Delegates at the ICT law conference in Johannesburg have heard that employees are responsible for up to 80% of IT security breaches.
The three-day ICT law conference, organised by Marcusevans conferences in Johannesburg, focussed on information security as a legal issue. It is the duty of the company to take certain precautions to reduce its IT security risks, legal experts said.
The nature of the liability
IT attorney Reinhardt Buys told delegates that although SA does not have legislation that specifically covers IT security, there are various ways in which a company could be culpable if there is a security breach. For example, Section 424 of the Companies Act deals with the reckless running of the company.
If there is a security breach and it can be shown that the company failed to take reasonable steps to minimise its risk, then clearly, the company could be held responsible for any damage incurred.
This could be loss of data and unauthorised disclosure of information, which could in turn compromise business negotiations or the confidentiality of client information.
Legal precedents have also shown that an employer could be forced to assume vicarious liability for the misconduct of its employees, says Jan H Snyman, a legal advisor for the Sasol group of companies.
For example, if an employee did harm to another person while engaged in the affairs of the employer at the time the misconduct took place, or if the employer knew of the misconduct and failed to take speedy action, the company could be held "vicariously liable".
Identifying the threat
According to Snyman, statistics have shown that employees carry out at least 80% of IT security breaches.
Buys concurred: "It is the disgruntled or careless employee who poses the greatest danger to the company`s IT security."
Lance Michalson of Michalsons Information Technology Attorneys suggested that companies invest in their human resources as much as they do in their security software.
"It`s no use installing security software when the greatest threat the company faces is the employees walking around carrying memory sticks," he said.
Neutralising the threat
The message was clear: the first step to reduce risk is to develop an IT security policy and train employees on its contents. The policy should not be too legal or too technical and it should certainly not be too long. The legal advisor should also draft an incident response, Michalson said.
Buys suggested that the company also take steps to ensure that staff members are trained. A policy also provides the legal basis for dismissal or any punishment of careless employees who endanger the security of the company, he said.
Finally, Michalson encouraged companies to "understand their own peculiar risks", as there is no legislation dealing with the issue directly.
The conference ends today with a workshop on "electronic evidence handling and collection". Presented by Dave Oswald, a director at the Forensic Restitution, the workshop covers planting evidence, search and seizure of computers and forensic imaging and verification. Oswald will also outline some of the problems with computer forensics and use real world case studies.
Related stories
ICT Law a "balancing act"
Spotlight falls on ICT Law
Policy would decrease ICT risk
SADC looking to harmonise cyber laws
Governance can mitigate risk
Share