What does the Investigatory Powers Act mean for SMEs?

Posted: 1st February 2017 08:12

In November the Investigatory Powers Act moved one step closer to becoming law when it was passed following a third reading in the House of Lords. Its progress through Parliament up to this stage had been far from smooth with many MPs and peers requesting extra amendments and safeguards to be included in the law that its critics had been quick to dub “the snooper’s charter.”
The principle behind the new piece of legislation has always been to help beat terrorism and crime as, by gaining access to data that has been created or followed by potential perpetrators, they can be caught more easily.
The Act gives provision for almost 30 different organisations including the police, intelligence agencies and even the armed forces to gain access to both the online and phone activity of suspects in several ways. For example ISPs and phone companies will be required to keep full records of all websites visited by each of their customers for a full 12 months – and hand over this data when requested. It also allows the authorities to hack into the phones or computers of suspects as well as examining so-called “bulk data sets” like medical or tax records.
This may sound rather draconian but there are a number of safeguards that have been put in place to prevent over-use, or abuse, of these powers. The first is that the authorities must consider if they could get the information by other means before resorting to this intrusion. An Investigatory Powers Commissioner will also be appointed to oversee that no abuses take place and any investigation will have to be sanctioned by both the Secretary of State and a judicial commissioner too.
So what does this all mean for SMEs who may have client databases that, until now, have been relatively easy to keep secure? Unfortunately the potential powers of the Act mean that they will no longer be quite so secure. This is because when an SME receives a request to release information it will be obliged to do so by law. However it is promised that the organisation that has requested data will give it the same level of protection as the company from which it has been obtained.
While the level of requests are likely to be somewhat limited in number, and focussing instead on larger firms, the law does grant the power, under the specific circumstances. Confirming that the relevant checks and balances have been covered before granting the issue should be confirmed. Where possible, legal advice should also be sought to ensure that the request for information is valid, and it is indeed legal to send over any information.
Naturally data breaches are problematic for many companies, with larger companies falling foul more often than is preferred; SMEs often find themselves at odds with data breaches. As digital increases in its prevalence, there are also further ways that information can be taken, and so more safeguards and required. These can be difficult for SMEs to implement, especially where there are cost considerations.
Many of the techniques used are for most people common sense, such as ensuring that your antivirus is up to date, that it’s installed, and turned on for every device. Having employees turn off their anti-virus, even temporarily can cause significant damage. Firewalls often add additional protection, with many companies offering the service. For data sensitive information, VPNs are a currently underutilised approach. By routing the internet packets through proxy servers, the level of encryption is increased, meaning securer data transfer, and while different services offer different levels of protection (for example, some VPN providers do, and some don’t keep your traffic on record), there are different packages depending on your preferences, aim, and cost. As many of the VPN companies operate abroad, they are also not covered by the Snooper’s Charter.
The level of knowledge of the Investigatory Powers Act is likely going to affect different companies more, and others less. For those companies that rely on large amounts of data, it’s imperative to become acquainted with the particulars. Reviewing your current digital security, is always a good idea, for any business.