Archive for the 'Confidentiality' Category

The Stig, confidentiality and trade marks

Published August 24, 2010 Confidentiality , In the Media , Intellectual Property Leave a Comment

I’ve been following the recent story about a battle between the BBC and HarperCollins over whether or not The Stig’s real identity can be revealed in his planned autobiography. For the purposes of this blog, I’ll refer to him as “Mr X”.

For those that are not a fan of the BBC’s Top Gear programme, The Stig is the show’s “tamed racing driver” – known only by his white overalls and white helmet (which he never removes). The BBC maintains that revealing his identity would “spoil viewers’ enjoyment of the show.”

What’s the issue?
At play here is a conflict between the contractual obligation of confidence given by the Mr X in his contract with the BBC and Mr X’s attempt to cash in on the fame of the character that he plays. Top Gear and The Stig are very lucrative for the BBC, but newspaper reports suggest that Mr X does not do as well out of this as his fellow presenters.

However, an autobiography about being The Stig is likely to be hugely successful.

Psuedonyms and trade marks
Interestingly, there is no (legal) reason why The Stig could not publish his autobiography under a pseudonym. Section 77 of the Copyright, Designs and Patents Act 1998 specifically provides that moral rights (the right of an author to be named every time a work is published) can be asserted using a pseudonym. However, “The Stig” is a registered trade mark of the BBC, and therefore any attempt to publish an unauthorised book under that pseudonym would infringe that trade mark.

So Mr X is rather stuck. Contractually, he cannot publish his autobiography under his real name, and trade mark law is likely to prevent him from publishing his autobiography under his on-screen alter ego.

This may seem unfair, but The Stig brand is owned by the BBC, and Mr X is contracted to the BBC to play that role under a condition of anonymity. The BBC is therefore simply doing what any brand owner would do to prevent third parties from cashing in on, or damaging, its brand.

So what next?
It will be interesting to see how the battle between the BBC and HarperCollins pans out. A Google News search shows plenty of newspapers revealing Mr X’s suspected identity, and HarperCollins’ argument is that his identity is now no longer confidential. Whilst this might make a common law obligation of confidence no longer enforceable, it may not be as simple as that for a contractual obligation.

I see that the case has been adjourned for a week. I expect that those discussions will lead to the autobiography being published under the pseudonym of “The Stig” (with the BBC getting a cut of the royalties) or Mr X being allowed to publish his autobiography under his own name, but on the condition that (as with Mr X’s predecessor, The Black Stig) he leaves the show and is replaced by a new Stig.

Anyone want to have a guess at what colour he will be?

Erase and rewind – some tips on the safe destruction of data

Published February 25, 2010 Confidentiality , Data Protection Leave a Comment

How do you ensure that redundant hardware is scrubbed of sensitive or personal data?

As the data controller, it will be your responsibility (under the Data Protection Act) to ensure that the data is securely destroyed – even if the kit on which it is stored belongs to a contractor. If data is not properly destroyed, then there is a risk that it could be used to help perpetrate fraud or identity theft, or allow competitors to access your confidential information.

We’ve all read stories about hard drives full of confidential information ending up on eBay. As the volume of data held on servers increases, the more important it is to ensure that the data in question is destroyed when the kit or media upon which it is stored is no longer required.

However, there are two competing industries. On the one hand, plenty of legitimate businesses specialise in recovering apparently lost, corrupt or deleted data – whether it is for the purpose of forensic investigations or for disaster recovery purposes. On the other hand, another sector is trying to help people permanently destroy that data. The techniques used by the data recovery experts show that erasing (or even erasing and re-writing) is not sufficient to stop that data being recovered.

Here are some things to consider:

  • Firstly, develop and adopt (and follow) a policy setting out your organisation’s requirements in respect of the destruction of data. This is likely to involve adopting relevant British and international standards and certifications.
  • The safest thing (in terms of data security, if not avoiding trips to A&E) to do is to remove all drives from your hardware before you dispose of that hardware (replacement drives are cheap). But then what do you do? You could shred the drive (making sure that it is destroyed such that it cannot be reconstituted) or have it degaussed. For CDs and DVDs, as any student will tell you, it is fairly easy to melt them into oblivion.
  • If you do not wish to remove a drive from the hardware before disposal or do not wish to destroy it (or any other magnetic media), you could adopt a recognised erase/re-write standard – for example, the US Department of Defense standard.
  • If you are dealing with a contractor, you should ensure that your contract specifies what the contractor should (and should not!) do. Consider whether the contractor should be responsible for disposal or destruction of media and drives, or whether these should be done under your control.
  • Finally, ensure that your contract with your contractor includes appropriate provisions dealing with liability for a failure to follow those procedures, and rights to terminate the contract.

Enterprising applications*

Published October 27, 2009 Confidentiality , Data Protection , Geek Stuff Leave a Comment

At the recent National Outsourcing Association Awards I was speaking with Clayton Locke, Managing Director (Europe) of IT and outsourcing services company, Virtusa. Virtusa is involved in software development, and one area that it has recently been exploring for its clients is developing enterprise apps for the iPhone and other smart phones.

To date, the majority of apps that have been developed are consumer facing. However, Clayton reckons that there is a market for developing apps that employees of an organisation can use. Given the relatively easy programming platform, it should be fairly straight forward to develop custom apps that can provide employees with an interface to back office systems – whether to view real-time data or to help automate some of the tasks that employees might wish to do on the fly.

Mobile apps already exist for some off-the-shelf enterprise systems. Through its alliance partner programme. Blackberry offers a number of these types of applications which provide mobile connectivity to standard software packages for things like time recording, digital dictation and document management systems.

