Computer Security As Fraud Preventative
by Brendon Carr
Korea’s government has finally woken up to e-mail’s role in official communications, and banned government employees from the use of free web-based e-mail services for official duties, reports the Korea Times.
Additionally, the government is instituting more stringent data-security practices—controlling access to files on government servers, limiting the use of USB flash-memory sticks, and blocking connections to web-based file-exchange services like WebHard (http://www.webhard.co.kr).
After the spate of data-privacy violations this year, somebody must have tumbled to the vast quantity of private information stored on government computers, and how easy it is to scarf up that data. A two-gigabyte USB key (these now sell for about $10) can pull off quite a caper.
Finally, they may be establishing a blacklist of sites inappropriate for government workers to access from work. The days of government-sponsored porn surfing may be at an end. (Thank Goodness for the private sector!)
It’s a bit surprising that it took the government so long to tumble to these measures—in particular, the e-mail address thing.
Imagine you got an e-mail from the Securities and Exchange Commission asking for your help with an official government investigation, but the guy who was writing asked you to reply to “bobsmith847@hotmail.com”. Who would go for that? Yet in Korea, it’s been a very normal practice.
The article quotes a government employee complaining that the free web-based services are easier to use than the government’s official systems. Surely ease of use is an issue. But for a country continuously engaged in a struggle against government corruption, the lax computer-security measures created a rather permissive environment for government crooks.
Last year we had a case where a government official used his @naver.com e-mail address in the course of his scheme to extort money from one of our clients. The official held an office with significant discretionary power over government approvals of a certain product, and was making life difficult for the client by what seemed to be an unreasonable interpretation of the sketchy rules applicable.
And then he sent them an e-mail from his private address suggesting that the problems the client was having were due to “not understanding the Korean market and business practice”, and further suggesting that the best way to solve the issues was to convert their local business to a joint venture with the official’s friend—“and then I can take care of you”. Whoopsie daisy.
He must have felt pretty secure writing that, since his office servers would have no record of the communication. Under the new rules, if implemented competently, he would have a somewhat harder time.
For Korea Law Blog readers managing a company in Korea, or legal counsellors supporting such businesses, here are some questions to ask yourselves:
- Do your company’s Work Rules (sometimes also called “Rules of Employment”) include an e-mail and data-security policy?
- Do you log Internet access patterns—i.e., monitor employee visits to websites?
- Do you monitor content of employee e-mails by some kind of keyword-scanning program?
- Are e-mails archived in a central location, or are e-mail boxes stored only on the individual employee’s personal computer?
- Regardless of your policies, what effective practical methods are in place to prevent access to unwanted websites? Do you block access to the free web-based e-mail services and file-exchange services?
- Is there any workgroup-based security plan to prevent access to data outside a user’s ordinary range of responsibilities? Does your server log access to certain files?
There’s definitely a lot to think about here, and in our experience most companies don’t consider any of these issues until after getting hit by an employee fraud or data-theft disaster.
Korea Law Blog is brought to you by Brendon Carr, an American lawyer working as a foreign legal consultant for more than 10 years in Seoul. (Brendon is not admitted as an attorney in Korea. But you knew that.)