Firms can be brought to book for illegal images on their systems

Companies are liable for all illegal images stored by staff, says Dave McLoughlin

New Asset  

Companies are liable for all illegal images stored by staff, Dave McLoughlin




Although organisations have been concentrating on developing strategies to prevent viruses, spam and unwanted images getting on to the network via the web or e-mail, many have lost sight of the increased risks from internal threats at the desktop.

Advances in digital technologies such as memory sticks, DVDs, CDs and digital cameras with the capacity to store and transfer images via simple USB connections, means there are now myriad ways that illegal and inappropriate images can find their way on to the desktop and corporate network.

Under the Protection of Children Act and the Obscene Publications Act, company directors and the managers they appoint could be held personally liable if negligence is found in the management of data and images on company computers.

The legislation describes the liability as "vicarious", which means that the liability is valid whether the company or its officers are aware of the activity or not. Breaches of the law carry a penalty of up to five years' imprisonment.

The financial effects on the company can also be serious. Legal firm Petronas has estimated that the cost to a company of a single incident can be as much as £30,000 - and that is before loss of reputation and payment of claims for compensation are taken into account.

The Department of Work and Pensions hit the headlines last year when it was reported that after an investigation it discovered 2,000,000 inappropriate images and, more alarmingly, 18,000 illegal (paedophile) images on its computer systems. As a result, 227 staff were disciplined and a further 16 dismissed.

The announcement sparked coverage in the national media and raised fresh fears about whether employers had sufficient controls over employee use of PCs and related systems in the workplace.

One option open to employers is to monitor employee computer use, although this is a sensitive issue and smacks of "Big Brother".

Although monitoring of computer systems in the workplace is permitted, there must be a balance. It is important to have a clearly written acceptable computer use policy which explains that it is unacceptable to view or store inappropriate images on company computers.

This policy must be communicated clearly to staff so that they are fully aware of the requirements as well as disciplinary policies and procedures.

Organisations differ in how the responsibilities are shared between the IT and human resources departments. Experience suggests that both should have an input to policies on computer use and the IT director should be responsible for the installation and roll-out of the network security products.

Each organisation will need to agree who will make the judgement as to what is inappropriate. Human resources should be involved in setting disciplinary procedures within the company but the effective implementation and management of these procedures requires cross-department involvement.

Dave McLoughlin is director at image detection software supplier PixAlert

Read more on IT risk management