Editorial: Lessons from the NatWest Three

To many commentators, the case of the NatWest Three may not look like the outcome of a failed information security policy.

They would be wrong. The trio now find themselves at the centre of a headline-grabbing controversy that encompasses concerns for human rights, "unfair" international extradition treaties and, just for good measure, a dollop of anti-Americanism.

But this is to ignore what lies at the kernel of the charges the three will soon face in the heat of a Texan courthouse. Simply, it is this: between 1999 and 2000, David Bermingham, Giles Darby and Gary Mulgrew are alleged to have conspired with Enron's disgraced former CFO Andrew Fastow to undersell a NatWest asset to another company, in which they held a stake, and then reap a huge profit after selling it on at its correct market value.

Their innocence or guilt will now be proven when the trial, set for September, opens in Houston. Many local observers are unlikely to care much about extradition, but will focus on the detail of the case.

And there will be a lot of that. Much of the trial is likely to involve email and other computer forensics that will have been trawled from the ashes of Enron and the archives of NatWest, circa 1999.

Underlying all of this will be an old problem. What can companies do to protect themselves against malignant activities carried out by employees? If it is true that the NatWest Three were committing fraud, the evidence would have been accumulating at the time, in mobile phone calls, emails and other documents.

According to a report in The Observer, the three were blasé in their use of email, openly discussing their relationship with Fastow and the alleged deal, yet no-one at NatWest, it seems, noticed. Or had the means to notice.

There's no simple answer. Total monitoring is not only impractical; it's also highly undesirable. It risks demoralising and insulting the majority of hard-working, honest employees.

There is much you can do, however. Getting acquainted with the law would be a good start. For example, according to international law firm Pinsent Masons, it's "unlawful to intercept electronic communications unless the interception has been authorised, whether by a warrant, by consent, or by regulations". In other words, even when implementing a corporate policy, you can't just do what you want. Your staff have rights - even the bad ones.

HR directors are today constantly grappling with the implications of the labyrinthine new employment laws that arrive fresh off the statute books of the UK and European parliaments. To ignore them is to invite litigation and financial loss. Those concerning themselves with information security will soon find themselves in the same boat - but at a much higher cost.

It's something that SC recognises and, for that reason, we will soon be publishing a new section specifically designed to debate and analyse the legal aspects of your job.

Copyright © SC Magazine, US edition