Information Security: An Exploration of Legislation
The Banking Industry
The banking industry is the most comprehensively legislated and heavily regulated industry in the world; despite this, controversial issues such as the recession, the Libor scandal and the mis-selling of PPI have led to the Financial Services (Banking Reform) Bill, which is currently in its draft form.
At the time of writing, the banking industry is legislated by the Financial Services and Markets Act 2000 and the Data Protection Act 1998, and is regulated by the Financial Services Authority (FSA) and the Financial Ombudsman; employees are additionally subject to the Copyright, Designs and Patents Act 1988 and the Patents Act 1977, as well as to confidentiality policies.
The sheer amount of legislation and regulation therefore emphasises the need for robust information security policies, procedures and guidelines.
Furthermore, given that an estimated half of all breaches to information systems security are made by internal personnel (Gordon et al. 2005), the importance of a suitable Acceptable Use policy as a cornerstone for consequent guidelines and procedures should not be underestimated.
Employee use of computer systems can lead to potentially costly consequences including litigation, regulatory investigations, security breaches, reduced productivity, and business interruptions should a lawsuit be filed or the media publish details of an electronic disaster story (Flynn 2008); this risk is particularly heightened when, in the case of the banking industry, there is sensitive data and vast quantities of money to consider.
Financial Services and Markets Act 2000
The Financial Services and Markets Act 2000 (FSMA) is the principal piece of legislation for the protection of consumers; the Act provides the Financial Services Authority (an independent non-governmental body) with a mandate to regulate.
The Data Protection Act 1998
The Data Protection Act governs the ways in which data may be used, stored and transferred; financial institutions have a legal responsibility in relation to the data that they hold on private individuals and corporations, both in respect of a customer's personal details and of data surrounding their account (such as balances and financial transactions).
The Copyright, Designs and Patents Act 1988 & The Patents Act 1977
Employees within the banking industry are required to adhere to certain pieces of legislation in order to protect the bank, two specific examples being the Copyright, Designs and Patents Act 1988 and the Patents Act 1977. For example, the divulgence of system specifics, whether of security systems or of intranet features, to persons outside the company may be illegal.
Banking Regulatory Requirements
UK banking institutions are required to file various accurate reports with industry regulators; it is therefore vital that the appropriate data be accurate, valid and available when required.
Financial Services Authority (FSA)
All U.K. companies undertaking ‘regulated activities’ are required by the FSMA to be authorised by the Financial Services Authority. The FSA is mandated to regulate for consumer protection, market confidence, financial stability and the reduction of financial crime (FSA 2012); furthermore, the FSA sets out detailed rules with which all authorised firms and individuals must comply.
In addition to establishing the FSA, the FSMA established the Financial Ombudsman, a further independent body set up to deal with complaints that individuals are unable to resolve with financial institutions.
Acceptable Use Policy
User Account Control
Use of Systems
The Bank’s rules, policies and guidelines in relation to the security of information, and to the use of hardware and software, must be strictly observed at all times. The following are prohibited:
Unauthorised copying of software;
Unauthorised access to systems without specific permission;
Unauthorised transaction enquiries or affection;
Use of unofficial hardware and software (to prevent the introduction of malicious code).
Unauthorised disclosure of third party personal data is a serious offence and can result in prosecution under the Data Protection Act 1998. Strict confidentiality must be observed in respect of any and all information held by the bank, including dealings, transactions, procedures, policies, decisions, systems and other matters of a confidential nature.
Therefore personnel must ensure that:
Any individual’s personal data is not disclosed without authority;
Appropriate security measures are taken in the securing of data;
Use of personal data is for lawful purposes only.
Personnel are expected at all times to maintain the highest standards of professionalism and integrity, including communications with colleagues, customers and the public. These standards apply to communications that are verbal, written (e.g. memo, letter, report) and electronic (e.g. fax, e-mail, telephone, voicemail or the internet).
Access to the corporate electronic mail (email) system is provided to personnel whose duties require it for the conduct of corporate business. Since email may be monitored, all personnel using corporate resources for the transmission or receipt of email shall have no expectation of privacy.
If sensitive or confidential information needs to be sent by email to external parties it should only be transmitted using encryption because unencrypted data could be intercepted and used to commit fraud and/or to damage the reputation of the bank.
The bank provides email to facilitate the conduct of corporate business; occasional and incidental personal email is not permitted under any circumstance.
Prohibited activities when using corporate electronic mail shall include, but not be limited to, sending or arranging to receive the following:
a) Information that violates laws or corporate regulations.
b) Any material that may defame, libel, tarnish, present a bad image of, or portray in false light, the corporation, the recipient, the sender, or any other person.
c) Pornographic, racist or offensive material, or malicious code.
System administrators and other personnel with unrestricted access to email and similar services shall receive management approval prior to decrypting or reading the email traffic of other personnel. If management approval is not immediately available, then system administrators and other personnel that intercept, read, or restrict email accounts shall document their actions and provide that documentation to management personnel.
Inventions and the Protection of Intellectual Property
To ensure the integrity of corporately developed software, all personnel shall abide by the intellectual property protection provisions of their contract with the Bank.
The invention or creation of intellectual property by personnel is regarded as a furthering of the interests of the bank; personnel irrevocably and unconditionally waive all rights under Chapter IV of the Copyright, Designs and Patents Act 1988.
Security and fraud prevention
Bank plc owns all Corporate information resources; use of such resources constitutes consent for the Corporation to monitor, inspect, audit, collect, and remove any information without permission or further notice. Any infraction of corporate acceptable use policies shall constitute a security violation.
