Will the Investigatory Powers Act affect SMEs?
Technology is changing rapidly and soon almost every electronic device we own will somehow be connected to the internet. This ‘internet of things’ allows us to be more connected than ever and our smartphones, TVs, computers, tablets and in some instances, our boilers, kettles and fridges are constantly transmitting data over the web.
As it stands, the majority of the UK population communicate over the internet on a daily basis, whether it’s sending an email, making an internet phone call via Skype or sharing pictures on Instagram, Facebook, or other social media outlets. This increased level of connectivity has also been highly integral to many businesses.
The increased amount of data that is held on each of us is also of special interest to the government. We live in a world where terrorism is a constant and sustained threat and criminals are benefiting from technology to expand their methods. The Investigatory Powers Act, or Snooper’s Charter, aims to allow the government access to communications made by individuals and organisations. Vast quantities of information can now be viewed, listened to or stored for later access by various public sector agencies, and while readings and amendments have meant that there are some limitations, it’s still entirely feasible for the government to receive the data that they want, regardless of the company that owns it. Naturally this affects companies, and while larger firms have legal teams to help cut through the specifics, this option can often be too costly for SMEs.
A key focus for businesses in an age of cybercrime and identity theft is data protection. Businesses invest huge amounts of money to ensure their customer or client data is only available to them and that no details are passed on to third parties either by accident or due to hacking or the theft of data. We now have to question what will happen to data protection now that the government has unimpeded access to digital communications.
For consumers, carrying out a transaction now requires a lot of personal data to be shared online before they can gain access to a product or service. This information can be pieced together to generate a snapshot of online activities. With high profile cases such as the Ashley Madison hacking scandal, users are now vigilant about how much information they give up to organisations.
Under the snoopers charter, information such as websites visited, online purchases, subscriptions, viewing and sharing habits as well as messages in forums, chat rooms etc. can now also be stored by the government, opening up another channel to hackers who could freely distribute sensitive information on sites visited or services subscribed to. This could mean that potential customers give up less vital data or even avoid a service all together for fear of being monitored and exploited.
The way we carry out business internationally will also change with the new charter. Within the EU, there is the General Data Protection Regulation, the point of which is to ensure individuals have the right to what data is stored about them and to strengthen data protection within the EU, as well as data that is sent outside of the EU. Some countries such as Estonia also have very in depth legislation that grants individuals unprecedented insight into data request, and also guarantees the ownership of their own data. The European charter contradicts parts of the investigatory powers act and the status quo will of course have to be re-negotiated when the UK leaves the European Union.
While it’s unlikely that requests for information will come to SMEs, it’s still important to know what information is required, and what the government needs to supply in order to have access to the information. Simply providing information to anyone who claims to be from the Home Office requesting the information opens up a massive hole in security, and the likelihood of data protection breaches.
Even though SMEs can’t stop the government from accessing customer or client data, there are lots of ways to stop others from exposing the information stored by a business. Using a VPN (virtual private network) will extend a secure network even outside of the organisation, so when travelling or using a laptop you will have the same level of security as you would when using a protected system in the office. Some VPNs also completely hide your IP, and stop your visited websites being stored, though this varies from service to service, by routing your traffic through a proxy server elsewhere. The only data that can be recorded is your visit to the proxy server itself.
There are also many other services that are essential in this day and age, as well as ensuring that you don’t make it easy for non-government agents (such as hackers) from gaining access. Having a complex password and a controlled environment will ensure that it isn’t easy to walk out the door with sensitive information. Educating staff and having a strict cybersecurity policy is a very easy way to ensure everyone is in the same mindset. Also, remember to ensure that all software is licensed and fully up to date. Newer web browsers, operating systems, ERPs and CRMs will all have built-in protection that may not be present in older versions.
It makes sense to be aware of what the snoopers charter is, how it affects your business and the ‘chilling effect’ it can have on customers. However, without adequate digital security, it may not be just the government who are copying and storing sensitive information.