Introduction to corporate security

MINISTRY OFSOCIAL AFFAIRS AND HEALTH

1

Introduction to corporate security

Teemupekka VirtanenHelsinki University of Technology

Telecommunication Software and Multimedia Laboratory

[email protected]


2

3. Lecture - Legislation

Why legislation is important for an organization and its security

Some Finnish legislation related to security Co-operation between an organization and authorities


3

The level of understanding

Understanding the meaning of legislation in the operations of an organization

Engineers are not lawyers and they should not try to be A person who for the purpose of favouring a foreign state or damaging

Finland procures information on a matter concerning the Finnish defence or other preparation for emergencies, Finland’s foreign relations, State finances, foreign trade or power supplies or another comparable matter involving Finnish national security, and the disclosure of the information to a foreign state can cause damage to the Finnish defence, national security, foreign relations or economy, shall be sentenced for espionage to imprisonment for at least one and at most ten years. (Penal code, 12 sect §5)


4

Why there is a legislation


5

A written version of the moral of society

Society requires that there are some rule how to behave The rules of co-operation between entities

Citizens, the state, organizations etc A tool to solve conflicts between entities The content and applications depend on local moral


6

A words from God

Legislation itself is important Laws is not followed because they make life easier but because laws

must be followed The form is important, not the meaning


7

A tool for administrators

Legislation can help keeping current administration Legislation can be a collection of “good habits”

Definitions of one generation Definitions of one religion

A tool to force other people to follow my ethical decisions


8

Legislation and organizations


9

Legislation gives possibilities

The area is regulated by a law Viestintämarkkinalaki (396/1997)

A law gives advantages to certain organizations Postitoimintalaki (N:o 907/ 1993 )

A law gives possibilities for private organizations Laki yksityisistä turvapalveluista (282/2002)


10

Legislation sets requirements

Organizations must follow the rules of a society Penal code (39/89) Personal data act (523/1999) Laki yksityisyyden suojasta televiestinnässä ja

teletoiminnan tietoturvasta (565/1999) (Privacy in communication)

The legislation for specific areas


11

Legislation gives authority

Legislations gives tools to improve security Act on background checks (177/2002)

Immediate crime prevention Hätävarjelu (RL 3 luku §6)

Private guards Private security services act (282/2002)


12

Legislation as a general tool for protection

A punishment will follow if a law is violated A threat of punishment prevents crimes In practise, the probability of being caught is more

important than the level of punishment


13

Some Finnish legislation


14

Penal code

Penal code 19.12.1889/39 Originated from 1889 but updated continuously The most important law for public Me Aleksander Kolmas, Jumalan Armosta, koko Venäjänmaan Keisari ja Itsevaltias,

Puolanmaan Zsaari, Suomen Suuriruhtinas, y.m., y.m., y.m. Teemme tiettäväksi: Suomenmaan Valtiosäätyjen alamaisesta esityksestä tahdomme Me täten armosta vahvistaa seuraavan rikoslain Suomen Suuriruhtinaanmaalle, jonka voimaanpanemisesta, niinkuin myöskin rangaistusten täytäntöönpanosta erityinen asetus annetaan


15

Crimes

Aggravated war crime (578/1995) Violation of human rights in a state of emergency

(578/1995) Genocide (578/1995) Breach of the prohibition of biological weapons

(17/2003) Ethnic agitation (578/1995) Discrimination (578/1995) Warmongering (578/1995)


16

Business secret

For the purposes of this chapter, a business secret is defined as a business or professional secret and to other corresponding business information that a businessman keeps secret and the revelation of which would be conductive to causing financial loss to him/her or to another businessman who has entrusted him/her with the information.


17

Business espionage (769/1990) A person who unjustifiably obtains information regarding the

business secret of another by entering an area closed to unauthorised persons or accessing

an information system protected against unauthorised persons, by gaining possession of or copying a document or other record,

or in another comparable manner, or by using a special technical device,

with the intention of unjustifiably revealing this secret or unjustifiably utilising it shall be sentenced, unless a more severe penalty for the act is provided elsewhere in the law, for business espionage to a fine or to imprisonment for at most two years.


18

Violation of a business secret (769/1990)

A person who, in order to gain financial benefit for himself/herself or another, or to injure another, unlawfully discloses the business secret of another or unlawfully utilises such a business secret, having gained knowledge of the secret

while in the service of another; while acting as a member of the administrative board of directors, the

managing director, auditor or receiver of a corporation or a foundation or in comparable duties;

while performing a duty on behalf of another or otherwise in a fiduciary business relationship; or

in connection with company restructuring proceedings, shall be sentenced, unless a more severe penalty for the act is provided elsewhere in

the law, for violation of a business secret to a fine or to imprisonment for at most two years. (54/1993)

This section does not apply to an act that a person referred to in subsection 1(1) has undertaken after two years has passed since his/her period of service has ended. (61/2003)


19

Assault (578/1995)

A person who employs physical violence on another or, without such violence, damages the health of another, causes pain to another or renders another unconscious or to a comparable condition, shall be sentenced for assault to a fine or to imprisonment for at most two years. An attempt is punishable.

A person who through negligence inflicts not insignificant bodily injury or illness on another shall be sentenced for negligent bodily injury to a fine or to imprisonment for at most six months.


