Communications Acceptable Use Policies: Some Cybersecurity Considerations
by Jane Ginn
Managing employee communications devices in the always-connected global business community has become an important issue for information security personnel engaged in the design of effective security policies (Kabay, 2009). Key to successful management that avoids out-bound data loss and leakage and in-bound malicious attacks is buy-in and active participation by all corporate employees. A comprehensive Communications Acceptable Use Policy (CAUP) that addresses each issue systematically and is part of every employment agreement is also important for success (Stewart, 2002). Select provisions of such an agreement should also be part of all third-party contracts, as well.
Construction of a CAUP requires a working knowledge of the key issues that must be addressed (SANS, 2007). To be effective, the policy design should be clearly correlated with the company’s legal liabilities and use proper netiquette that is consistent with the corporate culture. In the banking and financial services sector (BFSS) this will include considerations of intellectual property protection, bank secrecy/anti-fraud considerations, customer privacy and other issues (Grimm, 2010, March). This is especially important in the Bring Your Own Device (BYOD) era where employees are increasingly blending business and personal activities through their communications devices (Roberts, 2012, October).
This paper will address some of the key components for constructing a CAUP for the BFSS. Legal and regulatory constructs and case (i.e. common) law will be used to substantiate my list of key components.
From a review of multiple CAUPs and the critical literature on the subject P.A. Laughton developed a hierarchical view of the importance of key drivers for the design of a CAUP. He found a wide range of examples that varied from being too vague, or, conversely, too restrictive (Laughton, 2008, December). Importantly, he found that the evolving nature of Internet law showed that CAUPs must be viewed as dynamic, living documents that must be revised to reflect the changing liabilities a company faces and responsibilities employees must be informed of.
Important findings among the studies he reviewed included the work of Flowers and Rakes (2000). They identified four generic areas that should be included in every CAUP: (1) liability issues and concerns; (2) online behavior; (3) system integrity, and; (4) the quality of the content. Flowers and Rakes “generic areas” were adapted by Laughton in designing the list of “drivers” for his hierarchical ranking.
In a separate, and somewhat playful analysis by Scott and Vass a Seven P’s Model is suggested: (1) participation; (2) partitioning; (3) philosophy; (4) privacy; (5) pernickety (do’s and do nots of the policy); (6) phog phactor (ways to improve readability and reduce legalistic jargon); and (7) publication (1994). Importantly for my analysis, Laughton uses their framework to inform his 2008 model.
Laughton also found that previous studies and surveys failed to rank the relative level of importance of design drivers that should be dealt with in a CAUP. He offers such a ranking based on the acceptability of the CAUP to user communities and his own expert opinion.
Figure 1 illustrates an adaptation of his hierarchical view I have constructed. I have placed the most important driver at the top of the figure with subsequent categories that he ranked descending, in order, down the stack.
Figure 1. Laughton’s Hierarchy of AUP Issues
In the years since Laughton developed his model, and as companies have become more adept at crafting effective policies, the statutory, and regulatory and case law has evolved significantly. In fact, in the United States, legal frameworks have emerged in all of the categories of drivers originally proposed by Laughton, especially in highly regulated industries such as the BFSS.
Table 1 lists some key examples specific to CAUP construction for the BFSS.
