Data Inboxes – Important Risks to Know

Within a few months after the data inboxes were introduced, the benefits of this new system and its potential risks – especially if underestimated by the corporate users – have been revealed. Let us therefore take a brief look at some risks the data inbox users should be aware of.

Bringing modern trends, the data inboxes play a crucial role in places where the public and private sectors meet. With data inboxes, companies may communicate easily, provided the essential e-communication measures are not underestimated and the related legal risks thus avoided. Below, you can find a summary of the major risks faced by the (corporate) users and preventive solutions recommended to take.

Risk One: Message Delivery (10 Days)

Pursuant to the relevant act, the data inboxes are automatically activated as of 1 November, 2009. Relying on your staff to have collected the login details is thus utterly pointless; needless to say the data inboxes are activated regardless of whether the login details are collected or not. Where the data inboxes are not accessed and the messages checked, a so-called delivery fiction is applied, i.e. documents are deemed delivered on the 10th day after they are sent (triggering, for instance, the commencement of the time limit for appealing against the ruling delivered).

Solution: To prevent the delivery fiction from being applied, (small) enterprises are recommended to set clear rules defining how often and by whom the data inbox is to be checked and define the responsibility of their staff for potential failure to do so. At present, some official documents are sent in an electronic form only; internal guidelines of the enterprises thus need to be updated and work with documents delivered by post and into the data inboxes harmonised. Please note that the liability of your employees for unintentional damage is restricted, equalling to a maximum of four average monthly pays.

Risk Two: Login Details (Misuse, Serious Consequences)

Since the data inboxes may additionally be used to perform acts on behalf of the company, the enterprises are highly recommended to protect their login details (username and password) from being misused. Hacked (by a computer virus) or simply accessed (written down in a notepad left on a table located in the public premises of the enterprise), the login details may be misused and lead the enterprise into facing liquidation, leak of confidential information and personal data, and/or misuse of their data inbox for distributing spam or viruses (subject to a potential penalty of up to CZK 20 million).

Solution: The enterprises are recommended thoroughly to protect their company PCs and set strict rules governing the handling of the data inbox login details.

Risk Three: Deleted Messages (90 Days)

With no archive option available, the messages are saved and displayed in the data inbox for a maximum of 90 days. Enterprises underestimating this fact may thus easily lose important (e.g. legal, tax) documents. Commenced in November 2009, the first 90-day period elapsed at the end of January 2010 when enterprises having failed to archive their messages started facing the very first bitter experience of losing the documents from their data inboxes forever.

Solution: To have the messages backed up, the enterprises are recommended to enhance their information system or install an add-on (Data Safe by Czech Post or similar). As for the information systems themselves, it is generally true – and with the boom of data inboxes it is clear more than ever before – that high quality IT systems are something the enterprises should not economise on; especially if the so-called information vulnerability is expected to rise in the future.

Risk Four: Printed Documents

In the era of data inboxes, official documents are – and will be – exchanged with authorities predominantly in an electronic form. Nonetheless, some users believe the documents can merely be printed out from the data inbox and subsequently used as valid documents. This, however, is not true at all.

Solution: Printed out from the data inbox, the documents are legally relevant only if converted into a document in an authorised form (authorised conversion) and their validity certified at the contact points of the Czech public administration (Czech POINT).

Risk Five: Digital Signatures and Time Stamps (Restricted Validity Period)

The restricted validity period of digital signatures (1 year) and time stamps (3 years) is another issue the enterprises need to address – especially in cases where documents are to be saved by the enterprises for a longer period of time.

Solution: The enterprises are recommended to have their e-documents of great importance converted into printed documents in an authorised form by means of the authorised conversion and certified (see above).

Risk Six: Document Delivery (Data Inbox vs Classic Mail)

In practice, documents are sometimes delivered to legal entities by classic mail, rather than into their data inbox as stipulated by law. In such a case, the question, however, is whether such a document can be deemed served and how the period commencing upon the delivery should be calculated. Where, for instance, the authorised representative is away on business, i.e. out of his/her office, relying on documents to be delivered into the data inbox, and the key document is wrongly sent by the authority by mail instead, the enterprise may face serious difficulties.

Solution: Where enterprises incur damage due to a mistake made by the public administration (sending the document by mail rather than delivering it into the corporate data inbox and vice versa), the enterprises are recommended to have recourse to a court of law.

Risk Seven: Authorised Representatives (Small Enterprises)

With the introduction of data inboxes, small enterprises now face a dilemma over their authorised representatives who are both required to have a perfect control over the data inbox and outgoing documents sent and provide for their cover during their holiday or sickness.

Solution: In the data inbox system, various persons can be assigned various rights and thus be entitled to work with the corporate data inbox. For the period of their absence, the authorised representatives – knowing they cannot access the data inbox from anywhere – may thus assign the read-only rights, for instance, to their assistant. Similarly, other rights – entitling the selected users only to send messages, check the data inbox or read all messages except for the messages delivered into the hand of another – may be assigned as defined by the data inbox “owner”.

Risk Eight: Spam (Fees and Charges)

As of January 1, 2010, the data inboxes may additionally be used by private entities – allowed to exchange only e-invoices by July 1, 2010 and then any messages shortly thereafter – whereas each message sent by a private entity via the data inbox system is subject to a charge of CZK 18 collected by Czech Post. Just beware of the “black day” when your corporate data inbox is hacked by a spammer and used (without your knowledge) for distributing spam, sending messages to all the data inbox owners. What a bill!

Solution: A set of dual countermeasures is recommended to be applied – commercial user certificates issued by Czech Post (paid service), alternatively paid monitoring services of other providers; and system monitoring services provided by Czech Post free of charge notifying the data inbox users of any potential spam attack without undue delay (e.g. an unusually high message distribution frequency), and – if necessary – temporarily blocking the data inbox without subjecting the user to a charge for the spam already sent.

Last but not least, it shall be noted that some of the above-mentioned risks witnessed in the data inbox system are not new at all – these are (and have always been) typical of any work with e-documents. Induced by another impulse in the form of introducing the data inboxes, the corporate users may finally begin paying a thorough attention to the data processing security measures – be it the protection of login details and definition of relevant instructions of handling them or introduction of information systems providing for the application of clear corporate processes regulating the work with important documents.