In addition, the bank reserves the right to inspect bank accounts and other facilities held by any employee.
Implementation and enforcement
Although it is reasonable to assume that, given the nature of the Client’s business, the relevant stakeholders should be well versed in the importance of stringent security processes, a risk assessment should be used to reinforce the importance of policy implementation and enforcement; this may be of particular use in demonstrating risk not only to monetary assets but also to intangible assets such as reputation and consumer trust (Ungerman 2005).
Given that user awareness of the risks to IS security is widely believed to be fundamental to effective IS security (Furnell 2008; Hu et al. 2006; Whitman 2004), it is arguable that rather than being viewed as the ‘weak link’, employees should be treated as the contrary.
Whilst appropriate sanctions should be emphasised to staff, positive training should be provided on a regular basis; user participation is also a means of engaging users in protecting sensitive information in their business processes (Spears and Barki 2010).
The Computer Misuse Act (1990)
The Computer Misuse Act (1990) is summarised as being “An Act to make provision for securing computer material against unauthorised access or modification; and for connected purposes”; the Act specifically legislates against:
“Unauthorised access to computer material.
Unauthorised access with intent to commit or facilitate commission of further offences.
Unauthorised acts with intent to impair, or with recklessness as to impairing, operation of computer, etc”.
Additional provisions, introduced by the Police and Justice Act 2006 (Part 5), further legislate against the following:
“Section 35. Unauthorised access to computer material
Section 36. Unauthorised acts with intent to impair operation of computer, etc.
Section 37. Making, supplying or obtaining articles for use in computer misuse offences
Section 38. Transitional and saving provision”.
The exact growth of e-fraud may be subject to estimation rather than concrete figures, since official financial fraud complaints often lack detail in regard to the initial contact; for example, in 2008 only 58% of all fraud complaints reported the method of initial contact, with 52% citing email, 11% citing an Internet website and 7% citing a telephone call (Paget 2010).
The legislation of various electronic crimes has often received criticism as to its legitimacy where the physical-world counterparts are not considered criminal matters; even prior to its official publication, the Computer Misuse Act had been criticised for legislating against the access of confidential information held on a computer, where if identical information were written on paper no offence would be committed (Waisk 1989). Furthermore, certain behaviours that would be deemed a civil breach in the physical world have been legislated as criminal acts in the cyber world, an example of which is hacking, the cyber equivalent of trespass (Tapper 1987).
Furthermore, criminal law in the UK usually requires that persons charged with an offence be proven to have ‘mens rea’ (‘guilty mind’); it must be proven that they intended to bring about particular consequences, for example in the case of a hacker who initiated a denial of service attack in order to compromise a website, an offence for which there has not been a single successful conviction in the U.K. (Bishop 2010).
Further compounding this situation is the difficulty of categorising certain acts as criminal: given the pace of technological advancement, it is impossible to legislate continuously for new techniques developed by cyber criminals.
In exemplification of this, there is a debate surrounding a technique known as screen scraping (in short, the accessing of mobile data, used to gain mobile banking login details) and whether it amounts to ‘hacking’ (Manish et al. 2004).
The difficulties in quantifying criminal activity under the Computer Misuse Act, and the compounding situation surrounding the identification of cyber crimes within the realm of financial fraud, arguably make it difficult to analyse the Act’s effectiveness.
In addition to legislating against crimes originating from external sources, the Computer Misuse Act also legislates against crimes from internal sources; in an unprecedented application of the Act, seven former employees of the Singapore bank Citibank faced 1223 charges in relation to disclosing customer information to Citibank rival CBS (The Financial Times 2008); Citibank pursued a $35m civil lawsuit, since the Computer Misuse Act, unlike a civil claim, does not provide for any compensatory element in a prosecution (Akdeniz 1990).
This case highlights the regional differences in the application of the Computer Misuse Act; whilst Singapore is widely credited with having the world’s strictest banking secrecy laws, the specifics of its Computer Misuse legislation have been criticised for disregarding human rights (Carr and Williams 2002).
Whilst prosecution figures under the Act are freely available, and account for 10 convictions in a year, establishing the number of prosecutions in relation to the banking industry is a more arduous task.
In the 2012 case of R v Pavel Cyganok and Ilja Zakrevski, under section 3 of the Act (unauthorised modification), sentences of five and four years respectively were passed for the stealing of online banking data via a Trojan; in the case of R v Delamare, under section 1 of the Act (unauthorised access), a sentence of 4 months was passed for the divulging of account information.
Despite the Act protecting banking and financial institutions from a range of criminal offences, such institutions, when subject to cyber attacks, have often refrained from actively seeking prosecutions, often for fear of the adverse publicity that would undoubtedly accompany a court case (Cornwall 1988; Department of Trade and Industry Report 2002). This is of particular relevance to the banking sector, where loss of custom is not the only concern: publicity may additionally leave an institution vulnerable to further attacks (Akdeniz 1990). Furthermore, the reporting of such a crime may consume management time which could otherwise have contributed to the rectifying of losses endured (Cornwall 1988).
In addition to the detrimental effect a court case may bring about for a financial institution, critics have also argued that cases brought under the Act are often overly technical and difficult to explain to juries, and often lead to the collapse of a trial; as such, the Fraud Act (2006) is often employed in place of the Computer Misuse Act, due to its relative clarity (Grossman 2010).
The Fraud Act requires those in positions of authority, where they have responsibility for protecting the financial interests of others, not to abuse this position; this Act is oftentimes more suitable for banking industry prosecutions (Heron 2009).