Table 1. Laughton’ Drivers and Modern Legal Frameworks for the BFSS
|Laughton’s Driver||Statutory & Regulatory Frameworks||Examples of Case Law|
|Legal Drivers||All laws and regulations listed||All cases listed|
|Netiquette||Title VII of the Civil Rights Act of 1964, as Amended; Age Discrimination Act of 1967, as Amended; Americans With Disabilities Act of 1990, as Amended||Smith v. Pillsbury (on professionalism in Email)|
|Security||Gramm-Leach-Bliley Act (specific to BFSS) Safeguards Rule (on employee’s obligations to protect customer data); Sarbanes-Oxley (SOX) Section 404 Audits||Shoars v. Epson America (on monitoring of Email)|
|Privacy||Omnibus Crime Control and Safe Streets Act, Title III (on criminal investigation); Communications Assistance for Law Enforcement Act (on criminal investigations); Children’s Online Privacy Protection Act of 1998, as Amended; Red Flags Rule under the Fair and Accurate Credit Transactions Act of 2003; FINRA Notices 10-06 & 11-39||Paul F. Ryan v. James F. Normandin (on invasion of privacy); York v. General Electric (on employee surveillance to be limited to public behavior); Rushing v. Hershey Chocolate (on routine drug screening); Double Click Inc. Privacy Litigation, [154 F. Supp. 2d 497, 502-03 (S.D.N.Y. 2001)]; 13 U.S. v. William Cannon; U.S. v. Ramos; People v. James D. Kent (on child pornography)|
|Organizational Property||Economic Espionage Act of 1996, as Amended; Computer Fraud and Abuse Act of 1986, as Amended by the USA PATRIOT Act;||LVRC Holdings v. Brekka (on business Email sent to personal laptop); Automatec Transactions, LLC v. IVG Holding Co.(on patent infringement); PhoneDog v. Kravitz (on follower list ownership); Litigation Mgt. Inc. V. Bourgeois (Ohio, 2011) (on non-competition); Walker Mfg. v. Hoffmann (on reverse engineering).|
What becomes clear from this sampling of legal, regulatory and case law citations is that within each of the subordinate driver categories set forth by Laughton these legal drivers are vital for the design and development of a CAUP. Each one of the factors identified should be addressed from a legal, regulatory and case law point of view to avoid organizational liability, ensure customer and employee privacy, and protect the intellectual property of the enterprise. Therefore, the legal drivers should be envisioned as cross-cutting categories that are applicable to each of Laughton’s other key drivers.
I would recommend an alternative “hierarchy” to the one proposed by Laughton, as shown in Figure 2, below. In my model all four of Laughton’s categories are subjected, systematically, to a review of the legal, regulatory and case law history. Also notice that the order of the ranking has changed to illustrate the emphasis placed on security, privacy and intellectual property protection within the BFSS. For example, Netiquette, although an important factor for guiding the readability of the CAUP, is less important in this sector, given the legal liabilities companies face.
Figure 2. Ginn’s Model of Design Drivers for a CAUP for the BFSS
Below are some examples of how these legal directives relate specifically to concerns of companies within the BFSS. I have used only a small sample of the laws and cases cited on Table 1, above.
Gramm-Leach-Bliley Act (GLBA) regulated parties must protect against unauthorized access, ensure the security and confidentiality of customer records and information, and protect against any anticipated threats or hazards to the security or integrity of records. The Safeguards rule, issued by authority of GLBA, states that BFSS firms must develop, implement, and maintain a comprehensive information security program that is written in “one or more readily accessible parts and contains administrative, technical, and physical safeguards that are appropriate to its size and complexity” (FTC, 2002, May 23). A key consideration for the CAUP designer will be how to communicate this program to all employees so that they have a stake in the total security management program. This is where awareness training becomes an integral part of the implementation process.
The Shoars v. Epson America case cited in Table 1 illustrates this point. In this 1994 case the plaintiff alleged that her termination occurred in retaliation for her reporting of, and refusal to go along with, interception of her Email, based on prohibitions concerning wiretapping and eavesdropping. A comprehensive training program and a well-designed CAUP that made the employee a partner in information security could have alerted her to the practice of company monitoring of Email communications within a less adversarial context. It is possible that such a training program could have helped Epson avoid this lawsuit.
In my review of the privacy-related case law the majority of the cases involved enforcement action under the Children’s Online Privacy Protection Act (COPPA). At a minimum a CAUP should specify acceptable employee behavior online regarding children’s privacy. For purposes of this law, a child is defined as a minor under 13 years old.
There are, however, many other privacy-related provisions that are more central to management considerations in the BFSS. Many of these are cited in the Privacy section of Table 1. Note that there are several laws that are tied to criminal investigations in the event of white collar crime and fraud. Forensics investigators into BFSS incidents need to know when and how their investigations can be questioned and/or evidence excluded from a court proceeding because an accused party’s right to privacy has been invaded.
In September of 2011 a Grand Jury in Illinois indicted Chunlai Yang in a case involving intellectual property infringement (U.S. District Court, 2011, September). The defendant had been an employee of the CME Group, a company that operated an electronic trading platform called Globex. He had been an employee during which time he routinely copied proprietary source code for his own personal use. He later opened a Chinese language trading platform that closely resembled the business logic of the Globex platform. The plaintiffs successfully prosecuted the case and Yang was ordered to pay compensation to his former company and turn over all corporate assets he had confiscated in the course of his employment (ibid., p.11).
BFSS firms which develop proprietary business processes as account enhancements own these assets. These assets can give them a competitive edge in an industry with thin profit margins. This case offers one example of how case law is evolving in the area of intellectual property protection.
