Sunday, March 8, 2009

The importance of Acceptable Usage policies

The Indian business scene has changed very rapidly in the last decade. As organizations, we have graduated from ledgers to computers for maintaining data of every type. With the emergence of India as an IT hub for the globe around 2000, the adoption rate has only accelerated.

We depend on computers for everything: data, communication, calculation, forecasts, trends and so on. This has allowed Indian businesses to counter most negative global trends and keep up the pace of growth. But at the same time we have also developed a fatal flaw: vulnerability.

For a moment, imagine that one of your company's top-level employees loses his PDA. You might say that you will replace it and his efficiency will remain the same. But what would the implication be? Most PDAs are now substitutes for laptops. The access to organizational information provided by these devices is such that a single lost PDA can hand over almost all the confidential data your company holds.

Add the effect of human nature to the mix, and you have a potential security threat that may destabilize your entire business. Very often it is not even necessary for your employees to lose devices or to leak information about the access points to sensitive organizational data; it is enough for them to be merely disgruntled.

To give an idea of the scale of the damage, across the globe in 2008 companies lost $1 trillion to data theft and spent $600 million trying to put things right.

Indian Law and Data Theft

Indian law is woefully inadequate in terms of defining what theft of data is and the punishment prescribed for it. What is more ridiculous in the Indian context is that, until the IT Act, 2000 came into effect, you would have needed to prosecute your employee or contractor under a combination of sections of the IPC, 1860.

There are two possible scenarios in data theft by an employee:

1. Your employee stole data in a hardware form (a disk, a drive, a device): you would have needed to prosecute him under Sections 22 (defining movable property) and 378 (defining theft) of the IPC, 1860.
2. Your employee emailed or otherwise transmitted the data: you would have needed to prosecute him under Sections 405 (criminal breach of trust) and 406 (its punishment) of the IPC, 1860.

Add another dimension to this, that of data carriers or data warehouses, and of bankers and brokers, and you would have needed to prosecute such a crime under Sections 407 and 408 of the IPC, 1860.

Since the IT Act, 2000 came into the picture, the same crimes can be prosecuted under Section 43(b) of the Act alongside the sections above; however, the compensation it provides for is capped at one crore rupees. Now relate this cap to the amount you have invested in research and in gathering data, and you have an idea of the scale of the loss you may actually suffer.

Irrespective of the damage, you would still do well to inform your employees and contractors that any data theft will be punished under the applicable laws. The most logical method to counter and deter data theft is to create agreements that very specifically record the entrustment of data to such employees or contractors.

Acceptable Usage Policy – What to cover

The objective of an Acceptable Usage Policy should be to clearly state the company's policy regarding use of the intranet and information systems, to avoid potential liability, to promote safe practices and awareness that reduce threats, and to ensure positive use of the resources provided to employees.

The essential areas that need to be covered are:

1. Principles governing usage of such systems
2. Consequences for unauthorized usage
3. Whether systems are monitored
4. Laws applicable
5. Encouragement of safe usage practices

Acceptable Usage Policy – Application

Most companies use an intranet. They also store sensitive information on the same systems. If an employee has access to such information, it is usually assumed that the employee will not disclose it to the outside world.

Here lies the basic flaw: this is only an assumption. One way to turn this assumption into a legal contract is to provide an Acceptable Usage Policy or Guideline. An acceptable usage guideline outlines the activities for which the company has provided access to such systems. It is, however, rare to find even a privacy policy (which contains the rudiments of such guidelines) on most intranets.

Even if such a policy is available, it is usually relegated to the footer of the pages. Frankly, have you ever scrolled down to the bottom of your internet banking page to check what the links there are? That is how much notice such a policy will get.


So how can we inform a user of such systems of what constitutes acceptable use?

There are a few ways of achieving this objective that are in use:
1. As a part of mandatory joining procedures
2. As a part of induction training
3. As a part of the intranet footer

However, I can testify to the fact that these are not very effective means of achieving the same. Another method that may be used is what is usually used in software installation files: making the user scroll down to the end of the policy itself and click on a check-box stating that he or she has read it and agrees to it. This in effect allows the company to inform and the user to acknowledge acceptance. It can be used on the sign-on page, or before login is allowed for any of your systems.

I agree, this can end up being slightly irritating, but it can be achieved on any information system by making a user acknowledge the entrustment of confidential data while signing on to such a system.
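The sign-on acknowledgement described above only has value as evidence if the system records who accepted which wording of the policy and when, and refuses access until the current wording has been accepted. The following is an added example (not code from the original post) of such a server-side gate: the policy version is derived from a hash of the policy text, so any edit to the wording forces every user to accept again, and each acceptance is logged with user, version, time and source address. The policy text, the user names and the helper names (AcceptanceStore, login_gate) are assumptions made for the example.

```python
"""Click-through AUP acceptance gate (added example, hypothetical names).

Assumes the application holds the policy text and an in-memory acceptance
log; a real deployment would persist the log to a database.
"""
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed sample policy text. The version identifier is derived from the
# exact wording, so editing the policy invalidates every earlier acceptance.
AUP_TEXT = """Acceptable Usage Policy
1. Company systems are provided for authorized business use only.
2. Confidential data is entrusted to you; unauthorized disclosure will be
   prosecuted under the applicable laws.
3. Systems and network traffic are monitored.
"""


def policy_version(text: str) -> str:
    """Version identifier: the first 16 hex digits of SHA-256 over the policy text."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()[:16]


@dataclass
class Acceptance:
    """One audit record: who accepted which policy version, when and from where."""
    user: str
    version: str
    accepted_at: datetime
    source_ip: str


@dataclass
class AcceptanceStore:
    """Append-only log of acceptances (in memory for the example)."""
    records: list = field(default_factory=list)

    def has_accepted(self, user: str, version: str) -> bool:
        return any(r.user == user and r.version == version for r in self.records)

    def record(self, user: str, version: str, source_ip: str) -> Acceptance:
        rec = Acceptance(user, version, datetime.now(timezone.utc), source_ip)
        self.records.append(rec)
        return rec


class PolicyNotAccepted(Exception):
    """Raised when sign-on is attempted without accepting the current policy."""


def login_gate(store: AcceptanceStore, user: str, source_ip: str,
               policy_text: str = AUP_TEXT, accepted_now: bool = False) -> str:
    """Allow sign-on only after the current policy version has been accepted.

    accepted_now=True means the user ticked the acknowledgement box during this
    sign-on (the client-side 'scroll to the end' check is presentation only; the
    record kept here is what proves acceptance). Returns "ok" or raises.
    """
    version = policy_version(policy_text)
    if accepted_now and not store.has_accepted(user, version):
        store.record(user, version, source_ip)
    if not store.has_accepted(user, version):
        raise PolicyNotAccepted(
            f"{user} must accept policy version {version} before signing on")
    return "ok"


if __name__ == "__main__":
    store = AcceptanceStore()
    try:
        login_gate(store, "alice", "10.0.0.5")
    except PolicyNotAccepted as exc:
        print("blocked:", exc)
    print(login_gate(store, "alice", "10.0.0.5", accepted_now=True))
    # The policy is edited: the stored acceptance no longer matches the new version.
    new_text = AUP_TEXT + "4. Portable devices holding company data must be encrypted.\n"
    try:
        login_gate(store, "alice", "10.0.0.5", policy_text=new_text)
    except PolicyNotAccepted as exc:
        print("blocked again after policy change:", exc)
```

Hashing the exact text rather than keeping a hand-maintained version number is the point of the example: the acceptance record then ties the user to the precise wording they agreed to, which is what you would need to show if the agreement is ever relied on.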
