What is RIPA and why is it important to your organisation?

RIPA is an acronym for the Regulation of Investigatory Powers Act 2000, a piece of UK legislation governing the right of the authorities to recover information from UK organisations as required for investigations. I am not a legal expert, make no claims to be, and therefore I suggest you consult with one before acting upon this information. The following information is IMHO - if you know of inaccuracies in my summary then please let me know, either by posting a comment or by emailing me (stephlam@microsoft.com).

I've mentioned RIPA at a number of TechNet events recently. In summary, the act states that any UK business must be able to provide either the keys to decrypt data or the clear text (non-cipher text) of any information which is required for an investigation. Think about the implications of that last statement. If any of your employees use cryptographic techniques to encrypt data (which is useful to an investigation), then the representatives (and theoretically the administrators too) of your company are legally liable for providing access to said data. In other words, you must ensure that you have the means to decrypt any data your employees may have encrypted. If correctly architected, EFS provides mechanisms (key recovery operators) that allow authorised users to meet the requirements of RIPA. Rights Management (and Information Rights Management) also include such mechanisms. You need to be careful that users don't install their own unmanaged alternatives, otherwise you may not have the means to meet the requirements of RIPA. I'm not saying don't use third party encryption products, merely to consider how you'd recover data if mandated to do so. If your users have administrator rights on their machine THEN THERE IS NOTHING you can do to stop them encrypting data AND MEETING THE REQUIREMENTS OF RIPA is likely to be IMPOSSIBLE!
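As an added example (not code from the original post), the following PowerShell check walks a share, finds EFS-encrypted files and reports whether each one carries a recovery certificate, so an administrator can see which files could not be recovered without the owner's key. It assumes `cipher.exe /c` prints the headings "Users who can decrypt:" and "Recovery Certificates:" (or "No recovery certificate found.") and lists principals as `DOMAIN\name [...]`; the share path is a placeholder.

```powershell
# Added example, not from the original post. Lists EFS-encrypted files under a
# path and whether any recovery agent (the "key recovery" mechanism the post
# relies on) is able to decrypt them. Assumes the cipher.exe /c output layout
# described in the lead-in; run on Windows as a user allowed to read the files.

function Get-EfsRecoveryStatus {
    param([Parameter(Mandatory)][string]$Path)

    # Only files carrying the NTFS Encrypted attribute are of interest.
    Get-ChildItem -Path $Path -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Attributes -band [IO.FileAttributes]::Encrypted } |
        ForEach-Object {
            $out = & cipher.exe /c $_.FullName 2>&1
            $agents = @()
            $inRecovery = $false
            foreach ($line in $out) {
                # Enter the recovery-agent section, leave it at the next heading.
                if ($line -match '^\s*Recovery Certificates:') { $inRecovery = $true; continue }
                if ($line -match '^\s*(Key [Ii]nformation|Users who can decrypt)') { $inRecovery = $false; continue }
                # Principal lines look like "  DOMAIN\name [name(name@domain)]";
                # the "Certificate thumbprint:" lines that follow them are skipped.
                if ($inRecovery -and $line -match '^\s*(\S+\\\S+)' -and $line -notmatch 'thumbprint') {
                    $agents += $Matches[1]
                }
            }
            [pscustomobject]@{
                File           = $_.FullName
                RecoveryAgents = ($agents -join ';')
                Recoverable    = ($agents.Count -gt 0)
            }
        }
}

# Usage (placeholder path): files with Recoverable = False can only be opened
# with the encrypting user's own key, which is exactly the situation the post
# warns about.
Get-EfsRecoveryStatus -Path 'D:\Shares' |
    Where-Object { -not $_.Recoverable } |
    Format-Table -AutoSize
```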

The description of the act itself can be found here. It's not a light read!