In an interview with the CISO for a major stock brokerage the importance of the readability of the CAUP was emphasized. He stated, “Since policies and awareness of the policies exist to reduce risk by controlling behavior, the workforce needs clear, readable policy language. Policy language, style, and tone will vary coordinating to company culture. This should be expected, and the content should be reviewed annually” (personal communication, January 9, 2013).
Purpose of Communications Acceptable Use Policies
The importance of a well-crafted CAUP cannot be underestimated. This paper has emphasized the role of legal, regulatory and case law in defining the drivers that will inform the wording of a CAUP.
But beyond the identification of legal, regulatory, and case law drivers discussed in this paper there is the crafting of the metrics used to measure and record compliance. This was emphasized in my interview with the CISO: The area to focus on is the compliance measure and associated metrics. When implementing any compliance program, 100% compliance is always the goal, but perfection is difficult to obtain. So there must be acceptable, marginal, and unacceptable percentages of employees successfully completing the required policy awareness learning module. Start on solid footing and encourage HR to require that employee goal setting/evaluation include adherence to required modules. (personal communication, January 9, 2013).
Two researchers from St. John’s University have recently developed a schema for designing deterrence approaches for using business assets for personal actions (Ugrin, 2008, Winter). Subsequent work on the development of a comprehensive CAUP should also include discussion of these types of methods for gauging conformance and shaping employee behaviors.
This paper has emphasized the role of statutes, regulations and case law in the design and development of a comprehensive CAUP. I have illustrated how a clear understanding of the specific issues within each of four areas can help to craft a document that can have the force of law if challenged in court. These are: (1) security; (2) privacy; (3) organizational property; and (4) netiquette. Although legal issues must be dealt with in a clear and concise manner, it is also important that the wording of the CAUP be understandable by all of the employees and/or contractors subject to its provisions. And, for the CAUP designer, the careful construction of metrics for measuring conformance will be most important for establishing a consistent and enforceable CAUP. The next steps for designing a comprehensive CAUP will be to specify such metrics and measures that correlate specifically to the types of legal considerations outlined in this paper.
Children’s Online Privacy Protection Act, 15 U.S.C. 6501-6506 (Pub. L. 105-277) (1998).
Flowers, B., Rakes, G. (2000). Analyses of acceptable use policies regarding the Internet in selected K-13 schools. Journal of Research on Computing in Education, 32(3), 351-365.
FTC, Standards for safeguarding customer information: Final rule, 16 C.F.R. § Part 314 (2002, May 23).
Gramm–Leach–Bliley Act [GLBA], Pub.L. No. 106-102, 113 U.S.C., § 1338 et. seq. Stat. (1999, November 12).
Grimm, J. R. (2010, March). Intellectual property crimes. American Criminal Law Review, 47(2).
Kabay, M. E., Kelly, S. (2009). Developing security policies. In S. Bosworth, Kabay, M.E., & Whyne, E. (Ed.), Computer Security Handbook (5th ed.). Hoboken, NJ: John Wiley & Sons, Inc.
Laughton, P. A. (2008, December). Hierarchical analysis of acceptable use policies. InterWord Communications, Vol. 10(4).
Roberts, P. (2012, October). Holes in BYOD: Are your security policies up to the challenge of a bring-your-own-device world? Dark Reading. Retrieved from http://www.darkreading.com/security/news/240008838/byod-filling-the-holes-in-your-security-policy.html
SANS. (2007). Information security guide: A development guide for large and small companies. Information Security Reading Room.
Sarbanes–Oxley Act [SOX], Pub. L. No. 107-204, 116, § 745 et. seq. Stat. (2002, July).
Scott, V., Voss, R. (1994). Ethics and the 7 P’s of computing use policies. Ethics in Computing Age, 61-67.
Shoars v. Epson America, Case No. BC007036, Los Angeles County Superior Court (1994).
Stewart, F. (2002). Internet acceptable use policies: Navigating the management, legal, and technical issues, Ch. 31 The Privacy Papers: Managing Technology, Consumer, Employee, and Legislative Actions. Zug, Switzerland: CRC Press, LLC.
U.S. v. Chunlai Yang, Violation: Title 18, U.S.C. § 1832(a)(2) and (a)(4) C.F.R. (2011, September).
Ugrin, J. C., Pearson, M.J. (2008, Winter). Exploring Internet abuse in the workplace: How can we maximize deterrance efforts? Review of Business, 28(2). Retrieved from http://www.freepatentsonline.com/article/Review-Business/184710901.html