20

Negligent homicide (578/1995)

A person who through negligence causes the death of another shall be sentenced for negligent homicide to a fine or to imprisonment for at most two years.

If in the negligent homicide the death of another is caused through gross negligence, and the offence is aggravated also when assessed as a whole, the offender shall be sentenced for grossly negligent homicide to imprisonment for at least four months and at most six years.


21

Manslaughter and Murder (578/1995) A person who kills another shall be sentenced for manslaughter to

imprisonment for a fixed period of at least eight years. An attempt is punishable.

If the manslaughter is premeditated; committed in a particularly brutal or cruel manner; committed by causing serious danger to the public; or committed by killing a public official on duty upholding the

peace or public security, or because of an official action; and the offence is aggravated also when assessed as a whole, the

offender shall be sentenced for murder to life imprisonment. An attempt is punishable.


22

Invasion of public premises (531/2000) A person who unlawfully

by force, stealth or deception, enters a public office, business premises, office, production installation, meeting place, other similar premises or another similar building, or the fenced yard of such a building, a barracks area or another area in the use of the armed forces, where movement is restricted by the decision of the competent authority, or

hides or stays in premises referred to in subparagraph (1) shall be sentenced for an invasion of public premises to a fine or to

imprisonment for at most six months. However, an act that has caused only a minor disturbance does not

constitute an invasion of public premises.


23

Theft and Embezzlement (769/1990)

A person who appropriates movable property from the possession of another shall be sentenced for theft to a fine or to imprisonment for at most one year and six months. An attempt is punishable.

A person who appropriates the assets or other movable property of another which are in the possession of the offender shall be sentenced for embezzlement to a fine or to imprisonment for at most one year and six months.


24

Personal Data Act

22.4.1999/523 The objectives of this Act are to implement, in the

processing of personal data, the protection of private life and the other basic rights which safeguard the right to privacy, as well as to promote the development of and compliance with good processing practice.


25

Personal data

personal data means any information on a private individual and any information on his/her personal characteristics or personal circumstances, where these are identifiable as concerning him/her or the members of his/her family or household;

Any piece of information that can be connected to a person E-mail Computer logs Video surveillance tape


26

Processing of personal data

Processing of personal data means the collection, recording, organisation, use, transfer, disclosure, storage, manipulation, combination, protection, deletion and erasure of personal data, as well as other measures directed at personal data;


27

The requirements for processing

the data subject has unambiguously consented to the same; there is a relevant connection between the data subject and

the operations of the controller, based on the data subject being a client or member of, or in the service of, the controller or on a comparable relationship between the two


28

Principles relating to data quality

The personal data processed must be necessary for the declared purpose of the processing (necessity requirement).

The controller shall see to that no erroneous, incomplete or obsolete data are processed (accuracy requirement). This duty of the controller shall be assessed in the light of the purpose of the personal data and the effect of the processing on the protection of the privacy of the data subject.


29

Data security The controller shall carry out the technical and

organisational measures necessary for securing personal data against unauthorised access, against accidental or unlawful destruction, manipulation, disclosure and transfer and against other unlawful processing. The techniques available, the associated costs, the quality, quantity and age of the data, as well as the significance of the processing to the protection of privacy shall be taken into account when carrying out the measures.


30

Remarks about personal data act

Personal data can be collected and processed if there is reasonable connection

Only such information can be collected which is necessary for the reasonable connection

The collection, content and usage must be designed beforehand The information must be correct The information must be protected When the connection end the information must be deleted


31

Act on the Protection of Privacy in Working Life (759/2004)

The employer is only allowed to process personal data directly necessary for the employee’s employment relationship.

The employer shall collect personal data about the employee primarily from the employee him/herself. In order to collect personal data from elsewhere, the employer must obtain the consent of the employee.

The employer shall notify the employee in advance that data on the latter is to be collected in order to establish his/her reliability.

The employer is not permitted to require the employee to take part in genetic testing during recruitment or during the employment relationship, and has no right to know whether or not the employee has ever taken part in such testing.


32

Act on the Protection of Privacy in Working Life (759/2004)

The employer may operate a system of continuous surveillance within his premises based on the use of technical equipment which transmits or records images (camera surveillance) for the purpose of ensuring the personal security of employees and other persons on the premises, protecting property or supervising the proper operation of production processes, and for preventing or investigating situations that endanger safety, property or the production process.

Camera surveillance may not, however, be used for the surveillance of a particular employee or particular employees in the workplace. Neither may camera surveillance be used in lavatories, changing rooms or other similar places, in other staff facilities or in work rooms designated for the personal use of employees.


33

Organization and authorities

Authorities are important for organizations Permissions and authorizations Inspection Advice Crime prevention Crime solving


34

Security and safety related authorities

Police Crime prevention Plans for security Crime solving

Public safety authorities Safety plans Inspections Fire fighting Solving reasons


35

Contacts

Contacts are useful in normal situations, too It is good to have a contact person Authorities can participate in planning phase Communication can be unofficial


36

If something happens

Find out what is happening Prevent the escalation Leave the solving to the authorities Re-build what is needed Prevent such an incident in the future


37

Conclusions

Legislation is A source of possibilities A set of requirements A way to solve conflicts A protection against violators

Documents

Introduction to corporate security