Website Security and Legal Issues

by Kate McCormick

Our guide on website security examines what businesses should do to make sure both their content and the use of their website is legal and appropriate.

A business's website is often its main portal to the general public and therefore to its potential customer base. It is often the first source of information that the public acquires about a business and is therefore a highly important marketing tool. Marketing departments use a number of techniques to attract customers to their websites. This article looks at what businesses should do to ensure that the content and use of their websites is legal and remains so.

Cookies are small pieces of data that a website stores on a web user's terminal when that site is visited, allowing marketers to monitor and track that person's web use and build up a profile of their shopping habits, so as to facilitate more targeted marketing. Cookies are regulated by the Privacy and Electronic Communications Regulations 2003 (Privacy Regulations) and the Data Protection Act 1998. Their use must be clearly signposted on the website, and visitors must be given the chance to refuse them and to opt out of their personal details being collected and used for marketing. Finally, any personal information that is collected about an individual visitor should be 'processed' (used) in accordance with the Data Protection Principles. Businesses should be particularly wary of spyware where commercial relationships have gone sour, as illustrated by the case of Ashton Investments v OJSC (2006). Here, a Russian company used spyware that had previously been installed on the computer system of its former business partner, Ashton, to illegally hack into privileged information on Ashton's system concerning litigation between the parties.

Website owners should also watch out for the following security issues:

Pagejacking occurs when a competitor or imposter copies some of the contents of a website onto his/her own page and misdirects customers of the original site to the false one through search engine indexing. Once on the false site, the visitor can be subjected to hidden cookies, malicious software or theft of personal information such as account details. A similar practice is 'pharming', which occurs when an imposter infiltrates a DNS server and tampers with the records for a particular domain so that its users are always redirected to another site.

The website's contents should be closely monitored and vetted at all times, as the presence of certain material (e.g. material that is in breach of copyright or that is obscene, defamatory, racist, discriminatory or inaccurate and misleading) can lead to civil liability or even criminal offences. This is all the more important where users are allowed to post material to the site, such as customer reviews or blogs, or information to a staff intranet. Vetting can be carried out by the website owner or a contractor. Even if a business employs a contractor to host a website, the business will still be in control of the website and its content and subject to liability accordingly. A written contract should be entered into with the contractor stipulating that adequate security measures be put in place in relation to the website and that the contractor complies with the business's instructions at all times.

The identity of everyone who posts to such a site must be capable of being traced by the owner, so that they can be barred from access and even prosecuted if need be. Therefore the site must inform users that their personal details will be collected and of the action that will be taken if material that is deemed inappropriate is posted. It should be spelled out that material must not be obscene or defamatory and that all material must be original or that proof of the copyright owner's consent must be established.

If a lot of content is being generated in this way, filters can be employed to search for any obscene words or pictures and draw them to the owner's attention. Any inappropriate content should be removed as soon as it is discovered or its defamatory nature is revealed; otherwise the owner will be liable for contributing to its publication, as in the case of Godfrey v Demon Internet Ltd (2001).

In another case, Totalise plc v The Motley Fool Ltd (2001), it was held that the identity of someone who has posted defamatory information should be revealed by the website owner to the victim even though, on its face, this would appear to be a breach of the Data Protection Act 1998 (DPA). This is because there is an exception in the DPA where disclosure is necessary in connection with any legal proceedings or for the administration of justice. A further complication is that, as material from a website can be downloaded in many countries, the victim of a defamatory statement can bring an action in any jurisdiction in which s/he suffers damage to his/her reputation and the information is downloaded. Archive material that remains accessible should also be monitored in line with developments over time and should carry a warning that the facts stated may no longer be true or are being disputed.

Means of vetting and monitoring

Access to amend the website should be controlled and monitored. For staff, the rules and an explanation of how they are policed should be contained in an I.T. use policy, which should be incorporated into their contracts of employment. Compliance with the policy should be monitored either by ongoing electronic monitoring and filters and/or by spot checks. If you are monitoring internet use, you must be aware that there are several laws with which you must comply, including the Regulation of Investigatory Powers Act 2000 (RIPA), the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000 (Telecommunications Regs) and the Information Commissioner's Employment Practices Code, as well as the Data Protection Act, the Privacy Regulations and the Human Rights Act. It is therefore always advisable to have your I.T. policy drafted or checked by a lawyer to ensure that it is legal.

Under RIPA, the interception of electronic communications is a crime unless it is carried out by the person who controls the system, i.e. the operator of a business network. Even then, civil liability will result unless consent is obtained (from both the sender and the recipient in the case of emails) or unless the owner has complied with the Telecommunications Regs. These state that the owner must have taken all reasonable steps to notify those using the system, and that the monitoring must be for the prevention or detection of crime; the protection of national security; establishing facts; checking or demonstrating standards; or checking compliance with regulatory or self-regulatory practices.

The Employment Practices Code recommends that an impact assessment be carried out before any monitoring is effected, to ensure that such monitoring is necessary and proportionate, and that staff representatives be consulted on any proposed measures. The results of the assessment and consultation should be recorded in writing in case there are later disputes. The monitoring must be justified by the benefit to be achieved. It must be limited to the minimum intrusion necessary, i.e. targeted at a certain group or limited in area and/or time. Employers should avoid opening personal emails where unnecessary, keep any information obtained through the monitoring safe and private, and use it only for the purpose for which it was obtained. Covert monitoring is only ever justified where absolutely necessary to detect criminal activity; in all other cases, staff should be made aware of the type and extent of monitoring that is to occur.

Finally, the Human Rights Act protects an individual's right to respect for their private and family life, home and correspondence. In Copland v UK (2007), a college monitored a member of staff's email and internet usage to ensure that she did not make excessive personal use of them. This was found to be in breach of the Human Rights Act, as the monitoring was not in pursuit of a legitimate aim. Again, evidence that an impact assessment was carried out and concluded that the monitoring effected is necessary and proportionate may assist in such a case.
