if different) – making it clear that it is a trading name
      • Geographical address – often the registered office
      • VAT number – if VAT registered.

  • The current penalty for not complying is £1000.00.

 I hope that helps. I was going to head this “E for Excessive?” and look at the whole business of email notices etc, how many are required by law and how many actually have any value – but that’s another post, for another day! 

What are your feelings on that subject?  Do you know what all the paragraphs which appear automatically at the bottom of every email mean?  Do you ever read them on other people’s messages?  Do you treat emails as seriously as you would a traditional letter? – do you, in fact, ever write traditional letters any more?  If you have an answer to any of those questions – or another question to pose – leave a comment.  You can do the same if you have an idea for a future post. 

I’m always open to ideas. 

Sherie Griffiths  

“Work/Life Balance or Tippling the Scales Too Far?”

November 12, 2007

Work/life balance – or the lack of it – is an issue all too familiar to anyone in business.  Over the last couple of months, my own work has taken over to the point where my seven year-old God-daughter has had to wait five weeks for her birthday shopping trip and several friends must be convinced I’ve dropped off the planet! So it came as no surprise to me that the proposal to extend the right to request flexible working made its way into the Queen’s speech last Tuesday.  Since April 2003 (courtesy of the Employment Act 2002), all parents of children under six and those of children with disabilities under eighteen have been able to request to work  

  • Different hours
  • part-time (including job-sharing)
  • compressed hours (the same number of hours compressed into fewer days) or,
  • somewhere other than in the office – usually at home.

The government now plans to extend that option to all parents of children under seventeen.   

Since Tuesday’s announcement, there has been the inevitable debate in the media about the pros and cons of flexible working, from a business perspective.   

A white paper published by Smart Human Logistics PLC in the wake of the 2003 changes, lists the business benefits as the abilities to: “synchronise fluctuating business demand with workforce deployment and achieve significant wage-bill cuts, dramatic productivity gains and raised employee morale, attendance and retention”.

The same paper provides a long list of organisations which, at the time of publication, were already capitalising on those opportunities.  It includes names like: 

Virgin Atlantic

Tesco

Unilever and

The NHS. 

It can’t have escaped your notice (as it didn’t mine) that all those operations have one thing in common – they are large employers.  So does this mean, as Liz Wyn Roberts of professional and financial services group Smith Williamson said on BBC Five Live last week, that flexible working is “a big company luxury”? 

There’s no doubt that smaller businesses work within much tighter margins and need every member of the organisation to carry their own weight – and sometimes somebody else’s!  Early on in my career, I worked for more than one small law firm where each one of us was expected to do the work of two people – or so it seemed to us.  At the same time, anyone in business soon learns that flexibility – evolution – is essential to survival.  Put simply, those who don’t bend tend to break.  Logic says that larger organisations, like those listed in the white paper,  can bend further, because they are underpinned by better resources; but how far can more modest operations, of the kind most of us run, bend without falling over? 

No-one likes change very much – especially if we feel it’s being foisted on us from above.  In The Times this week, John Cridland, Deputy Director-General of the CBI, said his organisation welcomed the government’s decision to review extending the right to flexible working, but that implementation should be by way of a “step by step approach”.  He warned against going “too far too fast” (some Labour MPs expressed the view that the right should be extended to all staff). 

In the same piece, John Wright, national Chairman of the FSB, said that companies needed to “retain the right to organise their workforce to stay competitive”.  He was also quoted as saying “The Government needs to recognise that the reality in a business is that the employees need to be at work to enable the firm to make money, pay their wages and grow to employ others.”  I take his point, but, playing devil’s advocate for a moment, does being “at work” still mean having to be in an office etc during the traditional working day? 

While I have the horns and tail in place, a couple of points have struck me about this subject which I haven’t seen brought out publicly this week. 

On the commercial front, there is the fact that increasing numbers of us, whatever our business size, are trading internationally – in different time zones – creating a reciprocal need for flexibility. 

Then there’s the bigger picture. The Companies Act 2006 imposed on all directors a duty to watch their “triple bottom line” – their companies’ environmental and social impact, as well as economic performance.  Whilst I acknowledge that Tuesday’s proposals, if/when they are implemented, will create a whole new set of challenges for all of us, should we not be adding to that list of business benefits, the potential abilities to reduce the environmental cost of what we do – by  

  • expecting staff to travel less
  • using less paper (often a by-product of remote working)
  • maintaining smaller premises etc
  • reduce the social costs by enabling parents better to supervise their growing children – who (as I recently heard it expressed quite neatly) “need them more, the less they want them” (which has potential implications for education and crime prevention) and
  • making it easier for elderly and disabled relatives to be cared for at home, so relieving the burden on public services?

