How to control information security issues in enterprises
Information security is one of the most critical factors for any enterprise today. Information is an invaluable asset and the key to maintaining competitiveness and sustainable development in a fiercely competitive market. Information security in an enterprise not only protects critical data but also builds trust with clients and partners, and that trust is one of the main drivers of enterprise growth. Beyond technical measures, the enterprise needs a control mechanism, established on a solid legal basis, that deters the individuals and entities who hold and manage its information from any intention to harm it. This basis takes the form of internal regulations of the enterprise or written agreements between the enterprise and each person entrusted with confidential information.
1. Threats of not controlling information security issues
Data loss, leakage, or sale to third parties are concerns for every enterprise, especially those operating in sensitive sectors such as finance, securities, real estate, and insurance. In these enterprises, even a single piece of unfavorable information leaked to the outside or obtained by competitors can lead to significant financial, reputational, and legal consequences. The disclosure of client information, employee information, or sensitive business data can cost the enterprise both its competitive advantage and its clients' trust. In addition to the damage caused by losing market position when competitors obtain confidential information, the enterprise may also face claims for compensation and penalties from partners for failing to control the information entrusted to it.
2. Evaluation of the current information security landscape among enterprises
Currently, many enterprises apply both technical and legal measures to prevent information leakage and to make the parties entrusted with confidential information hesitate before selling or disclosing it. However, the number of enterprises that apply both kinds of measures is still low, and those that do are mostly large enterprises. Some enterprises do not focus on building an information security mechanism and turning it into internal regulations that all employees and partners are required to follow. An enterprise that has no procedure covering the whole life cycle of its information (reception, storage, processing, destruction, etc.), and no separate agreement with each key individual who holds information, will be unable to control that information and will find it difficult to hold employees and partners responsible.
3. Information security control measures in enterprises
Besides technical measures, creating legal commitments between the enterprise and its partners, clients, and employees is considered an effective measure, since it influences the behavior of the parties involved and obliges them to keep complying with information security requirements. Therefore, it is necessary to clearly define the following:
For transactions involving clients and partners: The contract between the parties must clearly state, among other matters depending on the type of contract:
- which information is confidential;
- the rules for exchanging, sending, and receiving information between the parties, and the contact point;
- the responsibility of each party for its personnel and for any third party who, for any reason, has access to confidential information;
- the actions to be taken when a party discovers that confidential information has been leaked or is being used without authorization;
- the sanctions and compensation for damage if one of the parties violates the information security regulations.
Different types of contracts, such as processing contracts, service contracts, franchise contracts, software contracts, insurance contracts, financial contracts, and e-commerce contracts, will have different information confidentiality regulations. These differences are necessary to ensure that the information security regulations can anticipate the potential risks that may arise in each field.
For employees: We often refer to the document called a “Confidentiality Agreement” or “Nondisclosure Agreement”. In this document the employee confirms that they understand the company’s information security regulations and which actions they are, and are not, allowed to perform with confidential information.
What is the duration of a confidentiality agreement/commitment? Currently, there are many conflicting opinions on this issue. Some enterprises believe that the obligation to protect information ends when the labor contract terminates, because the obligation arises from the labor relationship. Others argue that the confidentiality agreement/commitment is a separate document governed by civil law and is therefore a civil agreement. On this view, the duration of confidentiality depends on what the parties agreed and not on whether the employment relationship still exists, except where the confidential information has become public. The second understanding is considered more suitable in the context of information security and is the one applied by labor dispute settlement agencies and prosecution agencies when settling disputes.
In addition, enterprises need to develop internal regulatory documents, such as the Company Information Security Policy, the Labor Regulations, and the Labor Agreement, that set out the employee’s obligations regarding confidential information. This is necessary so that disciplinary action can be taken in proportion to the severity of an employee’s information security breach, so that the enterprise maintains compliance, and so that every employee, whether acting as information holder, supervisor, or information manager, is bound by a duty of information security to the enterprise.
In today’s digital age, information security is not only a technical task but also a commitment to the reputation and ethics of the enterprise. Controlling information security issues requires attention from all levels of the organization, from leaders to grassroots employees, from technical departments to management departments.
Time of writing: 12/03/2024
The article contains general information for reference only. If you want a legal opinion on an issue you need clarified, please get in touch with our Lawyer at info@cdlaf.vn.
Why choose CDLAF’s service?
- We provide effective and comprehensive legal solutions that help you save money and maintain compliance in your business;
- We continue to monitor your legal matters even after the service is completed and update you when there are any changes in the Vietnamese legal system;
- Our system of forms and processes related to labor and personnel is continuously built and updated and will be provided as soon as the customer requests it;
- As a Vietnamese law firm, we have a thorough understanding of Vietnam’s legal regulations, and grasp the psychology of employees, employers, and working methods at competent authorities;
- CDLAF’s team of lawyers has many years of experience in the field of labor and enterprises, as well as human resources and financial advisory;
- Strict information security procedures are followed throughout the service performance and even after the service is completed.