Certain legislation requires companies to retain specified documents for a set number of years. The ECT Act provides that a document that complies with the requirements the Act lists may be retained electronically.
A company that faces litigation must also retain every document that may be needed in court, so it must ensure that stored documents keep their integrity and are not destroyed. If the company loses data to a virus attack against which it failed to take adequate measures, it may be found to have acted negligently.
When two accountants at Arthur Andersen suspected that an investigation of their client, Enron, was inevitable, they ordered documents shredded in terms of the firm's document retention policy. Destroying evidence is unlawful, and the US Justice Department indicted the firm for obstruction of justice. Once a company becomes aware of a pending lawsuit it must therefore not use its document retention policy to destroy possible evidence and then claim that this was a routine document destruction process. If the company routinely destroys documents twice a year and a lawsuit is pending, it should instead tell employees which documents not to destroy (a litigation hold).
However, the company also should not keep email and other electronic records indefinitely. The Microsoft monopoly case showed that long-forgotten emails can be very damaging to a company. A company should therefore instruct employees to clear their mailboxes regularly. Employees who want to keep certain emails for reference should save them in a private directory or keep a hard copy. The company's policy might further state that all email is deleted automatically after 30 days.
By routinely deleting email, the company eliminates electronic clutter. Should a lawsuit be pending, a forensic investigator would first examine the employees' mailboxes and then the archives, so email deleted under a routine schedule is not there to be found. Two caveats apply. Routine deletion is defensible only if it follows a documented, consistently applied schedule and stops the moment litigation becomes foreseeable; and a deleted message often survives on the mail server, in backups or in the recipient's mailbox, so routine deletion reduces exposure rather than guaranteeing that nothing damaging remains.
To regulate this, the company must implement a data retention policy that directs how documents are stored and when email is deleted. The policy may also list the specific types of document the company must protect. In the event of litigation, the policy and a record of its routine application will show that the company did not delete email maliciously.
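As an added example, not part of the original article, the following Python sketch shows how a routine 30-day email sweep can be implemented so that it honours a litigation hold and leaves an audit trail of every decision. The mailboxes, matter reference and dates are constructed for illustration.

```python
"""Routine email sweep with a litigation-hold exemption (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import FrozenSet, List, Tuple

RETENTION_DAYS = 30  # the article's example figure: auto-delete after 30 days


@dataclass(frozen=True)
class Message:
    msg_id: str
    mailbox: str        # owning mailbox (hypothetical addresses below)
    received: datetime
    subject: str


@dataclass(frozen=True)
class LegalHold:
    matter: str                  # hypothetical matter reference
    custodians: FrozenSet[str]   # mailboxes whose mail must be preserved
    issued: datetime


def holds_for(msg: Message, holds: List[LegalHold]) -> List[LegalHold]:
    """Every hold that names this message's mailbox as a custodian."""
    return [h for h in holds if msg.mailbox in h.custodians]


def plan_sweep(messages: List[Message], holds: List[LegalHold], now: datetime,
               retention_days: int = RETENTION_DAYS) -> Tuple[list, list, list]:
    """Decide, message by message, what the routine sweep may delete.

    Returns (to_delete, preserved, audit). The audit list records the reason
    for each decision so the company can later show that deletion was routine
    and that held mail was never touched.
    """
    cutoff = now - timedelta(days=retention_days)
    to_delete, preserved, audit = [], [], []
    for m in messages:
        if m.received > cutoff:
            preserved.append(m)
            audit.append((m.msg_id, "KEEP", "within retention period"))
            continue
        applicable = holds_for(m, holds)
        if applicable:
            preserved.append(m)
            matters = ", ".join(h.matter for h in applicable)
            audit.append((m.msg_id, "HOLD", f"preserved for {matters}"))
        else:
            to_delete.append(m)
            audit.append((m.msg_id, "DELETE", f"older than {retention_days} days, no hold"))
    return to_delete, preserved, audit


# Constructed sample data: three mailboxes, one pending matter.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_MESSAGES = [
    Message("m1", "alice@example.co.za", NOW - timedelta(days=45), "Q1 figures"),
    Message("m2", "alice@example.co.za", NOW - timedelta(days=10), "Lunch on Friday"),
    Message("m3", "bob@example.co.za", NOW - timedelta(days=60), "Supplier contract"),
    Message("m4", "carol@example.co.za", NOW - timedelta(days=90), "Old newsletter"),
]
SAMPLE_HOLDS = [
    LegalHold("Matter 2024/17", frozenset({"bob@example.co.za"}), NOW - timedelta(days=3)),
]

if __name__ == "__main__":
    deleted, kept, log = plan_sweep(SAMPLE_MESSAGES, SAMPLE_HOLDS, NOW)
    for entry in log:
        print(*entry)
```

The sweep deletes only mail that is both past the retention cut-off and not covered by a hold; Bob's 60-day-old contract email survives because of the pending matter, while Alice's and Carol's old mail goes. The script can only honour holds that exist when it runs, so the hold must be issued as soon as litigation is reasonably foreseeable.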
And now I would like to invite you to a free 30 minute consultation to discuss your Data Destruction and Electronic Evidence Strategy.
From Adv. Liesl Briel – an Information Security and Security Awareness Specialist
When Internet and email use is unregulated, employees may spend countless hours surfing the Internet, visiting sites unrelated to their jobs. Such sites often carry many graphics or other multimedia files, which are large and consume a lot of bandwidth, so the company does not use its investment to its full potential. Heavy bandwidth consumption slows the network and the Internet facilities and frustrates employees who have a legitimate need to use the Internet. This happened in Bamford and others v Energizer. Employees complained that they could not use the Internet effectively because it was too slow; an informal audit of the computer resources showed that pornographic material was overloading it. Following a disciplinary enquiry, the five guilty employees were dismissed.
Besides wasting valuable working time, personal Internet use exposes the company to malware. Employees may download viruses from the Internet without realising it, so the more they browse, the greater the risk.
Internal and external spam is also a serious problem. Employees receive emails from friends and circulate them throughout the company; recipients then forward them to colleagues who have already received them. Chain mail consumes bandwidth and reduces the productivity of every recipient, who must read and delete it. Email has made communication so easy that employees may have become lazy, emailing the co-worker in the office next door rather than walking over, which also burdens the network. If employees send too many emails, or emails with large attachments, the mail system can be overloaded to the point where it stops serving anyone, in effect a self-inflicted denial of service. The company then has to spend a lot of money to get the systems running again, and employees cannot work in the meantime.
To estimate how much money the company stands to lose through lost productivity, consider an example. Assume an employee earns R8 000 per month, works 40 hours per week (about 173 hours a month, or roughly R46 per hour) and spends 30 minutes per day on the Internet for personal reasons. Over 22 working days that is nearly 11 hours per month, so the employer loses about R508 per month to that employee's lost productivity. It may not seem much, but it escalates to R6 097 per year. With only ten such employees, the amount comes to a tidy R60 000 per year! Employees could well waste more than 30 minutes per day, which would increase the employer's financial cost further.
And now I would like to invite you to read about the Legal Remedies that you can use to protect your company from lost productivity.
From Adv. Liesl Briel – the Information Security Policy and Security Awareness Training Specialist.
Defamation occurs when a person unlawfully publishes a statement about another person that is intended to make members of society think less of that person. A statement is published on the Internet when third parties access the content and understand the statement. So if an employee puts a defamatory statement in an email message, on a website or on a bulletin board and a third party takes notice of it, the law regards it as published. If the third party is unaware of the defamatory meaning, however, publication has not taken place.
If the aggrieved party proves that publication took place, it must further prove that the defendant published it. The defendant will be liable if he or she foresaw, or could reasonably have been expected to foresee, that an outsider might take notice of the defamatory content.
Once the plaintiff proves publication, the defendant must rebut two presumptions: unlawfulness and animus iniuriandi, the latter being the subjective intention to injure the plaintiff's reputation.
Usually, the person who commits the delict is responsible for the damages. However, our courts recognise the vicarious liability of employers for the delicts of their employees. The employer will be liable for the damages if the plaintiff can prove that the employee published the content in the course and scope of employment, or to promote the employer's business. If an employee sends a defamatory statement about a third party from the company's network, the company's name appears in the email. Since the company has deeper pockets than the employee, the victim will prefer to sue the company.
Any party who forwards the defamatory statement is also liable. Internet Service Providers (ISPs) may therefore incur liability when they provide information system services. The ECT Act's definition of such services is very broad and seems to include a company's own network. However, the limitation-of-liability provisions the ECT Act incorporates protect only ISPs, so an employer cannot rely on them.
And now I would like to invite you to read more about the various legal remedies the company can use to protect itself.
From Adv. Liesl Briel – the Information Security Policy and Security Awareness Training Specialist.
As discussed in Part 1, employers should use progressively harsher sanctions: the employer may start with light sanctions and move to more serious ones for repeated offences. This is a three-part article on the various sanctions a company may impose. Let's look at the harshest sanction for violating the Information Security Policy.
8. Dismissal
This sanction is reserved for the most serious and/or repeated offences. An employee may be dismissed for misconduct when the continued employment relationship becomes intolerable. The employer must have a fair reason for dismissal and must follow a fair procedure. The Code of Good Practice: Dismissal gives guidelines that a commissioner must consider when deciding whether a dismissal for misconduct was fair.
To illustrate the application of these guidelines in practice, this article discusses three court cases. The background to the cases is as follows:
In Cronje v Toyota Manufacturing (Toyota case) the employee distributed a cartoon depicting the President of Zimbabwe, Robert Mugabe, as a gorilla, and was dismissed for sending a racially offensive email. In the unreported case of Bamford and others v Energizer (Energizer case), the applicants were dismissed for repeatedly abusing the Internet facilities, forwarding obscene pornographic material and jokes, and violating the company's rules. In Richter v Daimler Chrysler (Daimler Chrysler case) the employee was dismissed for viewing and forwarding pornographic material and showed no remorse when confronted.
The first consideration in the Code of Good Practice: Dismissal is whether there was a workplace rule and whether the employee contravened it. In the Toyota case, the company's Email and Internet policy banned the distribution of racially offensive or pornographic material, and the cartoon was clearly racist. In the Energizer case, the company also had a policy and followed it up with an email asking employees to use the Internet facilities only for business purposes and to preserve the Internet resources. In the Daimler Chrysler case, the company likewise had a desktop policy that prohibited personal and objectionable use of the Internet facilities, followed up with a notice prohibiting the sending of pornographic emails and stating that transgressions would be treated as serious misconduct. Clearly, in all three cases the company had workplace rules regulating email and Internet use, and the employers had brought those rules to the employees' attention.
The second enquiry under the Code of Good Practice: Dismissal is whether the rules are valid and reasonable. In the Toyota case the commissioner found the rule reasonable given that the company mainly consisted of black employees and that the relationship between the trade unions and management was very important. In the Energizer case the commissioner found that sending pornographic email damaged the company's business interests; the emails also consumed much bandwidth, which increased the company's costs, and exposed the company to possible trademark infringement lawsuits. In the Daimler Chrysler case, the commissioner found it reasonable for the company to require its employees to use the information systems only for business purposes. In all three cases the rules were found to be reasonable.
The third enquiry under the Code of Good Practice: Dismissal is whether the employee knew of the rule or could reasonably have been expected to know of it. In the Toyota case the commissioner found that the employee had been aware that sending racially offensive emails would enrage the black employees. The commissioner in the Energizer case decided that since the company had a policy, sent out email notices and posted notices on the company notice board, the employees must have been aware of the rules. According to the employee's own testimony in the Daimler Chrysler case, he had been aware of the desktop policy before he applied for Internet access. In all three cases, therefore, the employees had been aware that their actions were wrongful.
The fourth enquiry under the Code of Good Practice: Dismissal is whether the company applied the rule consistently. This question was answered in the affirmative in the Toyota case because management treated similar cases the same. In the Energizer case some of the employees claimed that the company had targeted them and that they were not the only ones contravening the policy. To disprove this allegation, the company engaged Deloitte and Touche to audit all the emails on the systems and determine who else might have sent objectionable emails. The audit identified no other employees, so the company had not applied the rule selectively. In the Daimler Chrysler case, Richter was accused of breaching the policy along with seven other employees, yet he was the only one dismissed. Richter showed no remorse and was angry with the company for invading his privacy; he said that what he viewed in his personal capacity was no concern of the company's. The commissioner consequently found it fair for the employer to distinguish between the employees on the basis of their remorse.
The final enquiry under the Code of Good Practice: Dismissal concerns the appropriateness of dismissal as a sanction. Dismissal for a first offence is justified only if the misconduct renders the continued employment relationship intolerable. In the Toyota case, the black employees were offended by the email and demanded that the employee be dismissed; the company could not afford industrial action and therefore dismissed him. In the Energizer case the commissioner found that the employees had wilfully disobeyed the rules, which severed the trust relationship. They had also exposed the company to lawsuits and potential loss of business, and they were unrepentant at the hearing. The commissioner declared their dismissals fair. In the Daimler Chrysler case, the company averred that revoking the employee's Internet access had not been an alternative sanction because Richter relied on the Internet to do his job. The trust relationship had also been severed because Richter indicated that he would continue to disobey the rules, as he did not think his actions were wrongful. All the dismissals were found to be substantively fair.
And now I would like to invite you to contact me to discuss your Information Security Policy needs. For a free 30 minute consultation, click here.
From Adv. Liesl Briel – the Information Security Policy and Security Awareness Training Specialist.
As discussed in Part 1, employers should use progressively harsher sanctions: the employer may start with light sanctions and move to more serious ones for repeated offences. This is a three-part article on the various sanctions a company may impose. Let's look at the next three sanctions.
5. Revoking of Internet access
Revoking an employee's Internet privileges can be an effective sanction for someone who has breached the Information Security Policy. However, it is an appropriate sanction only if the employee does not rely on an Internet connection to perform the job. In Richter v Daimler Chrysler, the commissioner asked why the employer had dismissed the employee for viewing pornography instead of revoking his Internet privileges. The employer replied that revoking Internet access would not have been an effective sanction because the employee relied on the Internet connection to do his job.
6. Deductions
An employer could deduct money from the employee's salary for excessive Internet usage. To do so, the employer must prove the employee's Internet usage, which requires monitoring the employee's Internet habits.
The Basic Conditions of Employment Act (BCEA) forbids an employer to deduct money from an employee's remuneration unless the employee has agreed in writing. Further, the loss or damage must have occurred in the course of employment and must be due to the employee's fault. The employer must follow a fair procedure and must give the employee the opportunity to show why the deduction should not be made. In total, deductions from the employee's remuneration may not exceed one-quarter of that remuneration.
An employer is vicariously liable for the delicts an employee commits in the course of employment. If someone successfully sues an employer on the basis of its vicarious liability, the employer has a right of recourse against the employee for payment of the damages. Interestingly, the BCEA allows the employer to deduct the amount of the damages from the employee's remuneration instead of suing the employee for them.
7. Demotion
This is a sanction short of dismissal. It may constitute an unfair labour practice if the employer uses it mala fide or where the circumstances of the case do not warrant demoting the employee. However, it may be an appropriate sanction if the employer can prove that the employee is not suited to the particular position but would be better able to perform a job of lower status.
And now I would like to invite you to read Part 3 in this series. For a free 30 minute consultation about your Information Security needs, click here.
From Adv. Liesl Briel – the Information Security Policy and Security Awareness Training Specialist.
The Code of Good Practice: Dismissal of the Labour Relations Act says that employers should use corrective rather than punitive discipline. The employer should make the employee aware of the unacceptable conduct, which can take the form of warnings or counselling. Only for serious or repeated misconduct should the employer use the more formal procedures. When the continued employment relationship becomes intolerable, the employer may dismiss the employee; if the employee is unwilling or unable to adhere to the rules, the dismissal will be substantively fair.
The company's Disciplinary Code and Procedure must prescribe reasonable sanctions for violating the Information Security Policy, otherwise it may be unenforceable for harshness. The Information Security Policy will lack legitimacy if the penalty for a minor violation is dismissal, or if the penalty for a substantial violation is only a verbal warning.
Employers should use progressively harsher sanctions: the employer may start with light sanctions and move to more serious ones for repeated offences. This is a three-part article on the various sanctions a company may impose. Let's look at the first four sanctions:
1. The verbal warning
This is an informal warning in which the employer tells the employee that the conduct does not comply with the policy. It is the first stage of the disciplinary process. Employers do not have to follow a specific procedure, but it is advisable to keep a record of the warning, as this will prove that the employee was aware of the rules and that a subsequent dismissal for repeated offences is justified. Verbal warnings aim to correct the employee's behaviour.
2. The written warning
Should the employee not heed the verbal warning, the employer can issue a written warning, which is a more serious sanction. The employer must investigate the matter, though this need not be a formal enquiry, and during the investigation the employee may have a trade union representative or a fellow employee present. It is advisable that the employee sign for receipt of the warning, as this proves that the employee knew the rule. Written warnings expire after the period prescribed in the company's disciplinary code; if the code prescribes none, six months is customary. When deciding further action, the employer may take the warning into account if the employee commits a similar offence within that period. In such a case the employer may issue a final written warning or, if the transgression is serious enough, dismiss the employee.
3. Suspension
An employee may be suspended with or without pay. Paid suspension is an administrative measure, not a sanction: the employer uses it to remove the employee from the workplace so that a proper investigation can take place. In this sense, paid suspension simply means that the employer relieves the employee of the duty to work or to come to work. As with any disciplinary measure, paid suspension may constitute an unfair labour practice if the employer uses it unfairly or mala fide.
Unpaid suspension is punitive, and the employer may impose it only if the parties consented to this form of sanction in the employment contract or the collective agreement. The employer may also use unpaid suspension where it has a substantively fair reason for dismissal but does not wish to dismiss the employee. This is a sanction short of dismissal, which the Code of Good Practice: Dismissal encourages employers to consider. Again, unpaid suspension may constitute an unfair labour practice if the employer acts unfairly in imposing it.
4. Denial of privileges
An employer may withhold discretionary bonuses as a form of sanction. Additionally, the employer may withhold privileges such as car or housing subsidies, bursaries, special leave, study leave or long service recognition awards.
Unfair employer conduct relating to the provision of benefits may constitute an unfair labour practice. Essentially, the employer must impose these sanctions only when the circumstances of the case justify it.
And now I would like to invite you to read Part 2 in this series. For a free 30 minute consultation about your Information Security needs, click here.
From Adv. Liesl Briel – the Information Security Policy and Security Awareness Training Specialist
Having a policy and not enforcing it is highly ineffective. If the employer turns a blind eye to the transgressions, employees will think that management is not serious about the policy. Should the employer dismiss one employee for contravening the policy, while ignoring the transgressions of other employees, the dismissal will be unfair because the employer did not consistently apply the rule.
If the employer wants to detect policy violations, it must use monitoring software. Some monitoring software controls the content of incoming and outgoing email and may also scan it for viruses. Monitoring email and Internet activity may deter employees from abusing their Internet privileges. If the company does not want to spy on its employees, it can instead install web-blocking software, which blocks access to undesirable websites. This may not be very effective, because some products block the URLs (web addresses) of known undesirable websites, and since new sites with objectionable content appear daily, keeping the list current is an almost impossible task. Another type of web-blocking software blocks certain search terms. This may block objectionable content more thoroughly, but it also blocks legitimate searches that happen to contain a listed term and so frustrates users.
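As an added example, not part of the original article, the following Python sketch contrasts the two blocking approaches described above. The domains and terms are constructed for illustration; the point is that a domain list misses a site not yet on it, while term matching either over-blocks (a substring match catches an innocent place name) or under-blocks (a whole-word match misses a longer form of a listed term).

```python
"""URL blocklist versus search-term blocking (added example)."""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed lists; a real product ships far larger ones.
BLOCKED_DOMAINS = {"adult-example.test", "gambling-example.test"}
BLOCKED_TERMS = {"porn", "xxx", "sex"}


def domain_blocked(url: str) -> bool:
    """True if the host is a listed domain or a subdomain of one."""
    host = (urlsplit(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in BLOCKED_DOMAINS)


def searchable_text(url: str) -> str:
    """The path plus every query value (where a search engine carries the query)."""
    parts = urlsplit(url)
    values = [v for vs in parse_qs(parts.query).values() for v in vs]
    return " ".join([parts.path.replace("/", " ")] + values).lower()


def matched_terms(text: str, whole_word: bool) -> set:
    """Listed terms found in the text, as substrings or as whole words."""
    if whole_word:
        tokens = set(re.findall(r"[a-z0-9]+", text))
        return BLOCKED_TERMS & tokens
    return {t for t in BLOCKED_TERMS if t in text}


def classify(url: str, whole_word: bool = False):
    """Return ("BLOCK", reason) or ("ALLOW", None) for one request."""
    if domain_blocked(url):
        return "BLOCK", "listed domain"
    hits = matched_terms(searchable_text(url), whole_word)
    if hits:
        return "BLOCK", "term: " + ", ".join(sorted(hits))
    return "ALLOW", None


if __name__ == "__main__":
    # Constructed requests: a listed site, a brand-new site not yet listed,
    # an innocent search that a substring match over-blocks, and a search
    # that a whole-word match under-blocks.
    for url in [
        "http://videos.adult-example.test/clip",
        "http://brand-new-site.test/gallery",
        "https://search.example/?q=sussex+county+council",
        "https://search.example/?q=pornography",
    ]:
        print(url, classify(url), classify(url, whole_word=True))
```

The brand-new site sails through the domain list, the council search is blocked by a substring match on "sex" in "sussex" but allowed by whole-word matching, and "pornography" is blocked by the substring match but missed by whole-word matching. Whichever matching rule the company picks, it should expect to review false positives and false negatives rather than treat the filter as a substitute for the policy.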
And now I would like to invite you to read more about the Various Sanctions the company can impose for violating the Information Security Policy (Part 1, Part 2, Part 3). If you would like to discuss your needs in this regard, please click here for a free 30 minute consultation.
From Adv. Liesl Briel – the Information Security Policy and Security Awareness Training Specialist.
After management has drafted the policy, it must implement the policy. As explained earlier, an employer may unilaterally make and implement valid or reasonable rules of conduct for the workplace. The need to stop Internet abuse and to protect information would be sound reasons for making rules of conduct.
The company may not enforce the rules retrospectively because it would be unfair to discipline an employee for transgressions committed before the implementation of the policy.
Here, one must distinguish between the legal positions of existing and new employees. When appointing new employees, the employment contract may state specifically that the employee must comply with the Information Security Policy, and by signing the policy the new employee simultaneously consents to the monitoring of e-communications.
In the case of existing employees, the employer needs to obtain the employee's consent to monitor e-communications. Current employees might, however, refuse to accept and sign the policy, arguing that acceptance would change their terms and conditions of employment because the policy imposes new responsibilities on their use of the information systems. The employer could counter that it has a right (prerogative) to give instructions about how the employee should carry out duties when using the employer's Internet facilities.
An employee enjoys legal protection against unilateral changes to terms and conditions of employment. Under common law, a unilateral change amounts to a breach of contract, and the employee may either accept the repudiation and sue for damages or apply for an order for specific performance. Under the Labour Relations Act, an employee or trade union that refers a dispute about a unilateral change to terms and conditions of employment to a bargaining council or the CCMA may require the employer temporarily to restore the terms and conditions that applied before the change. The employer must comply within 48 hours of service of the referral on it. If the employer fails to comply, the employee or the trade union may approach the Labour Court for an appropriate order.
Under both the common law and the Labour Relations Act the first enquiry is whether an employer's instruction about the use of its Internet facilities amounts to a unilateral change of a term or condition of employment. This is a factual issue for the court to decide. If it finds that the instruction amounts to a unilateral change, the employee may use the remedies available under the common law or the Labour Relations Act. By contrast, if the facts show that the employer has an inherent right to give such an instruction, the employee has no remedy under either.
If, in a specific case, the employer lacks the right to give instructions, it must agree any change to the terms and conditions of employment with the employee; such changes are negotiable. An employer might demand acceptance of the changes and lock out employees to compel them to accept. A lock-out is an employer's exclusion of employees from its workplace to force them to accept a demand concerning a matter of mutual interest between employer and employee. Since a lock-out is collective action in respect of two or more employees, the employer cannot use it when only one employee refuses the employer's demands.
May an employer dismiss an employee for refusing to accept changes in the terms and conditions of employment? The Labour Relations Act makes it an automatically unfair dismissal if the reason for it is to compel the employee to accept a demand in respect of any matter of mutual interest between the employer and the employee.
Here, too, the matter turns on whether the employer has a right to require that employees consent to the monitoring of their e-communications or whether the matter is one of mutual concern between the employer and the employee. A dispute about whether the employer has a right is justiciable, while a dispute about a matter of mutual concern is not — such a dispute is subject to economic power play between the parties, which is the essence of collective bargaining. The courts will not interfere in this power play.
If the employer has a right to insist that the employee consent to the monitoring of e-communications and accept the Information Security Policy before using the employer's computer facilities, the employer may dismiss the employee for refusing consent. The employee would no longer be able to carry out duties in the required manner, which gives the employer a right to dismiss for operational reasons. Alternatively, the employer may discipline and even dismiss the employee for refusing to carry out a lawful instruction. Whether the reason is misconduct or operational requirements makes little difference: in both cases the employer must prove the substantive fairness of requiring the employee to accept the Information Security Policy, including the existence of the employer's right to insist on consent to the monitoring of electronic communications. Here, the employer can rely on its commercial need to limit the risk attached to the use of the Internet.
Since it is within the company's prerogative to lay down work rules, the employees' terms and conditions of employment cannot be said to have changed. In A Mauchle (Pty) Ltd t/a Precision Tools v NUMSA the employer wanted employees to increase production by operating two machines instead of one. The employer first tried to persuade the employees by discussing the change with the shop stewards; when that failed, it issued an instruction. The court found that an employer is not obliged to negotiate with employees about an instruction, and that it was lawful to dismiss the employees when they refused to obey it. The employer may therefore instruct employees that the new rules take effect the following day and that any transgression will be subject to disciplinary action. The instruction must, however, be reasonable. Requiring employees to follow a few basic rules about using the Internet responsibly will be reasonable, since such rules do not alter the employees' job descriptions.
By contrast, if the employer does not have the right to insist acceptance of its Information Security Policy, it must negotiate that right with the employees. That will bring any dispute within the realms of a matter of mutual interest. In such a case, the employer may not dismiss an employee to compel acceptance of its demand.
The Code of Good Practice: Dismissal of the Labour Relations Act requires that the employee know of a rule before the employer may discipline the employee for breaking it. Employees should preferably sign a copy of the Information Security Policy to demonstrate that they accept personal responsibility for complying with it.
The signature is also proof that the employee consented to the possible monitoring of communications. The Constitution protects the right to privacy, and a court will recognise an employee's waiver of privacy only if it was given expressly and unequivocally.
A discussion regarding the right to privacy is beyond the scope of this article. However, the policy should deal with this issue and a short discussion here is in order.
Monitoring the employees’ email and Internet use may amount to invasion of their privacy. If the policy states that the company reserves the right to monitor communications, employees will not have a legitimate expectation of privacy. If the company truly wants to prevent or mitigate its e-risks, it must be able to monitor and intercept communications. Even if the company does not have the means actively to monitor the communications, the policy must reserve the right to monitor communications. If the need arises, the company will have the legal right to access the email and to discipline the employee.
The Regulation of Interception of Communications and Provision of Communication-related Information Act (RICA) makes provision for interception under an interception direction issued by a court, interception by a party to the communication, interception with a party’s written consent and interception in connection with the carrying on of business.
An interesting question to consider is whether an employer can force an employee to give consent to the monitoring of communications. In other words, can the employer force the employee to sign the policy? The answer is “No”. The Bill of Rights gives citizens the right not to have the privacy of their communications infringed. Only a law of general application may limit this right. The RICA is a law of general application.
One can find many legitimate reasons why an employer may want to monitor employees’ communications. Therefore, it should make access to the company network contingent upon signing the policy. If the employee does not sign it, the employee cannot have access to the network and will not be able to carry out the job responsibilities properly. The employer can then discipline the employee for misconduct, in that the employee refuses to carry out a lawful and reasonable instruction.
To show that the employee consented to the monitoring, the company can set up its log-on procedure to ask the employee to click “yes” to accept the company’s e-communications policy. This will also prove that the employee knew of the rule. Should it become necessary to discipline the employee for a policy violation, the employer can easily show that the employee knew the rule.
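One way to implement the log-on acknowledgement described above and to keep the resulting evidence, as an added example that is not from the article or its author (the policy wording, user names and class names are constructed for illustration). The record ties each acceptance to a hash of the exact policy wording, so a later inquiry can show which version the employee accepted and whether an amended policy still needs re-acceptance.

```python
"""Log-on policy acknowledgement gate (illustrative example, constructed for this article).

Records that a user accepted a specific wording of the e-communications policy, so the
record can later show that the employee knew the rule and consented to monitoring."""
import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional

# Constructed sample policy text; a real deployment would load the current policy document.
POLICY_TEXT = ("E-communications policy v2: the company reserves the right to monitor "
               "and intercept communications on its network.")


def policy_digest(text: str) -> str:
    """Hash the exact wording so an acknowledgement is bound to what the employee saw."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


@dataclass(frozen=True)
class Acknowledgement:
    user: str
    policy_sha256: str
    accepted_at: str  # ISO 8601 timestamp in UTC


class AcknowledgementStore:
    """Append-only evidence store; in practice this would be a write-protected audit table."""

    def __init__(self) -> None:
        self._records: List[Acknowledgement] = []

    def record(self, user: str, policy_text: str, accepted: bool,
               now: Optional[datetime] = None) -> bool:
        """Called at log-on after the user clicks yes/no. Returns True if access may proceed."""
        if not accepted:
            return False  # no consent: nothing recorded, no network access
        ts = (now or datetime.now(timezone.utc)).isoformat()
        self._records.append(Acknowledgement(user, policy_digest(policy_text), ts))
        return True

    def has_accepted_current(self, user: str, policy_text: str) -> bool:
        """Evidence check for a disciplinary inquiry: did this user accept this exact wording?
        An amended policy produces a new digest, so earlier acceptances no longer count."""
        digest = policy_digest(policy_text)
        return any(r.user == user and r.policy_sha256 == digest for r in self._records)

    def evidence_for(self, user: str) -> List[Acknowledgement]:
        """All acknowledgements by a user, for producing at a hearing."""
        return [r for r in self._records if r.user == user]
```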
The employer can also retrench the employee. The Labour Relations Act defines “operational requirements” as requirements based on the economic, technological, structural or similar needs of an employer. Risk prevention will qualify as a “similar need”, as it is necessary for the survival of the company. If the employee does not want to help the company in risk prevention or mitigation, it will be fair to dismiss the employee on that ground.
Additionally, the employer can ensure that the employees know of the rule by educating them. This can be done by way of newsletters, discussions and videos. In the unreported case of Bamford v Energiser, the employer sent a notice requesting the employees not to use the email facilities for personal reasons. The commissioner said that any employee who received the email could understand that sending chain mail was against company policy.
From Adv. Liesl Briel – the Information Security Policy and Security Awareness Training Specialist.
Drafting an e-Communications Policy Manual (Information Security Policy) requires an understanding of the legal risks the company should avoid. It should contain clauses to prevent the various risks discussed in part one of this website. Since employees are the ones using the information systems, they should know how to use them responsibly. If they do not, they could expose the company to various risks without even knowing it.
The purpose of an Information Security Policy is to lay down the rules and procedures by which a company maintains the confidentiality, integrity and availability of its information assets. Additionally, it must prevent the risks discussed in other parts of this website while the company meets its business objectives and the needs of its customers.
By drafting rules that meet the business objectives, the company will ensure that the policy is strict enough to protect it against risk without losing employee productivity or breeding employee ill will. A policy must not be too restrictive, because employees might not follow it and the company would find it difficult to enforce. This would lead to a legitimacy crisis, and the company would lose credibility when it wants to enforce the policy or needs to discipline an employee. The Code of Good Practice: Dismissal in the Labour Relations Act says that the employer must apply a rule consistently. Therefore, if the company does not apply the rule consistently, it would be unfair to dismiss an employee for contravening it.
Management has the right and the duty to maintain discipline in the workplace. The Code of Good Practice: Dismissal requires employers to adopt disciplinary rules that direct the conduct of employees. These rules must be clear and understandable. The employer must convey these rules to the employees and must enforce them. Employees must work under the employer’s authority, and if they disobey the employer’s rules, the employer may discipline them. However, employees often challenge management’s prerogative to institute workplace rules. To be effective, the rules must be reasonable.
The King III report on Corporate Governance places a responsibility on the board of directors to determine the company’s tolerance for risk, and the board must ensure that the company complies with the law. The board is responsible for the total management of risk. The report states further that management must implement internal controls and that management is accountable to the board.
Management must draft and implement policies to maintain discipline. The company may implement policies unilaterally, and management does not have a legal duty to negotiate the rules of conduct with the employees. However, these rules must be valid (i.e. legally defensible) or reasonable, and the employer must enforce them consistently. The policy must fit the corporate culture. Therefore, if the employer has many valuable information assets to protect and is a large organisation, the policy will necessarily be more formal than a smaller company’s rules. The rules may not discriminate against certain classes of employees and they may not be illegal. An employer must be able to answer the following questions affirmatively to conclude that a rule is reasonable:
• Did the employer have the authority to make the rule in terms of the employment contract?
• Does the rule comply with the applicable statutes or regulations?
• Is the rule reasonably required for the efficient, orderly and safe conduct of the employer’s business?
• Was the existence of the rule known to the employee, or could/should the employee reasonably have been expected to have known of its existence?
• Has the rule been consistently applied in similar cases in the past?
Only when a rule satisfies all of these questions may the employer fairly discipline an employee for breaking it.
Trade secrets and other information may be lost in a number of ways. Just being aware of these ways may already help protect your company against them.
1. Industrial espionage
Besides independent discovery by competitors, trade secrets may be stolen through industrial espionage. A company’s competitors may want to gain the competitive advantage by knowing and reacting to what the company is planning to do.
2. Information leaks
Another way to lose a trade secret is to post the information on the Internet, as that exposes it to a worldwide audience. The Internet is not a secure network, and anyone with the right training can monitor and intercept communications in transit, thereby stealing the trade secrets.
The company should therefore educate its employees about these risks. For example, an employee may accidentally e-mail information to the wrong person. Alternatively, a disgruntled employee may want to sabotage the company by intentionally sending the information to people with malicious intent. Such an employee may also modify the information, causing the company to rely on inaccurate data.
3. Virus attacks
Additionally, trade secrets and other information may be lost during a virus attack. The virus may either delete the information or it may send the information to everyone in the company’s e-mail address list.
The Electronic Communications and Transactions Act states that any intentional interference with data that modifies, destroys or renders the information ineffective is an offence. Consequently, if the company can determine which employee sent the information or who introduced the virus to the company’s network, the company’s recourse may be to dismiss the disgruntled employee and to lay a criminal charge.
4. Hackers
Another way trade secrets may be lost or disclosed is through hackers. They may break into the company’s information system and steal the information they need. These hackers may do it for their own benefit, or a competitor may hire them to steal specific information. Having a firewall and requiring employees to use strong passwords will help prevent hackers from gaining access to the company’s information systems.
5. Natural disasters
Natural disasters may also wreak havoc on information security. Here one can think of floods, fires and lightning. The company should have adequate fire extinguishers and sprinkler systems. An uninterruptible power supply (UPS) ensures that a mains power failure does not interrupt the supply to the computer, because the computer draws on the UPS’s backup battery. The user can then safely shut down the computer without losing any data.
6. Hardware theft
An often-overlooked method of information theft is the theft of computer hardware. A laptop is easily stolen, and this happens frequently. Consequently, the company should ensure that it has adequate physical security measures in place. One such measure may be to require employees to obtain authorisation before taking hardware off the premises.
The Computer Security Institute (www.GoCSI.com) conducts a “Computer Crime and Security Survey” each year. The survey identifies the various types of risk and quantifies them. It also looks at the prevention methods the respondents used. It mainly targets large corporations in the United States, and its statistics indicate where the biggest risks lie. The 2010/2011 survey found that the most likely sources of attack are malware infections and the theft or loss of computer and mobile hardware: 67% and 34% of the respondents respectively indicated those to be the most common forms of attack. Theft of proprietary information is by far the most costly consequence of computer crime. Average losses among the respondents for 2003 were $2,7 million, and the total annual losses among the respondents were $70,195,900. This figure is not surprising, since companies in the information age rely heavily on their information assets.