 Ok, I know it isn’t that simple – the smaller picture still dominates our daily lives – because it has to.  The Companies Act provisions don’t apply to sole traders and partnerships (although it’s highly likely they will one day); the twenty-four hour global economy is not a priority for smaller, UK-based traders with UK-based customers; and we all have products to make, customers to serve, deadlines to meet, salaries to pay – and livings to earn; but as corporate social responsibility moves up the business agenda, we will all, in our own way, have to think broader and start finding innovative ways of balancing the financial, environmental and social books – and more flexible working might just be the way to do that. 

I’m sure we’ll come back to this subject when Imelda Walsh (HR Director at Sainsbury’s) reports back on her review next Spring – and again when the proposed consultation with business about how to extend flexible working gets underway. 

In the meantime, where do you stand?  Perhaps you’re already using flexible working to your advantage – or maybe you’re in an industry where it’s very difficult to implement.  Do we need more legal regulation on the subject, or should it be left to business to regulate itself on this one?  And if we do need the law to intervene, how far and how fast should it go?   

Sherie Griffiths

Talking Rubbish – New Recycling Regulations

November 5, 2007

What do you know about the “Producer Pre-treatment Regulations”?  If you’re staring blankly at the screen, don’t worry – you’re not alone.  In fact, according to a UGOV survey, you’re among the four out of five businesses who had no idea the compliance deadline for the new Regs was last Tuesday, 30th October. 

If you’re now shouting at the screen, “So why didn’t you tell me earlier?!”, I have to admit that the first I heard of this was on last Tuesday’s “Wake Up to Money” (BBC Radio Five Live, 5:30/6:00 AM).  The two contributors to the piece were a representative from the Forum for Private Business and a spokesperson for Envirowise, which provides free “government-supported environmental consultation, advice, and documentation for UK businesses”.  The Envirowise spokesperson stated there had been a lot of publicity around the implementation – DEFRA (the Department for the Environment, Food and Rural Affairs) had announced it in July 2005 and the Environment Agency had issued guidance last April.  In addition, organisations like the CBI, as well as waste management companies, had been sending out leaflets; but (as the FPB rep retorted), the fact remained that the majority of businesses were unaware this was coming – and even if they knew it was on its way, they were confused about how it would affect them.  After the programme, I set about my own research – which I have to say at times was like drawing teeth!  I Googled the Regs as they were billed on the programme, but found very little.  I didn’t do much better on a legal database.  So I contacted the DEFRA helpline – and finished up feeling sorry for the poor girl on the other end, who seemed to have no idea what I was talking about!  “We haven’t even had a press release on it”, she confessed, embarrassed.  Finally, picking up on something in my Google research, I was able to trace the Regulations.

They are part of the Landfill (England and Wales) Regulations 2002, which bring the EU Landfill Directive into UK law.  The Directive is scheduled to be fully in force by July 2009. 

So what exactly are we expected to do as of last Tuesday?  The complete answer needs more research – or an environmental law expert – but in summary: We need to “pre-treat” our rubbish before it goes to landfill.  This could be as simple as taking trips to the bottle bank, or putting paper etc into a separate sack (as so many of us already do at home).  Alternatively, we could just pay our existing waste management company to do it.  It’s about removing and recycling what can be recycled, so reducing what goes to landfill.  Yes, there is a cost to us as businesses – but if we don’t do it, we face potential fines (as yet the amount appears not to have been set – which it seems to me violates at least one basic principle of a fair legal system – the right to know the likely penalty before we commit the offence).

On the BBC programme, the FPB representative made his organisation’s position clear: It wasn’t the provisions themselves they objected to – they had no issue with the idea of businesses being encouraged to be “more resource efficient” (to quote the Envirowise spokesperson); but, he said, we also needed to be “information-efficient”. “Throwing money at advertising doesn’t necessarily mean engaging with the right people”.

So did you know about these Regs?  And if so, when and from where?  If you didn’t, where do you stand – on the Regs themselves and the apparent lack of information about them?  And on a broader point, where do you normally get this kind of information from?  Where – and how – would you prefer to have it delivered?  Let me know.  In the meantime, I’m in search of more information on these particular Regulations – and when I find it, I’ll pass it on.

Sherie Griffiths  

A necessary Evil:

April 25, 2007

Law is a necessary evil for business – like insurance – and taxes!  Everyone knows they ought to be up to speed with the parts that apply to them – but no-one really wants to engage with it unless or until they have to – at which point it’s often too late to do more than fire-fight.  But does it have to be that way?  UK business tends to be reactive rather than proactive (and I speak as someone who is part of that, in my own right as well as through my clients); but I’m all in favour of prevention rather than cure.  It’s less time-consuming, less stressful – and most importantly, it’s cheaper!  Lawyers aren’t traditionally known for being open to new ideas (although that is changing).  When I started out (19 years ago), while other offices were bringing in computers, we were still using typewriters – remember those?!  Now, though, my profession is catching up with the rest of the world – using the web, blogging and podcasting – my own clients seem to appreciate our podcasts.  But law is still a subject many businesspeople shy away from.  So if you’re in that position, what’s good (if anything!), bad – and downright ugly! – about the law you have to comply with and the legal services available to help you do that?   

