
How IT Pros Can Avoid Legal Trouble

Posted by Soulskill
from the don't-listen-to-michael-bolton dept.
snydeq writes "InfoWorld's Peter S. Vogel reports on the kinds of inadvertent transgressions that could land IT pros into legal trouble without realizing it. From confidentiality and privacy negligence, to copyright and source code violations, IT staff are legally liable for a lot more than they might think — in some cases because the law will not stop at your employer, instead holding individual IT employees responsible for violations even if the individuals are just 'doing their job.' Worse, as the recent case against Terry Childs has shown, judges and juries are often not technically savvy enough to understand what IT pros do. 'That lack of understanding can lead them to conclude you're at fault or should have known better,' Vogel writes. 'After all, many people think anyone technical is a whiz kid or brainiac on any topic.'" What legally questionable scenarios have cropped up at your job?
  • by Anonymous Coward on Monday July 19, 2010 @03:46PM (#32956034)

    He was a petulant child.

    This narrative that this ruling could affect non-sociopaths is FUD.

  • by Michael Kristopeit (1751814) on Monday July 19, 2010 @03:49PM (#32956064)
    not post in this thread.
  • by bsDaemon (87307) on Monday July 19, 2010 @03:49PM (#32956066)

    Are the same people claiming that Childs is some sort of misunderstood hero the same people who had "Free Kevin" schwag back in the day? If not, I'm not sure I get the mentality, because from what I know of the situation (maybe not enough), he did sort of grossly overstep the bounds. Maybe he didn't deserve jail time, but I'm not about to go emulating my career after him.

  • You're kidding... (Score:5, Insightful)

    by Un pobre guey (593801) on Monday July 19, 2010 @03:52PM (#32956110) Homepage
    What legally questionable scenarios have cropped up at your job?

    You have got to be shitting me. This isn't phishing, this needs a new term all its own.
  • by FooAtWFU (699187) on Monday July 19, 2010 @03:58PM (#32956198) Homepage
    Whether Childs was ultimately right or wrong, I think the case *did* highlight concerns that "judges and juries are often not technically savvy enough to understand what IT pros do." So. There you go.
  • by linebackn (131821) on Monday July 19, 2010 @04:04PM (#32956326)
    Worse, as the recent case against Terry Childs has shown, judges and juries are often not technically savvy enough to understand what IT pros do

    As I recall, when the details finally came to light about what he did and how he went about it, the judge and jury WERE technically savvy enough to understand what he did. It was all the people jumping to uninformed conclusions here on Slashdot that didn't understand.

    I have no doubt there are plenty of cases where judges and juries fail to understand the facts at hand, but I don't think this was one of them.
  • Re:Licensing (Score:2, Insightful)

    by h4rr4r (612664) on Monday July 19, 2010 @04:05PM (#32956340)

    The solution to that is to not buy such software.
    If it is not free or simply licensed, just do not use it.

  • by Toonol (1057698) on Monday July 19, 2010 @04:05PM (#32956350)
    Terry Childs is a terrible poster child for IT professionals. He did all sorts of things professionally and ethically wrong, and probably legally wrong, as well. I certainly would have pressed charges if he had been my employee.

    However, there are some legal traps that even a well-behaved IT pro can fall into. For instance, monitoring too much can be a privacy invasion; monitoring not enough can be negligence. Because the IT world scales up so much, sometimes a minor mistake can end up with millions of dollars of consequences.
  • by Anonymous Coward on Monday July 19, 2010 @04:07PM (#32956394)

    Umm no. I disagree entirely. Are we forgetting there was a network engineer on the jury? Seriously? This is exactly the sort of thing that SHOULD happen. A jury of his "peers!"

    It was described to the engineer, and he was the de-facto explainer for the group, but seriously Childs was working for the gov't too long and had too many bad habits of "fiefdom" creation that are everywhere in city and state organizations. He created a world, then he took the keys away from everyone and didn't give it up. He's not the first, nor will he be the last, but the lesson here should be to all comers "hit by bus strategy... always." Otherwise, things that together could be suspect or could be best practice BECOME suspect without a backup and recovery plan.

    And no, an encrypted that's tattoo'd to an admin's ass doesn't count. Especially if there's a likelihood of a flame thrower being involved at some point.

  • Re:Licensing (Score:5, Insightful)

    by toastar (573882) on Monday July 19, 2010 @04:11PM (#32956436)

    The solution to that is to not buy such software.
    If it is not free or simply licensed, just do not use it.

    ... tell that to my boss.

  • by bws111 (1216812) on Monday July 19, 2010 @04:14PM (#32956486)

    Why is it a "concern" that judges and juries don't understand what IT pros do? Judges are supposed to understand the law. Period. Juries are supposed to be unbiased. Period. Is it a "concern" that judges and juries don't understand what police detectives do? Doctors? Hospital ethics boards? Accident reconstruction experts? Corporate officers? Accountants? Fund managers? Etc, etc. If the judge or jury needs to understand any of those things it is up to the parties in the case to educate them. There is nothing special about IT that makes it any more or less difficult to explain than anything else.

  • Re:Licensing (Score:3, Insightful)

    by Actually, I do RTFA (1058596) on Monday July 19, 2010 @04:15PM (#32956494)

    The solution to that is to not buy such software.

    If it is not free or simply licensed, just do not use it.

    If you're word processing and checking your e-mail, fine. But some of us have real jobs. Jobs that require using the same tools as your customers, or simply access to specific applications.

  • by grasshoppa (657393) <skennedy.tpno-co@org> on Monday July 19, 2010 @04:20PM (#32956566) Homepage

    If the device is hooked up to a corporate BES server, then they can already read all of your sms / email.

    Always better for the corporation to completely own the device, from start to finish, to prevent confusion.

  • by XanC (644172) on Monday July 19, 2010 @04:21PM (#32956568)

    That network engineer, IIRC, said here something to the effect that he didn't think Childs had any criminal intent, and that he was doing what he thought was right for the city. The only reason for the conviction was that the letter of the law appeared to be against him.

    This was a case where a fully informed jury should have acquitted, but unfortunately juries are not fully informed. A jury has the right, nay the responsibility, to judge the LAW as well as the FACTS.

    Basically, put yourself in Childs' situation. You did what you thought was right. (Let's assume that's the case, since I believe that's what the juror said.) Wouldn't you hope that somebody would inject some common sense at some point rather than robotically reading the law?

    That's why we have juries. But judges tell them all they can do is robotically read the law. It's awful.

    http://fija.org/

  • Re:Licensing (Score:2, Insightful)

    by h4rr4r (612664) on Monday July 19, 2010 @04:23PM (#32956594)

    That is your job. You are his technical resource.

  • by Anonymous Coward on Monday July 19, 2010 @04:23PM (#32956596)

    Here's one: I worked for one of the top national retail firms. Their POS systems were booted using PXE, and there was no firewalling between the stores and corporate HQ. In other words, the network topology was completely flat. Set up a PXE server at any store, distribution center, or headquarters, and you could respond to PXE requests sent by the POS systems. The store's location was coded into the DNS RR, and followed an easy-to-understand naming convention -- they also were powered down every evening. Which means you had about a 10 minute window each day where, if you disabled or DDoS'd the one PXE server on the network, you would be able to send a bootable image to every POS server in that timezone.

    They fired me three days after reporting this flaw, calling me a security risk.

    Maybe you shouldn't have informed them via a custom Windows splash screen...
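The defender's counterpart to the flat-network PXE problem described in the post above is to watch for boot offers that do not come from the sanctioned boot server. This is an added example, not code from the post or from any company it mentions; the allowlist, the HQ range, the boot window and the sample offer records are all constructed assumptions.

```python
"""Flag PXE boot offers that do not come from the sanctioned boot server.

Added example (not from the post above). The records are a constructed,
simplified DHCP-offer log such as a sensor on a flat network could emit;
in practice they would come from DHCP snooping on the switches or a pcap.
All addresses, the allowlist and the boot window are assumptions.
"""
import ipaddress

AUTHORISED_BOOT_SERVERS = {"10.0.0.20"}          # the one real PXE server (assumed)
HQ_NET = ipaddress.ip_network("10.0.0.0/24")    # where it is expected to live (assumed)
BOOT_WINDOW_HOURS = range(6, 8)                 # stores power up 06:00-07:59 (assumed)
EXPECTED_BOOTFILE_PREFIX = "pos/"               # assumed naming of the POS image


def classify_offer(offer):
    """Return the reasons an offer looks like a rogue PXE response (empty if clean)."""
    next_server = offer.get("siaddr") or offer.get("opt66")   # TFTP server name/address
    bootfile = offer.get("opt67")                             # boot file name
    if not next_server and not bootfile:
        return []                               # ordinary lease, no boot parameters
    reasons = []
    if next_server not in AUTHORISED_BOOT_SERVERS:
        reasons.append(f"boot server {next_server} not on allowlist")
    src = ipaddress.ip_address(offer["src_ip"])
    if src not in HQ_NET:
        reasons.append(f"boot offer sent from non-HQ address {src}")
    if bootfile and not bootfile.startswith(EXPECTED_BOOTFILE_PREFIX):
        reasons.append(f"unexpected bootfile {bootfile!r}")
    if offer["hour"] not in BOOT_WINDOW_HOURS:
        reasons.append(f"boot offer at {offer['hour']:02d}:xx, outside power-up window")
    return reasons


def rogue_offers(offers):
    """Pair each suspicious offer's source address with its reasons."""
    flagged = []
    for offer in offers:
        reasons = classify_offer(offer)
        if reasons:
            flagged.append((offer["src_ip"], reasons))
    return flagged


# Constructed sample log: one dict per DHCP offer seen by the sensor.
SAMPLE_OFFERS = [
    {"src_ip": "10.0.0.20", "hour": 6, "siaddr": "10.0.0.20", "opt67": "pos/pxelinux.0"},   # legitimate
    {"src_ip": "10.0.0.5", "hour": 9},                                                      # plain lease
    {"src_ip": "10.37.4.99", "hour": 6, "siaddr": "10.37.4.99", "opt67": "pxelinux.0"},    # from a store LAN
    {"src_ip": "10.0.0.20", "hour": 14, "siaddr": "10.0.0.20", "opt67": "pos/pxelinux.0"},  # right server, odd hour
]

if __name__ == "__main__":
    for src, reasons in rogue_offers(SAMPLE_OFFERS):
        print(src, "->", "; ".join(reasons))
```

The time-of-day check matters because on the network described, legitimate PXE traffic only exists during the morning power-up window; a boot offer at any other hour is worth a look even when it comes from the right server.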

  • by spire3661 (1038968) on Monday July 19, 2010 @04:26PM (#32956632) Journal
    Good intentions rarely excuse malfeasance and are usually non-exonerating. You can have the best of intentions and still be found guilty. The law does take intent into account, but it isn't a free pass.
  • Re:Licensing (Score:1, Insightful)

    by Anonymous Coward on Monday July 19, 2010 @04:29PM (#32956664)

    What's more interesting is in the little time after you started they didn't even bother to tell you what they were doing.

    Speaks volumes my man.

  • by XanC (644172) on Monday July 19, 2010 @04:30PM (#32956678)

    It certainly can be, depending on the situation. Especially in cases where the law and the situation are both so convoluted, like this one, that the defendant had no reasonable way to know ahead of time that he was committing a crime.

    If it takes the jury more than a half hour to determine that a crime was even committed, and the defendant was in good faith attempting to fulfill all his obligations but struck a different, but still reasonable, balance from the one the jury would have picked, I don't see how anybody can possibly convict.

  • by idiot900 (166952) * on Monday July 19, 2010 @04:38PM (#32956768)

    They fired me three days after reporting this flaw, calling me a security risk.

    What a brilliant idea by whoever fired you - producing a disgruntled former employee who knows how to steal money from the company.

  • by Altus (1034) on Monday July 19, 2010 @04:38PM (#32956772) Homepage

    I get where you are coming from, and I totally agree that Childs was a toolbox and could easily have handled the situation better if he had any desire to do so.

    However, if your boss tells you to violate the state policies on passwords and mail them off to someone (or provide them to a room full of people) and then something bad happens because of that, it is quite possible that you will be held legally liable for the damages caused. Just following orders may not be enough of an excuse.

  • Re:Licensing (Score:5, Insightful)

    by Brandee07 (964634) on Monday July 19, 2010 @04:39PM (#32956780)

    Your job is to keep his copy of Microsoft Office working, not to tell him that he should switch to OpenOffice.

    In my limited workplace experience, if you answer "Fix my software" with "Use this other software instead," you will either be ignored or fired. (I found myself ignored, but instilled with a profound desire to not attempt to be helpful again.)

  • by HikingStick (878216) <z01riemer.hotmail@com> on Monday July 19, 2010 @04:39PM (#32956786)
    One problem I see is that requirements may not be the same from state to state (in the US), and there are few formal resources available for IT professionals to know exactly what requirements apply. This is especially true for IT pros in smaller or privately held firms that don't fall under the authority of some of the big bills that have been enacted. None of the college programs in my area even has a course addressing these issues, except for specific courses dealing with things like HIPAA. This seems to be a big gap, and I know I'd love to find a course (or even a website) that deals with specific requirements at both the State and Federal levels.
  • by FelixNZ (1426093) on Monday July 19, 2010 @04:53PM (#32956960)
    Wow, that's incredible. Unless you were a contractor, I am extremely glad to be in a country that has sane employment law right now.
  • Re:Licensing (Score:2, Insightful)

    by Anonymous Coward on Monday July 19, 2010 @05:04PM (#32957126)

    Your job is to keep his copy of Microsoft Office working, not to tell him that he should switch to OpenOffice.

    In my limited workplace experience, if you answer "Fix my software" with "Use this other software instead," you will either be ignored or fired. (I found myself ignored, but instilled with a profound desire to not attempt to be helpful again.)

    Depends on how you phrase the question. Say "Switch to OpenOffice" and you've already failed. Talk about reducing company-wide 10-year licensing fees by 100% and you have them hooked. IT has no place for ideals, sadly, so I just sell them at their game.

  • by Anonymous Coward on Monday July 19, 2010 @05:11PM (#32957214)

    The only reason for the conviction was that the letter of the law appeared to be against him.

    then that jury failed in its duty to set precedent against bad law.

  • Re:Obvious (Score:2, Insightful)

    by Anonymous Coward on Monday July 19, 2010 @06:24PM (#32958054)

    Yeah, you're saying that's how it is and I'm saying that's not how it should be.

    If the employee is expected by law to say NO, then he should be able to do so without repercussions. Otherwise he is under duress. Telling someone he's fired if he doesn't do $ILLEGAL_ACTION when he's got a mortgage and a family to feed is akin to holding a gun to his head. He is powerless because he is now stuck between two entities who have total power over him and who want conflicting things. This powerlessness should grant him immunity to actions done in either power's name. Perhaps this is a symptom of a larger problem: law conflicts too much with reality.

    1. That's fine, but the liability should rest with those who are holding the mallets over the employee.

    2. This wouldn't be an issue if he had immunity. He wouldn't have to complain.

    3. So what is the probability that these two events will line up just so? Are you serious?

  • by Opportunist (166417) on Monday July 19, 2010 @08:56PM (#32959408)

    Why?

    Because I'm in IT security. My job is to analyze and dissect malware, not only to find out what it does but also how it does it, what attack vectors are used, what system flaws are exploited, what means of communication with a controlling server are used and, if possible, I should also try to cut those lines and render the malware useless, preferably create some kind of remedy or even protection against it. All this can usually only be done by taking a closer look at the software than is possible by simply watching it run. In other words, disassembly and protocol sniffing and decoding are two of the main parts of my work. Both already illegal in some countries.

    Now, fortunately my country provides protection for this (albeit ... well, I have a law that I might pull out of my ass should I need it, but it's anything but a certain victory in case anyone ever goes to court for it). But in theory, any writer of malware could pull any IT security company into court and stand a pretty good chance to win. Though he'd first have to admit that it was him who created the malware.

    In other words, as odd as it may be, I may violate that copyright because the one who could drag me to court for it certainly has no interest in coming forward and claiming ownership of the code.

    And now let's ponder for a moment what will change should ACTA become reality and copyright violations get shifted from civil to criminal code. Technically, the State Attorney would have to step forward and protect the copyright of the writers of malware without them asking for it (because the SA has to act even without prompting from the injured party) and prosecute those that analyze malware and design protection and remedies against it.

    You see, you don't have to be the bad guy to think that ACTA is a really, really bad idea...

  • by slashqwerty (1099091) on Monday July 19, 2010 @10:41PM (#32960092)
    Police and doctors are in the news and on TV all the time. Most people interact with doctors frequently. Many people interact with the police as well. That may not tell a person how doctors and police do their jobs but it is a pretty good start. Ethics boards are made up of people from the community. The job is pretty self-explanatory.

    Accident reconstruction experts tend to be expert witnesses. It is not often that they are on trial for committing a crime on the job. They also tend to be well-trained and follow clear well-established guidelines.

    You are correct that the other fields are not very well understood by juries. That is one reason it is so hard to hold corporate officers, accountants, and fund managers responsible for white-collar crime. The issues have been litigated, the weak points of the law are well-known, so that's where fund managers, et al focus their exploits.

    Hard sciences are different. People view hard sciences as having the answer. When someone is accused of doing something that doesn't work out well, people assume the suspect knew what was going to happen and that the suspect's intentions must have been malicious. People have been taught that computers are deterministic machines, so IT is put in the category of a hard science.

    From another perspective, there are few fields where someone can become an 'expert' from a four-hour class. IT is one of those fields. The police will send an officer off to a class to be trained on how to use EnCase. Since most people use computers in their day-to-day lives and since computers record information so well this so-called 'expert' will incriminate all kinds of people on shabby evidence. Few defendants can afford a real expert to counter the police so juries are left with little to go on.
  • Re:Licensing (Score:3, Insightful)

    by nosfucious (157958) on Tuesday July 20, 2010 @10:26AM (#32965062)

    First lesson: Developers never run with Admin rights.

    Give your users admin rights before you give your developers admin rights.