However, the new SDKs for Blackberry, iPhone and Android should make it easy for individual organisations to develop their own custom apps that reflect the tasks that their employees perform on a day to day basis. One example might be an app for board members which gives real-time access to sales figures. Another example might be an app which allows employees to carry out tasks which would traditionally require a laptop to access and submit data.

The advantages of developing custom apps for the organisation’s chosen smartphone are obvious. Application development costs should be reasonably low. There are low deployment costs as the device is already in the pocket of most members of staff (or can replace their existing mobile device). It can be accessed anytime, any place – no need for a bulky laptop and power supply. Hosting an app on the client, rather than the server, lowers the amount of data traffic without any impact on functionality, as you only need to transfer the live data, not the application itself (cf with “The Future” ten years ago, when thin clients were seen as the way forward). The combination of 2G/3G and wifi connectivity means that a data link is usually always available (and when it’s not, data can be cached locally and then synchronised), and GPS/location based functionality adds another level of functionality. All these things can help improve productivity, efficiency and the service offered to customers. What might app could might you benefit from?

Of course, all this mobile access does give rise to increased risks.

I’ve blogged before about the security (or lack thereof) of personal mobile devices. Providing a direct link to back-end systems giving access to confidential data and (potentially) personal data raises a number of informations security and data protection issues. In particular, organisations developing and deploying such apps will want to ensure that the devices (and the data link) are encrypted, that a VPN is used to protect the link into the back-end systems, and that additional verification is considered when accessing the app itself. Any app that gives access to customer lists or customer information will need to be considered against the organisation’s obligations under the Data Protection Act. This also requires a health-check of the organisation’s internal acceptable use policies to ensure that employees are also doing everything that they should be to avoid unnecessary security risks.

Martin Sloan

*Sorry – no Schwarzenegger puns today.

Padlocking your pocket?

Published September 30, 2009 Confidentiality , Data Protection , In the Media Comments

There was an interesting article on the BBC Website last week about what happens to your email accounts, social networking accounts and other data after you die. In particular, how your next of kin get access to passwords so that they can access all that data that you hold in the cloud. Today also sees the launch of yet another social networking type site, with Google’s new Wave service, which aims to bring email, instant messaging, chat and third party apps together in one big happy family. Hnmmm, isn’t that what Facebook does?

However, one thing that rarely gets mentioned is the plethora of data that each of us now carry, or have access to, through mobile devices, such as mobile phones and PDAs. Whilst (the lack of) encryption of mobile devices used by the public and private sector is becoming an almost daily news event, how often do you hear about protection of personal, non-work, mobile devices, which are almost always unprotected?

You may think that there isn’t really anything to protect here. But consider this. If you have an iPhone, iPod Touch, Blackberry or other “smart” device offering access to the Internet, it’s likely that you can access your email account, social networking account, contacts and other personal information without needing to enter a password – you simply load up the relevant app and will be logged straight in. The Internet browser may also have saved website passwords. As the app market matures, it is likely that banks will start offering Internet banking apps that allow you to access your personal bank account through your iPhone or Blackberry. We may also see apps allowing access to NHS and other sensitive records and services. The “Internet in your pocket” isn’t just marketing fluff.

But what happens if your device is lost or stolen? As well as the inconvenience of losing your device (and any data on it that hasn’t been backed up) and people spamming in your name, you will probably need to reset all the passwords for your email and other accounts. There’s also a reasonable risk of identity theft in one way or another – whether it be people hijacking your email account, attempting to access your bank or credit card account, or buying things through Amazon with your saved credit card details. If you have been negligent in protecting your account (or card number), it is likely that a bank would take a dim view of any loss suffered – have a look at your online banking ts and cs. Other organisations are likely to take the same view.

Most devices tend not to come with their security features activated. One of the easiest things to do to reduce this risk is to regularly back-up your device and activate the main password protection function on the device. It’s a fairly simple step, but it is amazing how many people don’t use it. On the iPhone and iPod Touch, you can also set the device to erase all data on it after ten failed password attempts.

Whilst this protection may not stop a determined hacker with time and specialist software at his disposal, it may stop the average phone thief from easy access to your data.

Martin-Sloan-signoff

Password Protection = Confidentiality

Published August 12, 2009 Confidentiality Leave a Comment

In a recent case in the English High Court a judge strongly suggested that any information that is held on a computer and that is password protected automatically obtains the protections given by English Law to confidential information.

The judgement came in the context of a messy divorce between the super rich.  So I have to be careful what I say here in terms of libel law!

The wife’s family obtained files and emails from the  computer used by the husband. In order to do so they used  an IT expert to bypass the husband’s password protection.

The judgement was simple and unsurprising : the wife’s family shouldn’t have done it; they had to return all the files and emails, and they couldn’t use them in the divorce proceedings.

From a legal standpoint the interesting thing was that the judge said in passing that any files on a  computer that are password protected are presumed to be “confidential information”.

You are probably thinking “so what?”.  Well in terms of the various case laws  information is not protected by confidentiality law unless it has “the necessary quality of confidence”.

There is a lot of case law about when information has the “necessary quality of confidence”.  So for example if I tell you something in the pub does that have the “necessary quality of confidence”?   Probably not (unless I tell you its confidential).  However, if I tell you something in the context of a business negotiation then it probably does meet the “necessary quality of confidence” test (unless I tell you its not confidential).

Got it? Good.

So this case makes it fairly certain that password protected computer files and  emails that are password protected, or that are stored on a computer where the computer in password protected,  have the necessary quality of confidence.

 Douglas

 

September 2010
M T W T F S S
« Aug    
 12345
6789101112
13141516171819
20212223242526
27282930